Training Program Catalog

This course describes general principles to think about for improving your deployment process, best practices for logging and monitoring, as well as different ways to defend the operating system, web server and the database.

After complicating this course you will understand attack surface reduction, compartmentalization, defense in depth, least privilege deployment, secure defaults and security incident response plans.

This course covers best practices for logging and monitoring, as well as security misconfiguration and mitigation techniques.

After completing this course you will understand application security patching processes, strategies for defense-in-depth, and mechanisms to ensure sufficient logging and monitoring.

Building a culture of collaboration between software development (Dev) and information-technology operations (Ops) is full of challenges and learning. The notion of DevOps requires a good understanding of complex technical problems and business needs at the same time. This course introduces learners to the philosophy and provides the fundamental knowledge needed to execute practices that shorten system development lifecycles and provide continuous delivery with high software quality.

After completing this course you will be able to:

• Understand the unique opportunities for including security in your DevOps pipeline
• Understand at which points in your development process—from architecture to deployment—you can improve security
• Automate security compliance and controls using a variety of open-source tools
• Identify opportunities for increased collaboration and better feedback loops

The usage of Commercial-off-the-shelf software (COTS) by organizations while advantageous comes with its own set of challenges and complexities. Unfortunately, it is rare for acquisition approaches to account for complex software supply chains; this course provides learners with an understanding of how to apply DevSecOps best practices to reduce software supply chain risks.

After completing this course you will be to:

• Employ acquisition strategies, contract tools, and procurement methods for the purchase of the software, COTS from suppliers
• Conduct a supplier review prior to entering into a contractual agreement to acquire the COTS
• Conduct an assessment of the COTS prior to selection, acceptance, or update
• Employ security safeguards to validate that the COTS received is genuine and has not been altered
• Establish and retains the unique identification of supply chain elements, processes, and actors for the COTS
• Establish a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements

As modern software development evolves, organizations are finding themselves leveraging Open Source Software to reduce costs, simplify operations, accelerate innovation, and improve interoperability. Adoption is expected to continue, but distribution and licenses allow anyone to use, view, modify, and share source code, which introduces new security vulnerability risks into the supply chain. This course provides learners with an understanding of how to apply DevSecOps best practices to reduce software supply chain risks inherent with the use of open-source software.

After completing this course you will be to meet compliance requirements while developing a DevSecOps mindset, including:

• Expanding the development teams use of dependency checking tools, including integration into the build process
• Ensuring application security teams implement security tests to audit select open-source software and components
• Establishing a build process that ensures the installation of the latest open software releases for operations teams migrating server platforms to containers
• Understanding the importance of monitoring repo feeds and CVEs, especially critical libraries such as OpenSSL that could affect many different products

Widespread adoption of cloud computing and DevOps have led to containers becoming the most popular and efficient way to deploy applications. However, containerization presents enterprise security risks that question existing security policies and compliance frameworks. This course provides a necessary understanding of known attacks required to improve the security of container application deployments.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• The importance of Identifying threats to containers and data in the DevSecOps framework
• Why containers are particularly susceptible to image vulnerabilities, and how to mitigate the threat by rebuilding images as part of security updates.
• How to validate external images to prevent malware, unintended functionality, functional bugs, or components with known vulnerabilities into your environment
• Securely encrypting communication channels to avoid man-in-the-middle attacks designed to extract image contents, compromise credentials used to access registries or tamper with images being sent to orchestrators

Zero-trust is a security concept that defines various practices and technologies that, when brought together, provide a multilayer security approach. Coverage in this course aligns with CISA Zero Trust Maturity Model. It will help you understand what zero-trust security is, why it is necessary, and which points an organization would consider when implementing a zero-trust architecture.

After you complete this course, you will have the knowledge needed to:

• Understand secure network strategy
• Identify strong versus weak security policy
• Identify common security-driven tools and methodologies.

Using a cloud Platform solves issues with distributed complexity and provides DevOps automation with a standard and centralized platform for testing, deployment, and production creating a complementary relationship between the two. This course provides learners with an understanding of how to align and configure AWS services to NIST Cybersecurity Framework (CSF) core functions to achieve security in the cloud.

After completing this course you will be able to:

• Implement inventory and configuration controls and services, including AWS Config, AWS CloudFormation, and Amazon Inspector
• Ensure Infrastructure Security using Amazon VPC, AWS WAF, Customer-controlled encryption and automatic encryption of all traffic
• Mitigate DDoS threats with Autoscaling, Amazon CloudFront and Amazon Route 53
• Encrypt data using AWS Key Management Services (KMS), Server-side encryption (SSE), AWS CloudHSM; and leverage EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift encryption features
• Meet Monitoring and Logging requirements using AWS CloudTrail and Amazon CloudWatch
• Use Identity and Access Controls to define, enforce, and manage user access policies with AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication and AWS Directory Services
• Understand AWS policies for customer Penetration Testing

Using a cloud Platform solves issues with distributed complexity and provides DevOps automation with a standard and centralized platform for testing, deployment, and production creating a complementary relationship between the two. Provides learners with an understanding of how to align and configure Azure services to NIST Cybersecurity Framework (CSF) core functions to achieve security in the cloud.

After completing this course you will be able to:

• Identify and manage the data, personnel, devices, systems, and facilities to meet the organization’s business objectives and risk strategy
• Protect assets and associated facilities by using Access Control, limiting access to authorized users, processes, or devices, and to authorized activities and transactions
• Protect data-at-rest and data-in-transit by leveraging security services such as Azure Storage Service Encryption, Azure Backup Data Encryption, Azure SQL Transparent Data Encryption BitLocker, Azure VPN Gateway
• Detect anomalous activity in a timely manner and understand the potential impact of events by using Azure Security Center, Advanced Threat Analytics, Design and Implementation for Active Directory (DIAD), SIEM integration and Cloud App Security
• Ensure response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events

Using a cloud Platform solves issues with distributed complexity and provides DevOps automation with a standard and centralized platform for testing, deployment, and production creating a complementary relationship between the two. This course provides learners with an understanding of how to align and configure Google Cloud Services to meet the NIST Cybersecurity Framework (CSF) core functions to achieve security in the cloud.
Upon successful completion of this course, you will have the knowledge and skills to:

• Use Identity and Access Controls to define, enforce, and manage user access policies with Google Cloud Identity and Access Management (IAM)
• Develop strategies for integrating security into your DevOps pipeline
• Use different strategies for securing pipeline resources
• Understand different methods for protecting secrets used in deployment applications

Building and maintaining quality software requires functional configuration management, but this is easier said than done in today’s day and age. This process involves automation, but minimizing errors while securely and systematically managing changes in systems is complicated. This course provides Systems Developers, Network Operations Specialists, System Administrators, and Systems Security Analysts with the necessary skills to consistently and securely manage environments.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Identifying and mitigating gaps in your current orchestration security policies
• Ensuring the coordination and consistency of security policies across the enterprise
• The importance of maintaining immutability of live container instances, ensuring that changes occur in the source control and are only deployed via new versions of the resource
• Understanding the role of third-party tools such as Clair, Actuary, and Anchore in testing Infrastructure-as-Code (IAC) and Configuration-as-Code (CAC) platforms

Modern application development, increasing speed-to-market requirements, and assuring application security have made automated security testing a top priority for many organizations. Automating Security Testing can be difficult and daunting, but incorporating into workflows can provide consistency, expedience, and ensure software quality. This course teaches learners to integrate the built-in strengths of DevOps within the security Testing process while adhering to security testing needs.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Understanding the importance of orchestrating secure system and service configuration
• Determining which types of automated tests should be performed at various stages of the software development lifecycle
• Creating policies that support simultaneous testing and building in keeping with DevSecOps secure software development
• Leveraging Information Security Continuous Monitoring (ISCM) tools to perform a broad range of tasks, including periodic security and vulnerability scans of all system components

Essential to keeping systems secure, reducing risk, introducing new or enhanced features, or improving compatibility, software updating can be challenging and resource-intensive. Automating this process eliminates routine tasks and frees up administrative time. This course introduces automation procedures for systems administration to effectively and efficiently manage IT software in adherence to functional and security requirements.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Employ automated mechanisms to implement changes to the current system baseline and deploy the updated baseline across the installed base
• Review system changes to determine whether unauthorized changes have occurred
• Remove previous versions of software or firmware components after installing updated versions
• Ensure that security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures

APIs are a critical component of cloud computing, and modern development fueling the success of DevOps. This course enables learners to implement mechanisms to securely manage API requests through the use of API gateways in DevOps and serverless environments.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Deployment of secure API gateways through the implementation of core features such as to request and response collapsing API Transformation, and Protocol Translation for microservice-based applications
• Implement secure Identity and Access Management (IAM) across all services
• Provide certificate management, secrets management, and encryption services
• Leverage APIs to gather, synthesize and alert on security-relevant events as part of a comprehensive cybersecurity risk management program

The adoption of cloud infrastructure and DevOps requires consistent integration of security to achieve a reliable lifecycle of continuous deployment. Integrating compliance into the CI/CD Pipeline requires a coordinated effort by everyone involved in the development pipeline. This course enables learners to automate the implementation of security tasks across the CI/CD pipeline in adherence to compliance requirements.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Automate scanning and reporting tasks to ensure privacy policies, applicable laws, regulations, and service-level agreements are reviewed and documented for compliance regulations
• Identify and document controls owned by outside parties
• Configure change monitors to identify changes to organizational systems and environments of operation that may affect security and privacy risk
• Verify that all control objectives are met, and all key controls are designed and operating effectively

Used to automate infrastructure deployment processes, Implementing Infrastructure as Code comes with a unique set of challenges making it hard for organizations to maintain agility, control, and visibility. This course is designed to help developers leverage Infrastructure as Code to securely and effectively launch cloud environments.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Using tools in the development stage to help convert requirements into source code
• Leveraging the security features available in most integrated development environments (IDEs) for multiple programming language support
• Identify and mitigate the most common IaC vulnerabilities, including Weak Authentication Tokens, Disclosure of Authentication Credentials, Excessive Privileges or Capabilities, Misconfigured Network Filtering, and Missing Encryption

As the need to protect critical data increases, organizations must focus efforts on improving processes used to manage essential information. This course is designed to ensure software development teams employ appropriate techniques to manage identities, privileges, and secrets securely.

Upon successful completion of this course, learners will have the knowledge and skills required to meet compliance requirements while developing a DevSecOps mindset, including:

• Ensuring that approved cryptographic algorithms and methods are used for securing critical assets
• Aligning key-management processes and procedures with those recognized by industry-standards bodies
• Using Approved Random Number Generators| Providing strong entropy when Using Random Number Generator

At the core of Kubernetes’ control plane is the API server and the HTTP API that it exposes. The Kubernetes API lets you query and manipulates the state of objects in Kubernetes. This course gives learners an understanding of the role secure access control plays in protecting the Kubernetes API. Controlling who has access and what actions they are allowed to perform must be the primary concern. Learners will understand how to control the Kubernetes platform and how to use API requests as the first line of defense against attackers.

On successful completion of this course, learners should have the knowledge and skills required to:

• Encrypt all traffic by default using Transport Layer Security (TLS)
• Leverage Kubernetes in-built API server authentication mechanisms for non-production or small clusters
• Implement role-based access control using API Authorization

Google Cloud Platform adoption provides many organizations with the agility and scalability needed to transform their business but lack of awareness surrounding best security practices and control implementation increases the risk of a security breach. This course provides the knowledge and skills to implement and leverage GCP security features, manage secrets, and protect applications and data against common threats.

Topics Include:

• Google Cloud Platform security features
• Creating, managing, and protecting secrets
• Common security threats
• Google Cloud monitoring and auditing facilities.

This course is designed for Network Operations Specialists and aligns with the NICE requirements for the secure planning, implementation, and operation of network services and systems, including hardware and virtual environments.

Coverage includes:

• Security Principles
• Network Topologies
• Demilitarized Zones
• Routers; Switches; Bridges; and Firewalls
• Wireless Access Points
• Transmission Media
• Network Authentication
• Server Configuration

This course is designed for the System Administrator role and aligns with the NICE requirements for system administration on specialized cyber defense applications and systems (e.g; antivirus, audit, and remediation) or Virtual Private Network (VPN) devices, to include installation, configuration, maintenance, backup, and restoration.

This course provides DevOps Engineers, IT Architects and Network Engineers responsible for the security of applications and data with the skills and knowledge required to protect their organization’s cloud infrastructure.

Topics Include:

• The role of Data Encryption
• Identity and Authentication
• Firewalls and Network Security (SDNs, VPNs, DMZs)
• Division of Duties
• Compliance requirements
• Securing VM and Containers

Terraform helps create a workflow and combine multiple automation tasks across a broad range of Infrastructure resources using configuration files, including IaaS, PaaS, SaaS, and hardware services. This course provides an understanding of how to securely use Terraform in infrastructure as code (IaC) deployments without disrupting automation and performance.

After completing this course, you will be able to:

• Identify and mitigate the most common IaC vulnerabilities
• Leverage the security features and capabilities of Terraform
• Maintain security of infrastructure definitions and deployment secrets

Using Microservices, organizations can isolate software functionality into multiple independent modules that are individually responsible for performing precisely defined, standalone tasks communicating with each other through simple, universally accessible application programming interfaces (APIs). Containers enable developers to simultaneously build and ship these microservices; integrate them with other systems and automatically orchestrate them using predefined rules and processes.

This course is designed to educate DevOps Engineers, IT Architects, and Network Engineers working in Linux or on the cloud to add value to the application lifecycle through proper orchestration and enable faster development and fault-prone provisioning and configurations.

Topics Include:

• Hardening the OS
• Vulnerability Scanning
• Docker, SELinux and AWS Microservices
• API Gateways
• Node monitoring with Prometheus
• Implementing OAuth
• Schedulers and Orchestrators
• Defining a Pod Security Policy
• Using Metadata Concealment

Google Firebase offers an active backend as a service (BaaS) for building dynamic web and mobile applications, but it has disadvantages. This course gives learners a fundamental understanding of how Firebase Security Rules leverage extensible, flexible configuration languages to define what data your users can access for Realtime Database, Cloud Firestore, and Cloud Storage. Firebase Realtime Database Rules leverage JSON in rule definitions, while Cloud Firestore Security Rules and Firebase Security Rules for Cloud Storage leverage a unique language built to accommodate more complex rules-specific structures.

On successful completion of this course, learners should have the knowledge and skills required to:

• Understand Firebase security rules, security concepts, and setup
• Path match rules, Read and Write operations, Conditions and Functions
• Implement security for reading Documents
• Conduct role-based Authentication and Unit Testing
• Setup for data testing in Firestore
• Write tests for Firestore security

Serverless computing has redefined how companies build, consume, and integrate cloud-native applications. This course introduces the best-practices developers, and cloud customers should follow when using a serverless architecture. Learners will develop an understanding of the fundamental technologies serverless architectures use and how they should be secured from a development perspective to protect against the most common threats to serverless environments today.

On successful completion of this course, learners should have the knowledge and skills required to:

• Identifying Key Components
• Secure the API Entry Point, Runtime Environment, and Data Storage
• Identify a reliable and secure cloud provider
• Account for cloud provider considerations

This course provides learners with an understanding of how to secure a Kubernetes ecosystem in accordance with compliance standards. The content and recommendations in this course align with CIS, NIST, NSA-CISA, PCI-DSS, and HIPAA data and privacy requirements.

After completing this course, you will understand:

• Logging and auditing strategies for secure administration
• Implementing AAA controls to monitor user and group permissions
• Configuring system maintenance configurations to harden user access and file paths
• Leveraging HIPAA resources via NIST
• Filesystem configuration methodologies
• Services that should be disabled
• Network configurations to harden containers

Securing Docker depends mostly on your organization and its IT offerings to end users. To fully secure Docker, a multi-faceted approach should include Kernel Namespaces, Control Groups, Docker Daemon Attack Surface, Linux Kernel Capabilities, Docker Content Trust Signature Verification, and other Security Tools.

Upon completing this course, you should have the knowledge and skills to identify common Docker Engine vulnerabilities and automate software and application deployments.

