CYBERSECURE CODER (CSC) Training Course
The importance of software security is paramount. However, many development teams often address software security only after the code has been written and the software is nearly ready for release. Similar to other aspects of software quality, ensuring a successful implementation requires managing security and privacy concerns throughout the entire software development process.
This course presents an approach to handling security and privacy issues throughout the complete software development lifecycle. You will gain insights into vulnerabilities that can compromise security and learn how to identify and address them in your projects. The course covers general strategies for addressing security flaws and misconfigurations, techniques for designing software that considers human factors in security, and methods for integrating security into all stages of development.
Target Audience
This course is designed for individuals such as software developers, testers, and architects who are involved in creating software using various programming languages and platforms, including desktop, web, cloud, and mobile. It aims to enhance their ability to produce high-quality software with a particular emphasis on security and privacy.
Objectives:
Throughout this course, you will employ top-tier techniques in software development to create software with strong security measures.
You will:
- Understand the importance of security in your software projects.
- Eliminate vulnerabilities within the software.
- Adopt a Security by Design methodology to build a secure foundation for your software.
- Implement standard safeguards to ensure user and data security.
- Use various testing methods to identify and correct security flaws in your software.
- Maintain the security of deployed software for ongoing protection.
Course Outline
Lesson 1: Identifying the Need for Security in Your Software Projects
Topic A: Identify Security Requirements and Expectations
Topic B: Identify Factors That Undermine Software Security
Topic C: Find Vulnerabilities in Your Software
Topic D: Gather Intelligence on Vulnerabilities and Exploits
Lesson 2: Handling Vulnerabilities
Topic A: Handle Vulnerabilities Due to Software Defects and Misconfiguration
Topic B: Handle Vulnerabilities Due to Human Factors
Topic C: Handle Vulnerabilities Due to Process Shortcomings
Lesson 3: Designing for Security
Topic A: Apply General Principles for Secure Design
Topic B: Design Software to Counter Specific Threats
Lesson 4: Developing Secure Code
Topic A: Follow Best Practices for Secure Coding
Topic B: Prevent Platform Vulnerabilities
Topic C: Prevent Privacy Vulnerabilities
Lesson 5: Implementing Common Protections
Topic A: Limit Access Using Login and User Roles
Topic B: Protect Data in Transit and At Rest
Topic C: Implement Error Handling and Logging
Topic D: Protect Sensitive Data and Functions
Topic E: Protect Database Access
Lesson 6: Testing Software Security
Topic A: Perform Security Testing
Topic B: Analyze Code to Find Security Problems
Topic C: Use Automated Testing Tools to Find Security Problems
Lesson 7: Maintaining Security in Deployed Software
Topic A: Monitor and Log Applications to Support Security
Topic B: Maintain Security after Deployment
Appendix A: Mapping Course Content to Cyber Secure Coder (Exam CSC-110)
Requirements
This course presents secure programming concepts that apply to many different types of software development projects. While this course uses Python, HTML, and JavaScript to demonstrate various programming concepts, you do not need to have experience in these languages to benefit from this course. However, you should have some programming experience, whether it be developing desktop, mobile, web, or cloud applications. A variety of courses covering software development can help you prepare for this course, such as:
- Developing Secure Universal Windows® Platform Apps in C# and XAML
- Developing Secure iOS® Apps for Business
- Developing Secure Android™ Apps for Business
- Python® Programming: Introduction
- Python® Programming: Advanced
- Programming Google App Engine™ Applications in Python®
- HTML5: Content Authoring with New and Advanced Features
- SQL Querying: Fundamentals
Testimonials (3)
Experience sharing, it's teacher's know-how and valuable.
Carey Fan - Logitech
Course - C/C++ Secure Coding
The knowledge of the trainer was very high - he knew what he was talking about, and knew the answers to our questions.
Adam - Fireup.PRO
Course - Advanced Java Security
Very good to understand how a hacker would potentially analyse sites for weakness and tools they might employ.
