Disclaimer for Students: This is an advanced lecture about the security of modern web applications. It is recommended to have taken at least CySec1, CySec2 or Security. In addition to covering new advanced concepts, this lecture will thoroughly test your hands-on skills, asking you to write lots of code, read someone else's source code, finding vulnerabilities, writing working web exploits, and patching code. If you are looking for easy 6CPs, this lecture is not for you.


This lecture will teach you how to build secure web applications and do security assessments, covering both theory and with lots of hands-on practice. In addition, this lecture intends to cultivate a positive, ethical, and responsible mindset in vulnerability management, from hunting to reporting.


The theory of this lecture will cover in details the following topics:

  • Secure software engineering
  • Security assessment and security testing
  • Building blocks for secure modern web applications
  • Plenty of non-trivial vulnerabilities and exploitations

Practice: the SWD Competition

Throughout the lecture, you will apply these concepts in the SWD Competition. Participation is mandatory. Teams will develop an entire web application and get scored based on the specs’ adherence. Then, teams will search for vulnerabilities, create working exploits, and write vulnerability reports. Teams are scored based on the number of confirmed vulnerabilities. Finally, students will address reports by patching their code, and scoring is based on the number of fixed vulnerabilities.

Apart from testing students’ technical skills, the SWD Competition fosters a positive, ethical, and responsible culture about vulnerability management. Teams will be rewarded for creating high-quality vulnerability reports and interacting with one another respectfully when disclosing vulnerabilities.

SWD vs. FoWS

Foundations of Web Security (FoWS) covers the fundamental security problems that are prevalent on the Web as well as security mechanisms to mitigate them. A particular focus lies on the offensive side of web security, whereas defense mechanisms merely need to be added to stop the attacks.

In contrast, SWD is focussed on architectural and engineering aspects of secure web applications, including secure coding, secure architectures, security testing, code review techniques and secure full message processing pipelines.

You can take both courses at the same time, but neither requires the other to follow the lecture material.


Registration via the CISPA’s Course Management System.