Is your web application easy to hack using common attacks?

  • Do you have any idea how many files you send to the user are modified in transit?
  • When a user logs in, do you know if they are impersonated by an attacker?
  • Are you performing access control checks at the right places, with the right data?
  • Are you fully aware of the devastating effects of XSS, regardless whether it's stored or reflected?

Learn how to minimise your exposure by protecting 4 key areas of your web applications

Register now, and get two YubiKey authentication keys for free!

Web Security Essentials

November 20 - 21, Leuven (Belgium)

Day 1

Registration and Welcome coffee

The modern web security landscape

Coffee break
Coffee break
End of day 1

Day 2

Welcome coffee
Coffee break
Coffee break

Fitting security into an application architecture

End of day 2

Registration includes two free YubiKey USB authentication keys!

Major sites like Github, Facebook and Google already support FIDO U2F. Thanks to a sponsorship deal with Yubico, you will get hands-on experience with these hardware keys in this course. And the best part? You get to take them home afterwards!

I would recommend the Web Security Essentials training to all web developers and architects: the balance between the slide sessions and the practical labs made the course a joyful full-immersion in the security field.

Nicola Di Giorgio, Software Architect/CEO, PREGIOTEK sprl

Key Area 1

Keep your business private by securing the communication channel

In the modern web, end users have gone mostly wireless, which is wonderful for usability, but quite worrisome for security. Compared to the wired days, both passive and active network attacks have become easy to execute, and difficult to detect. In essence, without a full HTTPS deployment, the communication channel can no longer be considered private, and can no longer be trusted.

How much sensitive information is up for grabs to an eavesdropper?

Is there an attacker sitting in the middle, with the ability to carry out a dangerous SSL Stripping attack?

Today, simply deploying HTTPS is no longer sufficient. You need to move all of your content to HTTPS, and deploy additional security policies to establish a secure end-to-end communication channel. In this session, you will learn:

  • why a partial HTTPS deployment can easily be undermined by easy-to-execute network attacks
  • how to leverage the latest security technologies, like HSTS, to prevent attacks such as SSL Stripping
  • how to deal with mixed content, the number one issue when switching from HTTP to HTTPS
  • best practices for deploying HTTPS correctly, and verifying your deployment with automated tests

Key Area 2

Confirm your user’s identity with strong authentication

Billions of users have lost an online identity in a data breach, making their account details and personal information publicly available. And while the effects of a data breach of one application can already be devastating, it becomes a true nightmare if an attacker starts re-using stolen credentials to impersonate the user elsewhere.

Are the credentials you store easily retrieved in the event of a breach?

Does your application leak information, thereby exposing you to targeted brute-force attacks?

By protecting the user management flows in your application, you can effectively protect your user's identities, even in case of a potential breach. In this session, you will learn:

  • how your applications can effectively help users to improve their security practices
  • about common attacks against user management flows that occur in most applications
  • how to integrate effective countermeasures that neutralise these common attacks
  • about the benefits of multi-factor authentication, and practical ways to integrate this in your applications

The gained knowledge and skills are directly applicable, and immediately shared with colleagues. This training has changed the way we work and affected the security of our product.

Sam Verschueren, Lead Software Engineer, Pridiktiv NV

Key Area 3

Avoid authorization bypasses by locking down your sessions

Authorization bypass attacks are so common that they are covered by 4 items in the OWASP top 10. Coincidentally, various built-in session management mechanisms need additional tweaking to be secure. And because of the nature of the web, an attacker can launch such attacks from within the user's browser, thereby targeting internal systems on private networks, such as intranet applications, routers, printers, etc.

Are your session identifiers or session objects vulnerable to common attacks?

Does your backend know if a user intended to perform an action, or is it vulnerable to CSRF?

Avoiding authorization bypasses depends on making access control decisions with trusted data. In a web context, this means that everything coming from the client is considered untrusted, even the existence of the request itself. In this session, you will learn:

  • why almost all built-in session management mechanisms are vulnerable to common attacks, and how to fix them
  • how to add intent to requests coming from the browser, allowing the backend to prevent harm being done by uninentional requests
  • how to correctly move from server-side session management to client-side session management, either with cookies or with tokens
  • why Direct Object References can be insecure, and how to prevent this common vulnerability in your application

Key Area 4

Refuse to be compromised and neutralize code injection attacks

Cross-Site Scripting (XSS) vulnerabilities. Google has them. Facebook has them. Your application has them. XSS vulnerabilities are so severe, that bug bounty programs have turned it into a million dollar business. The main reason that XSS is so dangerous, is because it gives an attacker full control over a user's context, allowing him to access private data, make requests to the backend, ...

Do you correctly encode your untrusted data, or are you vulnerable to XSS attacks?

Do you know how Content Security Policy can help you neutralize XSS attacks?

Tackling injection attacks is a challenging task, regardless whether it's a new or an existing application. Fortunately, by adhereing to a few best practices, you can vastly improve the security of your application. In this session, you will learn:

  • first-hand which tremendous power you get by successfully exploiting an XSS vulnerability
  • why almost every web application is vulnerable to XSS attacks, and the only right way to stop them
  • how modern JavaScript frameworks can actually make the problem a bit easier to solve
  • how to leverage the power of the recent Content Security Policy, and how to overcome common deployment problems

The November 2017 edition of the course is fully booked.

Subscribe to our mailing list to be notified when the next edition will be held

You can find more information about upcoming events on our site

I'm also really grateful for the excellent hand-outs, providing concise but complete information presented in a way that helped me a lot to better understand the more advanced web security mechanisms.

