Course detail
Certified Security Champion (CSC)
EDU Trainings s.r.o.
Course description
The students master application security, OWASP Top 10 basics, and secure coding practices. You’ll identify and fix code vulnerabilities using CI/CD tools to strengthen pipeline security and bolster organizational defense.
Course Inclusions:
Course Manual
3 Years of Course Videos and Checklists
Access to a dedicated Mattermost channel
40+ Guided Exercises
Earn 24 CPE Points on course completion
30 days of Browser-based Lab Access
One exam attempt for the Certified Security Champion certification
Upon successful completion of this course, students will be able to:
Build the solid foundations required to understand the application security landscape.
Build the foundational knowledge required to work with infrastructure security.
Understand the wide range of skills and abilities required of a security champion.
Embed security while creating, running, and maintaining modern applications.
Apply practical application security skills in a real-world environment.
Liaise with security and other departments to make everyone responsible for security.
Observe and advise on various security controls and solutions to secure DevOps.
Understand the fundamentals of assessing and managing risks.
Course content
Chapter 1: AppSec Basics
Introduction to Application Security.
HTTP Security basics.
Introduction to Burp Suite.
OWASP top 10 basics
Injection (SQL and other injections).
Cross-Site Scripting (XSS).
Cross-Site Request Forgery (CSRF) and SSRF.
Broken Authentication and Session Management.
XML External Entities (XXE).
Insecure Direct Object Reference (IDOR).
Security Misconfiguration.
Unvalidated Requests and Forwards.
Hands-on labs
SQL Injection.
XSS and CSRF.
SSRF.
Local File Inclusion (LFI) and File Upload issues.
Chapter 2: Secure Code Review
What is Secure Code Review?
How to approach Secure code review.
Tools of the trade.
Reviewing the code from a security perspective
Input and output validation.
Authentication issues.
Authorization issues.
Security Misconfigurations.
Hands-on labs
Input validation using industry best practices.
Output encoding to prevent client-side attacks like XSS.
Bruteforce attacks and secret questions.
Information leakage with password reset workflows.
Best practices in implementing role-based access control.
Risks with unvalidated redirects and forwards.
Chapter 3: Primer on Risk Management
Introduction to Risk management.
Risk Assessment.
Risk Calculation.
Risk Treatment
How to mitigate risks.
How to avoid risks.
How to transfer risks.
How to accept risks.
Plan, design, and implement a risk-management process.
Understand the current threat landscape.
Continuously improve security systems to reduce risk exposure.
Ensure business continuity while reducing the risks to the organization.
Chapter 4: Threat Modeling
What is Threat Modelling?
Risk Management vs. Threat modeling.
STRIDE vs. DREAD approaches.
Threat Modeling Process and its challenges
Decompose the application.
Identify the Threats.
Document and rate the threats, and risks.
Design and create defenses.
Classical Threat modeling tools and how they fit in CI/CD pipeline.
Hands-On Labs:
Automate security requirements as code.
Using ThreatSpec to achieve Threat Modelling as Code.
Chapter 5: DevSecOps Basics
DevOps Building Blocks – People, Process, and Technology.
DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS).
Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility.
Overview of the DevSecOps critical toolchain
Repository management tools.
Continuous Integration and Continuous Deployment tools.
Infrastructure as Code (IaC) tools.
Communication and sharing tools.
Security as Code (SaC) tools.
Common Challenges faced when using the DevOps principles.
Secure SDLC
Overview of secure SDLC and CI/CD.
Review of security activities in secure SDLC.
Continuous Integration and Continuous Deployment.
Hands-On Labs:
How to embed SCA tool into CI/CD pipeline.
How to embed SAST tool into CI/CD pipeline.
Chapter 6: Infrastructure as Code and Its Security
Infrastructure as Code and its benefits.
Platform + Infrastructure Definition + Configuration Management.
Introduction to Ansible.
Benefits of Ansible.
Push and Pull based configuration management systems.
Modules, tasks, roles, and Playbooks.
Tools and Services that help to achieve IaC.
Hands-On Labs:
Docker and Ansible.
Using Ansible to create Golden images and harden Infrastructure.
Chapter 7: Agile Communications, Collaboration, and Soft Skills
The need for Agile communication and collaboration.
How to handle conflicting priorities among teams.
How to work with security teams to find common ground.
Holding people accountable for security.
Staying empathetic and assertive.
Plan, design, and implement processes to resolve any issues among the teams.
Certificate
On request.