Q1 CMD+CTRL UPDATE: 2 NEW COURSES AND 9 NEW LABS

Security Innovation is proud to add two new courses and nine new labs to the CMD+CTRL training catalog for Q1 2024. The new material concentrates on AI Privacy and Risk, .NET Programming, Secure Android Development, secure coding labs based on CWE Top 25 vulnerabilities, and Host Vulnerability Scanning. All new content will be available to learners on February 14, 2024.

This content release includes:

  • (2) New Courses
  • (8) IDE Code Correct Skill Labs
  • (1) MITRE ATT&CK® Skill Lab
  • (3) Updated Courses

New CMD+CTRL Courses

As always, CMD+CTRL courses grant learners a foundational understanding of the latest issues faced by software development organizations. This quarter, we focus on .NET Programming and Generative Artificial Intelligence.

COD 215 – Mitigating .NET Application Vulnerabilities

According to CWE, the most common and dangerous threats to .NET applications since 2021 include Injection Attacks, Deserialization, Integer Overflows, Insecure Security State, Error Handling, and Logging. The impact on your organization of successful attacks includes Code Execution, Bypass, Privilege Escalation, Denial of Service, and Information Leakage. Our yearly content review presented an opportunity to update outdated training so that it is clear and concise, with all new content aligned to .NET 6, which Microsoft supports as the long-term support (LTS) release until 2025, and ASP.NET Core 7 security, which was released in 2023.

This course ensures your .NET development team has the skill and knowledge to identify these weaknesses and apply industry-standard practices to protect applications and their data.

CYB 213 – Generative AI Privacy & Cybersecurity Risk

In October of 2023, the US Federal Government issued a landmark Executive Order to address the risks of Artificial Intelligence (AI). One of the primary objectives is to "develop standards, tools, and tests to help ensure that AI systems are safe, secure, and trustworthy." In the same week, the EU finalized an AI Act to "regulate the development and use of Artificial Intelligence (AI) systems in the EU, including in the EU institutions, bodies, offices and agencies (EUIs)."

This course ensures that your organization's Cyber Defense team has knowledge of Generative AI attack vectors and recommended mitigations. Coverage includes how to identify and mitigate the cybersecurity risks associated with the Large Language Models (LLMs) that power text-based AI tools such as ChatGPT, along with the security risks inherent to system integration.

New CMD+CTRL Skill Labs

Our eight new secure coding Skill Labs are available only in CMD+CTRL Base Camp and use an IDE to find and correct insecure code based on vulnerabilities related to null pointer dereference, path traversal, and integer overflow.

Additionally, we are introducing two new labs based on adversary tactics related to credential access, and on mitigations such as vulnerability scanning and auditing, as described by the MITRE ATT&CK® Framework.

LAB 201, 202, 203, 204 – Defending Applications Against Canonicalization Issues

When applications make security decisions based on untrusted input that has not been canonicalized, attackers can exploit these weaknesses to perform actions such as traversing file system directories, bypassing checks for restricted resources, and redirecting file system operations to unintended resources, which may result in severe damage to your organization. Secure coding mitigations include resolving path traversal characters, removing extraneous duplicate characters, resolving embedded environment variables, and anchoring to a fixed location.

The Defending Applications Against Canonicalization Issues Skill Lab uses an interactive simulation to train developers to identify and mitigate canonicalization vulnerabilities before they negatively impact your organization.

Learners will understand how to fix canonicalization issues in Python applications by correctly converting filesystem paths constructed based on user input to canonical forms before validation. The learner will also receive hands-on experience testing for Path Traversal vulnerabilities, which is necessary to identify the vulnerable code and the solution.

This Lab is available in 4 coding languages: Java, Python, Node.js, and C#.
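The canonicalize-then-validate approach the lab above teaches, shown in Python as an added example (this is not code from the lab or from Security Innovation). The base directory and the traversal input are constructed for illustration, and POSIX path semantics are used so the result is the same on every platform.

```python
import posixpath

# Constructed fixed anchor for this example; a real application would use its
# configured document root.
BASE_DIR = "/srv/app/uploads"


def vulnerable_build_path(user_path: str) -> str:
    """Insecure 'before' form: validates the raw string, then builds the path.
    The check only inspects the start of the string, so '..' segments further
    along survive and escape BASE_DIR once the OS resolves them."""
    if user_path.startswith("/") or user_path.startswith("../"):
        raise ValueError("rejected: " + user_path)
    return posixpath.join(BASE_DIR, user_path)


def canonicalize(user_path: str) -> str:
    """Anchor the untrusted path to BASE_DIR and resolve it lexically:
    '.', '..' and duplicate separators are collapsed. An absolute user path
    replaces BASE_DIR inside join(); is_within_base() catches that case.
    normpath does not follow symlinks; on a real filesystem apply
    os.path.realpath() to the result before validating."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def is_within_base(canonical: str) -> bool:
    """True only if the canonical path is BASE_DIR itself or inside it.
    commonpath() compares whole segments, so '/srv/app/uploads_evil/x' is
    rejected even though it starts with the BASE_DIR string."""
    return posixpath.commonpath([BASE_DIR, canonical]) == BASE_DIR


def safe_build_path(user_path: str) -> str:
    """Hardened form: canonicalize first, then validate the canonical result."""
    canonical = canonicalize(user_path)
    if not is_within_base(canonical):
        raise ValueError("path escapes base directory: " + canonical)
    return canonical


if __name__ == "__main__":
    probe = "reports/../../../etc/passwd"  # constructed traversal input
    print("vulnerable:", vulnerable_build_path(probe))  # accepted, escapes BASE_DIR
    print("canonical: ", canonicalize(probe))           # /srv/etc/passwd
    try:
        safe_build_path(probe)
    except ValueError as err:
        print("hardened:  ", err)
```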

LAB 205, 206, 207, 208 – Defending Applications Against XPath Injection

XPath injection vulnerabilities occur when an application concatenates untrusted input into XPath expressions. The exact impact of XPath Injection depends on the purpose of the XPath expression in the application, but usually, the impact is either information disclosure or authentication bypass.

The Defending Applications Against XPath Injection Skill Lab uses an interactive simulation to train developers to identify and mitigate XPath Injection vulnerabilities before they negatively impact your organization.

Learners will demonstrate the ability to defend applications against XPath Injection attacks and receive hands-on experience implementing effective mitigation. This includes testing for XPath Injection vulnerabilities and using parameterized access methods instead of concatenating untrusted data into XPath expressions.

This Lab is available in 4 coding languages: Java, Python, Node.js, and C#.
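The mitigation the lab above describes, concatenation replaced by parameterized XPath, shown in Python with lxml as an added example (not the lab's own code). The user store, the credentials and the probe string are constructed for illustration; lxml's XPath variable binding (`$name`, `$pw`) is the real library feature being demonstrated.

```python
from lxml import etree

# Constructed user store for this example; a real application would load it
# from its own data source and would not store plaintext passwords.
USERS_XML = b"""<users>
  <user><name>alice</name><password>s3cret</password><role>admin</role></user>
  <user><name>bob</name><password>hunter2</password><role>user</role></user>
</users>"""
DOC = etree.fromstring(USERS_XML)


def roles_vulnerable(name: str, password: str) -> list:
    """'Before' form: untrusted input is concatenated into the expression.
    A quote in the input closes the string literal and the remainder is parsed
    as XPath syntax, so the predicate no longer means what the developer wrote
    ('and' binds tighter than 'or', so an injected "or '1'='1'" matches everyone)."""
    query = f"//user[name='{name}' and password='{password}']/role/text()"
    return [str(r) for r in DOC.xpath(query)]


def roles_parameterized(name: str, password: str) -> list:
    """Hardened form: the expression is fixed and the values are bound to XPath
    variables ($name, $pw) by the engine, so input is only ever compared as a
    string value and cannot alter the structure of the query."""
    query = "//user[name=$name and password=$pw]/role/text()"
    return [str(r) for r in DOC.xpath(query, name=name, pw=password)]


if __name__ == "__main__":
    print(roles_vulnerable("alice", "s3cret"))    # ['admin']
    probe = "' or '1'='1"                          # constructed injection input
    print(roles_vulnerable("alice", probe))       # ['admin', 'user']: bypass
    print(roles_parameterized("alice", probe))    # []: treated as a literal
```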

LAB 319 – ATT&CK: Exfiltration Over C2 Channel

One of the most common post-exploitation activities for attackers and penetration testers is exfiltrating data from compromised systems. The Exfiltration Over C2 Channel lab provides a realistic environment to learn and practice using a common backdoor and industry-standard penetration testing tools to exfiltrate data from a target system.

Learners will understand how to use a backdoor to exfiltrate data over the command and control channel by leveraging a post-exploitation framework in a controlled environment. They will see how in-memory payloads can be used to execute system commands and download a file from a target system.