Manufacturing organizations rely on industrial control systems (ICS) to monitor and control their machinery, production lines, and other physical processes that produce goods. Operational Technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. This course provides guidance on how to improve the security of Operational Technology (OT) systems while addressing their unique performance, reliability, and safety requirements.

On successful completion of this course, learners should have the knowledge and skills required to:

• Understand how to identify typical threats to organizational mission and business functions supported by Operational Technology (OT)
• Describe typical vulnerabilities in Operational Technology (OT)
• Provide recommended security safeguards and countermeasures to manage the associated risks

This lab presents a challenge in the Shadow Bank cyber range that exploits a Broken Access Control vulnerability, caused in part by missing or broken input validation and a business logic flaw. According to OWASP.org “Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.

In this lab, you are an adversary acting outside of your intended permissions, attempting to sell the stock you don’t own.

In this lab, while authenticated as an adversary, you will interrupt the purchase process to substitute the object ID of someone else’s credit card with that of your own. A proper authorization check, if implemented, should prevent you from completing the purchase, as you should not be allowed to use credit cards that are not associated with your account.

This lab presents a challenge in the LetSee cyber range that exploits a Broken Object-Level Authorization vulnerability by allowing an adversary to charge a purchase to someone else’s credit card. Adversaries can exploit failures in complex authorization mechanisms of API-based applications by manipulating parameters such as object IDs sent in requests.

Authentication is the process of attempting to verify identity; Problems with authentication can be introduced at many phases throughout the software development life cycle, so adversaries have a potentially broad attack surface to work with. One technique adversaries use and learners can perform as part of penetration testing is to interact with aspects of the authentication mechanism to find valid identifiers. Registration, or the process of creating new accounts, is part of authentication.

This lab presents a challenge in the Gold Standard cyber range that reveals a Broken User Authentication vulnerability. The challenge is “Register as Loan Officer.” Abusing the registration functionality allows an adversary to bypass filters or access controls in Gold Standard to gain access to a default higher-privilege account.

This lab presents a challenge in the Account All cyber range that exploits a Business Logic Flaw vulnerability caused in part by improper input validation. Adversaries exploiting business logic flaws take advantage of the legitimate processes of an application, many times by interacting with the application in unexpected ways. Business rules or business logic implemented in the application should prevent users from doing harmful or nonsensical actions. However, flaws in the design of such logic can lead to adversaries circumventing these rules.

In this lab, you are attempting to set a value for your W2 withholding that does not make sense. In the USA, this value is used in calculating the amount an employer withholds from an employee’s pay over the course of the year for tax purposes.

Use access techniques to exfiltrate an unprotected facility leftover by developers of a banking website from part of their testing suite to download credentials in the production site and exploit a credential dumping vulnerability.

This lab presents a challenge in the Account All cyber range that reveals the presence of a Cross-Site Scripting vulnerability, caused in part by improper input validation and filtering. Cross-site scripting vulnerabilities are web-based vulnerabilities that can be exploited whenever a web application embeds untrusted input data in site content or web responses without first validating the data or its encoding.

In this lab, you are an adversary performing tests to determine whether Cross-Site Scripting vulnerabilities are present on the Timesheets page.

This lab presents a challenge in the Account All cyber range that exploits an Injection vulnerability, caused in part by improper input validation and query handling. According to OWASP.org, “Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

This lab’s challenge is to force the Log In page to generate an unhandled exception. Solving this challenge will demonstrate the presence of a particular type of Injection vulnerability. In this lab, you are an adversary acting outside of your intended permissions, attempting to input improper validation and potentially expose sensitive information.

This lab presents a Reverse Engineering challenge in the Runstoppable cyber range which simulates a mobile fitness application. In this lab, you are an adversary using Reverse Engineering to look for a Hardcoded Secret “READTHISFLAG1 ” in the Runstoppable code.

Competitive cyber range activities are sometimes known as “Capture the Flag” events. In this lab, the flag is the Hardcoded Secret that you will find by using Reverse Engineering, but in a real application, an adversary might discover other, more valuable secrets using this technique.

Security Misconfiguration is not limited in scope to the application code itself. Improperly secured operating systems, web server applications, and databases all contribute to the overall attack surface.

This lab presents a challenge in the InstaFriends cyber range that exploits an Integer Overflow vulnerability in its Messaging functionality, which in turn reveals a Security Misconfiguration vulnerability.

This lab presents a challenge in the ShadowBank cyber range that exploits a Sensitive Data Exposure vulnerability caused in part by a Hardcoded Secret and Missing or Weak Encryption. The discovered information leads to further Sensitive Data Exposure by exploiting a revealed Broken Access control vulnerability.

To solve the challenge “Into the Shadows: Cryptanalysis” we are looking for a Hardcoded Secret encoded with Weak Encryption.

This lab on Server-Side Request Forgery (SSRF) assesses the learner’s understanding of how an existing SSRF vulnerability in a cloud application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities, leverage trust relationships among back-end systems protected by network topology but lacking more sophisticated access controls, and access resources not directly reachable by end-users.

This lab challenges a learner to discover and exploit an existing cryptographic failure in the password hashing functionality of an online banking application. In this lab, you are an adversary leveraging tools to crack passwords and gain access to user accounts where you can perform all the actions the legitimate user can or move laterally in the system or application. In addition to exploring symptoms and causes under this category, participants will learn how to prevent and mitigate cryptographic failures.

This lab on Cookie Tampering assesses the learner’s understanding of how an existing Cookie Tampering vulnerability in an online banking application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to bypass security policies and gain access or privileges.

This lab on Reflective XSS assesses the learner’s understanding of how an existing Reflective XSS vulnerability in an online e-commerce application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to execute arbitrary commands, such as JavaScript, and display arbitrary content in a victim’s browser.

This lab on Forceful Browsing assesses the learner’s understanding of how an existing Forceful Browsing vulnerability in an online Human Resources (HR) back-office application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to bypass weak access controls and gain access to what should be restricted resources and higher privileged operations.

This lab on Hidden Form Fields assesses the learner’s understanding of how an existing vulnerability related to hidden form fields in an online banking application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to tamper with client-side data, in this case for monetary gain. Improper validation of hidden yet mutable field values potentially paves the way for other attacks such as Cross-Site Scripting, SQL Injection, or even gaining unauthorized access.

This lab on Weak File Upload Validation assesses the learner’s understanding of how an existing Weak File Upload Validation vulnerability in an online banking application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to upload malicious files to escalate privileges, execute arbitrary code, compromise the application, or compromise the host server.

This lab on Persistent XSS assesses the learner’s understanding of how an existing Persistent XSS vulnerability in an online social media application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to leave malicious payloads that will continue to affect subsequent victims that visit the page.

This lab on XML Injection assesses the learner’s understanding of how an existing XML Injection vulnerability in an online banking web application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to bypass authentication mechanisms and gain access to an application, sometimes with high-level privileges.

This lab challenges a learner to discover and exploit the use of a vulnerable and outdated component in an online banking application that fails to properly validate the supply chain. In this lab, the outdated web framework used has a known vulnerability to Denial-of-Service attacks that can shut down the entire server. After completing this lab, the learner will understand how adversaries can exploit any known vulnerabilities in underlying components of your application and best practices to avoid and mitigate them.

This lab challenges a learner to discover and exploit an existing API vulnerability to bypass authorization mechanisms and steal private files in a cloud application. In this lab, you are an adversary interacting with the application in a legitimate way to discover flaws in a REST API to bypass authorization mechanisms and steal private files that contain AWS Credentials. Participants will also learn best practices to prevent and mitigate broken object-level authorization vulnerabilities related to insecure APIs?

This lab challenges a learner to discover and exploit an existing credential management error in a cloud application to gain initial access and then escalate their privileges. In this lab, you are an adversary attempting to manually approve your own purchase using post parameter manipulation and vertical privilege escalation. Participants will also learn best practices to prevent and mitigate account hijacking and vertical privilege escalation exploitation.

This lab on Horizontal Privilege Escalation assesses the learner’s understanding of how existing Broken Object-level Authorization and Weak or Missing Cryptography vulnerabilities in an e-commerce application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to gain unauthorized access to objects belonging to other users with the same level of privilege in order to exfiltrate, tamper with, or destroy them.

This lab on Buffer Overflow assesses the learner’s understanding of how an existing Buffer Overflow vulnerability in a cryptocurrency cyber range can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to cause the arbitrary execution of malicious code with the application’s privileges, often without requiring any user interaction.

This lab on Information Leakage assesses the learner’s understanding of how existing Insufficiently Protected Credentials and Insecure API vulnerabilities in a social media application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to gain unauthorized access to an area of the site which in turn exposes credentials, enabling adversaries to impersonate legitimate users.

This lab on Security Logging or Monitoring Failures assesses the learner’s understanding of how an existing Insecure API vulnerability in an online e-commerce application can be discovered and exploited, revealing sensitive logging information.

After completing this lab, the learner will understand how adversaries can probe insecure applications to exploit such vulnerabilities and gain insight into the inner workings of your application or data relationships.

This lab on Unverified Password Changes assesses the learner’s understanding of how an existing Identification and Authentication Failure vulnerability in an online e-commerce application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can defeat weak cryptography and exploit broken password change mechanisms to take over other users’ accounts.

This lab on Error Messages Containing Sensitive Information assesses the learner’s understanding of how an existing SQL Injection vulnerability in an online cryptocurrency trading application can be discovered and exploited to trigger error messages from other insecurely configured layers.

After completing this lab, the learner will understand how adversaries can probe insecure applications to exploit such vulnerabilities which expose the inner workings of your application or data relationships.

This lab on Generation of Predictable Numbers or Identifiers assesses the learner’s understanding of how such an existing vulnerability in an online e-commerce application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can probe insecure applications to exploit such vulnerabilities and leverage this information to gain other users’ credentials.

This lab on Improper Restriction of XML External Entity References assesses the learner’s understanding of how an existing Improper Restriction of XXE References vulnerability in a cloud-native marketing automation SaaS suite can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to upload malformed XML documents. Such attacks may lead to the disclosure of confidential data, denial of service, server side request forgery, and other system impacts.

This lab on Exposed Services assesses the learner’s understanding of how an existing security misconfiguration in a cloud-native marketing automation SaaS suite can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to grab server banners from HTTP response headers and leverage the information exposed to launch targeted attacks.

This lab on Exposure of Sensitive Information Through Environmental Variables assesses the learner’s understanding of how such an existing vulnerability on a server hosting an ecommerce application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to steal secrets, gain unauthorized access, establish persistence, penetrate further into a system, and plan more damaging attacks.

This lab on Plaintext Storage of Passwords assesses the learner’s understanding of how an existing Credentials Management Error in the database supporting an ecommerce application can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to steal secrets, gain unauthorized access, establish persistence, penetrate further into a system, and plan more damaging attacks.

This lab on URL Redirection to Untrusted Site (otherwise known as Open Redirect) assesses the learner’s understanding of how an existing Open Redirect vulnerability in a cloud-native marketing automation SaaS suite can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to send users to a malicious site via a legitimate-looking URL to compromise their machine with malware or steal their credentials.

This lab on Improper Neutralization of Script in Attributes in a Web Page assesses the learner’s understanding of how an existing persistent cross-site scripting vulnerability in the email templates of a cloud-native marketing automation SaaS suite can be discovered and exploited.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to leave malicious payloads that will continue to affect subsequent victims that use the template or receive emails generated by the template.

This course provides learners with the skill and knowledge required to perform threat modeling, and ensure that security principles are applied at each step of the design process.

Topics Include:

• Integrating attack surface reduction
• Secure defaults
• Least privilege
• Defense in depth
• Compartmentalization

This course provides learners with an understanding of the role Cybersecurity Incident Response plays within your organization’s overall security plan. The content and the recommendations in the course align with CIS, NIST, NSA-CISA, PCI-DSS, and HIPAA guidelines.

After completing this course, you will understand:

• Parties who should be involved in establishing a Cybersecurity Incident Response plan
• Details about what should be included in the plan’s development
• Execution of key portions of the plan after its development

Ransomware is an evolving threat to the cyber and data security of many organizations. This course provides learners with an understanding of the role identifying and protecting assets plays in protecting against ransomware attacks. Learners will gain a better understanding of the attacker’s mindset and the ransomware “Business Model.”

On successful completion of this course; learners should have the knowledge and skills required to:

• Implement network segregation, anti-virus, and endpoint security
• Create a system shutdown policy, using Virtual Machines (VMs) for instant backup restore (snapshotting) and recovery of business processes and assets

Security Information & Event Management platforms have become a significant component in streamlining security workflows, but, as powerful as these platforms can be, they can be inherently challenging. This course provides learners with an understanding of the role of Security Information & Event Management (SIEM) in your organization’s overall security plan.

On successful completion of this course, learners should have the knowledge and skills required to:

• Detect known and emerging threats
• Identify vulnerabilities
• Accelerate incident response
• Identify policy violations
• Provide system troubleshooting or forensic evidence in the event of a security breach

In the past, software applications were created with little thought to the importance of security. Recently, businesses have become more rigorous about how they buy and deploy software as security is a large part of the total cost that risk software applications inherently carry. In this course, you examine the state of the industry from a security perspective, setting the foundation for secure software development.

Topics include:

• Application security architecture principles
• Lessons learned:  security disasters in software design
• How to use confidentiality, integrity, and availability to drive better security design decisions

The PCI Secure SLC Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle. This course provides baseline knowledge needed to implement security requirements and assessment procedures to validate proper management of the security of payment software throughout the entire software lifecycle.

After completing this course you will be able to:

• Identify and mitigate common threats and vulnerabilities defined in the PCI Secure SLC standard
• Build an environment for secure software development, change control, and management
• Improve communications for secure deployment, configuration and software updates.

This course presents an overview of the fundamental services provided by cryptographic suites, namely encoding, encrypting, and hashing.

Topics include:

• Encoding and decoding
• Encryption and decryption
• The difference between encoding and encryption
• The value and application of hashing
• Where, when, and how to use crypto

This course aligns with the National Initiative for Cybersecurity Education (NICE) requirement(s): K0018: Knowledge of encryption algorithms.

This course introduces three important elements of cryptographic systems: random number generation, algorithms and keys.

Topics include:

• The critical role of randomness in cryptography
• Common algorithms to perform cryptographic manipulation of information
• Types and roles of cryptographic keys
• The key management problem
• Common types of digital certificates and its creation process
• Components and roles of a public key infrastructure
• Weaknesses in the digital certificate trust mode
• Mechanisms to manage and distribute cryptographic keys

This course aligns with the National Initiative for Cybersecurity Education (NICE) requirement(s):

• K0018: Knowledge of encryption algorithms
• K0019: Knowledge of cryptography and cryptographic key management concepts

This course introduces cryptography and how cryptography can help secure software applications and data. It also provides an overview of common uses of cryptography.

Topics include:

• Identifying relevant cryptographic technologies
• Knowing common “data-in-motion” crypto options and the strengths/weaknesses of each
• Applying common “data-at-rest” crypto options and the strengths/weaknesses of each

This course explains how encrypting and signing a message works, how message authentication codes work, and why a digital signature is superior to a cryptographic hash for validating software integrity.

Topics include:

• Message integrity function is its value
• The difference between a message authentication code and a digital signature
• How a digital signature works
• Encrypting and signing messages
• Message authentication codes
• Digital signature vs. a cryptographic hash for validating software integrity

This course aligns with the National Initiative for Cybersecurity Education (NICE) requirement(s):

• K0018: Knowledge of encryption algorithms
• K0019: Knowledge of cryptography and cryptographic key management concepts

The adoption of cloud services involves various roles making it difficult to govern the selection and brokering of cloud services while adhering to policies and procedures. This course is designed to ensure privacy and security teams may effectively and efficiently adopt cloud computing in support of strategic and business goals.

Upon successful completion of this course, learners will have the knowledge and skills required to meet privacy compliance requirements, including:

• Creating Policies, Procedures, Standards, and Controls that meet all regulatory and legal requirements, industry standards, and technical controls such as encryption.
• Establishing, deploy and assess a compliance baseline that determines targets
• Handling sensitive data, including how to identify and classify data, define data retention periods, and comply with data storage requirements.
• Prepare for compliance auditing and Reporting

The objectives of this course align with NIST Special Publication (SP) 800-63, Digital Identity Guidelines, and explains the fundamentals of authentication and how to maintain strong account access and authentication policies.

