Timo Pagel | Web- and Cloud Security Training Expert

Security in Web Applications Basics


During this training, web developers will learn about the most common threats to web applications and what countermeasures can be taken. The open source project Juice Shop is used as an example application with deliberate vulnerabilities.

The concepts learned can be applied to any programming language and architecture.

Upon completion of this module, participants will:

  • Understand the importance of web security for businesses and organizations.
  • Have basic knowledge and methodological knowledge based on it suitable to perform a (simple) risk assessment of web applications as well as to be able to offer approaches for securing them.
  • Have understanding of the interplay between the software development process and security.

Train efficiently


  • Brief introduction to web basics
  • Basics of IT security
  • Web risks oriented to the 2017 OWASP Top Ten.
    • A1:2017-Injection
    • A2:2017-Broken Authentication
    • A3:2017-Sensitive Data Exposure
    • A4:2017-XML External Entities (XXE)
    • A5:2017-Broken Access Control
    • A6:2017-Security Misconfiguration
    • A7:2017-Cross-Site Scripting (XSS)
    • A8:2017-Insecure Deserialization
    • A9:2017-Using Components with Known Vulnerabilities
    • A10:2017-Insufficient Logging & Monitoring

Exercises consist of an attack part, where the threat is first learned by hands-on testing, and a defense part, where measures to reduce or defend against the threat presented or implemented.

If desired, technologies such as Keycloak, OAuth2.1, Open Policy Agent and other modern tools and methods can be used.

Target group

Anyone who has experience of development of web application for at least two years and for whom the following does not raise any questions:

HTML, HTTP, SQL, noSQL, database, browser


Learning by doing is one of the most important paradigms. More about the training methodology here.


Timo Pagel incorporates his knowledge from over 20 years in operations and development into his trainings. As a DevSecOps consultant, he not only advises at the strategic level but also lends a hand.

Arrange a free initial consultation