Web Application Security (online)

This 5-week CPD training course is open for all software developers interested in improving their knowledge and practical skills in cyber security. The course focuses on web application security. In the course, we introduce participants to the key concepts of cyber security and discuss the importance of security in web applications.

The course will provide an overview of security vulnerabilities in web applications and teach how to choose and implement appropriate security countermeasures. It will also provide practical, hands-on experience of conducting web application penetration testing and of implementing a wide range of security countermeasures in web applications.

Enrol on this course

Start date: 7 October 2021
Days and times: 7 October - 11 November 2021
£1250 (Early bird discount - save £125 when you book before August 15 2021)

Who it’s for

The course is designed for software developers and web application developers, computer scientists and IT experts who are interested in improving their web application security knowledge and skills.

Pre-requisite knowledge and technical requirements

A participant must have Java programming experience and knowledge of SQL databases. Knowledge of the Spring framework is beneficial.

A participant will require access to an Internet-connected computer for the duration of the course. All software used in this module is open source. The list of required software includes IntelliJ IDEA (community edition) or another Java IDE, MySQL Server or MariaDB, and MySQL Workbench. Further information about required tools will be provided closer to the start date.

What you’ll learn

On successful completion of the course a participant will be able to:

  • Use key security terminology associated with the topics covered
  • Choose (with justification) appropriate security countermeasures
  • Secure data in transit and at rest
  • Implement authentication and authorisation in a web-application
  • Prevent CSRF, XSS and SQL injection attacks
  • Prevent information leakage, and direct object reference vulnerabilities
  • Secure a database system
  • Penetration test web-applications
  • Write a penetration test report.

Topics covered

  • Cyber security key concepts and terminology
  • Encryption and hashing, and their applications
  • OWASP Top Ten
  • Common web-application vulnerabilities and countermeasures
    • Effective logging and monitoring
    • Prevention of information leakage
    • User input validation
    • Authentication and authorization
    • Insecure direct object reference vulnerability
    • Injection vulnerabilities, including SQL injection
    • CSRF
    • XSS
    • Encryption in transit and at rest
    • API security
    • Database systems security
  • Penetration testing procedure and tools.


How will the course be delivered?

This is a 5-week online course which consists of weekly live sessions and asynchronous learning activities. The suggested weekly time commitment is 1 day per week (5-7 hours), including 2 hours of live sessions and 3-5 hours of guided study following the provided material and tutorials.

The course is delivered remotely.

Live sessions will take place on Thursdays 2-4 pm. The live sessions will include practical demonstrations of the vulnerabilities and countermeasures taught, as well as group discussions and Q&A/help sessions.

Independent study may be undertaken at a time convenient to participants and at their own pace. All supporting teaching material will be provided.

An online forum for participants will be available for the duration of the course and will allow participants to discuss questions with each other and with the course leads.

The course material will be accessible for 3 months after the taught sessions.

At the end of the course, knowledge will be assessed via an optional online knowledge test. A certificate of attendance and of successful completion will be provided at the end of the course.

The course is delivered in English.

CPD course delivery team

Dr Yulia Cherdantseva is a Lecturer in cyber security at the School of Computer Science & Informatics at Cardiff University and a cyber skills lead at the Cardiff Centre for Cyber Security Research. Yulia worked as a lead researcher on the project “Supervisory Control and Data Acquisition Systems Cyber Security Lifecycle (SCADA-CSL)” funded by the Airbus Group Endeavr Wales and the Welsh Assembly Government, where she developed a novel SCADA Cyber Security, Safety and Risk (SCADA CSSR) graphical extension for BPMN 2.0 and a configurable dependency model of a SCADA system. In 2020-2021, she led an NCSC and RISCS funded project about cyber-security decision-making by SMEs which resulted in the development of the Best Practice Guide for SME in Cyber Security Investment Decision-Making. In 2021, she was awarded an EPSRC grant for developing a framework for risk-informed and metrics-enriched cyber security playbooks for enhancing CNI resilience. As a cyber skills lead, Yulia is interested in cyber security education from the primary school up to professional development level. Since May 2021, Yulia has been a member of the CyBOK Executive Board. Yulia is passionate about equality, diversity and inclusion in cyber security.

Dr Philip Smart received his PhD in Computer Science from Cardiff University in 2009. After working as a researcher in the field of Geospatial Ontologies for three years, he spent a further eight years at Cardiff University as a senior developer developing bespoke Identity and Access Management systems. For the past 2 years he has been working for Jisc as a Trust and Identity Technical Specialist offering various consultancy services. Two days a week he works for the Shibboleth Consortium, helping develop the Security Assertion Markup Language (SAML) based single-sign-on product, Shibboleth.

We offer a gateway for businesses to access the wide range of expertise available within Cardiff University.