Certified Secure Web Application Engineer Training (CSWAE)

Commitment: 5 Days, 7-8 hours a day.
Language: English
User Ratings: Average User Rating 4.8
Delivery Options: Instructor-Led Onsite, Online, and Classroom Live


Certified Secure Web Application Engineer Training (CSWAE): Organizations and governments fall victim to internet-based attacks every day. In many cases these web attacks could be thwarted, but hackers, organized criminal gangs, and foreign agents are able to exploit weaknesses in web applications. The secure web programmer knows how to identify, mitigate, and defend against such attacks by designing and building systems that are resistant to failure. The secure web application developer knows how to develop web applications that are not subject to common vulnerabilities, and how to test and validate that their applications are secure, reliable, and resistant to attack.

Web applications are increasingly sophisticated and, as such, critical to almost all major online businesses. As more applications are web-enabled, the number of web application security issues will increase, and traditional local system vulnerabilities, such as directory traversals, overflows, and race conditions, are opened up to new vectors of attack. The responsibility for the security of sensitive systems will rest increasingly with the web developer rather than the vendor or system administrator. As with most security issues involving client/server communications, web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation on the part of the developer.

  • Accredited by the NSA CNSS 4011-4016
  • Mapped to NIST / Homeland Security NICCS’s Cyber Security Workforce Framework
  • Approved on the FBI Cyber Security Certification Requirement list (Tier 1-3)

The Certified Secure Web Application Engineer exam is taken online through our Assessment and Certification System (“MACS”), which is accessible on your mile2.com account. The exam will take 2 hours and consists of 100 multiple-choice questions. The cost is $500 USD and must be purchased from us.

  • 5 Days of CSWAE Training from an Authorized Instructor
  • Official Student Courseware (Electronic Version)
  • Student Lab guide
  • Exam Prep Guide
  • Certificate of Completion
  • CPEs: 40 Hours



Upon completion, Certified Secure Web Application Engineer Training (CSWAE) students will be able to:

  • Establish industry-acceptable auditing standards with current best practices and policies.
  • Competently take the CSWAE exam.

We can adapt this Certified Secure Web Application Engineer Training (CSWAE) course to your group’s background and work requirements at little to no added cost:

  • If you are familiar with some aspects of this CSWAE Certification Training course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the CSWAE Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the CSWAE Certification Training course in a manner understandable to lay audiences.

The target audience for this Certified Secure Web Application Engineer Training (CSWAE) course:

  • Coders
  • Web Application Engineers
  • IS Managers
  • Application Engineers
  • Developers
  • Programmers

The knowledge and skills that a learner must have before attending this Certified Secure Web Application Engineer Training (CSWAE) course are:

  • A minimum of 24 months experience in software technologies & security
  • Sound knowledge of networking
  • At least one coding Language
  • Linux understanding
  • Open shell


Module 1: Web Application Security
  • Web Application Security
  • Web Application Technologies and Architecture
  • Secure Design Architecture
  • Application Flaws and Defense Mechanisms
  • Defense In-Depth
  • Secure Coding Principles
Module 2: OWASP TOP 10
  • The Open Web Application Security Project (OWASP)
  • OWASP TOP 10 for 2017 & 2018
Module 3: Threat Modeling & Risk Management
  • Threat Modeling Tools & Resources
  • Identify Threats
  • Identify Countermeasures
  • Choosing a Methodology
  • Post Threat Modeling
  • Analyzing and Managing Risk
  • Incremental Threat Modeling
  • Identify Security Requirements
  • Understand the System
  • Root Cause Analysis
Module 4: Application Mapping
  • Application Mapping
  • Web Spiders
  • Web Vulnerability Assessment
  • Discovering other content
  • Application Analysis
  • Application Security Toolbox
  • Setting up a Testing Environment
Module 5: Authentication and Authorization attacks
  • Authentication
  • Different Types of Authentication (HTTP, Form)
  • Client Side Attacks
  • Authentication Attacks
  • Authorization
  • Modeling Authorization
  • Least Privilege
  • Access Control
  • Authorization Attacks
  • Access Control Attacks
  • User Management
  • Password Storage
  • User Names
  • Account Lockout
  • Passwords
  • Password Reset
  • Client-Side Security
  • Anti-Tampering Measures
  • Code Obfuscation
  • Anti-Debugging
Module 6: Session Management attacks
  • Session Management Attacks
  • Session Hijacking
  • Session Fixation
  • Environment Configuration Attacks
Module 7: Application Logic attacks
  • Application Logic Attacks
  • Information Disclosure Exploits
  • Data Transmission Attacks
Module 8: Data Validation
  • Input and Output Validation
  • Trust Boundaries
  • Common Data Validation Attacks
  • Data Validation Design
  • Validating Non-Textual Data
  • Validation Strategies & Tactics
  • Errors & Exception Handling
  • Structured Exception Handling
  • Designing for Failure
  • Designing Error Messages
  • Failing Securely
Module 9: AJAX attacks
  • AJAX Attacks
  • Web Services Attacks
  • Application Server Attacks
Module 10: Code Review and Security Testing
  • Insecure Code Discovery and Mitigation
  • Testing Methodology
  • Client Side Testing
  • Session Management Testing
  • Developing Security Testing Scripts
  • Pen testing a Web Application
Module 11: Web Application Penetration Testing
  • Insecure Code Discovery and Mitigation
  • Benefits of a Penetration Test
  • Current Problems in WAPT
  • Learning Attack Methods
  • Methods of Obtaining Information
  • Passive vs. Active Reconnaissance
  • Footprinting Defined
  • Introduction to Port Scanning OS Fingerprinting
  • Web Application Penetration Methodologies
  • The Anatomy of a Web Application Attack
  • Fuzzers
Module 12: Secure SDLC
  • Secure-Software Development Lifecycle (SDLC) Methodology
  • Web Hacking Methodology
Module 13: Cryptography
  • Overview of Cryptography
  • Key Management
  • Cryptography Application
  • True Random Generators (TRNG)
  • Symmetric/Asymmetric Cryptography
  • Digital Signatures and Certificates
  • Hashing Algorithms
  • XML Encryption and Digital Signatures
  • Authorization Attacks
  • Module 1: Environment Setup and Architecture
  • Module 2: OWASP TOP 2013: Session Management Attacks
  • Module 3: Threat Modeling
  • Module 4: Application Modeling and Analysis
  • Module 5: Authentication and Authorization Attacks
  • Module 6: Session Management Attacks
  • Module 9: AJAX Security
  • Module 10-1: Code Review
  • Module 10-2: Security Test Scripts
  • Module 10-3: Writing Java Secure Code
  • Annex 11: Alternatives Labs
  • Lab 11-1: WebGoat & WebScarab
  • Lab 11-2: WebGoat – Cross-Site Request Forgery (CSRF)
  • Lab 11-3: Missing Function Level Access Control
  • Lab 11-4: Perform Forced Browsing Attacks
Course Recap, Q/A, and Evaluations