C)SWAE - Certified Secure Web Application Engineer
Organizations and governments fall victim to internet based attacks every day.


In many cases, web attacks could be thwarted, but hackers, organized criminal gangs, and foreign agents are still able to exploit weaknesses in web applications.


The secure web programmer knows how to identify, mitigate and defend against all attacks by designing and building systems that are resistant to failure.


The secure web application developer knows how to develop web applications that aren’t subject to common vulnerabilities, and how to test and validate that their applications are secure, reliable and resistant to attack.


The vendor neutral Certified Secure Web Application Engineer certification provides the developer with a thorough and broad understanding of secure application concepts, principles and standards.


The student will be able to design, develop and test web applications that will provide reliable web services that meet functional business requirements and satisfy compliance and assurance needs.


The Certified Secure Web Application Engineer course is delivered by high level OWASP experts and students can expect to obtain real world security knowledge that enables them to recognize vulnerabilities, exploit system weaknesses and help safeguard against application threats.
  • Individual Course Access
  • Course Video
  • Physical, Printed Course book
  • Exam Prep Guide
  • Exam Simulator
  • Exam

C)SWAE - Certified Secure Web Application Engineer - Physical Course Kit & Exam

Module 1: Web Application Security

  • Web Application Security
  • Web Application Technologies and Architecture
  • Secure Design Architecture
  • Application Flaws and Defense Mechanisms
  • Defense In-Depth
  • Secure Coding Principles

Module 2: OWASP TOP 10

  • The Open Web Application Security Project (OWASP)
  • OWASP TOP 10 for 2017 & 2018

Module 3: Threat Modeling & Risk Management

  • Threat Modeling Tools & Resources
  • Identify Threats
  • Identify Countermeasures
  • Choosing a Methodology
  • Post Threat Modeling
  • Analyzing and Managing Risk: Incremental Threat Modeling
  • Identify Security Requirements
  • Understand the System
  • Root Cause Analysis

Module 4: Application Mapping

  • Application Mapping
  • Web Spiders
  • Web Vulnerability Assessment
  • Discovering Other Content
  • Application Analysis
  • Application Security Toolbox
  • Setting up a Testing Environment

Module 5: Authentication and Authorization Attacks

  • Authentication
  • Different Types of Authentication (HTTP, Form)
  • Client Side Attacks
  • Authentication Attacks
  • Authorization
  • Modeling Authorization
  • Least Privilege
  • Access Control
  • Authorization Attacks
  • Access Control Attacks
  • User Management
  • Password Storage
  • User Names
  • Account Lockout
  • Passwords
  • Password Reset
  • Client-Side Security
  • Anti-Tampering Measures
  • Code Obfuscation
  • Anti-Debugging

Module 6: Session Management Attacks

  • Session Management Attacks
  • Session Hijacking
  • Session Fixation
  • Environment Configuration Attacks

Module 7: Application Logic Attacks

  • Application Logic Attacks
  • Information Disclosure Exploits
  • Data Transmission Attacks

Module 8: Data Validation

  • Input and Output Validation
  • Trust Boundaries
  • Common Data Validation Attacks
  • Data Validation Design
  • Validating Non-Textual Data
  • Validation Strategies & Tactics
  • Errors & Exception Handling
  • Structured Exception Handling
  • Designing for Failure
  • Designing Error Messages
  • Failing Securely

Module 9: AJAX Attacks

  • AJAX Attacks
  • Web Services Attacks
  • Application Server Attacks

Module 10: Code Review and Security Testing

  • Insecure Code Discovery and Mitigation
  • Testing Methodology
  • Client Side Testing
  • Session Management Testing
  • Developing Security Testing Scripts
  • Pen Testing a Web Application

Module 11: Web Application Penetration Testing

  • Insecure Code Discovery and Mitigation
  • Benefits of a Penetration Test
  • Current Problems in WAPT
  • Learning Attack Methods
  • Methods of Obtaining Information
  • Passive vs. Active Reconnaissance
  • Footprinting Defined
  • Introduction to Port Scanning
  • OS Fingerprinting
  • Web Application Penetration Methodologies
  • The Anatomy of a Web Application Attack
  • Fuzzers

Module 12: Secure SDLC

  • Secure Software Development Lifecycle (SDLC) Methodology
  • Web Hacking Methodology

Module 13: Cryptography

  • Overview of Cryptography
  • Key Management
  • Cryptography Application
  • True Random Number Generators (TRNG)
  • Symmetric/Asymmetric Cryptography
  • Digital Signatures and Certificates
  • Hashing Algorithms
  • XML Encryption and Digital Signatures
  • Authorization Attacks

©2019 by Oddfellows Services Ltd t/a OFS.

Registered in England Number 11987380

Registered Office : International House, 24 Holborn Viaduct, London, EC1A 2BN, London, United Kingdom.

Email : operations@ofsec.co.uk

Telephone : +44 (0) 203 787 4785