After successfully completing this course, you will understand secure authentication methods, including the function of the access provisioning lifecycle, credential service providers, Public Key Infrastructure (PKI), and Federation basics.

Hardening is a critical step in ensuring security and diligence as it reduces the chances of attack, but this requires the use of appropriate methodologies. In today’s connected world securing an operating system has become increasingly sophisticated as computing ecosystems increase in complexity. This course provides learners with an understanding of best practices for hardening Linux and Unix systems.

After completing this course you will be able to:

• Upgrade your kernel
• Disable root cron jobs
• Enforce strict firewall rules
• Disable unnecessary services
• Check for backdoors and rootkits
• Check listening ports
• Monitor and manage logs using IDS

This course defines concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws. Special attention is given to analysis of security issues in existing applications; however, the principles and techniques are applicable to systems under development. Techniques include accurately capturing application architecture, threat modeling with attack trees, attack pattern analysis, and enumeration of trust boundaries.

Topics include:

• How to assess design components for security flaws
• The use and value of threat modeling and attack surface analysis
• Techniques to remove architecture weak spots and avoid vulnerability propagation

Addressing updates across the Internet of Things (IoT) can be complicated due to the complex ecosystems of connected devices deployed across multiple environments. This course aims to educate learners to establish a secure, scalable update process for IoT devices.

After completing this course, you will be able to:

• Identify the risks of delivering IoT device updates
• Understand each phase in the IoT update process
• Determine considerations for the secure delivery of updates to the vehicle
• Securely design, develop, delivery, and install IoT update

This course focuses on topics related to architecting and designing a secure Internet of Things (IoT) system. Particular emphasis is placed on embedded IoT devices and their relationship with cloud services.

After completing this course, you will have a deep understanding of an IoT system, its components, and the security implications of various design choices.

Topics include:

• Elements to be reviewed and defined in the requirements phase
• Authorization considerations within the IoT device itself as well as connected components
• Designing a secure IoT architecture
• Authentication to validate the identity of users and devices
• Logical access controls to ensure users are granted appropriate levels of service
• Physical security concerns to protect access to IoT devices
• Monitor communications throughout the IoT system
• Secure communications between the various system components

Low-code application platforms present new vulnerabilities that organizations are not prepared for as they introduce unintended threats and connections between core systems and third-party applications. This course is designed to create awareness around security and privacy risks related to Low-Code Application Platforms (LCAP) applications and provide learners with a fundamental understanding how to identify and mitigate the security risks associated with Low-Code Application Platforms (LCAP).

On successful completion of this course, learners should have the knowledge and skills required to:

• Avoid creating vulnerabilities that put communications and other systems at risk
• Ensure the privacy of customers
• Secure Node.js queries

Blockchain implementation poses a number of challenges from storage capacity and scalability to anonymity and data privacy thus making the protection of existing assets complex. This course provides learners with an understanding of how to secure existing Blockchain assets against security threats.

After completing this course you will be able to:

• Secure the cryptographic keys that allow access to the ledger
• Use hardware security modules (HSMs)
• Ensure the integrity of “Smart Contracts”
• Protect communications between nodes

While Blockchain technology continues to emerge for its ability to improve data security, speed up transactions and save costs, it comes with its advantages it comes with a wide array of challenges. Properly securing a blockchain network begins with the implementation of strong authentication and cryptography key vaulting mechanisms. This course provides learners with an understanding of the essential requirements for creating a secure blockchain network.

After completing this course you will be able to:

• Identify operational, legal and compliance requirements
• Create a blockchain threat model
• Create blockchain trust policies, access controls, and smart contracts
• Manage identity, access, entitlements, certificates, and keys
• Monitor, report, and manage incidents

Architecting secure solutions is paramount to ensure developers do not incorporate insecure components, which could introduce hundreds of individual security vulnerabilities in the as-built system. This course covers a set of key security principles to improve the security of application architecture and design.

Topics include:

• Applying defense to harden applications and make them more difficult for intruders to breach
• Reducing the amount of damage an attacker can accomplish
• Compartmentalizing to reduce the impact of exploits
• Using centralized input and data validation to protect applications from malicious input
• Reducing the risk in error code paths

While cardholder data consists of any personally identifiable information (PII) associated with a person who has a credit or debit card, the PCI Secure Standards Council (PCI SSC) has specific requirements to protect cardholder data at all times. Despite common misconceptions, this also includes account numbers, expiration date, and/or service code as cardholder data. This course is designed to provide Information Systems Security Developers with the knowledge needed to minimize the storage of cardholder data and take necessary precautions to protect it in adherence to the PCI Software Security Framework and NIST 800-53 Guidelines.

Upon successful completion of this course, learners will have the knowledge and skills required to meet privacy compliance requirements, including:

• Ensuring the software does not store sensitive authentication data after authorization, even if encrypted unless the software is intended only for use by issuers or organizations that support issuing services.
• Rendering the Primary Account Number (PAN) is unreadable anywhere it is stored.
• Guiding customers regarding the secure deletion of cardholder data after the expiration of the customer-defined retention period.

The CIA Triad – Confidentiality, Integrity, and Availability are the information security tenets used as a means for analyzing and improving the security of your application and its data. After completing this course, you will be able to understand and use confidentiality, integrity, and availability (CIA) as the three main tenets of information security.

Staying current on legislation and engaging the business on timely privacy compliance and practical solutions can be challenging. As the focus on compliance continues to increase, and the GRC landscape continues to evolve, compliance officers need to keep pace with emerging regulations. This course provides learners with a clear understanding of their role in meeting compliance requirements.

Upon successful completion of this course, learners will have the knowledge and skills required to meet privacy compliance requirements, including:

• Enable better privacy engineering practices that support privacy by design concepts
• Ensure collaboration on privacy protection objectives across your organization
• Apply the NIST Privacy Framework to meet region-specific regulations such as GDPR and CCPA
• Communicate privacy practices with individuals, business partners, assessors, and regulators

This course introduces the industry-leading Microsoft Security Development Lifecycle (SDL) Optimization Model and how to implement it.

Topics include:

• Capability areas of the Microsoft SDL Optimization Model
• Maturity levels and how to reach them
• Optimization techniques to reduce risk

The standard MS SDL process follows the traditional incremental waterfall model, while Agile methodologies are more iterative. This course focuses on the Agile variation of the SDL process and covers the following topics:

• How to map critical SDL security practices into every-sprint requirements, bucket or periodic requirements, and one-time requirements
• How to incorporate security education, tooling and automation, threat modeling, fuzz testing, handling bug-dense and at-risk code, exceptions, and the final security review into sprints

This course describes the main phases of the Microsoft Security Development Lifecycle (SDL) process: Requirements, Design, Implementation, Verification, and Release, with a focus on security throughout.

After completing this course, you will have a solid understanding of the SDL process and the recommended/required tasks for each phase.

This course describes the Microsoft Security Development Lifecycle for Line of Business (SDL-LOB), which focuses on the development of internal or business-facing applications.

Topics include:

• The five primary phases of the SDL: Requirements, Design, Implementation, Verification, and Release
• LOB-specific tasks, requirements and deliverables for each phase of the SDL
• How to integrate security-improving tasks at each level of risk
• Necessary skills to be effective

This course describes the features of the Microsoft SDL Threat Modeling tool, which complements the Microsoft SDL Threat Modeling process. While not required to perform threat modeling, using the tool facilitates the creation of threat models and helps enumerate threats using STRIDE.

Topics include:

• Creating accurate data flow diagrams (DFDs) in your threat model
• Identifying flaws in DFDs and analyzing it for potential threats
• Generating reports to export threats to issue tracking tools

This course describes how to take a question-driven approach to threat modeling to help identify security design problems early in development process.

After completing this course, you will be able to create a threat model for your application scenario and use it to refine your application’s design and improve communication within the team.

To preserve the confidentiality, integrity, and availability of application data, software applications must be engineered with security in mind. Without defined security requirements, design choices will be made without security guidance and security testing cannot be effective.

This course provides technical and non-technical personnel with the knowledge to understand, create, and articulate security requirements as part of a software requirement document.

Topics include:

• Applying the application security maturity (ASM) model to the development process
• Key security engineering activities: gathering security objectives, applying security design guidelines, and creating threat models
• Identifying threats, attacks, vulnerabilities, and countermeasures
• How to conduct impactful security architecture and design reviews to identify potential security problems and minimize the application’s attack surface.

All software activity involving critical assets must be tracked, and any methods that may expose sensitive data should also be tracked as defined by control objectives within the PCI Software Security Framework. Unfortunately, protecting the integrity of event datasets and analyzing records to detect attacks in real-time can be challenging. This course is designed to equip Information Systems Security Developers and Software Developers with the knowledge required to detect, respond to, and investigate attacks.

Upon successful completion of this course, learners will have the knowledge and skills required to meet the Secure Software Operations requirements described in PCI’s Secure Software Requirements and Assessment Procedures, including:

• Ensuring that all access attempts and usage of critical assets are tracked and traceable to a unique individual
• Facilitating the retention of detailed activity records either within the software itself or by supporting integration with other solutions such as centralized log servers, cloud-based logging solutions, or a back-end monitoring solution
• Ensuring that the software possesses the basic functionality to differentiate between normal and anomalous user behavior: such changes in post-deployment configurations or obvious automated-attack behaviors

Risk management should be a foundational tool used to facilitate thoughtful and purposeful defense strategies. In today’s environment, the most significant threats to systems come from purposeful attacks that are often disciplined, well organized, and well-funded.

This course aims to educate IT architects, Analysts, and DevOps Engineers to understand their responsibilities when protecting organizational assets.

Topics Include:

• Key Risk Management Concepts
• Common management techniques and strategies
• various risk assessment methods and risk control strategies

The attack surface of an application represents the number of entry points exposed to a potential attacker. The larger the attack surface, the larger the set of methods that can be used by an adversary breaking into software applications. Resultantly, minimizing it is a key exercise in risk reduction.

Topics covered:

• Understanding the goals and methodologies of attackers
• Identifying attack vectors that expose the application
• Defining and reducing an application’s attack surface

Application developers have a variety of tools at their disposal to identify flaws in their software. However, many of them cannot be used until late in the development lifecycle: dynamic analysis tools require a staging site and sample data, and some static analysis tools require a compiled build. In contrast, manual code reviews can begin at any time leveraging secure coding knowledge.  Because manual security code reviews can be laborious if  done inefficiently, this course focuses on time saving  but effective techniques.

Topics include:

• How to organize and approach code reviews
• Prioritizing code segments to be reviewed
• Maximizing security resources

Before any organization can adequately Implement the Risk Management Framework they must understand how to determine and apply appropriate security requirements. Preparation requires a disciplined and structured set of activities in order to execute the framework at appropriate risk management levels.

This course aims to provide Engineers, Software Architects, and Systems Analysts with context and priorities for managing security and privacy risk.

Topics Include:

• Identifying key Individuals and specification of roles and responsibilities in the risk management process
• Identifying risk tolerance and determining a particular strategy for risk management
• Conducting an organization-level risk assessment to ensure leadership is aligned
• Continuous monitoring to enable a rapid and effective response to changes in the risk landscape or changes in the effectiveness of controls

Security categorization provides a structured way to determine the criticality and sensitivity of the information being processed, stored, and transmitted by an information system. This course provides learners with an understanding of how to categorize the system and the information using the NIST SP 800-37 Rev. 2 Risk Management Framework.

After completing this course you will be able to:

• Identify all information types based on the system boundary
• Categorize information (processed, stored, or transmitted) by the potential adverse impact that information being compromised as regards confidentiality, integrity or availability
• Ensure the security categorizations are consistent with roles, operating environment, connectivity, and intended use

Selecting the appropriate set of security controls helps to achieve organizational operations and objectives. This course provides learners with an understanding of how to select, implement and assess security controls using the NIST SP 800-37 Rev. 2 Risk Management Framework.

After completing this course you will be able to:

• Select and document the controls necessary to protect the information system and organization commensurate with the risk to the organization
• Implement the controls in the security and privacy plans for the system and organization
• Document the specific details of the control implementation in a baseline configuration
• Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements

Authorizing and monitoring security controls provides an understanding of security posture and provides an indication of whether or not cybersecurity controls are operating as intended. This course provides learners with an understanding of the Authorization and Monitoring steps of the NIST SP 800-37 Rev. 2 Risk Management Framework.

After completing this course you will be able to:

• Provide organizational accountability by requiring a senior management official to determine if the security and privacy risk to operations, assets, and individuals is acceptable
• Report authorization decisions, significant vulnerabilities, and risks to organizational officials | Monitoring the system and the associated controls on an ongoing basis
• Document changes to the system and environment of operation
• Conduct risk assessments and impact analyses | Reporting the security and privacy posture of the system

By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII). In addition, new microservices architectures with individual application components have become de facto APIs that significantly expand the attack surface. This course focuses on strategies and solutions used to mitigate APIs’ unique vulnerabilities and security risks.

On successful completion of this course, you should have the knowledge and skills required to:

• Define, identify, and create a plan for managing resources
• Understand uncontrolled resource consumption and the associated risks
• Identify the common causes that lead to a lack of resources
• Implement industry best practices to mitigate API’s lack of resources and rate-limiting

Aligned with OWASP API Security Top 10 and the NIST Cybersecurity Framework; this course is designed for NICE Workforce roles of Software Developer and Secure Software Assessor. Upon successful completion of this course, you should have the knowledge and skills required to identify and resolve object-level authorization issues; be aware of, and mitigate, the most common attack methods for APIs with broken level authorization; and employ industry best practices to prevent and mitigate broken object-level authorization vulnerabilities.

Upon successful completion of this course, you should have the knowledge and skills required to:

• Identify and resolve object-level authorization issues
• Be aware of, and mitigate, the most common attack methods for APIs with broken level authorization
• Employ industry best practices to prevent and mitigate broken object-level authorization vulnerabilities

Mass Assignment occurs when adversaries exploit unexposed object properties or methods through API parameters. An API might be vulnerable to Mass Assignment if the application directly binds parameters to an internal object’s properties without proper validation.

On successful completion of this course, learners should have the knowledge and skills required to:

• Avoid direct use automatic binding
• Define and enforce schemas for input payloads
• Validate and filter input before binding
• Use read-only properties where appropriate

In accordance with the OWASP API Security Top 10 2019 Report, APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.

On successful completion of this course, learners should have the knowledge and skills required to:

• Understand the importance of proper API asset management
• Gather and maintain an inventory of all vulnerable assets
• Determine API access requirements based on scope, API type, and user roles
• Understand the benefits of using an API gateway
• Create documentation for the information gathered about your organization’s APIs

This course introduces the fundamentals and primary drivers of application security, including: The CIA “triad”; the importance of meeting regulatory requirements; what motivates hackers, how to manage vulnerabilities, and the key elements of a responsible disclosure programs.

Upon successful completion of this course, you should have the knowledge and skills required to understand:

• Core concepts of application security risk management
• Why developing secure applications matters
• The importance of meeting regulatory compliance requirements
• Anatomy of an application attack and what motivates hackers.
• Common attack scenarios and how to manage vulnerabilities.
• Best practices for developing secure applications.

This course provides a high-level overview of secure software concepts for web applications including application security and security best practices.

Upon successful completion of this course, you should have the knowledge and skills required to:

• Understand the root causes of application weaknesses
• Realize the importance of encrypting data
• Ensure input is properly validated
• Reduce your application’s overall attack surface
• How to implement a security strategy based on your organization’s risk

This course introduces you to the overriding importance of software security for your organization, and the potential business consequences of developing and deploying insecure software.

Topics include:

• The difference between software security and network security
• Business imperatives for software security, including the high business costs of security breaches
• Compliance and legal implications of security breaches
• Customer expectations of security
• The increasing threat landscape

This course discusses the requirements phase of the software development lifecycle and provides software development teams with the knowledge and skill required to gather security requirements for the software that they are designing and implementing.

Topics Include:

• Identifying potential attacks and exploits
• Legal Security Requirements
• Business Requirements
• Customer Security Requirements

This course introduces you to secure development models, standards, and guidelines that provide you with a structure for reducing risk from application security vulnerabilities.

