2023 Q3 Quarterly Release: 4 New Courses and 17 New Labs

Security Innovation is proud to add twenty-one new courses and labs to the CMD+CTRL training catalog for Q3 2023, available to learners on July 25, 2023.

We are concentrating primarily on NICE Framework Work Roles such as Software Developer and Network Operations Specialist. Focuses include Secure Software Development, Infrastructure Design, Systems Integration, Risk Management, Vulnerability Assessment, and several others

This content release includes:

  • (12) IDE Code Correct Skill Labs
  • (2) MITRE ATT&CK®️ Skill Labs
  • (3) Vulnerability Identification Learn Labs
  • (4) New Courses
  • (2) Updated Courses

In addition, we've deprecated COD 281 - Java Security Model based on Oracle's announcement of their deprecation of Java Security Manager.

New CMD+CTRL Courses

CMD+CTRL courses grant learners a foundational understanding of the latest issues faced by software development organizations. This quarter we focus on leveraging Artificial Intelligence, Cyber-Supply Chain Risk Management, Infrastructure-as-Code Security, and Java Programming.

COD 288 – Java Public Key Cryptography

Oracle announced its deprecation of Java Security Manager because it cannot address 19 of the 25 CWE most dangerous issues identified by industry leaders. While Java Public Key Infrastructure (PKI) is not a one-for-one replacement, many developers may opt to rely on this technology to provide similar functionality. Java offers tools and APIs with features that make it easier to develop and deploy PKI applications covered in this course.

This course provides learners the knowledge and skills to apply best practices for using Public Key Cryptography in Java. Public key cryptography is a critical framework for secure communications and data transfer in Java applications. It operates on the principles of asymmetric cryptography, which involves producing a bound pair of keys: one public and one private. The private key remains confidential, like a password, while the public key is made available to anyone, much like an email address. This dual-key system serves two purposes; the first is encryption, and the second is for digital signatures.

CYB 310 – Using Cyber Supply Chain Risk Management (C-SCRM) to Mitigate Threats to IT/OT

As GAO audits of over 20 different government agencies revealed the failure to implement all seven critical practices for managing supply chain risk Security Innovation developed a plan to address the one practice ignored by all; establish a process for conducting agency-wide assessments of supply chain risks with the release of this course.

This course introduces how to create and execute effective C-SCRM strategies to safeguard their organizations’ IT and OT systems against cyber risks originating in the supply chain via a mix of theoretical understanding and real-world experiences. Using Cyber Supply Chain Risk Management (C-SCRM) to mitigate the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains requires close coordination and information-sharing with reliable allies and constant monitoring for and evaluating security risks and openings.

Learners will gain a basic understanding of C-SCRM, including its central ideas, recommended procedures, and established norms.

CYB 311 – Threat Analysis with Artificial Intelligence (AI)

As Business Leaders seek to learn more about how AI’s role in cybersecurity enhances business value and how to integrate AI into organizational cybersecurity efforts, we’ve seen a shift in requests for content related to using Artificial Intelligence. As Executives from Cybersecurity, IT Information Security, and IT Operations teams continue to believe AI can allow them to respond to cyber-attacks faster and improve the accuracy and efficiency of cyber analysts, we’ve opted to focus on how AI is helping organizations protect themselves against cyber-attacks.

In this course, we discuss the fundamental components of AI, such as sandboxes and trained data, as well as the logic used in machine learning, neural networks, and deep learning.

The course is designed to provide learners with the knowledge and skills to understand AI logic and specific use cases of AI in the threat detection landscape and use AI for application development, malware analysis, and user behavior analytics.

ENG 320 – Using Software Composition Analysis (SCA) to Secure Open-Source Components

Industry analysts estimate that 90% of organizations rely on open-source in their applications today. The 2022 State of Open-Source Security report revealed that the average project introduces 49 vulnerabilities spanning 79 direct dependencies.

As organizations continue to use open-source app development to save money and time, it is estimated that open-source code makes up 90% of the code composition of applications. Software Composition Analysis (SCA) provides visibility into the open-source components and libraries incorporated into the software development teams create. SCA can help manage security and license-related risks.

This course provides learners with a fundamental understanding of using Software Composition Analysis (SCA) tools to integrate open-source software into new code securely.


Skill Labs

Our twelve new secure coding Skill Labs are available only in CMD+CTRL Base Camp and use an IDE to find and correct insecure code based on credential storage, input validation, and forced browsing vulnerabilities. Additionally, we are introducing two new labs based on techniques used by adversaries related to executing both Discovery and Command and Control tactics as described by the MITRE ATT&CK®️ Framework.

