background image


Learning Web Application Security


Finding great developers is very difficult; finding great developers who understand security and have technical, hands-on security skills is even harder. Figuring out where to start learning about security can appear intimidating, industry and media alike portraying security as a mysterious, dark underground world riddled with criminals, government agents and foreign spies doesn’t help. Security breaches are very costly, the average breach in 2018 cost was $4.74 million USD for Canadian organizations.

It is crucial that the developers of your applications and IT are technically capable of understanding security vulnerabilities and the implications of the risks to a business or organization. IT budgeting is typically tight, on average the security budget of an organization is 5.6% of the IT budget, maximizing your budget on training is essential, this article aims to provide you with a list of various training resources related to web application security.

In the cybersecurity world, there is a wide variety of training resources available; anyone with a desire to learn can get started right now and for free. There are many no-cost introductory and intermediate tutorials and intentionally vulnerable applications available, for organizations looking for hands-on training and with more budget, there is a large number of paid courses and training including online labs and in-person training ranging from $500 to $10,000+ aimed to meet the demands of any organization.

Free Introductory Readings

Packetlabs Vulnerability Series

We consistently write informative blog articles, roughly once a month we release a new post for our Vulnerabilities Series that seeks to explain a security vulnerability to a wide range of non-technical and technical audiences alike. Here are a few of our current vulnerability series posts:


The OWASP Top 10 is an industry-recognized document that represents the most critical security risks to web applications and is derived from a panel of experts from around the world. Being familiar with the OWASP Top Ten is a must for anyone who deals with web application security and is a great place to get started learning about vulnerabilities.

Top Free Hands-on Training

PortSwigger’s Web Security Academy

PortSwigger makes one of the most widely used, and arguably most popular and well-respected web application testing tools, Burp Suite. Recently PortSwigger launched the Web Security Academy which provides free training on web application security vulnerabilities, techniques for finding and exploiting bugs, and defensive measures to remediate vulnerabilities. At the time of writing, there are four in-depth vulnerabilities covered in the academy with new topics added regularly.

The academy can be accessed here.

OWASP’s Broken Web Applications Project

This project is a free collection of vulnerable web applications contained in a single virtual machine and is designed to appeal to beginners and seasoned, trained professionals alike. A number of the apps are real-world applications with real vulnerabilities; others are intentionally vulnerable applications designed to be realistic or used for training purposes. All the resources provided in the Broken Web App project are immensely valuable; below is a short list of the most popular resources contained in the project:

  • Damn Vulnerable Web Application (DVWA)

  • OWASP Mutillidae II

  • Google Gruyere

  • OWASP WebGoat

To find out more about the project visit the project page here.

OWASP Juice Shop

The Juice Shop is a modern, sophisticated intentionally vulnerable web application which features many of the OWASP’s Top Ten vulnerabilities, and even has a companion guide targeted at developers to help awareness, training and demonstrate security risks.

Available here.

SANS Institute

SANS is the industry recognized leader in providing security-related training regardless of which position or expertise you have. They have courses aimed at all levels of knowledge and positions. SANS courses can be taken online, or in-person. In addition to courses, SANS has additional resources including frequent webinars that are free to attend, regularly publish newsletters for keeping up to date and maintain mailing lists for community discussions.

Offensive Security

Offensive Security offers some of the best-valued courses, and arguably the most hands-on and most technical training available. While their coveted OSCP isn’t focused on web applications, many of the learning modules, lab machines and exam involve web applications. Recently they have launched their Advanced Web Attacks and Exploitation (AWAE) course and accompanying certification, OSWE. While not beginner friendly, it is an excellent course for those learning to take their web application security skills to the next level, the entire course and labs are based on source code reviews, which will benefit any developer.

Learn more here.

Honourable Mentions

  • Hack the Box, an online playground to improve technical security skills.

  • HackThisSite, a free and legal place to practice hacking web applications starting with fundamental challenges, scaling up to advanced challenges.

  • Pentester Lab, Hands-on labs and courses ranging from free to low-cost paid options.

How we can help

The Packetlabs team is composed of highly trained and experienced, ethical hackers that focus and excel at the discovery, exploiting, and chaining together multiple vulnerabilities that often are overlooked. Our team members have the highest regarded certifications in industry including the Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), GIAC Web Application Penetration Tester (GWAPT), and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certifications. Please contact us to learn more or speak to us about how we can help.