Training Delivery & Duration

  • Live Online / On-Site / Private Team Training
  • Theory and Hands-on Labs.
  • 2 Days (Core) - 3 Days (Advanced)

Web Application Security Essentials

Learn to identify, analyse, and understand real-world web vulnerabilities. This hands-on course, aligned with the OWASP Top 10 2025, empowers professionals to spot and assess security risks—human or AI-generated—before they reach production.


About this course

Course Overview

Modern organisations rely heavily on web applications, and attackers exploit their weaknesses daily.

As AI tools accelerate software development, code is being generated faster than ever before. Yet every line, human-written or AI-generated, still carries risk. This instructor-led course gives participants the knowledge and practical experience to recognise vulnerabilities, understand how exploitation works, and assess potential impact.

Aligned with the latest OWASP Top 10 2025, the course provides an in-depth exploration of each key risk, illustrated through demonstrations and guided labs.

Participants will learn how attackers think, how vulnerabilities are introduced, and how to recognise and validate them — preparing teams to collaborate effectively with developers and security engineers in future remediation work.

AI may change how we build applications, but not the need to understand how they break.

Why Take this Course?

  • Reduce risk by building security into every stage of your software lifecycle.

  • Identify vulnerabilities and misconfigurations before they reach production.

  • Improve compliance with frameworks like ISO 27001, PCI DSS, and NIST SSDF.

  • Gain hands-on experience in exploiting and remediating real-world vulnerabilities.

  • Learn directly from an internationally recognised instructor with deep industry experience.

Learning Objectives

After completing this course, participants will be able to:

  • Use the OWASP Top 10 as a reference for identifying, testing, and remediating web security issues.
  • Identify each category of the OWASP Top 10 2025 and describe how its vulnerabilities are exploited and the impact of exploitation.
  • Assess and prioritise risks introduced by both human-written and AI-generated code.
  • Demonstrate how exploitation occurs through hands-on labs.
  • Analyse each stage of the Secure Development Lifecycle (SDL) and its role in preventing vulnerabilities.
  • Collaborate effectively with development and security teams to ensure vulnerabilities are remediated before production.
  • Apply learned knowledge to validate code for security soundness.

Who Should Attend this Course?

  • Web developers and DevSecOps engineers.
  • Testers and QA professionals validating AI-assisted or human code.
  • Security analysts, auditors, and penetration testers.
  • IT managers and product owners accountable for application assurance.

Pre-requisites: Basic understanding of web technologies (HTTP, HTML, JavaScript). Basic coding experience required.

Course Outline

1. Introduction to Web Application Security
2. Technologies Used in Web Applications

3. Tools Used During the Course

4. Critical Areas in Web Applications - OWASP Top 10 2025

5. Broken Access Control (A01:2025)

6. Security Misconfiguration (A02:2025)

7. Software Supply Chain Failures (A03:2025)

8. Cryptographic Failures (A04:2025)

9. Injection (A05:2025)

10. Insecure Design (A06:2025)

11. Authentication Failures (A07:2025)

12. Software or Data Integrity Failures (A08:2025)

13. Logging and Alerting Failures (A09:2025)

14. Mishandling of Exceptional Conditions (A10:2025)

15. Capture-the-Flag (CTF)

Format

Our Web Application Security Essentials course offers a dynamic, hands-on learning experience led by internationally recognised instructors. Combining real-world examples with interactive sessions, it balances theory and practice to help participants understand how web vulnerabilities arise and are exploited.

You will begin by exploring common web application vulnerabilities before gaining access to a purpose-built lab environment containing the bugs and coding errors discussed in class. This provides an ideal, safe setting to observe and exploit these vulnerabilities using open-source tools and techniques, bridging the gap between theory and real-world practice.

This practical approach builds the confidence and analytical skills needed to identify and assess security risks effectively. Sessions encourage active participation, group discussions, and collaboration, allowing you to share insights and learn from peers across disciplines.

What is included?

  • One year of complimentary access to the digital course materials via the Cycubix Academy
  • Certificate of Participation
  • Post-course support and reference guides

Levels

SECWASE-01 Fundamentals (1 Day) – Introduces web application security principles and the OWASP Top 10:2025, building essential awareness of key risks.

SECWASE-02 Core (2 Days) – Develops practical skills to identify, assess, and analyse vulnerabilities through guided, hands-on labs.

SECWASE-03 Advanced (3 Days) – Examines emerging and AI-generated vulnerabilities, concluding with a Capture-the-Flag (CTF) challenge.

Team Training with Cycubix

Instructors

The minds behind the course

Fabio Cerullo

Senior Official ISC2 Authorised Instructor for CISSP, CCSP, CSSLP and SSCP

Fabio Cerullo, CISSP, CCSP, CSSLP, SSCP, is the Managing Director of Cycubix Ltd., where he leads cybersecurity consulting, compliance programs and professional training services for organisations across a wide range of industries. His work spans secure engineering, cloud security and guidance on major regulatory and certification requirements including ISO 27001, SOC2, FedRAMP, NIS2, PCI and GDPR.

He also serves as an ISC2 Senior Authorised Instructor, delivering advanced courses that help security and engineering teams build practical skills in cloud security, software security and information risk management. His cloud expertise is reinforced by his AWS Certified Solutions Architect and AWS Security Specialty certifications and hands-on experience advising organisations on secure architecture and cloud-native security practices.

He is an active contributor to the OWASP Foundation, regularly providing training, speaking at industry events and supporting community initiatives focused on modern application security. He volunteers as a Google Summer of Code administrator, mentoring new students into the cybersecurity field and guiding them through their first contributions to open source security projects.

Originally from Argentina and now based in Ireland, he holds a master’s degree in computer engineering. His interests include emerging technologies, with a particular focus on AI risks and secure AI engineering. Outside of his professional work he enjoys spending time with his family, running outdoors, and actively supporting initiatives that aim to make high-quality cyber-security education accessible to a broader audience.
