The very first certification I ever got in my career is GIAC-GWEB, where GWEB stands for “GIAC Certified Web Application Defender”. You can see my certification here. Here is an overview of my experience.
Why GIAC-GWEB?
When you decide that you want to do a cybersecurity-related certification (or any certification for that matter), make sure that the certification provider is recognized in the related field of expertise. In this case, GIAC has a well-known reputation.
As for why GWEB, I had multiple reasons. Given that I have a developer background (I have a degree in software engineering), it was more natural for me to go with a certification that is made for builders. In other terms, its goal is to certify that you have the necessary knowledge to develop a secure web application. To do that, you have to know and understand the potential security issues that can arise and be exploited with that kind of software.
Another reason is that, back in 2016, I was just starting my cybersecurity journey and had recently finished my university program. I wanted to start with a certification that is obtained through a more traditional type of exam, since that is what I was used to at the time. GWEB was a 4-hour multiple-choice exam, not that different from any exam I had taken up to that point.
The final reason was for the job. Indeed, I was the guinea pig to test that certification. At my job at the time, we had a pretty strong network of security champions. One of the next steps was to put in place what we called “Super Security Champions”. There would be only a handful of them. Those “Super Security Champions” would need to have a specific certification under their belt to hold that title. We wanted to assess if GWEB would be a good option for that.
Who is it for?
As mentioned above, the GWEB certification is primarily focused on builders (i.e., developers). If you want to show the world that you know how to develop a secure web application, this is for you. That being said, I think this is a good certification for Application Security engineers in general as well. To pass the exam, you must prove that you understand the security threats that can affect a web application and how to defend against them.
If you read that carefully, you have probably noticed that if you are looking for a certification related to offensive security activities, this is not really for you. In terms of GIAC certifications, you would be better off with GIAC-GWAPT for example.
That being said, it could be interesting for a web application pentester. Indeed, the primary output of a web application pentest is a list of vulnerabilities, the related proof of concepts, and finally potential mitigations. As a pentester myself, I have found that knowing how to fix or prevent an issue in a software application (by knowing what code to write) gives me an edge. Indeed, it increases the value I can provide in my reports of web application pentests.
Learning Process
At the time I did this certification, no official training was provided for it. This means that all I had to help me in my studies was the exam objectives/blueprint. Having that in my hands, I searched for relevant resources for each objective.
My standard study process, for a question-based exam at least, is the following: when I find information that is relevant and that I should remember, I write a question whose answer is the information I want to remember. When I review my notes, I make sure that I am able to answer all of my questions.
I have kept my notes in this GitHub repository. Please note that the content of the exam has likely changed since I took it. Moreover, this is not based on any official learning material necessary to pass the exam. Use it at your own risk.
The one thing I had going for me at the time was the two practice exams. After a few weeks of study, I took the first practice exam. This was a good way for me to assess whether my study was on target and where I needed to make some adjustments. Please note that the most relevant practice exam is the first one. Make sure to take it after you’ve studied, but not right before the real exam. That way, you’ll have some time to review what you got wrong on the practice exam.
It took me roughly 100 hours to study for this exam. Note that when I started to prepare for the exam, my application security knowledge was almost nonexistent. Depending on how you study and what your current knowledge is, your mileage may vary. I have to say though, having a developer background is kind of mandatory. After all, this certification shows you how to properly defend a web application. This is not to say that you need a formal education in software engineering to take it on, but some software development experience is a must.
Note: there is now an official course related to this certification. I haven’t done it, therefore I can’t comment on the subject.
Last Thoughts
If you are a developer who wants to understand how to build a secure web application, or you are getting started in application security, this could be a good fit for you. If you are a web application pentester who wants to show that you not only can break stuff but also know how to fix it, this may be a good option. Personally, I highly recommend this certification. There are no useless skills or knowledge that you have to remember for the exam and forget afterward. Most of the exam questions focus on making sure that you understand the concepts rather than on rote memorization (but some of that is unavoidable). In the end, I am very happy to have completed this certification since it provided me with the kickstart I needed to get into application security at the start of my career.
I don’t know how I ended up here, but I thought this post was excellent. I have no idea who you are, but you will become a well-known blogger very soon if you aren’t already. Salutations.