Secure Web Development (Giancarlo Pellegrino, Cristian-Alexandru Staicu)


Secure Web Development

Disclaimer: This is an advanced lecture about the security of modern web applications. It will thoroughly test your hands-on skills: you will write lots of code, read someone else's source code, find vulnerabilities, write working web exploits, and patch code. It is recommended to have taken at least CySec1, CySec2 or Security. If you are looking for easy 6 CPs, this lecture is not for you.


This lecture will teach you how to build secure web applications and how to do security assessments, covering both theory and lots of hands-on practice. In addition, this lecture intends to cultivate a positive, ethical, and responsible mindset in vulnerability management, from hunting to reporting.


The theory part of this lecture will cover the following topics in detail:

  • Secure software engineering, security assessment, and security testing
  • Building blocks for secure modern web applications: web authentication, web authorization, handling inputs, application logic, and more.
  • Plenty of non-trivial vulnerabilities and exploitations

Practice: the SWD Competition

Throughout the lecture, you will apply these concepts in the SWD Competition. Participation is mandatory.

The SWD Competition is a BIBIFI (build-it, break-it, fix-it) competition centered on web application security and vulnerability discovery and reporting. The competition is divided into three phases: the build-it, the break-it, and the fix-it phase.

  1. Build-it Phase: During the build-it phase, teams develop an entire web application following the docs and specs that we provide. Teams are scored on how closely their application adheres to the specs.

  2. Break-it Phase: During the break-it phase, teams search for vulnerabilities in each other's web applications. Teams create working exploits and write high-quality vulnerability reports. Teams are scored on the number of confirmed vulnerabilities.

  3. Fix-it Phase: During the fix-it phase, teams address the reports submitted by other teams by patching their code. Scoring is based on the number of fixed vulnerabilities.

Apart from testing students’ technical skills, the SWD Competition fosters a positive, ethical, and responsible culture about vulnerability management. Teams will be rewarded for creating high-quality vulnerability reports and interacting with one another respectfully when disclosing vulnerabilities.

For more details about the rules, timeline, scoring, how-tos, and past editions, visit

Seats and Registration

Given our limited resources, the maximum number of seats for this lecture is 40.

Admission is on a first-come, first-served basis. We strongly recommend that students have taken at least CySec1, CySec2 or Security.

Registration will open soon. However, if you are really motivated to take this lecture, send an email to the lecturers asking to be put on the notification list. We will send an email the moment registration opens.

Important Dates

  • Registration: [TBD]
  • Lectures on Wednesdays, 14:00-16:00 (Calendar [TBD])
  • Exam: [TBD]
  • Re-exam: [TBD]
