Security Certification: GWEB

Security Certification:

GIAC Certified Web Application Defender (GWEB)


The GIAC Web Application Defender certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems.

The successful candidate will have hands-on experience using current tools to detect and prevent Input Validation flaws, Cross-site scripting (XSS), and SQL Injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended.

GIAC Certified Web Application Defenders (GWEB) have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.


Developers, Web Application Security Analysts, Auditors, Penetration Testers, Security Professionals responsible for web application security and anyone interested in learning the concepts of securing web applications.

*No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.*


  • 1 proctored exam
  • 75 questions
  • Time limit of 3 hours
  • Minimum Passing Score of 68%


Certifications must be renewed every 4 years. Click here for details.


NOTE: All GIAC exams are delivered through proctored test centers and must be scheduled in advance.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam GIAC exams are delivered online through a standard web browser.


Bulletin (Part 2 of Candidate Handbook)

Exam Certification Objectives & Outcome Statements

The topic areas for each exam part follow:

Access Control
The candidate will demonstrate understanding of access control attacks and mitigation strategies, as well as applying the best practice in avoiding access control issues.
AJAX Technologies and Security Strategies
The candidate will demonstrate an understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks against AJAX technologies and best practices for securing applications using AJAX.
The candidate will demonstrate understanding of web authentication, single sign on methods, third party session sharing and common weaknesses, as well as how to develop test strategies, and apply best practices.
Cross Origin Policy Attacks and Mitigation
The candidate will demonstrate an understanding of methods attackers use to circumvent single origin policy enforcement and best practices for preventing, detecting or mitigating these attacks in web applications.
The candidate will demonstrate understanding of the conditions that make a CSRF attack possible, the steps an attacker takes and how to mitigate CSRF attacks.
Encryption and Protecting Sensitive Data
The candidate will demonstrate understanding of how cryptographic components work together to protect web application data in transit and in storage and also when and where to use encryption or tokenization to protect sensitive information.
File Upload, Response Readiness, Proactive Defense
The candidate will demonstrate an understanding of incident response as well as file upload, logging, and anti automation issues
Input Related Flaws and Input Validation
The candidate will demonstrate understanding of SQL injection, Cross site Scripting, HTTP Response splitting, and how to protect against them with proper input validation
Leading Edge Technologies and Web Security
The candidate will demonstrate an understanding of leading edge web application security issues and technologies
Modern Application Framework Issues and Serialization
The candidate will demonstrate understanding of miscellaneous security technolgies and techniques associated with web application security including REST, Java Frameworks, Serialization, and Browser Defense
Security Testing
The candidate will demonstrate an understanding of how to detect and respond to incidents and conduct security testing in the web application environment.
Session Security & Business Logic
The candidate will demonstrate understanding of what sessions are, how to test and mitigate common weaknesses, and how to properly implement session tokens and cookies in a web application as well as security issues associated with business logic.
Web Application and HTTP Basics
The candidate will demonstrate understanding of the building blocks of web applications and how components work together to provide HTTP content as well as high level attack trends.
Web Architecture and Configuration
The candidate will demonstrate an understanding of web application architecture and controls needed to secure servers and services that host web applications.
Web Services Security
The candidate will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc) and best practices for securing web services.

Where to Get Help

Training is available from a variety of resources including on line, course attendance at a live conference, and self study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.

Finally, college level courses or study through another program may meet the needs for mastery.

The procedure to contest exam results can be found at