Course Summary
Throughout the course, we highlight the risks associated with web applications and the potential for sensitive data to be exposed or compromised. We then provide real-world solutions to mitigate these risks and guide students on how to evaluate and communicate residual risks effectively.
Upon completing the course, students will be able to quickly apply the knowledge gained, bringing back practical techniques to enhance the security of their applications. They will also learn to implement security early in the software development lifecycle, “shifting left” on security decisions and testing, ultimately saving time, money, and resources for the organization.
Key Topics Covered:
- Access Control, AJAX Technologies, and Security Strategies
- Security Testing and Authentication
- Cross-Origin Policy Attacks and Mitigation, CSRF, Encryption, and Protecting Sensitive Data
- File Uploads, Response Readiness, Proactive Defense, and Input Validation
- Modern Application Framework Issues and Serialization
- Session Security, Business Logic, and Web Application Basics
- HTTP Basics, Web Architecture, Configuration, and Security
Access Control
The candidate will demonstrate an understanding of access control vulnerabilities and mitigation strategies, applying best practices to prevent access control issues.
AJAX Technologies and Security Strategies
The candidate will show a comprehensive understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks targeting AJAX technologies, and the best practices for securing AJAX-based applications.
Authentication
The candidate will demonstrate an understanding of web authentication, single sign-on methods, third-party session sharing, and common weaknesses, along with how to develop testing strategies and implement best practices.
Cross-Origin Policy Attacks and Mitigation
The candidate will show knowledge of how attackers circumvent the same-origin policy and apply best practices for preventing, detecting, and mitigating these attacks in web applications.
CSRF (Cross-Site Request Forgery)
The candidate will demonstrate an understanding of the conditions that make CSRF attacks possible, the steps an attacker takes, and how to effectively mitigate these types of attacks.
Encryption and Protecting Sensitive Data
The candidate will demonstrate knowledge of cryptographic components used to protect data in transit and at rest, and when to use encryption or tokenization to secure sensitive information.
File Upload, Response Readiness, and Proactive Defense
The candidate will show an understanding of incident response, file upload security, logging, and anti-automation measures.
Input-Related Flaws and Input Validation
The candidate will demonstrate an understanding of input-related vulnerabilities, such as SQL injection, Cross-Site Scripting (XSS), and HTTP Response Splitting, and how to prevent them using proper input validation techniques.
Leading Edge Technologies and Web Security
The candidate will demonstrate awareness of emerging web application security issues and technologies.
Modern Application Framework Issues and Serialization
The candidate will show an understanding of security concerns related to modern web application frameworks, including REST, Java frameworks, serialization, and browser defense techniques.
Security Testing
The candidate will demonstrate the ability to detect and respond to incidents, and to conduct effective security testing in a web application environment.
Session Security and Business Logic
The candidate will demonstrate an understanding of session security, how to test and mitigate common session weaknesses, and the proper implementation of session tokens and cookies, along with security concerns related to business logic.
Web Application and HTTP Basics
The candidate will demonstrate knowledge of the fundamental components of web applications, how these components interact to deliver HTTP content, and general attack trends affecting web applications.
Web Architecture and Configuration
The candidate will show an understanding of web application architecture and the security controls required to secure the servers and services hosting web applications.
Web Services Security
The candidate will demonstrate an understanding of Service-Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL), and best practices for securing web services.