Finding vulnerabilities in real applications through a web application security assessment class 

The Web Application Security Assessment class in the UC Berkeley School of Information’s Master of Information and Cybersecurity (MICS) program offers students an opportunity to gain hands-on experience with penetration testing of real Berkeley campus applications. Offered for the first time in the summer of 2022, the class combines lectures and testing to find vulnerabilities in web application security. 

This class’s hands-on approach benefits not only students, but also the campus application owners and developers. The testing portion of the course begins when an app owner presents the functionality and features to the class, and then the class spends a few weeks testing. At the end, the students meet with the app owner again to present the detailed application vulnerabilities in a written report.  

Identifying potential vulnerabilities before they can be exploited helps to reduce the risk of sensitive data exposure and potential losses. In addition, an equivalent report from external consultants would be cost-prohibitive. The result is a win-win! 

Since app owners don’t always have a security background, some find out things for the first time.  

Working with the MICS students was a great experience. They found a handful of things that we missed in code reviews and a few things that we just plain missed. 

STEVEN HANSEN, Application Developer, University of California, Berkeley 

In addition, the students gain valuable skills, which add value to their resumes.  

This course was my first real deep dive into Web Application security testing. The real hands-on experience […] really helped grow my understanding of Web Application security. I have since used the practices I learned in this course to train others in my professional circle, and I’ve used the principles taught to argue for increased testing coverage of systems that I work with. All said, this is one of the most immediately applicable and useful courses I have taken in the MICS program. 

JACOB GLAD, Student University of California, Berkeley 

This hands-on course was the brainchild of three devoted professionals: 

  • Josh Kwan – UC Berkeley, Information Security Team 
  • Lisa Ho – Academic Director, Cybersecurity Program 
  • Jennia Hizver – Lecturer 

Josh recognized the need for additional help testing UC Berkeley applications and reached out to Lisa to discuss how they could partner to do real testing in a class format. They then worked with Jennia to create the syllabus. This hard work resulted in the first Web Application Security Assessment class.  

To learn more about the class, read the Web Application Security Assessment class overview. For questions about the class, please reach out to Lisa Ho:  

To read more stories about system-wide cybersecurity initiatives, program accomplishments, and goals for the future, please check out the 2022 UC Cyber Risk Program Annual Report. And, if you are a member of the UC IT community and have a story you’d like to share about a program or initiative you’re working on that pertains to cybersecurity across UC, please reach out by emailing


Wendy Rager
Wendy Rager
Manager, Cyber Risk Coordination Center
UC Office of the President