Topics Include:

• The role of Industry standards and security models like OWASP Top 10, CWE SANS Top 25, PA-DSS and many more
• The common criteria for Information Technology Security Education
• Formal methods applied to the analysis of software to ensure that it adheres to industry standards such as Code Analysis, Static Analysis, and Binary Analysis

This course introduces developers to mobile environment threats and risks and presents secure programming principles to mitigate them.

Topics include:

• Common threats to mobile applications: client-side injection, sensitive data handling, network transition, application patching, web-based attacks, phishing, third-party code, location security and privacy and denial of service
• Defensive coding techniques: input validation, output encoding, least privilege, code signing, data protection at rest and in transit, avoiding client side validation, and using platform security capabilities as they apply in mobile environments
• Threat modeling of mobile applications

In practice, the database represents the goal of many attackers, as this is where the information of value is maintained. However, the functional requirements and security testing often focus on the interaction between a software user and the application, while the handling of data is assumed to be secure.

This course describes how to apply authentication and access control to your database and provides an understanding of database privileges and limiting data access. Coverage also includes techniques for protecting the database and methods for securely concealing specific data while providing an introduction to cloud databases and database encryption.

This course introduces developers to the common risks associated with Cloud applications and secure coding best practices to mitigate them.

Topics include:

• Security features of the different series models (IaaS, PaaS, and SaaS)
• How to identify common vulnerabilities and code defensively to avoid them
• Common threats to cloud applications: unauthorized account access, insecure APIs, shared technology, data leakage, and account hijacking
• Complying with regulatory requirements
• The unique security challenges of “Big Data”
• How to apply the Microsoft SDL to cloud applications

Embedded devices tend to be linked to other devices via a wide array of technologies and often susceptible to targeted attacks. This course identifies security issues inherent to embedded devices and their deployment environments. You will also learn about the appropriate constraint of functionality from a security standpoint, and techniques to prevent common vulnerabilities.

Topics include:

• Techniques to identify system security and performance requirements
• Developing appropriate security architecture
• Selecting the correct mitigations
• How to develop policies that can ensure the secure operation of your system

This secure coding course covers the most common security issues that affect the confidentiality, integrity and availability of COBOL programs on mainframes. These include SQL Injection, Command Injection, Integer Overflow, Weak Cryptography, Unencrypted Communications and Race Conditions.

This course explores secure communications using Transport Layer Security (TLS) and best practices for implementing these within C and C++ applications.

Topics include:

• Key principles of TLS
• Libraries and interfaces for implementing the TLS protocol
• TLS security considerations
• Alternatives to TLS

This secure coding course covers common run-time protection technologies that can be used to protect an application from attack.

Topics include:

• Run-time protection technologies and how to apply them to your applications
• Stack security cookies, Address Space Layout Randomization (ASLR), and No-eXecute (NX)
• Limitations of run-time protection technologies

This secure coding course highlights the most useful security features for avoiding memory corruption vulnerabilities in C++.

Additional topics include:

• Standard containers, bounds-checking functions, smart pointers, and standard concurrency features
• How to use object-oriented programming features to define and manipulate data in terms of objects, use range-based loops and native regular expressions

This secure coding course focuses on how to protect data in transit using encryption libraries and strong TLS ciphers in C++.

Topics include:

• Important issues about public key certificates including signing and verification
• Using well-trusted encryption libraries and strong TLS cipher suites to protect data in transit
• Protect and verify the integrity of public key certificates

As organizations continue to migrate to cloud infrastructures; development teams are finding themselves leveraging GO as a tool of choice.  Lightweight and quick to compile due to generous libraries and abstractions that make it easier to program concurrent and distributed (read: cloud) applications it offers a slew of benefits from Static compilation with no dependencies, a strong standard library, a full development environment, and the ability to build for multiple architectures with no minimal hassle.

This course will provide software developers and DevOps Engineers with working knowledge of fundamental concepts and advanced features of the GO programming language.

Topics Include:

• Identifying and preventing SQL injection attacks
• Understanding cross-site scripting
• Properly configuring browser cookies
• Understanding and preventing session hijacking attacks
• Knowing how to avoid cross-site request forgery vulnerabilities
• Understanding the difference between symmetric and asymmetric cryptography
• Implementing transport layer security
• Working with hashes and key derivation functions

*Indicates that the course is still in production and subject to change

This course explores the foundation of .NET, the CLR’s native security infrastructure (Code Access Security), and the ASP.NET security infrastructure.

Topics include:

• Differences between managed and unmanaged code
• Access control functions in Windows
• Code Access Security (CAS) functions in .NET
• Interactions between Windows access control and CAS
• Key aspects of ASP.NET security and understand the Level 2 Security Transparency Model

With a primary focus on .NET secure error handling and secure logging,  this  course describes secure coding techniques to avoid information disclosure and other vulnerabilities.

Topics include:

• Avoiding dangerous patterns when using CAS
• Avoiding common .NET security pitfalls
• Ensuring application fail safely

This secure coding course presents best practices and techniques for secure SAP application development using Java and ABAP.

Topics include:

• Key application security principles, vulnerabilities and mitigations
• Validating input in SAP applications
• Protecting data using encryption
• Conducting security code analysis and code reviews

This secure coding course introduces database application developers to key industry best practices for data security.

Topics include:

• Secure query construction
• Secure communication and storage
• Creating safe stored procedures to prevent SQL Injection
• How to secure data at rest and data in transit using Oracle Database features

This secure coding course explores protecting sensitive data and ensuring the integrity of applications running on the Microsoft SQL Server Engine and Azure SQL Database.

Topics include:

• The security function of roles in controlling user and principal access to SQL Server securables
• Exercising fine-grained controls that adhere to the Principle of Least Privilege
• Leveraging the security features of Microsoft’s Azure SQL Database to protect sensitive data and ensure the integrity of your applications

In this course, you will learn how to ensure compliance with PCI DSS Requirement 3 for protecting cardholder data.

On successful completion of this course, you should have the knowledge and skills required to:

• Identify information that qualifies as sensitive account data
• Minimize exposure of sensitive information
• Ensure the proper handling of sensitive data

In this course, you will learn to ensure compliance with PCI DSS Requirement 4 for Encrypting Transmission of Cardholder Data. Coverage includes techniques for spotting missing encryption and using Transport Layer Security (TLS).

On successful completion of this course, you should have the knowledge and skills required to:

• Implement Strong Transport Cryptography; Understand Cipher Suites
• Select Strong Cipher Suites
• Properly use Valid TLS Certificates
• Maintain Certificate and Key Inventory, Wireless Technologies, and End User Messaging

In this course, you will learn to ensure compliance with PCI DSS Requirement 6 for Developing & Maintaining Secure Systems and Applications. Learners will understand the importance of following secure coding best practices, completing yearly developer training, and protecting sensitive data.

On successful completion of this course, you should have the knowledge and skills required to:

• Follow industry standards and best practices
• Consider information security issues throughout the entire software development lifecycle, from initial design to deployment
• Identify and address common software attacks and vulnerabilities
• Define and follow software engineering techniques

In this course, you will learn to ensure compliance with PCI DSS Requirement 11 for Regularly Test Security Systems and Processes. Learners will understand the importance of following industry-accepted approaches for application and network-layer penetration tests. They will recognize the importance of conducting vulnerability scans to identify and address threats and vulnerabilities as well as documenting the organizations approach for assessing and addressing risks from any exploitable vulnerabilities discovered.

On successful completion of this course, you should have the knowledge and skills required to meeting PCI’s Secure Software Framework, including:

• Test Planning
• Vulnerability Scanning
• Penetration Testing
• Intrusion Detection
• Change Detection and Wireless Networks

This course introduces fundamentals of how to defend AJAX-enabled Web applications, including the difference between regular and AJAX-enabled web applications, AJAX security checks against challenges, and common attacks against AJAX-enabled applications.

Topics include:

• Architectural differences between regular web applications and AJAX-enabled applications
• Identifying threats to AJAX applications: cross-site scripting (XSS), cross-site request forgery (CSRF), and injection attacks
• Implementing countermeasures against attacks: protecting client resources, validating input, protecting web services requests, preventing request forgeries, and securing data access.

This course examines the security vulnerabilities, threats, and mitigations for AWS cloud computing services and provides best practices for securing Web applications by leveraging AWS platform security features.

Topics include:

• AWS security features: Key Management Service (KMS), Hardware Security Module (HSM), Identity and Access Management (IAM), and CloudWatch
• How to leverage security features built into Common Amazon Cloud services such as Simple Storage Service (S3), Elastic Compute Cloud (Amazon EC2), Elastic Block Store (EBS), Amazon Glacier, Relational Database Service (RDS), DynamoDB, Elastic MapReduce (EMR), and Amazon Machine Images (AMI)

This course examines key Azure security platforms and services that you can use to improve the security of your applications.

Topics include:

• Security vulnerabilities, threats, and mitigations for Azure cloud computing services
• How to identify common security threats to cloud-based applications
• Secure coding best practices to mitigate threats
• How to leverage built-in Azure features for an extra layer of defense

This secure coding course introduces the fundamentals of secure web services development.

Topics include:

• Common web services threats that put your application at risk
• Impact of web services attacks
• Secure development best practices to protect web services

In this course, you will learn about best practices and techniques for secure application development with Ruby on Rails. After completing this course, you will be able to identify and mitigate injection vulnerabilities, such as SQL injection and cross-site scripting, build strong session management into your Rails applications, and prevent other common vulnerabilities, such as cross-site request forgery and direct object access.

Topics include:

• How to identify and mitigate injection vulnerabilities: SQL Injection (SQLi) and cross-site scripting (XSS)
• How to build strong session management into your rails applications
• Preventing common vulnerabilities such as cross-site request forgery (CSRF) and direct object access

In this course, you will learn about best practices and techniques for secure application development with Python. After completing this course, you will be able to understand various types of injection vulnerabilities, including SQL injection and cross-site scripting. You will also be able to understand how to build strong session management into your Python web applications and how to prevent common vulnerabilities, such as cross-site request forgery, direct object access, and others.

Finally, you will be able to recognize file system threats to web applications, including vulnerabilities with path traversal, temporary files, and insecure client redirects.

Topics include:

• Types of Injection Vulnerabilities including SQL Injection (SQLi) and Cross-Site Scripting (XSS).
• File system threats to web applications including vulnerabilities with path traversal, temporary files, and insecure client redirects
• How to build strong session management into your python web applications
• Preventing common vulnerabilities such as cross-site request forgery (CSRF), direct object access, and others

In this course, you will learn important concepts for secure PHP scripting. After completing this course, you will be able to use quotation marks correctly, discuss techniques for handling return codes and exceptions, canonicalize paths to identify the correct files, identify dangerous functions to avoid, apply techniques for preventing or mitigating different injection vulnerabilities, recognize that regular expressions must be handled carefully to avoid DoS attacks, and describe techniques to protect sensitive data in transit.

Topics covered:

• Key defensive coding principles such as proper session management, error handling, authentication, authorization, data storage, and use of encryption
• Avoiding and mitigating vulnerabilities such as SQL Injection (SQLi), Cross-Site Scripting (XSS), File Inclusion, Command Injection, Cross-Site Request Forgery (CSRF) and Null Byte attacks

In this secure coding course, you will learn about system configuration, injection attacks, session management, package management, and the AngularJS framework, all within the context of Node.js security.

Topics include:

• Best practices for Node.js server and system configuration
• Types of injection attacks and mitigation techniques
• Proper settings for session cookie security
• Mitigating cross-site request forgery (CSRF) attacks
• Leveraging popular static analysis tools for Node.js
• Understand why templates and expressions are vulnerable to injection
• Methods, services, elements, and parameters that should not be used with untrusted data
• Best practices for loading templates

In this secure coding course, you will learn about the impact of incorrect script development or lax security measures.

Topics include:

• Outcomes of vulnerable scripts
• Common scripting vulnerabilities such as SQL Injection (SQLi)
• Security issues related to permissions and privileges
• Impact of different types of resource

In this secure coding course, you will learn about how shell scripting languages compare with more modern interpreted languages with respect to security features, and defensive coding techniques, and dealing with common differences between platforms that can alter script behavior.

Topics incude:

• Information security principles including least privilege and defense in depth
• The importance of data validation and how to validate using input, array indices, and environment variables
• Using file system operations safely to protect
• Preventing or mitigating cached secret disclosure
• The importance of up-to-date communication security techniques
• Operating system (OS) system portability issues

In this secure coding course, you will learn about the importance of error and exception handling in shell scripts and interpreted languages such as Perl, Python, Bash and Ruby.

Topics covered:

• Techniques for handling errors and exceptions in shell scripts and interpreted languages
• Common syntax pitfalls and dangerous functions to avoid
• Techniques for preventing/mitigating different vulnerabilities including different types of injection

Perceived as being difficult to fix in comparison to other programming languages Perl is commonly known as “the duct-tape of the Internet.” This general-purpose programming language is currently being used for a wide range of tasks as it takes the best features from other languages.

In this course, you will learn about best practices for secure scripting in Perl, features of Perl’s taint mode, handling errors in Perl, protecting files, preventing format string and injection vulnerabilities, using regular expressions carefully, and protecting sensitive data in transit with Transport Layer Security (TLS).

In this secure coding course, you will learn important concepts for secure Python scripting including techniques for error and exception handling.

Topics Covered:

• Avoiding uncontrolled format string vulnerabilities
• Defending against Regular Expression Denial of Service (DoS) attacks
• Protecting sensitive data in transit
• Techniques for preventing/mitigating different vulnerabilities including different types of injection

In this secure coding course, you will learn important concepts for secure Ruby scripting, techniques for preventing/mitigating different vulnerabilities including different types of injection, and protecting sensitive data in transit.

Topics covered:

• Validating command-line parameters
• Using quotation marks correctly
• Using unmask to set default file permissions
• Protecting files and canonicalizing paths
• Defending against Regular Expression Denial of Service (DoS) attacks

Microservices have become widely popular, replacing complicated XML-based schemas and service-oriented architectures (SOA) because of the ability to create separate, well-defined, individual components within a system. By leveraging python microservices, complex applications can be broken down into these components to ease further development and deployment.

This course will provide cloud developers, python developers, and software architects with a working knowledge of possible attacks, how to secure interaction between services and an understanding of how to implement basic principles to ensure the security of python microservices.

Topics Include:

• Techniques for handling return codes and exceptions
• Canonicalizing paths to identify the correct files
• Identifying dangerous functions
• Applying techniques for mitigating injection vulnerabilities
• How to securely handle regular expressions
• How to protect sensitive data

This secure coding course covers countermeasures for security vulnerabilities on mainframe systems such as input validation, parameterized APIs, strong cryptography, and memory management issues.

Topics include:

• Identifying vulnerabilities and threats to mainframe applications and data
• Mitigating SQL injection threats using safe prepared statements and parameterized APIs
• Validating all input
• Using exec* functions instead of system functions to mitigate the risk of command injection
• Using key derivation functions to protect stored password
• Encrypting sensitive data at rest using AES-256
• Protecting sensitive data in transit with TLS
• Preventing deadlocks by using the ENQ and DEQ commands
• Avoiding manual memory management in order to prevent buffer overflow conditions

In this secure coding course, you will learn about Java’s policy-driven security model and how to leverage it to build more secure applications.

Topics include:

• Java security model components
• Functions of the Java security manager and access controller
• Java security policies and the Java security policy files

This secure coding course explores the key concepts of public key cryptography and teaches you how to use the Java keytool command-line utility for creating and managing keys and keystores.

Topics include:

• How public and private key pairs work together to encrypt and decrypt data for secure transfer and to create and verify digital signature
• Generating secure encryption keys and identifying related issues such as pseudo random number generators (PRNGs), key derivation functions, and initialization vectors
• Selecting an appropriate symmetric encryption algorithm, cipher mode, and authenticated encryption mode

In this course, you will learn about secure Java coding practices, including techniques for avoiding Denial of Service (DoS) and regular expression DoS attacks, and guidelines for secure error handling and logging. You will also become familiar with the dangers of unreleased resources, null references, and XML external entity (XXE) attacks

Topics include:

• Denial of Service and designing your application to handle or avoid such situations
• Guidelines for secure error handling and logging
• Identify the dangers of unreleased resources, null references, and XML external entity attacks

Widely adopted amongst the software development community because of the versatility it provides, securing angular applications comes with a steep learning curve. While component-based architecture is one of the key benefits of using angular, managing components can be complicated. This course is designed to develop the skills required to design, build, and maintain secure Angular applications following software assurance best practices.

Upon successful completion of this course, learners will have the knowledge and skills required to meet Secure Angular.js compliance requirements, including:

• Securing AngularJS templates to help mitigate threats from expression Injection and dynamically loading templates from untrusted sources
• Ensuring that both the server and the client cooperate to eliminate these threats and potential security issues that need to be blocked
• Implementing Content Security Policies and secure routing

This JavaScript library has become a popular choice in the market because of its ability to help solve web development challenges. The framework makes it painless to create interactive user interfaces, design simple views, and reactively update to changes. This course is designed to develop the skills required to securely build user interfaces using multiple components and implement best practices to avoid common attacks.

Upon successful completion of this course, learners will have the knowledge and skills required to meet Secure React.js User Interfaces compliance requirements, including:

• Creating secure React components
• Avoiding vulnerable third-party React component libraries
• Preventing React component injection attacks
• Using and serializing JSON

This secure operations and maintenance course introduce best practices for server hardening.

Topics Include:

• Minimizing unnecessary privileges and functionality
• Being current with dependencies and server software
• Protecting connections and data in transit

This course focuses on C-language buffers. Upon completion of this course you will learn good memory management techniques and coding best practices to help you avoid buffer & integer overflows, format string vulnerabilities, and race conditions.

Topics include:

• Mitigating buffer overflows and race conditions
• Preventing memory management, format string, injection and integer overflow vulnerabilities
• Protecting data in memory

This secure coding course focuses on memory manipulation and allocation techniques for C-language software development.

Topics include:

• Key concepts of dynamic memory management
  Common mistakes that lead to Out of Range Memory Access
• Best practices to mitigate memory management vulnerabilities
• How to ensure that “freed” or “deleted” data in memory is no longer accessible

In this secure coding course, you will review common C application vulnerabilities, how they manifest in code; as well as techniques and libraries that you can use to mitigate the risk of attack.

After completing this course, you will be able to mitigate risk from the following vulnerabilities:

• Format string attacks
• Integer overflows
• Path Traversal issues
• Command injection
• SQL injection

This secure coding course presents key concepts of public key cryptography, the risks of improper encryption, and defensive coding techniques to protect sensitive data.

Topics include:

• Generating strong encryption keys and identifying related issues such as pseudo random number generators (PRNGs), key derivation algorithms, and initialization vectors
• Selecting an appropriate symmetric encryption algorithm, cipher mode, and authenticated encryption mode
• Common libraries that support symmetric cryptography
• How public and private key pairs work together both to encrypt and decrypt data for secure transfer and to create and verify digital signatures
• Best practices to mitigate memory exposure vulnerabilities

This course provides an overview of code security issues that affect ASP.NET MVC applications. You will also understand how other vulnerabilities can be mitigated with careful and complete input validation.

After completing this course, you will be able to understand model validation and its strengths and weaknesses, understand and prevent unique attacks, such as under-posting and over-posting, and implement protective measures against SQL injection, cross-site scripting, cross-site request forgery, and malicious URL redirects.

This course teaches the fundamentals of authentication and authorization in ASP.NET Web API, and the roles they play in the OWIN pipeline.

After completing this course, you will understand:

• Web API pipeline and where each component sits on that path
• Authentication and authorization filters and the role of each in your Web API application
• Different authentication options and how to implement them in your application
• The importance of secure communication and the use of Transport Layer Security (TLS) to create secure data exchange tunnels.

In this secure coding course, you will learn how to code defensively to prevent iOS security vulnerabilities.

Topics Include:

• Mitigation approaches and Implementing Secure Coding Best Practices
• How to leverage iOS and Swift security services to mitigate threats
• Pros and Cons of Biometrics such as Touch ID and Face ID

This secure coding course describes techniques for creating secure iOS applications.

Topics include:

• Common vulnerabilities such as exposure of authentication credentials, sensitive data, and other secrets; custom URL scheme abuse; and XML eXternal Entity (XXE) Injection
• Techniques for mitigating vulnerabilities including protecting data at rest with the Data Protection and Common Crypto APIs, mitigating sensitive data exposure in background snapshots, preventing custom URL scheme abuse, and mitigating XXE Injection

In this secure coding course, you will learn how to code defensively to protect data on iOS

Topics Include:

• Protecting data in transit and at Rest
• App Transport Security (ATS and default settings
• Use of Valid Certificates and Certificate Pinning
• Using URL Loading System to establish Network Connections
• iOS Cryptography Framework and Data Protection Features

In this secure coding course, you will learn how to protect data on Android applications using Java.

Topics include:

• Protecting Data in transit using Transport Layer Security (TLS)
• Protecting Data at rest using Symmetric Key Encryption
• Using Android KeyStor to Protect Data
• Dangers of External Storage on Android

In this secure coding course, you will learn to meet Android security quality standards using Java.

Topics include:

• Restricting access to Interprocess Communications and shared data
• Applying the Principle of Least Privilege and deferring permissions
• Avoiding disclosure of sensitive data
• Reducing attack vectors for Cross-Site Scripting (XSS)
• Keeping all libraries and dependencies current

This secure coding course describes methods that will produce secure C# applications.

Topics include:

• Common security vulnerabilities such as Canonicalization Issues and Integer Overflows
• Unique features of C# and the .NET Framework that can be used to mitigate them
• Understand where and when canonicalization issues and integer overflows are likely to occur
• Avoiding common pitfalls

This secure coding course presents SQL Injection vulnerabilities and the features of the .NET Framework that can be used to mitigate them.

Topics include:

• Where and when SQL injection is likely to occur
• Avoiding common pitfalls when defending against SQL injection
• Defense-in-Depth Strategies and best practices for mitigating injection vulnerabilities

This secure coding course describes techniques to protect data both in transit and at rest in C# applications using strong cryptography.

Topics include:

• How to protect data using the Data Protection API (DPAPI)
• Avoiding common cryptographic pitfalls
• Protecting sensitive data in transit
• Alternatives to Transport Layer Security (TLS)

This secure coding course presents XML Injection vulnerabilities and the features of the .NET Framework that can be used to mitigate them.

Topics include:

• Where and when XML injection is likely to occur
• Avoiding common pitfalls when defending against XML injection
• Defense-in-Depth Strategies and best practices for mitigating injection vulnerabilities

In this secure coding course, you will learn about common client-side vulnerabilities and threats to jQuery applications, and techniques for mitigating them.

Additional topics include:

• How to implement new HTML5 security features to secure jQuery applications
• Best practices to secure local storage and implement Transport Layer Security

In this secure coding course, you will learn about security risks introduced by HTML5.

Additional topics include:

• Threats to HTML5 such as cross-site scripting (XSS), cross-site request forgery (CSRF), clickjacking, and threats to user privacy
• Secure coding techniques to mitigating HTML5 threats

This secure coding course describes important HTML5 security features and how to leverage them to produce more robust applications.

Topics include:

• Implementing Same-Origin Policy, Content Security Policy, Cross-Origin Resource Sharing, and IFrame Sandboxing
• Understanding the limitations of Same-Origin Policy
• Employing best practices to avoid common attacks on HTML5 applications

In this course, you will learn about new features that raise security issues in HTML5 forms, security issues surrounding local data storage, best practices for HTML5 connectivity with the WebSocket API and Server-ent Events, and best practices for the Web Workers, History, Geolocation, and Drag and Drop APIs.

In this course, you will learn about best practices for securing connections used by applications that leverage HTML5.

As a prime option for building android applications because of its interoperability with java code, maintainability, reliability, and ability to boost team efficiency, Kotlin is being widely adopted but comes with its own set of challenges as does any technology. This course is designed to ensure learners avoid common mistakes and pitfalls as they leverage vital features and build secure mobile applications using this general-purpose programming language.

Upon successful completion of this course, learners will have the knowledge and skills required to meet privacy compliance requirements, including:

• Enforcing secure communication by safeguarding the data that you exchange between your app and other apps, or between your app and a website, thereby improving your app’s stability and protecting the data that you send and receive.
• Using intents to defer permissions
• Storing all private user data within the device’s internal storage (which is sandboxed per app)
• Ensuring the device deletes all files when the user uninstalls an app

This secure coding course describes ways to remediate and prevent SQL Injection (SQLi) vulnerabilities in your Java application.

Topics Include:

• Identifying data types that require encryption
• Best practices for encryption methods
• Avoiding common encryption errors

This secure coding course describes ways to mitigate security risks from Path Traversal Attacks in your Java application.

Topics Include:

• Identifying Path Traversal Attacks and understanding how they work
• Normalizing, canonicalizing, and validating file paths
• Implementing countermeasures to prevent Path Traversal Attacks

This course discusses protecting data at rest and in transit in Java applications. Several code examples are provided to illustrate key concepts.

After completing this course, you will be able to protect data at rest appropriate cryptographic techniques and protect data in transit with appropriate cryptographic techniques.

Backends are designed for applications that need faster performance, large amounts of addressable memory, and continuous or long-running background processes. The versatility of Java enables developers to design and deliver the right business solutions however their efficiency requires distinctive experiencer and great expertise.

This course aims to provide software developers and DevOps Engineers with the next level understanding of best practices for developing back end frameworks using Java while developing skills necessary to handle user input and build secure systems.

Topics Include:

• The Function of OAuth2 and JWT
• How to leverage the JAAS API
• The advantages of the Spring Security framework
• Validating Length Before Applying RegEx
• Protecting  Sensitive Data in Transit Using TLS
• How to identify and protect against SQLi, HQLi, XXE, CSRF, and RegEx DoS attacks

This secure coding course describes ways to identify and prevent Information disclosure in your Java application.

Topics Include:

• Identifying common Java information disclosure issues
• Protecting Java applications through improved error messaging
• Best practices for preventing information disclosure
• Audit error handling for information disclosure vulnerability

This secure coding course describes ways to identify and prevent race conditions in your Java application.

Topics Include:

• Common Java race condition issues
• Security risks introduced by race conditions
• Secure protection of temp files
• Best practices for preventing race condition issues

This secure coding course describes ways to write code to identify and mitigate risks from integer overflows.

Topics Include:

• Common Integer Overflow security risks and prevention methods
• Precondition Testing, Upcasting, and BigInteger Objects
• Google Guava
• Common Integer Overflow Pitfalls

The OWASP API Security Top 10 defines the most critical Application Programming Interface (API) security risks and vulnerabilities, recognizing the changing security landscape as organizations embrace digital transformation. This API security course provides an understanding of API-specific issues that should be on an organization’s security radar with a focus on strategies to mitigate these unique vulnerabilities and security risks of APIs based on the crucial role they play in application architecture.

Upon successful completion of this course, learners will understand:

• The purpose and scope of the OWASP API Security Top 10
• The unique risks and attack vectors when exposing APIs to the public
• Best practices for secure coding to mitigate common API vulnerabilities
• How to eliminate or mitigate these vulnerabilities

The CSA Top 11 Threats to Cloud Computing provides guidelines on what secure practices organizations should focus on when planning and establishing cloud environments. Naturally, as more and more organizations deploy cloud-based solutions, new security risks and challenges are introduced. This course provides an understanding of cloud-based security threats organizations should consider and focuses on unique mitigation strategies that should be explored when using a cloud-based infrastructure.

Upon successful completion of this course, learners will understand:

• The purpose and scope of the CSA Top 11 Threats to Cloud Computing
• The unique risks and attack vectors of cloud environments
• Best practices for secure coding to mitigate common cloud vulnerabilities
• How to eliminate or mitigate these vulnerabilities

In this course, you will learn how to mitigate the risks associated with A03:2021 Injection, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Keep data separate from commands and queries
• Implement multi-factor authentication
• Require weak-password checks
• Limit login attempts

In this course, you will learn how to mitigate the risks associated with A07:2021 Identification and Authentication Failures, as defined by the Open Web Application Security Project (OWASP).
After completing this course, you will have the knowledge and skills required to:

• Define and identify the common types of identification and authentication errors
• Mitigate brute force and password spraying attacks while implementing techniques to limit exposure to those attacks
• Enact strong password policies, using industry best practices, to achieve optimal password strength, proper storage, and secure processes

In this course, you will learn how to mitigate the risks associated with A02:2021 Cryptographic Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand:

• The three main goals of cryptography
• How to secure data at rest and data in transit
• How to identify common cryptographic failures
• How to mitigate sensitive data exposure

In this course, you will learn how to mitigate the risks associated with A04:2021 Insecure Design, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand:

• How the secure software development lifecycle improves software security
• How to use secure design patterns
• The importance of threat modeling
• How to prevent excessive resource consumption

In this course, you will learn how to mitigate the risks associated with A01:2021 Broken Access Control, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand:

• Implement access control policies
• Assess the effectiveness of current access controls
• Employ secure coding practices to ensure users cannot act outside intended permissions

In this course, you will learn how to mitigate the risks associated with A05:2021 Security Misconfiguration, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will have the knowledge and skills required to:

• Define and identify security misconfiguration vulnerabilities
• Mitigate misconfiguration vulnerabilities using attack surface and defense-in-depth strategies
• Secure operating systems, web servers, and databases against common misconfiguration attacks

In this course, you will learn how to mitigate the risks associated with A10:2021 Server-Side Request Forgery (SSRF), as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will have the knowledge and skills required to:

• Define and identify Server-Side Request Forgery (SSRF) vulnerabilities
• Recognize the conditions that lead to SSRF vulnerabilities in web applications
• Understand the common attacks and techniques used to exploit SSRF vulnerabilities

In this course, you will learn how to mitigate the risks associated with A08:2021 Software and Data Integrity Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will have the knowledge and skills required to:

• Define and identify software and data integrity failures
• Understand the risks of serialization, deserialization, and mitigation techniques
• Protect stored data using message authentication codes and digital signatures
• Implement best practices to limit software and data integrity failures

In this course, you will learn how to mitigate the risks associated with A06:2021 Vulnerable and Outdated Components, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Monitor applications for out of date components
• Triage and apply updates for known vulnerabilities
• Apply secure coding practices over the lifetime of an application

In this course, you will learn how to mitigate the risks associated with A09:2021 Security Logging and Monitoring Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Ensure all login, access failures, and input validation failures are logged
• Implement sufficient user context to identify suspicious behavior
• Allow sufficient time so malicious accounts can be tracked for forensic analysis
• Apply best practices for secure application logging

In this course, you will learn how to mitigate the risks associated with Improper Platform Usage which might include Android intents, platform permissions, misuse of TouchID, the keychain, or some other security control that is part of the mobile operating system.

After completing this course, you will be able to:

• Identify the most common security flaws in mobile apps related to improper platform usage
• Understand how an attacker might exploit such vulnerabilities in your software
• Eliminate or mitigate exposure to these common security threats

In this course, you will learn how to mitigate the risks associated with Insecure Data Storage which includes threat agents such as an adversary that has attained a lost/stolen mobile device; malware or another repackaged app acting on the adversary’s behalf that executes on the mobile device.

After completing this course, you will be able to:

• Identify the most common security flaws in mobile apps related to insecure data storage
• Understand how an attacker might exploit such vulnerabilities in your software
• Eliminate or mitigate exposure to these common security threats

In this course, you will learn how to mitigate the risks associated with Insecure Communication which might include threat agents such as an adversary that shares local network (compromised or monitored Wi-Fi); carrier or network devices (routers, cell towers, proxy’s, etc); or malware on your mobile device.

After completing this course, you will be able to:

• Identify the most common security flaws in mobile apps related to insecure communication
• Understand how an attacker might exploit such vulnerabilities in your software
• Eliminate or mitigate exposure to these common security threats

In this course, you will learn how to mitigate the risks associated with Insecure Authentication which is typically exploited through automated attacks that use available or custom-built tools.

After completing this course, you will be able to:

• Identify the most common security flaws in mobile apps related to Insecure Authentication
• Understand how an attacker might exploit such vulnerabilities in your software
• Eliminate or mitigate exposure to these common security threats

In this course, you will learn how to mitigate the risks associated with Insufficient Cryptography which includes threat agents such as anyone with physical access to data that has been encrypted improperly, or mobile malware acting on an adversary’s behalf.

