This course is designed to help you understand and address key web application security risks, so you can better evaluate your systems, contribute to safer practices, and guide your team in avoiding costly mistakes.

By the end of this course, you will be able to:

• Identify common reasons teams overlook security flaws in web applications
• Explain why security tools and policies are not always enough to prevent risk
• Recognize the structure and purpose of the OWASP Top Ten vulnerabilities
• Understand how unvalidated data and broken access control open systems to attack
• Evaluate real-world demonstrations of input validation, injection, and misconfiguration issues
• Apply secure thinking when reviewing authentication, encryption, and logging practices
• Spot vulnerable and outdated components and explain the risks they introduce
• Build stronger habits and technical practices for secure web application planning and review

If your team requires different topics, additional skills or a custom approach, our team will collaborate with you to adjust the course to focus on your specific learning objectives and goals. 

This technical overview course is intended for security analysts, DevSecOps team members, web developers, project leads, and application stakeholders who are involved in web application planning, architecture, review, or oversight. It is particularly useful for team members who do not specialize in secure coding but need to understand the risks that exist in real applications and how to mitigate them. No hands-on coding is required, but a comfort level with web system design, workflows, and technical discussion is recommended.

NOTE: If your class is hands-on, the demos can be done as labs designed to give light, hands-on exposure to core secure coding practices. While we’re using ASP.NET as the base language for the examples, no prior experience with ASP.NET is needed—just follow along. The focus is on learning key web application security skills, not on mastering the language itself.

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We'll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience skill level, interests and participation. 

1. Bug Hunting Foundation

Start with a clear understanding of what bug hunting is, why it matters, and how to approach it responsibly in real-world environments.

• Why Hunt Bugs?
• Safe and Appropriate Bug Hunting/Hacking

2. Exploring the OWASP Top Ten & Removing Bugs

Learn how to spot and respond to the most common and dangerous web application risks using the OWASP Top Ten as your guide.

• OWASP Top Ten Deep Dive (latest edition)
• Removing Bugs

3. Bug Stomping 101: What Makes Applications Break: The Essentials

Explore the most frequent application-level flaws and how to recognize unsafe patterns that lead to real vulnerabilities.

• Unvalidated Data
• Validation Analysis
• Broken Access Control
• Cryptographic Failures
• Injection
• Insecure Design
• Security Misconfiguration

4. Bug Stomping 102: Advanced Vulnerabilities and Harder-to-See Threats

Dig deeper into system-wide risks like authentication failures, outdated components, and logging gaps that attackers love to exploit.

• Identification and Authentication Failures
• Vulnerable and Outdated Components
• Software and Data Integrity Failures
• Security Logging and Monitoring Failures
• Server-Side Request Forgeries (SSRF)

5. Best Practices & What's Next

Wrap up with practical, team-ready strategies you can use right away to improve security awareness and reduce risk in your web environment.

• Quick Review of Best Practices
• AI and Web Application Security

Bonus: Web App Security Playbook

• Tip Guides, Cheat Sheets and other helpful resources