The GWEB Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings introduces Greg Ciampa, Chief Technology Officer at KirkpatrickPrice. The conversation centers on secure application development and Greg’s GWEB certification. Before exploring security concepts, Greg shares his background—from starting as a developer in financial services to growing into leadership roles through hands‑on experience. He explains that while college provided foundational knowledge, most of what he relies on today was learned on the job due to the rapid pace of technological change.
What Is the GWEB Certification?:
GWEB is a cybersecurity certification issued by the SANS Institute. It focuses on the skills required to build, secure, and defend web applications—covering both development and security concepts. Greg explains that GWEB is designed for those who create or maintain applications, as well as those responsible for preventing attacks against them. Because web applications are central to businesses today, the certification strengthens an organization’s ability to safeguard sensitive data.
What Are Web Applications?:
Web applications are tools accessed through a browser on any device connected to the internet. Examples include email platforms, online banking portals, and KirkpatrickPrice’s own Online Audit Manager. These systems store and process sensitive data, which makes securing them essential. Greg emphasizes that because we all rely heavily on web‑based tools, attackers frequently target them.
Why Does Web Application Security Matter?:
Web applications store personal and business‑critical information. Protecting this data is essential to prevent unauthorized access, theft, manipulation, or misuse. As more services migrate online, attackers continually develop new ways to exploit vulnerabilities. Greg highlights that defending applications is not optional—security must be built into the development lifecycle to keep pace with evolving threats.
Foundational Principles of Securing Web Applications:
Greg explains several key practices that developers and organizations must follow to protect their applications.
Access Control:
Only authorized users should have access to specific information. For example, within an audit platform, only individuals associated with a company should be able to view that company’s data. Access must be managed consistently as employees join or leave the organization.
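The company-scoped rule described above, as an added example that is not code from the episode or from KirkpatrickPrice’s platform. The users, companies, audit records and function names are constructed for illustration; the point is that access is decided on the record being requested and that removing a membership is the revocation.

```javascript
// Added example (not from the episode): company-scoped access control for an
// audit platform, modelled on the rule "only people associated with a company
// can view that company's data". All users, companies and audit records below
// are constructed sample data; function names are illustrative.

// Constructed audit records, each owned by exactly one company.
const audits = new Map([
  ["A-100", { id: "A-100", companyId: "acme", title: "SOC 2 Type II 2024" }],
  ["A-200", { id: "A-200", companyId: "globex", title: "PCI DSS 2024" }],
]);

// Constructed membership table: which users belong to which companies.
// Membership is the only thing that grants access, so deleting a row when an
// employee leaves revokes access immediately, with no second list to forget.
const memberships = new Map([
  ["alice", new Set(["acme"])],
  ["bob", new Set(["globex"])],
  ["carol", new Set(["acme", "globex"])], // e.g. an auditor on both engagements
]);

function isMember(userId, companyId) {
  const companies = memberships.get(userId);
  return companies !== undefined && companies.has(companyId);
}

// Object-level check: decide on the company that owns the *record* being
// requested, never on a companyId the request itself claims.
function canViewAudit(userId, audit) {
  return isMember(userId, audit.companyId);
}

// Deny-by-default lookup: an unknown id and an unauthorized id both return
// null, so the response does not reveal whether another company's record exists.
function getAudit(userId, auditId) {
  const audit = audits.get(auditId);
  if (!audit || !canViewAudit(userId, audit)) return null;
  return audit;
}

// Offboarding or reassignment: removing the membership row is the revocation.
function removeFromCompany(userId, companyId) {
  const companies = memberships.get(userId);
  if (companies) companies.delete(companyId);
}
```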
Input Validation and Sanitization:
Developers should never trust user input. Attackers may insert malicious code into fields intended for normal data entry. Cross‑site scripting (XSS) is a common example where harmful scripts are injected into web pages. Validating and sanitizing all input reduces the risk of these attacks.
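The validate-and-encode approach above, as an added example that is not code from the episode. It places an unsafe render that concatenates raw input into HTML beside a hardened version that checks a form field against an allowlist and HTML-encodes it on output; the field name, the regular expression and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the episode): "never trust user input" applied to a
// single web form field. The field ("company name"), its allowlist and the
// sample inputs are constructed for illustration.

// Constructed inputs: what a normal user types, and a classic script-bearing
// value of the kind an attacker submits into an ordinary text field.
const NORMAL_INPUT = "Acme Corp";
const HOSTILE_INPUT = '<img src=x onerror="alert(1)">';

// Vulnerable: raw input lands inside the page as markup, so any tag or event
// handler the user supplied becomes part of the document (stored/reflected XSS).
function renderGreetingUnsafe(companyName) {
  return "<p>Audit for " + companyName + "</p>";
}

// Hardened step 1: validate on input. A company name is limited to a small
// allowlist of characters and a sane length; anything else is rejected rather
// than "cleaned up", so the rule stays easy to reason about.
const COMPANY_NAME_RE = /^[A-Za-z0-9 .,&'-]{1,80}$/;
function validateCompanyName(value) {
  return typeof value === "string" && COMPANY_NAME_RE.test(value);
}

// Hardened step 2: encode on output for the HTML element context, so even a
// value that reached the page by another path is displayed as text, not run.
// "&" is replaced first so later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Both layers together: reject what the field should never contain, and
// encode what it legitimately may contain (apostrophes, ampersands).
function renderGreetingSafe(companyName) {
  if (!validateCompanyName(companyName)) {
    throw new Error("rejected: company name fails validation");
  }
  return "<p>Audit for " + escapeHtml(companyName) + "</p>";
}
```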
Automated Security Checks:
After earning his GWEB certification, Greg implemented automated security testing early in the development process. This allows vulnerabilities to be identified before code reaches production rather than after issues impact users. Catching vulnerabilities early reduces risk and saves time.
How Penetration Testing Supports Application Security:
Greg notes that penetration testers are valuable partners to developers. Pentesters use the same techniques as attackers but with the goal of identifying weaknesses before malicious actors exploit them. Their findings allow developers to fix vulnerabilities proactively, strengthening the overall security posture of an application.
How AI Helps—and Hurts—Application Security:
AI is increasingly used in software development, but it introduces both opportunities and risks. Greg explains that AI can help automate repetitive tasks and support developers, but it can also generate insecure code if used carelessly. Developers must remain responsible for their work by performing code reviews and running automated security scans. AI is a tool—not a replacement for expertise or oversight.
Tips for Everyday Users of Web Applications:
Greg offers practical advice for individuals to protect themselves and their organizations:
Use Strong Passwords and Multifactor Authentication:
These remain some of the most effective defenses against account compromise.
Stay Alert for Phishing Attempts:
Some phishing emails are obvious, while others appear legitimate. Slowing down, verifying unexpected requests, and avoiding impulsive clicks can prevent compromise.
Be Cautious Across All Platforms:
Whether using email, LinkedIn, Facebook, or workplace applications, awareness is key. Attackers rely on urgency and familiarity to trick users.
Why Awareness and Training Matter:
Both leaders and technical teams must constantly educate themselves. As attackers evolve their methods, staying current becomes essential. Greg emphasizes that training helps teams recognize threats early, maintain secure practices, and embed security into everyday thinking.
Final Advice for Strengthening Application Security:
Greg encourages organizations to focus on foundational security practices: enforcing strong passwords, enabling multifactor authentication, implementing access controls, and conducting regular training. While technology continues to evolve, the basics remain some of the strongest defenses. He reminds listeners that security is a shared responsibility—and growth comes from continually learning about new risks and adapting accordingly.
Notes
Web applications are one of the most attacked surfaces today. Is your team prepared to defend them? In this episode, Greg Ciampa, Chief Technology Officer at KirkpatrickPrice, breaks down the GWEB certification and who it’s designed for, from developers to security professionals who build, maintain, and protect web applications. Tune in to learn why this certification could be a smart move for strengthening both your skills and your organization’s security posture.
Learn more about the certification
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. Join Our Cybersecurity Mission. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.
Ready to strengthen your security and compliance posture? Connect with an expert today and learn how we can help you meet your toughest goals.