Roger - OTT Mobile
Course - .NET, C# and ASP.NET Security Development
Related Courses
ABAP Secure code
14 Hours
By the end of this training, participants will be able to:
- Explain application security and common vulnerabilities
- Describe best practices for ABAP programming and handling SY-SUBRC
- Understand injection vulnerabilities and how to mitigate them
- Describe various security testing tools and their applications
- Explain the concepts of ATC (ABAP Test Cockpit) and CVA (Code Vulnerability Analysis)
Format of the Course
- Interactive lectures and discussions to enhance understanding
- Extensive exercises and practical sessions for hands-on learning
- Hands-on implementation in a live-lab environment to apply concepts in real-time
Applications Security Foundation
21 Hours
This course delves into essential secure coding topics that are pertinent to a wide range of web application developers. It will teach participants the principles of secure programming, including how to analyze specific pieces of code, identify security vulnerabilities, and implement effective fixes for those issues.
Throughout the course, you will observe demonstrations of real-world attacks and learn strategies to prevent them, thereby gaining confidence in enhancing the security of your applications.
Duration: 3 days
Target Audience: Developers seeking to deepen their expertise in secure coding.
Upon Completion
Participants will acquire knowledge in:
• Web Application Security.
• Common Web Application Risks.
• Demonstrations of Web Application Penetration Testing.
• Data Validation.
• Authentication.
• Session Management.
• Secure Software Development Life Cycle (SDLC).
CERTIFIED ETHICAL EMERGING TECHNOLOGIST (CEET)
21 Hours
Advances in computing and engineering are driving technological progress, from blockchain and AI to gene editing and IoT, offering opportunities for productivity and human well-being. Yet, these innovations also bring new risks, as recent scandals highlight. Technology professionals face increasing pressure to address ethical concerns, balancing privacy, accuracy, fairness, and safety. This course provides practical tools to manage ethical risks in emerging data-driven technologies, drawing from theory, regulations, and industry practices. Learners will gain skills to navigate ethical dilemmas in their roles and organizations.
CyberSec First Responder
35 Hours
This course delves into network defense and incident response methods, tactics, and procedures, aligning with industry frameworks such as NIST 800-61 r.2 (Computer Security Incident Handling), US-CERT’s NCISP (National Cyber Incident Response Plan), and Presidential Policy Directive (PPD) 41 on Cyber Incident Coordination Policy. It is particularly suitable for professionals responsible for monitoring and detecting security incidents in information systems and networks, as well as executing standardized responses to these incidents. The course introduces tools, tactics, and procedures to manage cybersecurity risks, identify various types of common threats, evaluate the organization's security, collect and analyze cybersecurity intelligence, and remediate and report incidents as they occur. This comprehensive methodology is designed for individuals tasked with defending their organization’s cybersecurity.
This course is tailored to help students prepare for the CertNexus CyberSec First Responder (Exam CFR-310) certification examination. The knowledge and skills gained in this course can significantly contribute to your preparation. Additionally, this course and subsequent certification (CFR-310) meet all requirements for personnel needing DoD directive 8570.01-M position certification baselines:
• CSSP Analyst
• CSSP Infrastructure Support
• CSSP Incident Responder
• CSSP Auditor
Course Objectives: In this course, you will gain an understanding of security threats and learn to operate a system and network security analysis platform. You will:
• Compare and contrast various threats and classify threat profiles
• Explain the purpose and use of attack tools and techniques
• Explain the purpose and use of post-exploitation tools and tactics
• Explain the purpose and use of social engineering tactics
• Given a scenario, perform ongoing threat landscape research and use data to prepare for incidents
• Explain the purpose and characteristics of various data sources
• Given a scenario, use appropriate tools to analyze logs
• Given a scenario, use regular expressions to parse log files and locate meaningful data
• Given a scenario, use Windows tools to analyze incidents
• Given a scenario, use Linux-based tools to analyze incidents
• Summarize methods and tools used for malware analysis
• Given a scenario, analyze common indicators of potential compromise
• Explain the importance of best practices in preparation for incident response
• Given a scenario, execute the incident response process
• Explain the importance of concepts unique to forensic analysis
• Explain general mitigation methods and devices
Target Student: This course is primarily designed for cybersecurity practitioners who are preparing for or currently performing job functions related to protecting information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. It is ideal for professionals within federal contracting companies and private sector firms whose mission or strategic objectives require the execution of Defensive Cyber Operations (DCO) or DoD Information Network (DODIN) operation and incident handling. This course focuses on the knowledge, abilities, and skills necessary to defend information systems in a cybersecurity context, including protection, detection, analysis, investigation, and response processes.
In addition, the course ensures that all members of an IT team—regardless of size, rank, or budget—understand their role in cyber defense, incident response, and incident handling processes.
Android Security
14 Hours
Android is an open platform designed for mobile devices like smartphones and tablets. It offers a wide range of security features to facilitate the development of secure software, although it lacks some security aspects found in other mobile platforms. This course provides a thorough overview of these features, highlighting the most critical shortcomings related to the underlying Linux system, file management, the general environment, and the use of permissions and other Android development components.
Common security pitfalls and vulnerabilities are discussed for both native code and Java applications, along with recommendations and best practices to avoid and mitigate them. Many issues are illustrated with real-life examples and case studies. Additionally, we provide a brief overview of how to use security testing tools to identify any programming errors that could impact security.
Participants attending this course will
- Understand fundamental concepts of security, IT security, and secure coding
- Learn about the security solutions available on Android
- Discover how to use various security features of the Android platform
- Gain insights into recent vulnerabilities in Java on Android
- Understand typical coding mistakes and how to avoid them
- Learn about native code vulnerabilities on Android
- Realize the severe consequences of insecure buffer handling in native code
- Comprehend architectural protection techniques and their limitations
- Access sources and further readings on secure coding practices
Audience
Professionals
Network Security and Secure Communication
21 Hours
Implementing a secure networked application can be challenging, even for developers who have previously used various cryptographic tools like encryption and digital signatures. To help participants understand the role and usage of these cryptographic elements, the course starts by laying a solid foundation on the main requirements of secure communication: secure acknowledgment, integrity, confidentiality, remote identification, and anonymity. It also highlights typical problems that can compromise these requirements and presents real-world solutions.
Since cryptography is a critical aspect of network security, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are covered. Instead of delving into complex mathematical theories, these elements are discussed from a developer's perspective, with practical use-case examples and considerations related to the implementation of cryptographic techniques, such as public key infrastructures. The course also introduces security protocols across various secure communication areas, focusing on widely-used protocol families like IPSEC and SSL/TLS.
The course addresses typical crypto vulnerabilities associated with certain algorithms and cryptographic protocols, including BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE, and similar issues, as well as the RSA timing attack. For each vulnerability, practical considerations and potential consequences are explained without delving into deep mathematical details.
Given that XML technology is central for data exchange in networked applications, the security aspects of XML are thoroughly covered. This includes the use of XML within web services and SOAP messages, along with protection measures like XML signature and XML encryption. The course also explores weaknesses in these protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.
Participants attending this course will
- Understand the basic concepts of security, IT security, and secure coding
- Grasp the requirements of secure communication
- Learn about network attacks and defenses at different OSI layers
- Gain a practical understanding of cryptography
- Comprehend essential security protocols
- Understand recent attacks against cryptosystems
- Receive information on recent related vulnerabilities
- Grasp the security concepts of Web services
- Access sources and further readings on secure coding practices
Audience
Developers, Professionals
C/C++ Secure Coding
21 Hours
This three-day course provides an overview of securing C/C++ code to protect against malicious users who might exploit various vulnerabilities related to memory management and input handling. The course focuses on the principles of writing secure code.
Advanced Java Security
21 Hours
Even experienced Java programmers often do not fully grasp the various security services provided by Java, nor are they always aware of the different vulnerabilities that can affect web applications written in Java.
This course covers more than just the security components of Standard Java Edition; it delves into the security challenges of Java Enterprise Edition (JEE) and web services. Before discussing specific services, the course lays a foundation in cryptography and secure communication. Practical exercises focus on declarative and programmatic security techniques in JEE, as well as transport-layer and end-to-end security for web services. Through hands-on exercises, participants can explore the discussed APIs and tools firsthand.
The course also examines and explains the most common and severe programming flaws in the Java language and platform, along with web-related vulnerabilities. It covers both language-specific issues and problems arising from the runtime environment. All vulnerabilities and associated attacks are demonstrated through straightforward exercises, followed by recommended coding guidelines and mitigation techniques.
Participants attending this course will
- Understand fundamental concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
- Comprehend the security principles of web services
- Learn to utilize various security features in the Java development environment
- Gain a practical understanding of cryptography
- Understand the security solutions provided by Java EE
- Learn about typical coding mistakes and how to avoid them
- Receive information on recent vulnerabilities in the Java framework
- Acquire practical knowledge in using security testing tools
- Get resources and further readings on secure coding practices
Audience
Developers
Standard Java Security
14 Hours
Description
The Java language and the Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities often encountered in languages like C/C++. However, software developers and architects should not only know how to leverage the various security features of the Java environment for positive security but should also be aware of the numerous vulnerabilities that remain relevant for Java development, which pertain to negative security.
Before delving into security services, a brief overview of cryptography fundamentals is provided to establish a common understanding of their purpose and operation. The use of these components is explored through several practical exercises where participants can experiment with the discussed APIs firsthand.
The course also covers and explains the most frequent and severe programming flaws in the Java language and platform. This includes both typical bugs made by Java programmers and issues specific to the language and environment. All vulnerabilities and relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.
Participants attending this course will
- Understand basic concepts of security, IT security, and secure coding
- Learn about Web vulnerabilities beyond the OWASP Top Ten and how to avoid them
- Gain proficiency in using various security features of the Java development environment
- Acquire a practical understanding of cryptography
- Identify typical coding mistakes and learn how to avoid them
- Receive information about recent vulnerabilities in the Java framework
- Access sources and further readings on secure coding practices
Audience
Developers
.NET, C# and ASP.NET Security Development
14 Hours
A variety of programming languages are available today for compiling code to the .NET and ASP.NET frameworks. The environment offers robust tools for security development, but developers must understand how to apply architectural and coding-level techniques to implement effective security measures and minimize vulnerabilities or their exploitation.
This course aims to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources with strong authentication and authorization, facilitate remote procedure calls, manage sessions, explore different implementations for specific functionalities, and more.
The discussion on various vulnerabilities begins by highlighting typical programming issues that arise when using .NET. The examination of ASP.NET vulnerabilities also covers a range of environment settings and their impacts. Additionally, the course delves into ASP.NET-specific vulnerabilities, addressing both general web application security challenges and unique issues like attacking the ViewState or string termination attacks.
Participants attending this course will
- Understand fundamental concepts of security, IT security, and secure coding
- Learn about Web vulnerabilities beyond the OWASP Top Ten and how to mitigate them
- Gain knowledge in utilizing various security features of the .NET development environment
- Acquire practical skills in using security testing tools
- Identify common coding mistakes and learn how to avoid them
- Stay informed about recent vulnerabilities in .NET and ASP.NET
- Access resources and further readings on secure coding practices
Audience
Developers
The Secure Coding Landscape
14 Hours
This course provides an introduction to common security concepts, offering an overview of the nature of vulnerabilities that can affect software regardless of the programming languages or platforms used. It explains how to manage the risks associated with software security across different phases of the development lifecycle. While avoiding deep technical details, it highlights some of the most significant and pressing vulnerabilities in various software development technologies and discusses the challenges of security testing. Additionally, it introduces techniques and tools that can be applied to identify any existing issues in code.
Participants attending this course will
- Gain an understanding of fundamental concepts related to security, IT security, and secure coding practices.
- Learn about web vulnerabilities on both the server and client sides.
- Recognize the serious consequences of insecure buffer handling.
- Stay informed about recent vulnerabilities in development environments and frameworks.
- Discover typical coding mistakes and how to avoid them.
- Understand various approaches and methodologies for security testing.
Audience
Managers
Certified Internet of Things Practitioner (CIoTP™)
21 Hours
The Internet of Things (IoT) offers a broad array of benefits for various sectors, including industry, energy and utility companies, municipalities, healthcare, and consumers. It enables the collection of vast amounts of detailed data on almost anything worth measuring, such as public health and safety, environmental conditions, industrial and agricultural production, energy usage, and utility services. Advanced data analysis tools have been developed to handle the massive volumes of data generated by IoT, facilitating swift and well-informed decision-making.
However, implementing IoT systems can be complex and fraught with challenges. Solutions often involve devices and technologies from multiple vendors, necessitating a thorough understanding of software and hardware integration. Additionally, there are significant risks associated with security, privacy, and the safety of individuals whose environments are managed by these systems.
IT professionals typically have limited experience working with embedded systems, sensor networks, actuators, real-time systems, and other IoT components. This course provides a foundational understanding of how these components interact with more familiar IT systems, such as networks, cloud computing, and applications running on servers, desktops, and mobile devices.
