Q4 CMD+CTRL UPDATE: 3 NEW COURSES AND 10 NEW LABS

Security Innovation is proud to add thirteen new courses and labs to the CMD+CTRL training catalog for Q4 2023. Concentrating primarily on alternative development methods, the next generation of Web Application Firewall, Secure Coding labs based on CWE Top 25 vulnerabilities, and MITRE ATT&CK® Enterprise Techniques and Mitigations; all new content will be available to learners on October 17, 2023.

This content release includes:

  • (3) New Courses
  • (8) IDE Code Correct Skill Labs
  • (2) MITRE ATT&CK® Skill Labs
  • (1) Updated Course

In addition, we've deprecated ten learn labs and replaced them with specific and more relevant use cases for each vulnerability category.

New CMD+CTRL Courses

As always, CMD+CTRL courses grant learners a foundational understanding of the latest issues faced by software development organizations. This quarter, we focus on leveraging Self-Service App Portals, Web Applications, and API Protection Services.

API 251 – Implementing Web Application and API Protection (WAAP)

API security breaches are rising, with nearly 2/3 of all cloud breach incidents involved in misconfigured APIs. With more than 70% of web traffic coming through APIs and studies suggesting that web app scanners miss 8 out of 10 API vulnerabilities, the release of API 251 – Implementing Web Application and API Protection (WAAP) is timely. Cloud web application and API protection services are the evolution of cloud web application firewall services, expanding scope and security depth. This course provides learners with the knowledge and skills to implement Web Applications and API Protection (WAAP) securely. Unlike a traditional firewall, a WAAP is a highly specialized security tool that protects web applications and APIs.

Mitigating LCNC (Low-Code/No-Code) Vulnerabilities

Gartner estimates that Low-Code/No-Code (LCNC) platforms will be used in over 65% of app developments by 2024. With a projected growth rate of 165% over two years, we see almost 80% of enterprise companies using citizen developers. As clients continue to leverage Self-Service App Portals, Security Innovation releases two courses introducing the most prominent security and privacy risks for low-code/no-code applications, the challenges involved, and how to overcome them as described by the OWASP Low-code/No-code Top 10 guidelines.

DES 361 – Mitigating LCNC (Low-Code/No-Code) Account Impersonation

This course provides learners the knowledge and skills to mitigate the risks associated with Low-code/No-code (LCNC) Account impersonation. It is designed for Software Developers, Vulnerability Assessment Analysts, and Systems Requirements Planners. The concepts discussed align with the OWASP Low-code/No-code Top 10 guidelines. Low-code/No-code applications can be embedded with a developer account, which is then used implicitly by any application user. This practice creates a direct path towards privilege escalation, allows an attacker to hide behind another user's identity, and circumvents traditional security controls.

DES 362 – Mitigating LCNC (Low-Code/No-Code) Authorization Misuse

Most no-code/low-code platforms leverage connections as first-class objects. This means relationships between applications, other users, or entire organizations. Applications can also be shared with users who do not have access to their underlying data. This course is designed to educate NICE Workforce's Software Developer, Cyber Defense Infrastructure Support Specialist, Vulnerability Assessment Analyst, and Systems Requirements Planner roles to mitigate the risks associated with LCNC Authorization Misuse.

New CMD+CTRL Skill Labs

Our eight new secure coding Skill Labs are available only in CMD+CTRL Base Camp and use an IDE to find and correct insecure code based on vulnerabilities related to a null pointer dereference path traversal and integer overflow.

Additionally, we are introducing two new labs based on tactics used by adversaries related to credential access and mitigations, such as vulnerability scanning and audit, as described by the MITRE ATT&CK® Framework.

LAB 287, 288 – Defending Applications Null Pointer Dereference

It was ranked 12th on the CWE Top 25 Most Dangerous Software weaknesses, allowing attackers to bypass security logic or cause an application to reveal valuable debugging information in planning subsequent attacks. The Defending Against Null Pointer Dereference lab assesses the learner's ability to fix code that contains a Null Pointer Dereference. This vulnerability occurs when the application dereferences a pointer that it expects to be valid but is NULL, typically causing a crash or exit. After completing this Lab, they will understand how to defend applications against null pointer dereference attacks that cause a crash or exit.

This Lab is available in 2 coding languages: Java and C#.

LAB 289, 290, 291, 292 – Defending Applications Against Path Traversal

Path Traversal is among the top vulnerabilities discovered in 2022 and ranked 8th on the CWE Top 25 Most Dangerous Software weaknesses. These attacks aim to access files and directories stored outside the web root folder. The Defending Against Path Traversal lab assesses the learner's ability to fix code that contains a Path Traversal vulnerability that allows an attacker to access files on your web server to which they should not have access. After completing this Lab, the learner will understand how to defend applications against path traversal attacks.

This Lab is available in 4 coding languages: Java, Python, Node.js, and C#.

LAB 293, 294 – Defending Applications Against Integer Overflow

With over 1113 vulnerabilities in the Common Vulnerability Exposure (CVE) database, it is no wonder Integer Overflow makes the CWE Top 25. The Defending Against Integer Overflow lab assesses the learner's ability to fix code that contains an Integer Overflow vulnerability, also known as wraparound. Ranked 14th in the CWE Top 25 list of the most common flaws, bugs, faults, and other errors, this vulnerability poses a significant security threat. Attacks involve exploiting bugs in software; when abused, it can lead to disastrous results, including infecting devices with spyware. After completing this Lab, the learner will understand how to defend Java applications against integer overflow attacks.

This Lab is available in 2 coding languages: Java and C#.

LAB 317 – ATT&CK: Testing for Plaintext Secrets in Files

Last year, reports indicated that 10M new secrets were detected, with hard-coded secrets increasing by 67%. This Lab uses the MITRE ATT&CK® framework to help learners understand how attackers may search local file systems and remote file shares for files containing insecurely stored credentials such as passwords, API keys, cryptographic keys, and other confidential data that an application needs to function but should not be exposed to unauthorized users. The Testing for Plaintext Secrets in Files lab assesses learners' ability to discover plaintext secrets in files.

After completing this Lab, the learner will understand how to search for improperly stored secrets in files.

LAB 318 – ATT&CK: Log Analysis

Log analysis addresses 27 MITRE ATT&CK® techniques and involves collecting, evaluating, and managing the data reported by your applications and infrastructure. The Log Analysis lab assesses the learner's ability to identify application and/or system log file vulnerabilities. Performing these audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses can help ensure compliance with security policies and industry regulations.

After completing this Lab, the learner will understand how to perform log analysis to detect anomalies.


To learn more about Skill and Learn Labs, click here.

Please follow this link to get more information about course updates and enhancement details.

Get the Newsletter

Every two weeks we'll send you our latest articles along with usable insights into the state of software security.

Posts by Topic

View Full Topic List