Web Application Security: Building an Offensive Testing Program with Cybersecurity Graduate Students

Tuesday, May 02 | 11:45AM–12:30PM PT | Regency Ballroom D-G, Second Floor
Session Type: Breakout Session
Delivery Format: Presentation/Panel Session

According to the 2022 Verizon Data Breach Investigations Report, 40% of all data breaches involved a web application attack. At the same time, hands-on web application security testing is resource-intensive and out of reach for many institutions on tight budgets, leaving many critical applications vulnerable to attack. Come learn about UC Berkeley’s innovative solution to this challenge, a partnership between the Information Security Office and the School of Information's Master of Information and Cybersecurity (MICS) Program, to provide offensive web application security testing services for campus business applications. Through their coursework, MICS students are authorized to launch attacks against real-world campus web applications. This invaluable learning strategy prepares them for cybersecurity careers while lowering our campus risk profile by providing actionable reports to campus application developers. During this session, we’ll cover all aspects of this program from inception to management and give you ideas for implementing a similar program at your institution.


  • Charron Andrus

    Associate Chief Information Security Officer, University of California, Berkeley
  • Allison Henry

    Chief Information Security Officer, University of California, Berkeley
  • Josh Kwan

    IT Security Analyst, University of California, Berkeley

Resources & Downloads

  • WebApplicationSecurityOffensiveTestingProgram_PresentationSlides

    Updated on 6/17/2024
  • WebApplicationSecurityOffensiveTestingProgram_Handout_SampleReportTemplate

    Updated on 6/17/2024
  • WebApplicationSecurityOffensiveTestingProgram_Handout_SyllabusCodeOfConduct

    Updated on 6/17/2024