Certified Security Champion (CSC)
I. Overview:
The Certified Security Champion course provides engineers with practical hands-on knowledge to help them in building more secure web applications. Students will learn to develop trustworthy web applications while avoiding common security pitfalls, using best practices and industry frameworks.
Cybersecurity is a wide-ranging topic that covers many areas including but not limited to cryptography, penetration testing, security testing in the software development life cycle, wireless security, denial of service attacks, threats, and vulnerabilities. This course focuses on secure application development with an emphasis on web-related security issues. A review of the OWASP Top 10 list is included.
In this intensive course, you’ll learn how to discover and fix vulnerabilities in application code. Throughout the course, students will be exposed to a wide variety of security topics, including SQL Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), XML External Entity Attacks (XXE), Cross-Site Request Forgery (CSRF), Open Redirects and many more. The course also focuses on various areas of infrastructure security, risk management, threat modelling, and agile collaboration techniques.
By the end of this course, you will develop practical security knowledge, that you can immediately begin applying at work.
Certified Security Champions can cut the cost of security vulnerability remediation by half and reduce time spent remediating vulnerabilities by 75%. By taking this course, learners are guaranteed to increase their organization’s security effectiveness.
The Certified Security Champions course is a must-take for everyone involved in web development. From Front-end developers to security auditors, this course will give you the knowledge and hands-on material you need to build more secure Web Applications. Dev and Sec folks are working more closely together than ever before, and this course will put everyone on the same page.
II. Duration: 40 hours
III. Objectives:
- Building solid foundations that are required to understand the application security landscape
- Building foundational knowledge required to work with infrastructure security
- Understanding the wide range of skills and abilities that are required to be a security champion
- Embedding security while creating, running, and maintaining modern applications
- Gaining abilities to apply practical application security skills in a real-world environment
- Gaining skills and knowledge to liaise with security and other departments to make everyone responsible for the security
- Gaining analytical abilities to observe and advise various security controls, and solutions to secure DevOps
- Understanding the fundamentals of assessing and managing risks
IV. Prerequisites:
- Foundational knowledge of software development life cycle
- Understanding of developing or testing web applications
V. Course outlines:
1. Module 1: AppSec Basics
- Introduction to Application Security
- HTTP Security Basics
- Introduction to Burp Suite
- OWASP Top 10 Basics
- Injection (SQL and other injections)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF) and SSRF
- Broken Authentication and Session Management
- XML External Entities (XXE)
- Insecure Direct Object Reference (IDOR)
- Security Misconfiguration
- Unvalidated Requests and Forwards
- Hands-On Labs: SQL Injection
- Hands-On Labs: XSS and CSRF
- Hands-On Labs: SSRF
- Hands-On Labs: Local File Inclusion (LFI) and File Upload issues
2. Module 2: Secure Code Review
- What is Secure Code Review?
- How to approach Secure code review
- Tools of the trade
- Reviewing the code from a security perspective
- Input and output validation
- Authentication issues
- Authorization issues
- Security Misconfigurations
- Hands-On Labs: Input validation using industry best practices
- Hands-On Labs: Output encoding to prevent client-side attacks like XSS
- Hands-On Labs: Bruteforce attacks and secret questions
- Hands-On Labs: Information leakage with password reset workflows
- Hands-On Labs: Best practices in implementing role-based access control
- Hands-On Labs: Risks with unvalidated redirects and forwards
3. Module 3: Primer on Risk Management
- Introduction to Risk management
- Risk Assessment
- Risk Calculation
- Risk Treatment
- How to mitigate risks
- How to avoid risks
- How to transfer risks
- How to accept risks
- Plan, design, and implement a risk-management process
- Understand the current threat landscape
- Continuously improve security systems to reduce risk exposure
- Ensure business continuity while reducing the risks to the organization
4. Module 4: Threat Modeling
- What is Threat Modelling?
- Risk Management vs. Threat modeling
- STRIDE vs. DREAD approaches
- Threat Modeling Process and its challenges
- Decompose the application
- Identify the Threats
- Document and rate the threats, and risks
- Design and create defenses
- Classical Threat modeling tools and how they fit in CI/CD pipeline
- Hands-On Labs: Automate security requirements as code
- Hands-On Labs: Using ThreatSpec to achieve Threat Modelling as Code
5. Module 5: DevSecOps Basics
- DevOps Building Blocks – People, Process, and Technology
- DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
- Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility
- Overview of the DevSecOps critical toolchain
- Repository management tools
- Continuous Integration and Continuous Deployment tools
- Infrastructure as Code (IaC) tools
- Communication and sharing tools
- Security as Code (SaC) tools
- Common Challenges faced when using the DevOps principles
- Secure SDLC
- Overview of secure SDLC and CI/CD
- Review of security activities in secure SDLC
- Continuous Integration and Continuous Deployment
- Hands-On Labs: How to embed SCA tool into CI/CD pipeline
- Hands-On Labs: How to embed SAST tool into CI/CD pipeline
6. Module 6: Infrastructure as Code and Its Security
- Infrastructure as Code and its benefits
- Platform + Infrastructure Definition + Configuration Management
- Introduction to Ansible
- Benefits of Ansible
- Push and Pull based configuration management systems
- Modules, tasks, roles, and Playbooks
- Tools and Services that help to achieve IaC
- Hands-On Labs: Docker and Ansible
- Hands-On Labs: Using Ansible to create Golden images and harden Infrastructure
7. Module 7: Agile Communications, Collaboration, and Soft Skills
- The need for Agile communication and collaboration
- How to handle conflicting priorities among teams
- How to work security teams to find common ground
- Holding people accountable for security
- Staying empathetic and assertive
- Plan, design, and implement processes to resolve any issues among the teams
8. Practical DevSecOps Certification Process
- After completing the course, you can schedule the CSC exam on your preferred date.
Học trực tuyến
Học tại Hồ Chí Minh
Học tại Hà Nội