
SEC522: Application Security: Securing Web Applications, APIs, and Microservices

SEC522 (Cloud Security)
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by: Jason Lam & Dr. Johannes Ullrich
  • GIAC Certified Web Application Defender (GWEB)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Advanced Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 21 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Gain the skills you need to understand and mitigate vulnerabilities and secure web applications, APIs, and microservices.

Course Overview

SEC522 is a hands-on, advanced application security course that teaches security professionals how to identify and mitigate vulnerabilities in web applications, APIs, and cloud-native services. Through 20 practical labs and a final Defend-the-Flag challenge, participants gain the skills to defend against real-world threats, integrate security early in the development lifecycle, and protect modern application ecosystems. The course also prepares students for the GWEB certification and aligns with OWASP Top 10 and industry best practices.

What You’ll Learn

  • Defend against OWASP Top 10 attacks and input-related vulnerabilities like SQL injection, XSS, and CSRF
  • Enhance infrastructure security and configuration management for robust protection
  • Securely integrate cloud components, microservices, and AI tools into modern applications
  • Strengthen authentication and authorization with OAuth, SAML, SSO, and password-less mechanisms
  • Improve web security using protective HTTP headers and cross-domain request controls
  • Protect SOAP, REST, and GraphQL APIs from emerging threats

Business Takeaways

  • Comply with PCI DSS and other compliance requirements
  • Reduce the overall application security risks, and protect company reputation
  • Adopt the "shifting left" mindset: Address security issues early and quickly, reducing cost
  • Adopt modern apps with API and microservices in a secure manner
  • This course prepares students for the GWEB certification

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC522: Application Security: Securing Web Applications, APIs, and Microservices.

Section 1: Web Fundamentals and Secure Configurations

The course begins with web application fundamentals, including the HTTP protocol and architecture, which are essential for security. It then covers securing configurations in modern development, focusing on Infrastructure as Code. It also explores best practices for managing infrastructure, cloud, and web-server configurations to enhance security.

Topics covered

  • Introduction to HTTP protocol
  • Overview of web authentication
  • Web application architecture
  • Recent attack trends
  • Web security & firewalls

Labs

  • HTTP basics
  • HTTP/2 traffic inspection and spoofing
  • Environment isolation
  • SSRF and credential-stealing

Section 2: Input-Related Defenses

Section 2 focuses on defending against threats from external input, which modern applications receive from various sources, including browsers, web services, and non-web-standard systems. It covers common input-related attacks, real-world examples, and defense patterns.

Topics covered

  • Web application vulnerabilities
  • SQL injection
  • Cross-site Request Forgery
  • Unicode and file upload handling
  • Business logic and concurrency

Labs

  • SQL injection
  • Cross-Site Request Forgery
  • Cross-Site Scripting
  • Unicode and file upload

Section 3: Authentication and Authorization

Section 3 covers authentication and authorization in web apps, including exploits and mitigations. It explores passwordless and multifactor authentication, modern SSO solutions like OAuth, JWT, and OpenID Connect, and their challenges. The section concludes with encryption best practices for data in transit and storage.

Topics covered

  • Authentication vulnerabilities
  • Multifactor authentication
  • Session vulnerabilities and testing
  • Authorization and SSL vulnerabilities
  • Encryption for web applications

Labs

  • Authentication
  • Session fixation
  • OAuth and access control
  • Inspecting SSL traffic with Wireshark

Section 4: Web Services and Front-End Security

This section begins with SOAP-based web services before shifting to JavaScript’s front-end security concerns, including CORS. It covers security risks, mitigation strategies, and best practices for AJAX applications. The section concludes with client-side defenses like Content Security Policy, exploring both benefits and limitations.

Topics covered

  • Web services overview
  • XML security
  • AJAX attack trends
  • Modern JavaScript frameworks
  • Browser features and defense

Labs

  • WSDL enumerations
  • Cross domain AJAX
  • Front end security features and CSP
  • Clickjacking

Section 5: APIs and Microservices Security

This section covers deserialization security, DNS rebinding, and security risks in REST and GraphQL APIs. It explores microservices architecture, common attacks, and best practices. The day concludes with a discussion on securely integrating AI components into modern applications.

Topics covered

  • Deserialization
  • REST and GraphQL security
  • Microservices and AI security
  • Security testing
  • Logging and error handling

Labs

  • Deserialization and DNS Rebinding
  • GraphQL
  • API gateways and JSON
  • SRI and log review

Section 6: DevSecOps and Defending the Flag

This section introduces DevSecOps in enterprise web development. A hands-on lab reinforces course lessons, challenging students to identify real vs. false vulnerabilities and apply mitigations. Exercises cover securing the OS, web server, configurations, and fixing coding flaws.

Topics covered

  • DevSecOps

Labs

  • Defending the Flag Capstone Exercise

Things You Need To Know

Relevant Job Roles

Cloud Security Engineer

Cloud Security

Building security solutions for cloud workflows


Technology Research and Development (OPM 661)

NICE: Design and Development

Responsible for conducting software and systems engineering and software systems research to develop new capabilities with fully integrated cybersecurity. Conducts comprehensive technology research to evaluate potential vulnerabilities in cyberspace systems.


Software Security Assessment (OPM 622)

NICE: Design and Development

Responsible for analyzing the security of new or existing computer applications, software, or specialized utility programs and delivering actionable results.


Secure Systems Development

NICE: Design and Development

Responsible for the secure design, development, and testing of systems and the evaluation of system security throughout the systems development life cycle.


Application Pen Tester

Offensive Operations

Application penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, client-side applications, server-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.


Secure Software Development (OPM 621)

NICE: Design and Development

Responsible for developing, creating, modifying, and maintaining computer applications, software, or specialized utility programs.


Course Schedule & Pricing

  • Virtual (OnDemand), instructed by Jason Lam. OnDemand (Anytime), Self-Paced, 4 months access. Course price: $8,780 USD*
  • Singapore, SG & Virtual (live), instructed by Jason Lam. Course price: $8,900 USD*
  • Washington, DC, US & Virtual (live), instructed by Dr. Johannes Ullrich. Course price: $8,780 USD*
  • Raleigh, NC, US & Virtual (live), instructed by Joshua Barone. Course price: $8,780 USD*
  • Las Vegas, NV, US & Virtual (live), instructed by Dr. Johannes Ullrich. Course price: $8,780 USD*
  • Denver, CO, US & Virtual (live), instructed by Dr. Johannes Ullrich. Course price: $8,780 USD*
  • Dallas, TX, US & Virtual (live), instructed by Dr. Johannes Ullrich. Course price: $8,780 USD*
  • Orlando, FL, US & Virtual (live), instructed by Dr. Johannes Ullrich. Course price: $8,780 USD*

*Prices exclude applicable local taxes.

Benefits of Learning with SANS

  • Get feedback from the world’s best cybersecurity experts and instructors
  • Choose how you want to learn - online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources