Software security is no longer just about writing secure code. Everyone who provisions, operates, analyzes, or defends software systems needs job-specific guidance. That’s why we’ve taken a role-based approach, following guidance provided by resources like the NICE Framework – making it easy to acquire appropriate training for your teams.
Based on customer feedback, industry trends, and assessment results from our CMD+CTRL cyber range, our training library grew last year to cover expanding cybersecurity work roles, emerging technologies and deployment platforms, and foreign languages. Here are just some of the updates we made in 2019:
Cloud, Containers, and Microservices
With the explosion of new features and, as a result, attack surfaces, we developed a series of courses to help teams better defend architecture, code, and infrastructure in cloud-based systems. They focus on securely provisioning and configuring microservices, containers, and orchestration.
As attackers get more sophisticated, defenders need to keep pace. In addition to our How to Test for OWASP Top Ten and Testing for CWE series, we released courses that help teams test for TLS, memory corruption, hardcoded secrets, wireless networks, and network infrastructure vulnerabilities. We also released our first course on Network & Application Vulnerability Scanning as organizations struggle to get the breadth of coverage with automated tools.
NIST Risk Management Framework (RMF)
This series helps organizations implement a unified information security program. Our first two courses help teams learn about and start to adopt NIST SP 800-37 Rev 2. Subsequent courses launching soon will provide more contextual and technical guidance for organizations seeking to architect and engineer data security processes for IT Systems.
While dozens of our courses already align with DevOps activities, we released our first DevOps-specific course that describes the key benefits, challenges, and approaches of DevOps. We’ll build upon this foundation in 2020 with role- and activity-specific DevOps security courses.
Significant updates were made to our IoT Series to help teams secure interfaces, communications, network services, firmware, and authentication/authorization schemes.
Over 20 platform-, technology- and language-specific courses were updated, and we released new courses for GO, PHP, and Python Microservices. Support for new technologies, attack vectors, and syntax are the focus here. You’ll also notice improved interactivity as well as code-rich simulations and exercises.
PCI Secure SLC Standard
With the release of new PCI Standards in 2019 and the retirement of PA-DSS looming, organizations need to understand and adopt the PCI Software Security Framework (SSF). So we introduced training for both Secure Software Standard and Secure SLC Standard.
Foreign language support
A very exciting development for us – 25 of our most popular courses are now available in Chinese, Spanish, and French:
- Software Security Concepts
- Applying OWASP 2017 Mitigating Injection
- Applying OWASP 2017 Mitigating Broken Authentication
- Applying OWASP 2017 Mitigating Sensitive Data Exposure
- Applying OWASP 2017 Mitigating XML External Entities
- Applying OWASP 2017 Mitigating Broken Access Control
- Applying OWASP 2017 Mitigating Security Misconfiguration
- Applying OWASP 2017 Mitigating Cross-Site Scripting
- Applying OWASP 2017 Mitigating Insecure Deserialization
- Applying OWASP 2017 Mitigating Use of Components with Known Vulnerabilities
- Applying OWASP 2017 Mitigating Insufficient Logging and Monitoring
- How to Perform a Security Code Review
- Testing for CWE SANS Top 25 Software Errors
- Testing for OWASP 2017: Injection
- Testing for OWASP 2017: Broken Authentication
- Testing for OWASP 2017: Sensitive Data Exposure
- Testing for OWASP 2017: XML External Entities
- Testing for OWASP 2017: Broken Access Control
- Testing for OWASP 2017: Security Misconfiguration
- Testing for OWASP 2017: Cross-Site Scripting
- Testing for OWASP 2017: Insecure Deserialization
- Testing for OWASP 2017: Use of Components with Known Vulnerabilities
- Testing for OWASP 2017: Insufficient Logging and Monitoring
What’s coming in 2020?
In addition to supporting our current catalog, our 2020 releases feature courses on the secure operations of software-based systems and infrastructure, DevSecOps, and industry frameworks & standards.
Want more detail? Check out our course updates in-depth.