GIAC Certified Web Application Defender (GWEB) icon

GIAC Certified Web Application Defender (GWEB)

Practitioner Certification

The GIAC Web Application Defender (GWEB) certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems. The successful candidate will have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended. GWEB candidates have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.

Areas Covered

  • Access Control, AJAX Technologies and Security Strategies, Security Testing, and Authentication
  • Cross Origin Policy Attacks and Mitigation, CSRF, and Encryption and Protecting Sensitive Data
  • File Upload, Response Readiness, Proactive Defense, Input Related Flaws and Input Validation
  • Modern Application Framework Issues and Serialization, Session Security & Business Logic, Web
  • Application and HTTP Basics, Web Architecture, Configuration, and Security

Who is GWEB for?

  • Application developers
  • Application security analysts or managers
  • Application architects
  • Penetration testers who are interested in learning about defensive strategies
  • Security professionals who are interested in learning about web application security
  • Auditors who need to understand defensive mechanisms in web applications
  • Employees of PCI compliant organizations who need to be trained to comply with PCI requirements 

Exam Format

  • 1 proctored exam
  • 75 questions
  • 3 hours
  • Minimum passing score of 68%

Delivery

NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.

GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.

Exam Certification Objectives & Outcome Statements

  • Access Control
    The candidate will demonstrate understanding of access control attacks and mitigation strategies, as well as applying the best practice in avoiding access control issues.
  • AJAX Technologies and Security Strategies
    The candidate will demonstrate an understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks against AJAX technologies and best practices for securing applications using AJAX.
  • Authentication
    The candidate will demonstrate understanding of web authentication, single sign on methods, third party session sharing and common weaknesses, as well as how to develop test strategies, and apply best practices.
  • Cross Origin Policy Attacks and Mitigation
    The candidate will demonstrate an understanding of methods attackers use to circumvent single origin policy enforcement and best practices for preventing, detecting or mitigating these attacks in web applications.
  • CSRF
    The candidate will demonstrate understanding of the conditions that make a CSRF attack possible, the steps an attacker takes and how to mitigate CSRF attacks.
  • Encryption and Protecting Sensitive Data
    The candidate will demonstrate understanding of how cryptographic components work together to protect web application data in transit and in storage and also when and where to use encryption or tokenization to protect sensitive information.
  • File Upload, Response Readiness, Proactive Defense
    The candidate will demonstrate an understanding of incident response as well as file upload, logging, and anti automation issues
  • Input Related Flaws and Input Validation
    The candidate will demonstrate understanding of SQL injection, Cross site Scripting, HTTP Response splitting, and how to protect against them with proper input validation
  • Leading Edge Technologies and Web Security
    The candidate will demonstrate an understanding of leading edge web application security issues and technologies
  • Modern Application Framework Issues and Serialization
    The candidate will demonstrate understanding of miscellaneous security technolgies and techniques associated with web application security including REST, Java Frameworks, Serialization, and Browser Defense
  • Security Testing
    The candidate will demonstrate an understanding of how to detect and respond to incidents and conduct security testing in the web application environment.
  • Session Security & Business Logic
    The candidate will demonstrate understanding of what sessions are, how to test and mitigate common weaknesses, and how to properly implement session tokens and cookies in a web application as well as security issues associated with business logic.
  • Web Application and HTTP Basics
    The candidate will demonstrate understanding of the building blocks of web applications and how components work together to provide HTTP content as well as high level attack trends.
  • Web Architecture and Configuration
    The candidate will demonstrate an understanding of web application architecture and controls needed to secure servers and services that host web applications.
  • Web Services Security
    The candidate will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc) and best practices for securing web services.

Other Resources

  • Training is available in a variety of modalities including live training and OnDemand
  • Practical work experience can help ensure that you have mastered the skills necessary for certification
  • College level courses or self paced study through another program or materials may meet the needs for mastery.
  • Get information about the procedure to contest exam results.

Practice Tests

  • These tests are a simulation of the real exam allowing you to become familiar with the test engine and style of questions.
  • Practice exams are a gauge to determine if your preparation methods are sufficient.
  • The practice bank questions are limited so you may encounter the same question on practice tests when multiple practice tests are purchased.
  • Practice exams never include actual exam questions.
  • Purchase a GWEB practice test here.
  • GIAC recommends leveraging additional study methods for test preparation.

Find Affiliate Training

Explore affiliate training options to prepare for your GIAC certification exam.