After completing this course, you will be able to:

• Identify the most common security flaws in mobile apps related to insufficient cryptography
• Understand how an attacker might exploit such vulnerabilities in your software
• Eliminate or mitigate exposure to these common security threats

In this course, you will learn how to mitigate the risks associated with Insecure Authorization which allows an adversary to execute functionality they should not be entitled to using an authenticated but lower-privilege user of the mobile app.

After completing this course, you will be able to:

• Identify best practices for implementing secure authorization for Mobile Internet of Things
• How to mitigate the threat of Insecure Authorization
• Identify and mitigate Insecure Direct Object Reference (IDOR) vulnerabilities

In this course, you will learn how to mitigate the risks associated with poor code quality, including threat agents such as entities that can pass untrusted inputs to method calls made within mobile code.

After completing this course, you will be able to:

• Identify Uncontrolled Format String and Classic Buffer Overflow
• Recognize their potential impact
• Apply coding best practices to avoid them
• Find these weaknesses in your mobile application’s source code
• Test your application to detect them

In this course, you will learn how to mitigate the risks associated with code tampering. Typically, an attacker will exploit code modification via malicious forms of the apps hosted in third-party app stores. The attacker may also trick the user into installing the app via phishing attacks.

After completing this course, you will be able to:

• Identify code tampering vulnerabilities
• Defend against code tampering attacks

In this course, you will learn how to mitigate risks associated with reverse engineering in which an attacker will typically download the targeted app from an app store and analyze it within their local environment using a suite of different tools.

After completing this course, you will be able to:

• Describe what kinds of knowledge reverse engineering may reveal to an attacker
• List mitigation techniques for reverse engineering

In this course, you will learn how to mitigate the risks associated with extraneous functionality. Typically, an attacker seeks to understand extraneous functionality within a mobile app in order to discover hidden functionality in backend systems. The attacker will typically exploit extraneous functionality directly from their own systems without any involvement by end-users.

After completing this course, you will be able to:

• Identify Extraneous Functionality
• Understand how an attacker might exploit this vulnerability in your software
• Mitigate exposure to this threat

In this course, you will learn how to mitigate the risks associated with the use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.

When you have completed this course, you will be able to:

• Identify best practices for implementing secure authentication for the Internet of Things
• Identify and mitigate password weaknesses in your applications

In this course, you will learn how to mitigate the risks associated with unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.

After you have completed this course, you will be able to:

• Identify best practices to protect network services on IoT devices, including:
  • Only open necessary ports
  • Do not overexpose ports
  • Block unusual traffic
  • Mitigate DoS vulnerabilities
  • Mitigate memory corruption vulnerabilities|Disable outdated protocols

In this course, you will learn how to mitigate the risks associated with insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.

After completing this course, you will be able to:

• Identify common threats to IoT web interfaces
• Apply best practices to mitigate these threats

In this course, you will learn how to mitigate the risks associated with a lack of ability to securely update the device. This includes lack of firmware validation on a device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

After you have completed this course, you will be able to:

• List the steps of a typical update process
• Describe how to protect update connections
• Explain how to protect the update server
• List the steps to securely sign and verify an update
• Evaluate whether Secure Boot is necessary for your device at this time
• Identify types of sensitive data that should not be included in updates
• Securely implement transport encryption for an Internet of Things (IoT) system

In this course, you will learn how to mitigate the risks associated with the use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.

After you have completed this course, you will be able to identify and mitigate threats posed by insecure and outdated components.

In this course, you will learn how to mitigate the risks associated with a user’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

After completing this course, you will learn to:

• Identify threats to personal information
• Identify ways to protect personal information

In this course, you will learn how to mitigate the risks associated with a lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.

After completing this course, you will be able to:

• Identify missing encryption
• Recognize the potential impact of this security defect
• Apply best practices to prevent insecure data transfer and storage

In this course, you will learn how to mitigate the risks associated with a lack of ability to securely update the device. This includes lack of firmware validation on a device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanism.

After completing this course, you will be able to:

• Monitor and Track Assets
• Monitor, Handle and Retain Information
• Monitor and Control System and Network Access

In this course, you will learn how to mitigate the risks associated with devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.

After you have completed this course, you will be able to understand insecure default settings and their mitigation techniques.

In this course, you will learn how to mitigate the risks associated with a lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.

After completing this course, you will be able to:

• Understand fail-safe defaults
• Use best practices for hardening

This infrastructure security course provides essential guidance on implementing specific account management security controls at the hardware and software level to facilitate compliance with applicable regulatory requirements.

Topics include:

• How to define and control network access
• Creating a separation of duties policy
• Building and managing segregation of resources strategies
• Monitoring system access
• Using digital certificates for authentication

This infrastructure security course provides guidance to system designers and developers on how to implement session management controls at the software level. These techniques enhance security of web applications and facilitates compliance with applicable regulatory requirements.

Topics include:

• Securing session identifiers
• Implementing Transport Layer Security (TLS) so sensitive data is always transmitted over secure channels
• Ensuring client browsers send cookies over HTTPS connections

This infrastructure security course teaches designers and developers how to implement software-level access controls on mobile devices to mitigate threats, protect privacy, and comply with applicable regulatory requirements.

Topics include:

• Identifying threats to mobile devices
• The importance of protecting user privacy and confidentiality
• Methods for encrypting data at rest and data in transit
• Implementing application code signing to ensure software integrity

This infrastructure security course trains program managers, system designers, and developers on proper security practices for defining and implementing IT system configuration management.

Topics include:

• Key configuration practices and configuration change control
• Security impact analysis
• Access restrictions for change
• Principle of least functionality
• Information system component inventory

This infrastructure security course provides essential guidance on information system risk assessment techniques. Individuals responsible for information systems, IT security, risk management, or oversight responsibilities will find this course valuable. It teaches how to define and manage the purpose, scope, roles, and coordination among organizational entities to help ensure appropriate risk assessment and compliance with applicable regulatory requirements.

Topics include:

• Security categorization
• Risk assessment
• Vulnerability scanning
• The system development lifecycle
• Security engineering principles
• Developer security testing and evaluation
• Development process, standards, and tools
• Developer security architecture and design
• Component authenticity

This infrastructure security course provides essential guidance to program managers, system designers and developers on how to identify systems affected by software flaws, assess potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel.

Topics  include:

• Flaw remediation
• Malicious code protection
• Information system monitoring
• Software, firmware, and information integrity
• Information input validation
• Error handling
• Information handling and retention
• Information output filtering
• Memory protection

This infrastructure security course provides training to individuals with information security implementation and operational responsibilities for developing and disseminating an organization-wide security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance mapping.

Topics include:

• Establishing rules of behavior
• Security concept of operations
• Personnel security policies and procedures
• Position risk designations
• Personnel screening
• Access agreements

This infrastructure security course provides essential guidance to individuals with information security implementation and operational responsibilities on how to build and communicate an information security program plan to facilitate compliance with applicable regulatory requirements.

Topics include:

• Identifying information security resources
• Performing an information system inventory
• Creating a critical infrastructure plan
• Risk management strategy
• Insider threat program
• Training and developing contacts with security groups and associations

This infrastructure security course teaches incident response policy development and the associated controls to help ensure appropriate communication and action throughout your organization.

Topics include:

• Incident response testing
• Incident handling
• Incident monitoring
• Incident reporting

This infrastructure security course trains information system owners, system administrators, and information system security officers on how to build and communicate effective audit policies and controls.

Topics include:

• Documenting security audits
• Implementing audit controls
• Using audit tools
• Generating audit reports

This infrastructure security course provides guidance for developing and implementing personnel security policies and associated controls to help ensure appropriate screening, on-boarding, and off-boarding of staff.

Topics include:

• Position risk designation
• Personnel screening and termination
• Personnel transfer and access agreement

This infrastructure security course teaches those responsible for information security how to develop identification and authentication policy and controls. The course spans personnel, devices, and information systems.

Topics include:

• Identification and authentication of users inside and outside your organization
• Device identification and authentication
• Identifier management
• Authenticator management and feedback
• Cryptographic module authentication
• Service identification and authentication
• Adaptive identification and authentication
• Processes for re-authentication

This infrastructure security course educates those responsible for developing physical and environmental protection policies how to create effective controls and comply with applicable regulatory requirements.

Topics include:

• Physical access authorizations and control
• Access control for transmission medium and output devices
• Monitoring physical access
• Information leakage, asset monitoring and tracking

This infrastructure security course provides direction to program managers, system designers, developers, information security engineers, and systems integrators responsible for new information systems development or systems undergoing major upgrades.

Topics include:

• System development life cycle
• Developer security testing and evaluation
• Development process, standards, and tools
• Developer security architecture
• Design and component authenticity

This infrastructure security course imparts guidance to system designers and developers on implementing specific security controls at the software level to protect applications and comply with applicable regulatory requirements.

Topics include:

• Implementing defense-in-depth
• Separation of system and user functionality
• Securing components
• Validating input
• Encoding output

This infrastructure security course delivers training to personnel in information systems, information security, systems design, software development, and IT operations on essential data security techniques. Focus is primarily on cryptographic controls at the information systems level and compliance with applicable regulatory requirements.

Topics include:

• Asymmetric key algorithms
• Using hash functions to protect data integrity
• Proper password storage for authentication purposes
• Encrypting file transfers and downloads
• Adding salt values before hashing
• Using Certificate Authorities

This infrastructure security course offers guidance to individuals with information security implementation and operational responsibilities for developing system maintenance procedures and controls.

Topics include:

• Controlled maintenance
• Maintenance tools
• Non-local maintenance
• Timely maintenance

This infrastructure security course describes the development and dissemination of an organization-wide information media protection policy that addresses scope, roles, responsibilities, and coordination among organizational entities to facilitate compliance with applicable regulatory requirements.

Topics include:

• Best practices for media protection
• Controls for marking, storage, and transport of media
• Media sanitization and downgrading

The MiTRE ATT& CK Framework is a knowledge base of globally observed adversary tactics and techniques. This course provides an understanding of behaviors that may be used for developing threat models, mapping threats, classifying attacks, or training both red and blue teams.

Topics Include:

• The purpose of the ATT&CK Framework
  Structures, tactics, and techniques within the framework
• Using the ATT&CK Framework to detect and analyze threats
• Mitigation best-practices for preventing attacks

This course introduces you to the Integration and Testing phases of the software development lifecycle, including the roles of Code Review, Fault Injection, Vulnerability Scanning, Penetration Testing, and Static Analysis.

Topics Include:

• Pros and cons of performing a code review
• Resources available when conducting a code review
• Identifying vulnerabilities that may have been missed by other secure testing techniques
• Utilizing fault injection
• Vulnerability Scanning and Penetration Testing
• Pros and cons of static analysis

Proactive cyber threat hunting tactics have evolved to use new threat intelligence on previously collected data to identify and categorize potential threats in advance of attack. Learn to leverage NIST and MITRE ATT&CK security frameworks to protect your organization against cyber-attacks.

After completing this course, learners should have the knowledge and skills needed to understand:

• Basics of Cyber Threat Hunting & Threat Analytics
• Evolution of Cyber Threat Hunting as a Domain of Practice
• How Threat Hunting fits into the cyber risk management lifecycle
• Tactics, Techniques, Procedures, and the MITRE ATT&CK Framework
• Practical “Starting Points” for building a Cyber Threat Hunting Program

As hackers continue to evolve their techniques organizations must train their employees to test their defenses through various penetration techniques. This course introduces common activities performed during the process of Ethical Hacking and provides a basic foundation of common attack techniques and examples of hacking tools.

Topics Include:

• Understanding authorization and scope that define ethical hacking
• Implementing the penetration testing process
• Fundamentals of attacker techniques and the ATT& CK framework
• An overview of hacking skills and tools knowledge domain

This course explains how software developers and testers can determine if their web applications are vulnerable to A03:2021 Injection, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Keep data separate from commands and queries
• Implement multi-factor authentication
• Require weak password checks
• Limit login attempts

This course explains how software developers and testers can determine if their web applications are vulnerable to A07:2021 Identification and Authentication Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Use secure coding best practices to confirm user identity
• Implement strong authentication mechanisms
• Protect user sessions and session data

This course explains how software developers and testers can determine if their web applications are vulnerable to A02:2021 Cryptographic Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Identify common cryptographic failures
• Mitigate sensitive data exposure
• Define your organization’s cryptography environment and testing methods
• Apply best practices and ensure compliance

This course explains how software developers and testers can determine if their web applications are vulnerable to A04:2021 Insecure Design, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to test for failures with common secure design issues, including:

• The secure software development lifecycle
• Using secure design patterns
• Performing threat modeling
• Preventing excessive resource consumption

This course explains how software developers and testers can determine if their web applications are vulnerable to A01:2021 Broken Access Control, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Identify common access control flaws
• Mitigate access control failures
• Define mitigation measures to protect against broken access control
• Apply best practices and ensure compliance

This course explains how software developers and testers can determine if their web applications are vulnerable to A05:2021 Security Misconfiguration, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to:

• Identify common vulnerabilities caused by security misconfiguration
• Develop and implement an effective testing strategy to evaluate attack surfaces
• Conduct manual and automated tests against insecure installation processes
• Identify targeted operating systems, web servers, and databases

This course explains how software developers and testers can determine if their web applications are vulnerable to A10:2021 Server-Side Request Forgery (SSRF), as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will have the knowledge and skills required to:

• Recognized user input potentially exploitable for executing SSRF attacks
• Exploit SSRF vulnerabilities, mapping normally unreachable networks
• Understand how to bypass detection and validation code
• Gain access to cloud metadata

This course explains how software developers and testers can determine if their web applications are vulnerable to A08:2021 Software and Data Integrity Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will have the knowledge and skills required to:

• Understand and Identify software and data integrity failures
• Know the risks of deserialization vulnerabilities and how to test for them
• Protect stored data using message authentication codes and digital signatures
• Implement best practices to limit software and data integrity failures

This course explains how software developers and testers can determine if their web applications are vulnerable to A06:2021 Vulnerable and Outdated Components, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to test your application for flaws related to known insecure components and apply mitigation measures to protect against them.

This course explains how software developers and testers can determine if their web applications are vulnerable to A09:2021 Security Logging and Monitoring Failures, as defined by the Open Web Application Security Project (OWASP).

After completing this course, you will understand how to test your application for insufficient logging and monitoring flaws and apply mitigation measures to protect against them.

An integer overflow or wraparound may often be intended behavior; however, it can also introduce other weaknesses and security consequences. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-190 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Techniques for finding Integer Overflow issues through code review
• Application of secure coding best practices to prevent these attacks
• Testing to detect Integer Overflow or Wraparound

Many file operations are intended to take placed within a restricted directory, however, the software does not properly neutralize special elements within a pathname which results in various security consequences. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-22 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Techniques for finding path traversal issues through code review
• Application of secure coding best practices to prevent these attacks
• Testing to detect this security weakness

Cross-Site Request Forgery (CSRF) occurs when a web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-352 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Techniques for finding CSRF issues through code review
• Application of secure coding best practices to prevent these attacks
• Testing to detect this security weakness

Unrestricted Upload of File with Dangerous Type vulnerabilities allows attackers to upload malicious code. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-434 by the 2021 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Techniques for finding Unrestricted Upload vulnerabilities in an application source code
• Application of secure coding best practices to prevent these attacks
• Testing to detect this security weakness

The use of insecure settings for access permissions allows attackers to perform unauthorized access either to some part of the system or to an application-controlled resource. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-732 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Techniques for finding Incorrect Permission Assignment for critical
  resource in an application source code
• Application of secure coding best practices to prevent these attacks
• Testing to detect this security weakness

Applications that use authentication need a method for storing credentials that is secure because when a hacker recovers credentials, they can use them to authenticate with the application or to access external services. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-798 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Techniques for finding Hard-Coded credentials in source code
• Application of secure coding best practices to prevent these attacks
• Testing to detect this security weakness

When user input can influence dynamically generated code to influence program flow or execute arbitrary code the attack is often referred to as code injection. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-94 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Understanding various forms of this attack and their similarities
• Techniques for finding Hard-Coded credentials in source code
• Application of mitigation techniques for limiting the impact
• Leveraging various tools used to test for code injection vulnerabilities

Much of the security we rely upon at some point comes down to the passwords we use to authenticate an application. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-522 by the 2020 CWE Top 25.