Stefan Eestermans, ICT Security Consultant, Optaris sprl

Practical Information

Do I really get two YubiKey 4 USB authentication keys for free?

Yes! Because we strongly support multi-factor authentication, we have asked Yubico to sponsor the Web Security Essentials course. They generously donated 1 YubiKey 4 and 1 YubiKey 4 nano per attendee. That's a package worth $90! The only thing Yubico asks in return, are your professional contact details.

Don't worry if you're not comfortable sharing your information. You can still work with the YubiKeys during the lab sessions, you just don't get to take them home with you.

What do I need to participate in the lab sessions?

You will receive a VirtualBox image containing all required software and tools at the start of the training. All you need to bring is a computer capable of running VirtualBox VMs.

What course materials do I get?

The Web Security Training program of imec-DistriNet takes pride in its high-quality course materials. Both the slides used throughout the lectures, and the detailed guides for the lab sessions will be provided to you at the start of the training. You will a printed booklet, as well as a digital version.

What is the price?

The price for participating in the full course is € 1 000 excluding VAT. An Early Bird discount of € 100 is available for a limited period.

If you are a startup, you may be eligible for the Startup Discount Plan (see below). Every ticket includes course materials, coffee breaks, and lunches.

You can also get a discout via the KMO Portefeuille (see below)

What is the Startup Discount Plan?

The Startup Discount Plan offers startups a 50% discount on the price of the full course, giving them the possibility to take security into account from the get go. This discount is available to any company that meets all of the following requirements:

  • Is privately held
  • Has been in business for no more than 3 years
  • Is engaged in development of a software-based product or service
  • Is an established business with a website and/or existing public references on the Internet
    Please note that any recently registered affiliates of existing business entities and business entities that were incorporated as a result of any legal/business process (merger, acquisition, etc.) do not qualify for this discount.

If you want to benefit from the Startup Discount Plan, please provide us with documentation to show that you meet these critera (e.g. Memorandum of Association). You can reach us at After approval, you will receive a discount code which you can use to register for the course.

What is the KMO Portefeuille?

The KMO Portefeuille is an initiative of the Flemish government to cover a significant part of the fees for various courses. This initiative also covers the Web Security Essentials course.

If you want to benefit from the KMO Portefeuille discount, please contact us at You will receive detailed instructions to complete your registration.

How do I register?

Registration is handled by our internal registration system. Payments are charged to a credit card. If you need an invoice, make sure you select that option during registration.

Where will the training take place?

The training will take place at the offices of imec-DistriNet, located at the Department of Computer Science of the University of Leuven, Belgium. The full address can be found on the map below, and directions on how to get there are available here.

Endorsements of the Web Security Essentials course

100% of attendees recommend this course to colleagues and friends

Whether you’re a veteran or new, everyone in the industry should attend this training. Either the hands on sessions will be an eye opener on the dangers of failing security and you'll learn how to avoid creating security holes, or it’ll bring you up to speed on latest HSTS policy or CSP headers and properly protect your application using the latest standards.

Thank you Philippe for our in-depth and valuable talks!

Maarten Segers, Consultant, AMPLEXOR

Web security and application security are gaining mor and more attention. As a developer, you know what's going on, but since these domains are very broad, it is hard to see the full picture. We were not sure whether the Web Security Essentials was a good fit for our company.

Once the course started, these doubts vanished. The course is well-structured, and accessible for both frontend and backend developers. It changes the way you look at the development of web applications. Following theory sessions with hands-on labs creates an interesting combination. On top of that, you get a head start with the right tools to assess your own application. The gained knowledge and skills are directly applicable, and immediately shared with colleagues. This training has changed the way we work and affected the security of our product.

This training deserves a high recommendation. The course offers varied, up-to-date and detailed content. Security may still be low on the radar, but this 2-day training already makes a world of difference.

Sam Verschueren, Lead Software Engineer, Pridiktiv NV

As web architect, security is an important concern in the design and implementation of an application. However, I must admit, my knowledge on the subject was quite sparse as it was difficult to me to find a main reference on the subject.

For this reason I decided to join the Web Security Essentials training. The course allowed me to have a complete overview on the subject, understand the main security pitfalls, and use some of the most important tools to overcome them.

The awareness of the main security threats is key in my daily work with big companies and the course well addresses it via the presentations and the practical labs. I would recommend this training to all web developers and architects: the balance between the slide sessions and the practical labs made the course a joyful full-immersion in the security field.

Nicola Di Giorgio, Software Architect/CEO, PREGIOTEK sprl

Thanks for providing this course packed with very up-to-date information. I greatly appreciated the good balance between theory and hands-on labs which allowed me to gain a deeper understanding and new insights on web security measures to defend against current threats. I'm also really grateful for the excellent hand-outs, providing concise but complete information presented in a way that helped me a lot to better understand the more advanced web security mechanisms.

Stefan Eestermans, ICT Security Consultant, Optaris sprl

I was looking for information to get an idea of what kind of issues modern web applications face (or do not face), and how much an attacker needs to invest to launch various kinds of attacks. I do not believe such information can be obtained from high-level overview presentations. I was looking for a more hands-on approach, to get some experience with issues that managers often sweep under the rug as unimporant.

The course delivered on my expectations, not only by confirming that modern web applications face various threats, but also by clarifying that numerous threats depend on the level of freedom users have. Thanks to the Web Security Essentials course, I know have a better and more concrete understanding of what needs to happen to build a secure application.

Paul Valckenaers, Senior Researcher, UCCL