This past spring I attended the SANS2013 Conference at the Marriott World Center in Orlando, to sit for their DEV522 class: Defending Web Applications Security Essentials.  This class is meant to prepare the student for the GIAC Certified Web Application Defender (GWEB) Certification exam.


This was the second SANS event that I’ve attended.  The first was SEC401, to prepare for my GSEC certification.  I was so impressed with the training and the event, I knew that I would be back.

Upon arrival at SANS2013, I checked in and was issued my bag of six books, one for each day.  The DEV522 class was much smaller than the SEC401 class that I took in 2011.  It was taught by Johannes Ullrich and the courseware was written by Jason Lam.  The OWASP Top 10 is the core around which the entire course is built.  Labs were scattered throughout the coursework to drive home concepts and test your ability and understanding of the topics.

With my background in web development, nothing was “ground breaking”, but everything was interesting nonetheless.  I never felt bored.  I would definitely recommend it to other Application Architects and Developers.

The course lasted six days, all day, except for the final day.

Studying/Preparations for the Test

Surprisingly, during the DEV522 class, I took few notes.  But there were times throughout the course that I “picked up on” the significance of a topic from the instructor.  In these cases, I made notes in the margin and/or highlighted the terms to further research.

After SANS2013, I began a formal indexing of the books.  Each day, I would try to work through approximately half of a book, adding all keywords and topics into an Excel spreadsheet.  In addition to referencing the book and page number of each topic, I would add notes that could be useful for quick reference.  Alongside the detailed index, I created a basic table of contents of the six books.  Once completed, my detailed index was 32 pages and the table of contents about five.  The image to the right shows the difference between this course’s courseware (on left) and SEC401 (on right).

SANS also provides MP3s of the course.  In the case of DEV522, the audio was of Jason Lam teaching the course.  So on my daily commutes and while at the gym, this is what I listened to.  Honestly, many of the topics were more easily understood by Jason’s teaching.  All in all, the audio was very useful.

Like I did with the GSEC test, I bound all of my indexes in a three-ring binder along with some of the following cheat sheets:

I did not repeat any of the labs in preparation.

Practice Tests

Once I felt reasonably confident in my organization of the information, I took a practice test via the SANS website.  The SANS practice testing interface is essentially the same as the actual test.  The only difference is that during the actual test, you are not provided explanations when you answer a question incorrectly.

My goal was that if I scored an 85 or above on my first practice test, I would immediately schedule the actual test.  I ended up scoring an 80%.  During the test I made sure to note topics that I needed to study or understand further, and to annotate shortcomings in my indexes.

A few days later I took the second practice test and scored a 90.67%.  It seemed like the second practice test repeated about 20-30% of the questions from the first.  Seeing this, I figured I had this test in the bag, so I scheduled the test.

Actual Test

After signing into the testing center, I sat down and began the test.  I went through the first 10 questions or so, and not a single question repeated from the practice tests.  This proved true for the entire test, showing that SANS needs to add more questions to their practice test pool.

I finished the test in just under two hours, scoring a 90.67%.  Believe me, this test is not easy.  You either know the topics or you don’t.

Unlike some of the other GIAC tests, which are just facts, this test evaluates your knowledge and understanding of what is taught.  There are many “situational” type questions that give you a big-picture overview of a scenario and you have to pick the best answer, taking cost and benefit into account.  Most of the questions I didn’t have to look up, but I often did, just to validate my understanding of a concept.

Of all of the preparation that I did, the following is my ranking of value (to me):

  • 10 – DEV522 Course: The class is well worth it.  You can do it online or in person.  I’d recommend the latter.
  • 9 – DEV522 MP3s: While not adequate as a substitute for the initial course, they were excellent for review and for hearing another instructor teach the same material.
  • 9 – Practice Test #1: The first test really shows you how well you prepared.
  • 8 – Detailed Index: While not as valuable as in other courses, it still got used.
  • 8 – Cheat Sheets: I used every one listed above, except the OWASP ones.
  • 5 – Practice Test #2: While beneficial, it repeated far too many questions to be critical.
  • 1 – Table of Contents: Used once, during one practice test.
  • 0 – OWASP Publications: The coursework covers them more than enough to prepare for and take this test.

My advice to others interested in the GWEB exam: ensure you have an enterprise-level understanding of the web application environment before attempting this test.  A developer who works in a vacuum, or security personnel without any programming experience, are going to have a tough time.

The class was definitely worth the time.  I think it sets the stage for my next SANS class, SEC542 Web App Penetration Testing and Ethical Hacking.

8 thoughts on “Earning my GWEB Certification – SANS2013 and Test Prep”

  1. Fantastic study guide here. I am taking the GWEB, my first SANS test, next week and I have done most of this so far. I’ve got my basic table of contents of the books done, all the quizzes are done and passed, cheat sheets prepped and ready to go. I’m currently working on my detailed index, but it’s not nearly as complete as I would like. Would there be any chance of getting a copy of your detailed index?

    1. I would think doing so would violate the code of ethics. Regardless, the act of creating the index itself is worth the effort. It gives you that secondary review of all of the material; at your own pace, instead of the race through it during the SANS event.

      1. Ah, I guess I didn’t look at it from a violation of ethics, more of a sharing of knowledge. But I see where you are coming from, no worries. Once again, thanks for sharing your thoughts on the test here. It has been useful nonetheless.

  2. Had my test yesterday and I killed it. Well, not as much as you did, but I passed with an 85. Thanks again for the study guide here.

      1. I echo many of the things you said here. The test was not just a regurgitation of stuff in the books. You really had to know how to apply the concepts, not just “page 42 of book 3 says the answer is CSRF”. I used several of the Quick Reference sheets you listed here; the IPv6, HTML Status Codes and the RegEX, if I recall correctly. I ended up combining my basic ToC and my detailed index into one document and that served me pretty well. It ended up around the 22 page count. That let me quickly find sections in the books if I was waffling between two of the answers.

        And to reflect on your “Summary” section, I would say that I think it’s pretty spot on, with one exception. The MP3s were fairly useless to me. I took the class online and it was the same audio with PowerPoint slides and some video thrown in. But the class was great and I really learned quite a bit.

  3. This is a very good review of DEV522. I took this course too, and I found it boring. The course covered the highlights of the OWASP Top 10 but it was not taught in detail.
    My MP3 was from Johannes Ullrich. I would love to listen to Jason Lam’s MP3. BB

  4. Hi,
    This is a wonderful write-up and great assessment. Number 59x here. I found this to be a pretty challenging class and a tough test. Harder than SANS 542 and 642 in fact. I have very little development experience other than scripting and a bit of Python. You were spot on with the last statement. I worked the hardest, passed scoring poorly, but learned the most of any of my other certification endeavors. Well worth the effort as it put a lot of things together for me. Jason was funny, engaging and very sharp on the self-study audio.