Topics include:

• Understanding the applicability and impact of this weakness in depth
• Using appropriate security mechanism to protect credentials
• Applying methods of prevention, testing, and mitigation to defend against Insufficiently Protected Credentials

Out-of-bounds Read is a security defect that can allow attackers to read sensitive information from other memory locations or cause a crash. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-125 by the 2020 CWE Top 25.

Topics include:

• Identifying Out-of-bounds Read errors
• Recognizing the impact of this vulnerability
• Application of secure coding best practices
• Testing to detect errors

Out-of-bounds Write can result in corruption of data, a crash, or code execution. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-787 by the 2020 CWE Top 25.
Topics include:

• Identifying Out-of-bounds Write errors
• Recognizing the impact of this vulnerability
• Application of secure coding best practices
• Testing to detect errors

Uncontrolled Resource consumption occurs when software does not properly control the allocation and maintenance of limited resources such as memory, file system storage, database connection pool entries, and CPU. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-400 by the 2020 CWE Top 25.

Topics include:

• Identifying Uncontrolled Resource Consumption
• Recognizing the impact of this vulnerability
• Application of secure coding best practices
• Testing to detect this vulnerability

Improper Privilege Management occurs when software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-269 by the 2020 CWE Top 25.

Topics include:

• Identifying main threats that lead to abusing the privilege
• Recognizing the impact of this vulnerability
• Best practices for defending against unmanaged privileges
• Testing to detect Improper Privilege Management

Input validation is used to check potentially dangerous inputs but when software does not validate this input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-20 by the 2020 CWE Top 25.

Topics include:

• Identifying malicious input
• Recognizing the impact of this vulnerability
• Strategies for defending against Improper Input Validation
• Testing for Improper Input Validation weaknesses

Improper Restriction of Operations within the Bounds of a Memory Buffer allows attackers to execute arbitrary code, alter the intended control flow, read sensitive information, or cause a system to crash. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-119 by the 2020 CWE Top 25.

Topics include:

• Identifying Out of Range Memory Access errors
• Recognizing the impact of this vulnerability
• Applying preventative measures to avoid this weakness
• Common code mitigation strategies
• Using a multi-pronged approach to test for Improper Restriction of Operations with the Bounds of a Memory Buffer

NULL pointer dereferences issues can occur through a number of flaws, including race conditions and simple programming omissions. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-476 by the 2020 CWE Top 25.

Topics include:

• Recognizing the impact of this vulnerability
• Defending Against NULL Pointer Dereference
• Best practices for preventing NULL Pointer Dereference
• Testing techniques for spotting NULL Pointer Dereference
• Mitigation strategies for this weakness

The use of previously-freed memory can have any number of adverse consequences, but these errors have two common and sometimes overlapping causes. This course introduces ways to identify and mitigate this security weakness, referenced as CWE-416 by the 2020 CWE Top 25.

Topics include:

• Identification of Use After Free Errors
• Recognizing the impact of this vulnerability
• Defending against Use After Free weaknesses
• Methods of Prevention
• Testing techniques for spotting Use After Free
• Secure coding best practices for mitigating this vulnerability

This course introduces security testing concepts and processes that will help testers/QA teams analyze an application from a security perspective to conduct more effective security testing.

Topics include:

• Classes of security vulnerabilities and testing approaches that target them
• Manual and automated test techniques
• Identifying common security issues
• Threat modeling, approaches and how they apply to the design phase of the SDLC
• Vulnerability scanning, penetration testing, static analysis, and code review

Serving as a comprehensive way of testing for cybersecurity vulnerabilities Penetration Testing provides insight into a network, application, device, and/or physical security through the lens of an attacker to discover weaknesses and identify areas of improvement within your security posture. This course introduces concepts of penetration testing and provides an understanding of the stages of penetration testing as they relate to industry standards.

After completing this course, you will be able to:

• Conduct penetration testing according to an industry-standard methodology
• Identify the steps in a typical penetration testing process

Performing vulnerability scans is a necessary first step to evaluating the security of an organization’s network and helping protect organizational data and assets; this includes assessing, mitigating, and reporting on any security vulnerabilities that exist in an organization’s systems and software.

Topic includes:

• Enumerating Platforms, Software Flaws, and improper configurations
• Formatting Checklists and test procedures
• Measuring vulnerability impact
• Analyzing vulnerability scan reports and results from security control assessments

Ensuring developers understand application security needs can be overwhelming, but leveraging OWASP ASVS organizations can test and prove applications meet specific levels of security. This course is designed to equip Privacy and Cybersecurity Management with the knowledge required to provide development teams with a basis for testing web application technical security controls and a list of requirements for secure development in adherence to the Application Security Verification Standard (ASVS) 3.0 standard.

Upon successful completion of this course, learners will have the knowledge and skills required to meet ASVS compliance requirements, including:

• Using the ASVS to audit applications and to establish both internal and procurement metrics
• Understanding the role of ASVS Levels and Threat profiles
• Providing the necessary guidance and training to ensure your organization meets ASVS requirements.

Reliance on IT systems, regulatory compliance, and the evolving cyberthreat landscape are key indicators of the importance of Infrastructure penetration testing. Infrastructure Penetration tests can help inform cybersecurity strategies, validate existing security controls, and identify weaknesses in need of improvement. This course provides learners with the skills and knowledge necessary to perform penetration tests that simulate how attackers might attempt to compromise the organization’s infrastructure.

After completing this course you will be able to:

• Perform pretest identification of potential vulnerabilities based on pretest analysis
• Leverage automated scanning tools
• Establish a baseline indication of the potential attack surface of the environment
• Interpret the results of automated tools to determine what additional testing is needed
• Perform host discovery, port scanning, and network segmentation checks
• Analyze the results of the penetration test are then compiled into a report

Applications store, process, and transmit data making them susceptible and vulnerable to hackers who can identify and exploit vulnerabilities. Penetration testing of these applications acts as a safeguard to reduce vulnerabilities and attack surface. This course provides learners with the skills and knowledge necessary to perform penetration tests that simulate how attackers might attempt to compromise the software applications.

After completing this course you will be able to:

• Conduct planning and reconnaissance
• Scan to understand how the target application will respond to various intrusion attempts
• Gain access using web application attacks, such as cross-site scripting, SQL injection, and backdoors, to uncover a target’s vulnerabilities
• Maintain access to determine if the vulnerability can be used to achieve a persistent presence in the exploited system
• Analyze the results of the penetration test are then compiled into a report

Google Cloud Platform (GCP) offers many security features/services under a shared-responsibility model. Still, there are numerous ways an external attacker can gain access to your cloud environments, thus driving the need for in-depth assessments. This course covers the fundamentals of Penetration Testing within Google Cloud Platform for common GCP vulnerabilities and misconfigurations that can leave your cloud environments exposed.

After completing this course, you will be able to:

• Prepare, plan, and conduct penetration testing in accordance with industry-standard methodologies
• Identify general cloud attack vectors as well as recognize weaknesses specific to the Google Cloud Platform
• Use standard tools, techniques, and open-source software for testing Google Cloud Platform resources
• Create and implement a plan for securing the cloud-based on industry best practices

Amazon Web Services (AWS) offers a range of cloud hosting services, but AWS only permits security testing of user-operated services. Performing a penetration test in AWS requires adequate planning and expert knowledge of how AWS methodologies differ from traditional pen testing and what can be performed. This course covers the fundamentals of penetration testing within Amazon Web Services. It provides an understanding of how to evaluate AWS cloud services and the types of tools and tests permitted.

After completing this course, you will be able to:

• Prepare, plan, and conduct penetration testing in accordance with industry-standard methodologies
• Identify general cloud attack vectors as well as recognize weaknesses specific to the AWS cloud platform
• Use common tools, techniques, and open-source software for testing AWS resources
• Create and implement a plan for securing the cloud based on industry best practices

Conducting penetration testing of assets such as web applications, networks, and network devices in the Azure environment requires knowledge of Microsoft Azure methodologies and the common types of penetration tests allowed. This course covers the fundamentals of penetration testing within the Azure cloud while explaining how to evaluate Azure services and ensure your Azure cloud infrastructure is designed and configured according to best practices.

After completing this course, you will be able to:

• Prepare, plan, and conduct penetration testing in accordance with industry-standard methodologies
• Identify general cloud attack vectors as well as recognize weaknesses specific to the Azure cloud platform
• Use standard tools, techniques, and open-source software for testing Azure resources
• Create and implement a plan for securing the cloud-based on industry best practices

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. However, flaws in TLS protocol include weak cryptographic primitives, or specific implementation errors, cross-protocol vulnerabilities, or any combination of each. This course teaches how to identify vulnerabilities, detecting acceptance of unencrypted connections, and testing configurations.

After completing this course, you will be able to:

• Identify typical TLS misconfiguration vulnerabilities
• Detect network services accepting unencrypted connections
• Test web server TLS configuration

Stemming from improperly sanitized or completely unsensitized input injection flaws allow attackers to relay malicious code through an application to another system. This course teaches how to identify and test for these vulnerabilities within your code.

After completing this course, you will be able to:

• Identify common injection vulnerabilities
• Test for command injection vulnerabilities
• Detect code and XML injection vulnerabilities
• Exploit command and code injection vulnerabilities

Used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution SQL Injection allows attackers to conduct a number of malicious activities to data including but not limited to becoming administrators of the database server. This course teaches how to identify, test, and exploit these vulnerabilities.

After completing this course, you will be able to:

• Test for the presence of SQL Injection vulnerabilities
• Exploit SQL Injection vulnerabilities
• Identify the common tools and techniques used to exploit SQL Injection vulnerabilities

Occurring when the contents of a memory location are modified due to programmatic behavior that exceeds the intention of the original programmer or program/language constructs. This type of programming error can lead to a program crash or strange and bizarre program behavior. This course teaches how to identify, test, and exploit these vulnerabilities.

After completing this course, you will be able to:

• Identify common memory corruption vulnerabilities
• Test for buffer overflows + Exploit known memory corruption vulnerabilities
• Understand advanced techniques for finding memory corruption vulnerabilities

Authorization is the process of enforcing policies; determining what types of qualities of activities, resources, or services a user is permitted. Authorization vulnerabilities include forceful browsing and privilege escalation. This course teaches how to identify, test, and exploit these vulnerabilities.

After completing this course, you will be able to:

• Identify common authorization vulnerabilities
• Test application access controls
• Exploit authorization vulnerabilities

Cross-site Scripting (XSS) is a client-side code injection attack where the attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. This course teaches how to identify, test, and exploit these vulnerabilities.

After completing this course, you will be able to:

• Define the types of Cross-Site Scripting vulnerabilities
• Test applications for Cross-Site Scripting vulnerabilities
• Exploit Cross-Site Scripting vulnerabilities

All modern applications rely on certain secrets to run from database connection strings to API keys or cryptographic keys. Keeping these secrets is critical to the security of the application as they typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the software administrator. This course teaches how to identify and test for the use of hard-coded credentials.

After completing this course, you will be able to:

• Determine whether an application contains hard-coded authentication credentials
• Determine whether an application contains hard-coded cryptographic keys
• Find plain-text secrets in application binaries
• Find leaked secrets in code repositories
• Identify techniques for advanced testing of application code for the presence of hard-coded secrets

Wireless networks have security issues that are vulnerable to various attacks. Organizations need to proactively search out any weakness in security if they are to avoid unauthorized access to network resources and data leakage. This course introduces tools and techniques while teaching how to Identify and test for common attacks.

After completing this course, you will be able to:

• Test for the presence of unauthorized wireless networks
• Identify common attacks on wireless networks
• Identify the common tools and techniques for testing wireless networks

Essential to every organization; Infrastructure penetration testing provides an opportunity to know about the current situation of a company and analyze existing potential breach points. The process includes all internal computer systems, associated external devices, internet networking, cloud, and virtualization testing. This course teaches how to perform Network Infrastructure penetration tests, perform necessary scans, and test controls.

After completing this course, you will be able to:

• Perform network-layer penetration tests
• Test network segmentation controls
• Perform a network scan to discover active devices
• Perform a port scan on a host to identify exposed network services

Building authentication and session management schemes correctly is a difficult task often presenting flaws that may equally difficult to Identify. Common authentication attacks consist of brute force, insufficient authentication, and weak password recovery validation. These types of attacks target and attempt to exploit the authentication process a web site uses to verify the identity of a user, service, or application. This course teaches how to execute attacks, identify vulnerabilities, and verify controls.

After completing this course, you will be able to:

• Identify common authentication vulnerabilities
• Verify authentication controls
• Execute dictionary attacks

The Defending Java Applications Against Credentials in Code Medium lab assesses the learner’s ability to fix code that contains unprotected credentials such as a password or cryptographic key.

After completing this lab, they will understand how to avoid exposing credentials in code medium.

The Defending Python Applications Against Credentials in Code Medium lab assesses the learner’s ability to fix code that contains unprotected credentials such as a password or cryptographic key.

After completing this lab, they will understand how to avoid exposing credentials in code medium.

The Defending Node.js Applications Against Credentials in Code Medium lab assesses the learner’s ability to fix code that contains unprotected credentials such as a password or cryptographic key.

After completing this lab, they will understand how to avoid exposing credentials in code medium.

The Defending C# Applications Against Credentials in Code Medium lab assesses the learner’s ability to fix code that contains unprotected credentials such as a password or cryptographic key.

After completing this lab, they will understand how to avoid exposing credentials in code medium.

The Defending Java Applications Against Business Logic Error for Input Validation lab assesses the learner’s ability to fix business logic errors that leave your application vulnerable to manipulation by attackers.

After completing this lab, the learner will understand how to fix business logic code errors in Java Applications that may leave your application vulnerable to manipulation by attackers.

The Defending Python Applications Against Business Logic Error for Input Validation lab assesses the learner’s ability to fix business logic errors that leave your application vulnerable to manipulation by attackers.

After completing this lab, the learner will understand how to fix business logic code errors in Python Applications that may leave your application vulnerable to manipulation by attackers.

The Defending Node.js Applications Against Business Logic Error for Input Validation lab assesses the learner’s ability to fix business logic errors that leave your application vulnerable to manipulation by attackers.

After completing this lab, the learner will understand how to fix business logic code errors in Node.js Applications that may leave your application vulnerable to manipulation by attackers.

The Defending C# Applications Against Business Logic Error for Input Validation lab assesses the learner’s ability to fix business logic errors that leave your application vulnerable to manipulation by attackers.

After completing this lab, the learner will understand how to fix business logic code errors in C# Applications that may leave your application vulnerable to manipulation by attackers.

Inclusion of Sensitive Information in source code comments is a type of vulnerability that allows malicious actors who are able to view the source code to recover that sensitive information, such as credentials or information about the infrastructure, and leverage it for attacks. This lab involves mitigating the issue in vulnerable code that contains authentication credentials.

In this lab, the learner will use an IDE to fix a Hard-coded Secret vulnerability in the code of a static web page without making any unnecessary changes to the code or the system.

This lab simulates an Injection vulnerability found in the Gold Standard Cyber Range. The challenge includes a Web App developed in C# that fails to implement the security principle of “Establish Secure Defaults”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input and improper use of user input in SQL statements”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep C# applications safe
• Demonstrate the skills needed to discover and exploit SQL Injection attacks
• Fix a vulnerable SQL query in C#

This lab simulates an Injection vulnerability found in the Gold Standard Cyber Range. The challenge includes a Web App developed in Python that fails to implement the security principle of “Establish Secure Defaults”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input and improper use of user input in SQL statements”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep Python applications safe
• Demonstrate the skills needed to discover and exploit SQL Injection attacks
• Fix a vulnerable SQL query in Python

This lab simulates an Injection vulnerability found in the Gold Standard Cyber Range. The challenge includes a Web App developed in Node.js that fails to implement the security principle of “Establish Secure Defaults”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input and improper use of user input in SQL statements”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep Node.js applications safe
• Demonstrate the skills needed to discover and exploit SQL Injection attacks
• Fix a vulnerable SQL query in Node.js

The Defending Java Applications Against Forceful Browsing lab assesses the learner’s ability to fix code that does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

After completing this lab, the learner will understand how to fix Java Forceful Browsing that may leave your application vulnerable to manipulation by attackers.

