-
- Current Site
Security Certification- Choose a different site Help
Security Training
Internet Storm Center
College Cybersecurity Programs
Security Awareness Training
Blue Team Operations
Forensics & Incident Response
Offensive Operations
Industrial Control Systems
Cloud Security
Cybersecurity Leadership
Government Private Training
Cyber Security Certification: GWEB
GIAC Certified Web Application Defender (GWEB)
The GIAC Web Application Defender certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems. The successful candidate will have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended. GIAC Certified Web Application Defenders (GWEB) have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.
Areas Covered
- Access Control, AJAX Technologies and Security Strategies, Security Testing, and Authentication
- Cross Origin Policy Attacks and Mitigation, CSRF, and Encryption and Protecting Sensitive Data
- File Upload, Response Readiness, Proactive Defense, Input Related Flaws and Input Validation
- Modern Application Framework Issues and Serialization, Session Security & Business Logic, Web
- Application and HTTP Basics, Web Architecture, Configuration, and Security
Who is GWEB for?
- Application developers
- Application security analysts or managers
- Application architects
- Penetration testers who are interested in learning about defensive strategies
- Security professionals who are interested in learning about web application security
- Auditors who need to understand defensive mechanisms in web applications
- Employees of PCI compliant organizations who need to be trained to comply with PCI requirements
Requirements
- 1 proctored exam
- 75 questions
- Time limit of 3 hours
- Minimum Passing Score of 68%
Delivery
NOTE: All GIAC Certification exams are web-based and required to be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE. Click here for more information.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Access Control
- The candidate will demonstrate understanding of access control attacks and mitigation strategies, as well as applying the best practice in avoiding access control issues.
- AJAX Technologies and Security Strategies
- The candidate will demonstrate an understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks against AJAX technologies and best practices for securing applications using AJAX.
- Authentication
- The candidate will demonstrate understanding of web authentication, single sign on methods, third party session sharing and common weaknesses, as well as how to develop test strategies, and apply best practices.
- Cross Origin Policy Attacks and Mitigation
- The candidate will demonstrate an understanding of methods attackers use to circumvent single origin policy enforcement and best practices for preventing, detecting or mitigating these attacks in web applications.
- CSRF
- The candidate will demonstrate understanding of the conditions that make a CSRF attack possible, the steps an attacker takes and how to mitigate CSRF attacks.
- Encryption and Protecting Sensitive Data
- The candidate will demonstrate understanding of how cryptographic components work together to protect web application data in transit and in storage and also when and where to use encryption or tokenization to protect sensitive information.
- File Upload, Response Readiness, Proactive Defense
- The candidate will demonstrate an understanding of incident response as well as file upload, logging, and anti automation issues
- Input Related Flaws and Input Validation
- The candidate will demonstrate understanding of SQL injection, Cross site Scripting, HTTP Response splitting, and how to protect against them with proper input validation
- Leading Edge Technologies and Web Security
- The candidate will demonstrate an understanding of leading edge web application security issues and technologies
- Modern Application Framework Issues and Serialization
- The candidate will demonstrate understanding of miscellaneous security technolgies and techniques associated with web application security including REST, Java Frameworks, Serialization, and Browser Defense
- Security Testing
- The candidate will demonstrate an understanding of how to detect and respond to incidents and conduct security testing in the web application environment.
- Session Security & Business Logic
- The candidate will demonstrate understanding of what sessions are, how to test and mitigate common weaknesses, and how to properly implement session tokens and cookies in a web application as well as security issues associated with business logic.
- Web Application and HTTP Basics
- The candidate will demonstrate understanding of the building blocks of web applications and how components work together to provide HTTP content as well as high level attack trends.
- Web Architecture and Configuration
- The candidate will demonstrate an understanding of web application architecture and controls needed to secure servers and services that host web applications.
- Web Services Security
- The candidate will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc) and best practices for securing web services.
*No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.*
Other Resources
- Training is available in a variety of modalities including live training and OnDemand
- Practical work experience can help ensure that you have mastered the skills necessary for certification
- College level courses or self paced study through another program or materials may meet the needs for mastery.
- The procedure to contest exam results can be found at https://www.giac.org/about/procedures/grievance.
