This 4-day course aims to provide web application developers with an understanding of application security issues and attack vectors, and the skills necessary to code defensively against web attacks. We will show how hackers can abuse a web application, and what developers can do to prevent this. In addition, we show how developers and testers can test their own applications in order to determine if they are susceptible to web application attacks. The material would also be of interest for software testers (QA); system, network and database administrators; software, network and system architects; Information Security personnel; and Compliance Officers (Privacy, SOX, PCI, etc.) Although we use Java and .NET examples throughout, the material in the main tends to be platform agnostic. The idea is to teach the fundamental concepts which can be applied no matter the web application development language being used. We will concentrate on platform-specific security issues on Day 4, and will spend some time on Microsoft ASP/.Net, Java, PHP and Ajax. We can address specific platforms used by students if requested. In each area, the course covers theoretical foundations, common implementation pitfalls, details on historical exploits, suggested security policies, implementation best practices, and pseudo-code examples.