In this course, students will explore general strategies for planning, designing, developing, implementing, and maintaining an IoT system through various case studies. They will also assemble and configure an IoT device to function within a sensor network. Students will create an IoT device based on the ESP8266 microcontroller, incorporating common IoT features like analog and digital sensors, a web-based interface, MQTT messaging, and data encryption.
Course Objectives: This course aims to teach students how to apply Internet of Things technologies to solve real-world problems. By the end of the course, you will be able to:
- Plan an IoT implementation.
- Construct and program an IoT device.
- Communicate with an IoT device using both wired and wireless connections.
- Process sensor input and control actuators on an IoT device.
- Manage security, privacy, and safety risks in IoT projects.
- Manage an IoT prototyping and development project throughout its lifecycle.
Target Student: This course is designed for IT professionals with basic skills in computer hardware, software support, and development who wish to learn how to design, develop, implement, operate, and manage Internet of Things devices and related systems. The student should be interested in gaining deeper knowledge about embedded systems, microcontroller programming, IoT security, and the development lifecycle for IoT projects.
While students will gain hands-on experience assembling a prototype IoT device and using software development tools, these activities are closely guided. Therefore, prior experience in electronics assembly and programming is not required. This course also prepares students to take the CertNexus Certified Internet of Things (IoT) Practitioner (Exam ITP-110).
Certified Artificial Intelligence (AI) Practitioner
35 Hours
Artificial intelligence (AI) and machine learning (ML) have become essential tools for many organizations. When used effectively, these technologies provide actionable insights that drive critical decisions and enable the creation of exciting, new, and innovative products and services. This course will guide you through applying various approaches and algorithms to solve business problems using AI and ML, following a systematic workflow to develop robust solutions. You will learn to use open-source tools for developing, testing, and deploying these solutions while ensuring user privacy is protected. The course includes practical activities for each topic area.
Course Objectives: In this course, you will implement AI techniques to solve business problems. Specifically, you will:
- Define a general approach to solving a given business problem using applied AI and ML.
- Gather and refine datasets to prepare them for training and testing.
- Train and fine-tune a machine learning model.
- Finalize a machine learning model and present the results to the appropriate audience.
- Develop linear regression models.
- Create classification models.
- Build clustering models.
- Construct decision trees and random forests.
- Develop support-vector machines (SVMs).
- Build artificial neural networks (ANNs).
- Promote data privacy and ethical practices within AI and ML projects.
Target Student: This course is designed for individuals whose skills intersect software development, applied math and statistics, and business analysis. The target audience may be strong in one or two of these areas and looking to enhance their capabilities in the others, so they can effectively apply artificial intelligence (AI) systems, particularly machine learning models, to business problems.
For example, a programmer may want to develop additional skills to apply machine learning algorithms to business challenges, while a data analyst with strong math and statistics skills might seek to build technology expertise in machine learning. A typical student should have several years of experience with computing technology and some programming aptitude. This course also prepares students for the CertNexus® Certified Artificial Intelligence (AI) Practitioner (Exam AIP-110) certification.
Certified Internet of Things Security Practitioner (CIoTSP™)
21 Hours
This course is tailored for professionals aiming to showcase a vendor-neutral, cross-industry skill set that will empower them to design, implement, operate, and manage a secure IoT ecosystem.
Target Student: This course is intended for IoT practitioners who wish to enhance their skills and knowledge in IoT security and privacy. It is also suitable for students seeking the CertNexus Certified Internet of Things Security Practitioner (CIoTSP) certification and looking to prepare for Exam ITS-110.
CertNexus CyberSAFE
7 Hours
Objectives:
In this course, you will identify many of the common risks involved in using conventional end-user technology, as well as ways to use it safely, to protect yourself from those risks.
You will:
- Identify security compliance measures.
- Address social engineering attempts.
- Secure devices such as desktops, laptops, tablets, smartphones, and more.
- Use the Internet securely.
Target Student
This course is designed for you as a non-technical end user of computers, mobile devices, networks, and the Internet, to enable you to use technology more securely to minimize digital risks.
This course is also designed for you to prepare for the Certified CyberSAFE credential. You can obtain your Certified CyberSAFE certificate by completing the Certified CyberSAFE credential process on the CHOICE platform following the course presentation.