LAB 275, 276, 277, 278 - Defending Applications Against Command Injection

Available in: Java, Python, Node.js, and C#.

Studies suggest this vulnerability is #3 amongst the Top 5 most dangerous injection attacks allowing attackers to execute unexpected, dangerous commands directly on the operating system. The Defending Applications Against Command Injection labs assess the learner’s ability to fix code that allows an attacker to execute arbitrary operating system (OS) commands on the application server.

After completing this lab, learners will understand how to defend applications against command injection vulnerabilities that may fully compromise the application and all its data.

LAB 279, 280, 281, 282 - Defending Applications Against Dangerous File Upload

Available in: Java, Python, Node.js, and C#.

File upload vulnerabilities are a part of A04::2021-Insecure Design in the OWASP Top 10 with 130+ Upload reports from HackerOne as of July 2023. This type of server-side vulnerability enables an attacker to place a file of their choosing onto the target server and often goes together with directory traversal vulnerabilities.

These labs assess the learner's ability to fix code that fails to validate correctly, allowing an attacker to upload malicious files.

After completing this lab, the learner will understand how to defend Applications against dangerous file uploads that would enable attackers to place files onto a server and gain access forward using backdoor code.

LAB 283, 284, 285, 286 - Defending Applications Against RegEx DoS

Available in: Java, Python, Node.js, and C#.

Last year NETSCOUT reported 13 million DDoS attacks which is an 807% increase over time. Regular Expression Denial of Service attacks exploits the fact that most RegEx implementations may reach extreme situations that cause them to work very slowly, allowing attackers to make application/server resources inaccessible to end users.

The Defending Applications Against RegEx DoS labs assess the learner's ability to fix code that will enable attackers to capitalize on vulnerabilities RegEx engines face when matching regular expressions crashing the system or stopping the system from responding to user requests.

After completing this lab, the learner will understand how to fix code that contains a RegEx DoS vulnerability that may leave your application vulnerable to manipulation by attackers.

LAB 312 - ATT&CK: Testing for Network Services Identification

This lab uses the MITRE ATT&CK®️ framework to help learners understand how attackers may exploit Network Service Identification vulnerabilities to get a listing of services running on remote hosts and lock network infrastructure devices, including those vulnerable to remote software exploitation.

LAB 313 – ATT&CK: Vulnerability Identification using Vulnerability Databases

This lab uses the MITRE ATT&CK®️ framework to help learners to understand how attackers use a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment to shape follow-on behaviors, including whether they fully infect the target and/or attempt specific actions.

Learn Labs

Consistent with Security Innovation’s overarching “Beyond the Code” mantra, Learn Labs keep organizations safe by highlighting vulnerabilities that almost anyone involved in the SDLC can recognize- not just those closest to the code. This quarter, we focus on Cloud Infrastructure and Cloud-Native Applications vulnerabilities.

LAB 137 – Identifying Exposure of Sensitive Information Through Environmental Variables

Improper Authorization vulnerabilities may result in information exposures, denial of service, and arbitrary code execution. The weakness is introduced during the architecture, design, implementation, and operation stages.

This lab assesses the learner’s understanding of how such an existing vulnerability in a cloud-native marketing automation SaaS suite can be discovered and exploited. This vulnerability can lead to sensitive data exposure, arbitrary code execution, or other high-impact problems.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to access data or perform actions that otherwise they would not be able to if access control checks were implemented correctly.

LAB 138 – Identifying Authorization Bypass Through User-Controlled Key

Authorization Bypass Through a User-Controlled Key occurs when the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Here, the learner learns how an existing Insecure Direct Object Reference vulnerability in an e-commerce application can be discovered and exploited via parameter tampering.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities to bypass authorization and read or modify another user’s data. If the user-controlled key identifies a role or session instead of referencing a resource, the adversary may gain privileges or assume another user’s identity.

LAB 139 – Identifying Use of a Key Past its Expiration Date

Use of a Key Past its Expiration Date diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

Once completing this exploit lab, the learner should understand how existing Credentials Management and Security Misconfiguration vulnerabilities in a cloud file storage application suite built on AWS can be discovered and exploited to gain unauthorized access to sensitive data.

After completing this lab, the learner will understand how adversaries can exploit such vulnerabilities, in this case, to steal code from a repository and modify it to use outdated credentials to access an otherwise private file.

To learn more about Skill and Learn Labs, click here.

Please follow this link to get more information about course updates and enhancement details.