The Defending Python Applications Against Forceful Browsing lab assesses the learner’s ability to fix code that does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

After completing this lab, the learner will understand how to fix Python Forceful Browsing that may leave your application vulnerable to manipulation by attackers.

The Defending Node.js Applications Against Forceful Browsing lab assesses the learner’s ability to fix code that does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

After completing this lab, the learner will understand how to fix Node.js Forceful Browsing that may leave your application vulnerable to manipulation by attackers.

The Defending C# Applications Against Forceful Browsing lab assesses the learner’s ability to fix code that does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

After completing this lab, the learner will understand how to fix C# Forceful Browsing that may leave your application vulnerable to manipulation by attackers.

The Defending Against Weak Encryption Mode lab assesses the learner’s understanding of using secure encryption modes. After completing this lab, the learner will understand how to use secure encryption modes.

The Defending Against Weak PRNG lab assesses the learner’s understanding of using cryptographically strong Pseudo-Random Number Generators. After completing this lab, the learner will understand how to use cryptographically strong Pseudo-Random Number Generators.

This lab simulates a cross-site scripting vulnerability that can be found in an online banking application built using Java which fails to validate input and encode output. Using Visual Studio Code participants will determine whether the data is correctly encoded for the context in which it will appear in web application output. The objective of this lab is to find the cross-site scripting (XSS) vulnerability found in this Java web application and fix the issue.

Upon completion of this lab participants will:

• Apply strategic principles to keep web applications safe
• Demonstrate the skills needed to discover and exploit cross-site scripting attacks
• Fix a cross-site scripting vulnerability in Java

This lab simulates a cross-site scripting vulnerability that can be found in an online banking application built using Python which fails to validate input and encode output Using Visual Studio Code participants will determine whether the data is correctly encoded for the context in which it will appear in web application output. The objective of this lab is to find the cross-site scripting (XSS) vulnerability found in this Python web application and fix the issue.

Upon completion of this lab participants will:

• Apply strategic principles to keep web applications safe
• Demonstrate the skills needed to discover and exploit cross-site scripting attacks
• Fix a cross-site scripting vulnerability in Python

This lab simulates a cross-site scripting vulnerability that can be found in XYZ Range. Using Visual Studio Code participants will determine whether the data is correctly encoded for the context in which it will appear in web application output. The objective of this lab is to find the cross-site scripting (XSS) vulnerability found in this C# application and fix the issue.

Upon completion of this lab participants will:

• Apply strategic principles to keep web applications safe
• Demonstrate the skills needed to discover and exploit cross-site scripting attacks
• Fix a cross-site scripting vulnerability in C#

This lab simulates a cross-site scripting vulnerability that can be found in an online banking application built using Node.js which fails to validate input and encode output. Using Visual Studio Code participants will determine whether the data is correctly encoded for the context in which it will appear in web application output. The objective of this lab is to find the cross-site scripting (XSS) vulnerability found in this TECHNOLOGY web application and fix the issue.

Upon completion of this lab participants will:

• Apply strategic principles to keep web applications safe
• Demonstrate the skills needed to discover and exploit cross-site scripting attacks
• Fix a cross-site scripting vulnerability in Node.js

The Defending Against Parameter Tampering lab assesses the learner’s understanding of user authorization to prevent Parameter Tampering vulnerabilities. After completing this lab, the learner will understand how to use authorization to prevent Parameter Tampering vulnerabilities.

The Defending Against Plaintext Password Storage lab assesses the learner’s understanding of protecting stored authentication credentials. After completing this lab, the learner will understand how to protect stored authentication credentials.

The Defending Against Sensitive Information in Error Messages lab assesses the learner’s ability to prevent disclosing sensitive information in error messages.

In this lab the learner will fix a vulnerability that discloses sensitive information in error messages. The lab features an authentication page that discloses whether a specific username is valid or not when invalid authentication credentials are provided, thus allowing valid username enumeration.

This lab simulates a SQL Injection vulnerability that can be found in Shadow Bank which fails to validate input and consists of improper use of user input in SQL statements. Using Visual Studio Code participants will determine if the generated SQL query can be exploited. The objective of this lab is to fix the SQL Injection vulnerability found in this Java application and fix the issue.

Upon completion of this lab participants will:

• Apply strategic principles to keep Java applications safe
• Demonstrate the skills needed to discover and exploit SQL Injection attacks
• Fix a vulnerable SQL query in Java

The Defending Against Weak Encryption Mode lab assesses the learner’s understanding of using secure encryption modes. After completing this lab, the learner will understand how to use secure encryption modes.

The Defending Against Weak PRNG lab assesses the learner’s understanding of using cryptographically strong Pseudo-Random Number Generators. After completing this lab, the learner will understand how to use cryptographically strong Pseudo-Random Number Generators.

This lab simulates a Weak File Upload Validation vulnerability found in the LetSee Cyber Range. The challenge includes a Web App developed in Java that fails to implement the security principle of “Validate all Untrusted Input Before Using”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input in file upload”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep Java applications safe
• Demonstrate the skills needed to discover XXE attacks
• Fix XXE vulnerabilities in Java

This lab simulates a Weak File Upload Validation vulnerability found in the LetSee Cyber Range. The challenge includes a Web App developed in C# that fails to implement the security principle of “Validate all Untrusted Input Before Using”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input in file upload”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep C# applications safe
• Demonstrate the skills needed to discover XXE attacks
• Fix XXE vulnerabilities in C#

This lab simulates a Weak File Upload Validation vulnerability found in the LetSee Cyber Range. The challenge includes a Web App developed in Node.js that fails to implement the security principle of “Validate all Untrusted Input Before Using”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input in file upload”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep Node.js applications safe
• Demonstrate the skills needed to discover XXE attacks
• Fix XXE vulnerabilities in Node.js

This lab simulates a Weak File Upload Validation vulnerability found in the LetSee Cyber Range. The challenge includes a Web App developed in Python that fails to implement the security principle of “Validate all Untrusted Input Before Using”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to validate input in file upload”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep Python applications safe
• Demonstrate the skills needed to discover XXE attacks
• Fix XXE vulnerabilities in Python

This lab simulates a Security Misconfiguration vulnerability found in the DigiExchange Cyber Range. The challenge includes a Web App developed in Java that fails to implement the security principle of “Validate all Untrusted Input Before Using”.

Using Visual Studio Code, participants will analyze code to identify and mitigate instances of “Failure to universally validate policy constraints”. The objective of this lab is to find the vulnerable code and fix the weakness.

Upon completion of this lab participants will:

• Apply strategic principles to keep Java applications safe from security misconfiguration
• Demonstrate the skills needed to discover security misconfiguration
• Fix security misconfiguration in Java

The Defending Against Plaintext Password Storage lab assesses the learner’s understanding of protecting stored authentication credentials. After completing this lab, the learner will understand how to protect stored authentication credentials.

The Defending Against Weak Encryption Mode lab assesses the learner’s understanding of using secure encryption modes. After completing this lab, the learner will understand how to protect stored authentication credentials.

The Defending Against Weak PRNG lab assesses the learner’s understanding of using cryptographically strong Pseudo-Random Number Generators. After completing this lab, the learner will understand how to use cryptographically strong Pseudo-Random Number Generators.

The Defending Against Parameter Tampering lab assesses the learner’s understanding of user authorization to prevent Parameter Tampering vulnerabilities. After completing this lab, the learner will understand how to use authorization to prevent Parameter Tampering vulnerabilities.

The Defending Against Plaintext Password Storage lab assesses the learner’s understanding of protecting stored authentication credentials. After completing this lab, the learner will understand how to protect stored authentication credentials.

The Defending Against Parameter Tampering lab assesses the learner’s understanding of user authorization to prevent Parameter Tampering vulnerabilities. After completing this lab, the learner will understand how to use authorization to prevent Parameter Tampering vulnerabilities.

The Defending Against Plaintext Password Storage lab assesses the learner’s understanding of protecting stored authentication credentials. After completing this lab, the learner will understand how to protect stored authentication credentials.

The Defending Against Weak Encryption Mode lab assesses the learner’s understanding of using secure encryption modes. After completing this lab, the learner will understand how to use secure encryption modes.

The Defending Against Weak PRNG lab assesses the learner’s understanding of using cryptographically strong Pseudo-Random Number Generators.

After completing this lab, the learner will understand how to use cryptographically strong Pseudo-Random Number Generators.

The Defending Against Parameter Tampering lab assesses the learner’s understanding of user authorization to prevent Parameter Tampering vulnerabilities. After completing this lab, the learner will understand how to use authorization to prevent Parameter Tampering vulnerabilities.

The Defending Against Sensitive Information in Error Messages lab assesses the learner’s ability to prevent disclosing sensitive information in error messages.

In this lab the learner will fix a vulnerability that discloses sensitive information in error messages. The lab features an authentication page that discloses whether a specific username is valid or not when invalid authentication credentials are provided, thus allowing valid username enumeration.

The Defending Against Sensitive Information in Error Messages lab assesses the learner’s ability to prevent disclosing sensitive information in error messages.

In this lab the learner will fix a vulnerability that discloses sensitive information in error messages. The lab features an authentication page that discloses whether a specific username is valid or not when invalid authentication credentials are provided, thus allowing valid username enumeration.

The Defending Against Sensitive Information in Error Messages lab assesses the learner’s ability to prevent disclosing sensitive information in error messages.

In this lab the learner will fix a vulnerability that discloses sensitive information in error messages. The lab features an authentication page that discloses whether a specific username is valid or not when invalid authentication credentials are provided, thus allowing valid username enumeration.

The Sensitive Information in Log Files lab assesses the learner’s ability to fix code in Java applications that places sensitive information in log files.

After completing this lab, the learner will understand how to avoid disclosing sensitive information via application log files.

The Sensitive Information in Log Files lab assesses the learner’s ability to fix code in Python applications that places sensitive information in log files.

After completing this lab, the learner will understand how to avoid disclosing sensitive information via application log files.

The Sensitive Information in Log Files lab assesses the learner’s ability to fix code in Node.js that places sensitive information in log files.

After completing this lab, the learner will understand how to avoid disclosing sensitive information via application log files.

The Sensitive Information in Log Files lab assesses the learner’s ability to fix code in C# applications that places sensitive information in log files.

After completing this lab, the learner will understand how to avoid disclosing sensitive information via application log files.

The Deserialization of Untrused Data lab assesses the learner’s ability to fix code in Java applications that allows attackers to execute arbitrary code by deserializing untrusted data using unsafe deserializers.

After completing this lab, the learner will understand how to prevent and mitigate vulnerabilities associated with the use of unsafe deserializers.

The Deserialization of Untrused Data lab assesses the learner’s ability to fix code in Python applications that allows attackers to execute arbitrary code by deserializing untrusted data using unsafe deserializers.

After completing this lab, the learner will understand how to prevent and mitigate vulnerabilities associated with the use of unsafe deserializers.

The Deserialization of Untrused Data lab assesses the learner’s ability to fix code in Node.js applications that allows attackers to execute arbitrary code by deserializing untrusted data using unsafe deserializers.

After completing this lab, the learner will understand how to prevent and mitigate vulnerabilities associated with the use of unsafe deserializers.

The Deserialization of Untrused Data lab assesses the learner’s ability to fix code in C# applications that allows attackers to execute arbitrary code by deserializing untrusted data using unsafe deserializers.

After completing this lab, the learner will understand how to prevent and mitigate vulnerabilities associated with the use of unsafe deserializers.

The Server-Side Request Forgery lab assesses the learner’s ability to fix code that allows attackers to exploit Java applications to send HTTP requests to arbitrary URLs.

After completing this lab, the learner will understand how to prevent and mitigate Server-Side Request Forgery vulnerabilities.

The Server-Side Request Forgery lab assesses the learner’s ability to fix code that allows attackers to exploit Python applications to send HTTP requests to arbitrary URLs.

After completing this lab, the learner will understand how to prevent and mitigate Server-Side Request Forgery vulnerabilities.

The Server-Side Request Forgery lab assesses the learner’s ability to fix code that allows attackers to exploit Node.js applications to send HTTP requests to arbitrary URLs.

After completing this lab, the learner will understand how to prevent and mitigate Server-Side Request Forgery vulnerabilities.

The Server-Side Request Forgery lab assesses the learner’s ability to fix code that allows attackers to exploit C# applications to send HTTP requests to arbitrary URLs.

After completing this lab, the learner will understand how to prevent and mitigate Server-Side Request Forgery vulnerabilities.

The File and Directory Permissions Modification lab assesses the learner’s ability to modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. After completing this lab, the learner will understand how attackers may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.

The File and Directory Discovery lab assesses the learner’s ability to enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. After completing this lab, the learner will understand how attackers may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

This lab simulates a Cross-Site Scripting (XSS) vulnerability found in the AccountAll Cyber Range. The challenge includes an HR Back Office System that fails to implement the security principle of “Establish Secure Defaults”.

Leveraging a virtual machine, participants will apply ATT&CK Mitigation “M1051 Update Software” to fix the vulnerable Java Web Application Server Software.

The Brute Force: Password Cracking technique refers to attempting to recover authentication credentials from password hashes or other data sources that contain protected authentication credentials. This lab simulates a “Dictionary Attack”, which uses a so-called dictionary of common passwords to determine whether any of these common passwords match the hashes being cracked.

The objective of this lab is to execute the Password Cracking ATT&CK technique. To complete the lab, you will need to answer a question about a secret that you discover by successfully executing the appropriate ATT&CK technique.

The Exploitation of Remote Services technique refers to exploiting a vulnerability that is present in an online service provided by a target system. One of the defining characteristics of this technique is that the attacker has network access to the vulnerable service, either by the virtue of this service being exposed to a public network or because the attacker has already penetrated the network that the service is available on.

The objective of this lab is to execute the Exploitation of Remote Services ATT&CK technique. To complete the lab, you will need to answer a question about a secret that you discover by successfully executing the appropriate ATT&CK technique.

This lab simulates a Lack of Resources & Rate Limiting vulnerability found in the LetSee Cyber Range. The challenge includes an Online Marketplace app that fails to implement the security principle of “Establish Secure Defaults”.

Within a virtual machine, participants will analyze code to identify and mitigate instances of “Failure to enforce strong password policy”.

The objective of this lab is to apply ATT&CK Techniques T1190 Exploit Public-Facing Application” and “T1133 External Remote Services”.

This lab simulates a Security Misconfiguration vulnerability found in the AccountAll Cyber Range. The challenge includes an HR Back Office System that fails to implement the security principle of “Establish Secure Defaults”.

Leveraging a virtual machine, participants will analyze code to identify and mitigate instances of “Misconfiguration of default credentials”.

The objective of this lab is to apply ATT&CK Techniques T1190 Exploit Public-Facing Application” and “T1133 External Remote Services”.

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

The objective of this lab is to execute a “pass the hash” attack using stolen password hashes.

The Network Service Discovery lab assesses the learner’s ability to identify the network services that are running on a server.

In this lab the learner will enumerate the network services that are running on a target system. Attackers typically enumerate network services in order to discover vulnerable services that can be exploited.

The Network Share Discovery lab assesses the learner’s ability to identify the network shares on a file sharing server.

In this lab the learner will enumerate the network shares on on a target system. Attackers typically enumerate shared filesystem resources in order to gain unauthorized access to data.

The Create Account lab assesses the learner’s ability to create a user account on a compromised server.

In this lab the learner will create a user account on a compromised system. Attacker usually create user accounts on compromised systems to maintain persistence and/or to gain additional privileges.

The Unsecured Credentials lab assesses the learner’s ability to recover unsecured credentials on a compromised system

In this lab the learner will recover unsecured credentials on a compromised system. Unsecured authentication credentials can be leveraged for additional access.

The Data from Local System lab assesses the learner’s ability to recover valuable data from a compromised system.

After completing this lab, the learner will understand how attackers recover valuable data from compromised systems.

The Valid Accounts lab assesses the learner’s ability to leverage compromised credentials.

After completing this lab, the learner will understand how attackers leverage compromised credentials.