To remain current with technology and threat trends, we update our training every quarter. While we enjoy showing off our new content, it’s just as important for our customers to understand why we separate and combine certain topics and how learners consume them. Customer feedback, internal SME reviews, and research on industry and technology trends also help shape our content roadmap.

The way software is built and managed continues to evolve. As this happens, the need to address cybersecurity across various job functions grows with it. New threats, cloud-native applications, and increased dependence on 3rd-party software & APIs mandate that teams who build and operate software adopt an offensive-minded approach. This quarterly release focuses on the attack and test techniques teams need to safeguard their software and infrastructure.

Consolidated related OWASP and CWE content

New risks, weaknesses, vulnerabilities, and exploit techniques are constantly evolving. As these frameworks start to overlap, we strive to eliminate redundancy and provide the most focused content possible.   

Addition of a Software Development Testing (SDT) category

As development teams continue to take on more test functions, we’ve created a new genre of courses to keep pace. These courses provide software engineers the knowledge needed to identify and eliminate vulnerabilities before releasing code to QA & Test Teams.

Addition of the MITRE ATT&CK Framework

Our focus on how hackers employ exploitation techniques to break into systems drove the introduction of two new course categories: Attack (ATK) and CyberSecurity (CYB). As software’s tentacles continue to creep into organizational infrastructure, these categories help organizations “shift right” to examine exposure points from an external perspective.

To meet the growing needs of teams that build, operate, and defend software systems, we now have the following category types for our 220+ online courses:

  • ATK – Understand attack techniques on software systems and infrastructure
  • AWA – Increase awareness of key security topics and best practices
  • CYB – Defend applications, servers, systems, networks, and data from malicious attacks
  • COD – Code defensively across technologies and test for code-level flaws
  • DES – Eliminate flaws through secure application, software, or system design
  • DSO – Infuse security into DevOps practices and its tech ecosystem
  • ENG – Implement security/risk controls and activities
  • SDT – Test for vulnerabilities during software development
  • TST – exploit vulnerabilities in deployed software and IT environments

New Courses

ATK 201 Using the MITRE ATT&CK Framework

The desire to adopt the MITRE ATT&CK Framework continues to grow, yet organizations struggle to convert plans into action. The MITRE ATT&CK Framework is a knowledge base of globally observed adversary tactics and techniques. This course teaches developing threat models, mapping threats, classifying attacks, and training both red and blue teams. Many of these attacks are referenced in the NIST Cybersecurity Framework, so there is an additional benefit for those following that framework.

CYB 301 Fundamentals of Ethical Hacking

Hackers’ techniques continue to evolve; therefore, organizations deploying web/cloud-based applications must train employees to test for vulnerabilities through various penetration techniques. The first of many new courses in our cybersecurity line (CYB), this course introduces common activities performed during “ethical hacking,” a basic foundation of attack and penetration testing. It covers common techniques found in the MITRE ATT&CK framework and provides examples of hacking tools. It has a broad range of appeal, from software development to system testing and vulnerability assessment.

This course is also a great complement to our penetration testing and MITRE ATT&CK framework courses.

SDT 311-326 Software Development Testing Series

With the recent update to the CWE/SANS Top 25 Software Errors and pending updates to the OWASP Top 10 lists, we launched a new series that includes 16 new courses – 7 created from reconciling content found in previous courses, and 9 comprised of new content. All changes are based on an increased transition to more specific weaknesses as opposed to abstract class-level flaws.

SDT 311 – 317: New courses based primarily on existing content/courses:

  • SDT 311 Testing for Integer Overflow or Wraparound – replaces COD 349 Testing for Integer Overflow or Wraparound
  • SDT 312 Testing for Improper Limitation of a Pathname to a Restricted Directory – replaces COD 338 Testing for Path Traversal
  • SDT 313 Testing for Cross-Site Request Forgery (CSRF) – replaces COD 337 Testing for Cross-Site Request Forgery (CSRF)
  • SDT 314 Testing for Unrestricted Upload of File with Dangerous Type – replaces COD 337 Testing for Unrestricted Upload of File with Dangerous Type
  • SDT 315 Testing for Incorrect Permission Assignment for Critical Resource – replaces COD 342 Testing for Incorrect Permission Assignment for Critical Resource
  • SDT 316 Testing for Hard-coded Credentials – replaces COD 337 Testing for Unrestricted Upload of File w/ Dangerous Type
  • SDT 317 Testing for Improper Control of Generation of Code – replaces COD 343 Testing for Use of a Potentially Dangerous Function and COD 347 Testing for Open Redirect

SDT 318 – 326: New software error courses based on new content:

We shoulder the burden of continually monitoring OWASP, CWE, NIST, and other frameworks to ensure your teams focus on the most critical and current software flaws. Many of these new modules are technology-agnostic; however, they all represent modern, persistent threats to software deployed across web, cloud, mobile, IoT, and embedded systems:

  • SDT 318 Testing for Insufficiently Protected Credentials (CWE-522)
  • SDT 319 Testing for Out-of-bounds Read (CWE-125)
  • SDT 320 Testing for Out-of-bounds Write (CWE-787)
  • SDT 321 Testing for Uncontrolled Resource Consumption (CWE-400)
  • SDT 322 Testing for Improper Privilege Management (CWE-269)
  • SDT 323 Testing for Improper Input Validation (CWE-20)
  • SDT 324 Testing for Improper Restriction of Operations w/in the Bounds of a Memory Buffer (CWE-119)
  • SDT 325 Testing for NULL Pointer Dereference (CWE-476)
  • SDT 326 Testing for Use After Free (CWE-416)

What’s on the Horizon

Next quarter we’ll begin to offer an Enterprise Training Portal (ETP) to select customers. The portal will improve both the user and admin experiences with a wholly unified gateway to our training platform. We also have some exciting new cloud and infrastructure courses coming.

Planned features and improvements include:

Skills Assessments – Skill computation, learner profiles, competency insight, and progress maps to provide personalized journeys with user-by-user context

Integrated reporting – Track training progress with robust dashboards that provide instant access to past performance, skills improvement recommendations, training status, and competency benchmarks

Learner recognition – Badges, awards, and certifications based on completed activities, as well as AI-identified continued learning opportunities

Learning Labs – Interactive environment with hands-on simulations and challenges based on the learner’s distinct area of cybersecurity work. Three different categories round out the exercises:

  • Identify & Detect: Challenge-based vulnerability assessment labs with interactive walk-throughs of MITRE ATT&CK techniques
  • Protect & Defend: Mitigating control and “find-the-fix” labs that require the completion of hands-on exercises without forcing the user to change the learning environment
  • Best Practices: Mission-based approach where the learner must determine if an application is vulnerable to an attack and then apply best practices to prevent it

Cloud & DevOps Ecosystem coverage – Includes Securing Google Cloud Platform (GCP) applications & data, DevSecOps in GCP, Cloud Penetration Testing, OWASP API & Cloud Security Top 10 Series, Securing Terraform Infrastructure & Resources, and more.