CYBERSECURE CODER (CSC) Training Course
The importance of software security cannot be overstated. Yet, many development teams often delay addressing software security until after the code is written and the software is nearly ready for release. Just as with other aspects of software quality, ensuring a successful outcome requires managing security and privacy concerns throughout the entire software development lifecycle.
This course introduces a comprehensive approach to handling security and privacy issues across the complete software development cycle. You will gain insights into vulnerabilities that can compromise security and learn how to identify and resolve them within your own projects. The course covers general strategies for addressing security flaws and misconfigurations, techniques for designing software that accounts for human factors in security, and methods for integrating security into all stages of development.
Target Audience
This course is designed for individuals such as software developers, testers, and architects involved in creating software using various programming languages and platforms, including desktop, web, cloud, and mobile environments. It aims to enhance their ability to produce high-quality software, with a special emphasis on security and privacy aspects.
Objectives:
Throughout this course, you will employ advanced techniques in software development to create software with robust security measures.
You will:
- Recognize the need for security in your software projects.
- Eliminate weaknesses within the software.
- Apply a Security by Design methodology to build a secure structure for your software.
- Incorporate standard safeguards to uphold user and data security.
- Utilise various testing approaches to identify and rectify security flaws in your software.
- Maintain the security of deployed software for ongoing protection.
Course Outline
Lesson 1: Identifying the Need for Security in Your Software Projects
Topic A: Identify Security Requirements and Expectations
Topic B: Identify Factors That Undermine Software Security
Topic C: Find Vulnerabilities in Your Software
Topic D: Gather Intelligence on Vulnerabilities and Exploits
Lesson 2: Handling Vulnerabilities
Topic A: Handle Vulnerabilities Due to Software Defects and Misconfiguration
Topic B: Handle Vulnerabilities Due to Human Factors
Topic C: Handle Vulnerabilities Due to Process Shortcomings
Lesson 3: Designing for Security
Topic A: Apply General Principles for Secure Design
Topic B: Design Software to Counter Specific Threats
Lesson 4: Developing Secure Code
Topic A: Follow Best Practices for Secure Coding
Topic B: Prevent Platform Vulnerabilities
Topic C: Prevent Privacy Vulnerabilities
Lesson 5: Implementing Common Protections
Topic A: Limit Access Using Login and User Roles
Topic B: Protect Data in Transit and At Rest
Topic C: Implement Error Handling and Logging
Topic D: Protect Sensitive Data and Functions
Topic E: Protect Database Access
Lesson 6: Testing Software Security
Topic A: Perform Security Testing
Topic B: Analyze Code to Find Security Problems
Topic C: Use Automated Testing Tools to Find Security Problems
Lesson 7: Maintaining Security in Deployed Software
Topic A: Monitor and Log Applications to Support Security
Topic B: Maintain Security after Deployment
Appendix A: Mapping Course Content to Cyber Secure Coder (Exam CSC-110)
Requirements
This course presents secure programming concepts applicable to a wide range of software development projects. Although this course uses Python, HTML, and JavaScript to demonstrate various programming concepts, prior experience in these languages is not required to benefit from the course. However, you should have some programming experience, whether in developing desktop, mobile, web, or cloud applications. Various courses covering software development may help you prepare for this course, such as:
- Developing Secure Universal Windows® Platform Apps in C# and XAML
- Developing Secure iOS® Apps for Business
- Developing Secure Android™ Apps for Business
- Python® Programming: Introduction
- Python® Programming: Advanced
- Programming Google App Engine™ Applications in Python®
- HTML5: Content Authoring with New and Advanced Features
- SQL Querying: Fundamentals
Testimonials (3)
Experience sharing, it's teacher's know-how and valuable.
Carey Fan - Logitech
Course - C/C++ Secure Coding
The knowledge of the trainer was very high - he knew what he was talking about, and knew the answers to our questions.
Adam - Fireup.PRO
Course - Advanced Java Security
Very good to understand how a hacker would potentially analyse sites for weakness and tools they might employ.
Roger - OTT Mobile
Course - .NET, C# and ASP.NET Security Development
Related Courses
ABAP Secure code
14 Hours
Upon completing this training, participants will be able to:
- Explain the principles of application security and common vulnerabilities
- Outline ABAP programming best practices and the management of SY-SUBRC
- Gain an understanding of injection vulnerabilities
- Describe various security testing tools
- Explain the functions of ATC and CVA
Course Format
- Interactive lectures and discussions.
- Extensive exercises and hands-on practice.
- Hands-on implementation within a live-lab environment.
Applications Security Foundation
21 Hours
This programme explores the core principles of secure coding that are vital for web application developers. Participants will learn secure programming concepts by examining code samples, identifying security vulnerabilities, and applying effective remediation strategies.
The course features demonstrations of real-world attacks and techniques to mitigate them, helping students build confidence in enhancing the security posture of their applications.
Duration: 3 days
Target Audience: Developers seeking to expand their expertise in secure coding practices.
Learning Outcomes
Participants will acquire knowledge in:
• Web Application Security.
• Common Web Application Risks.
• Penetration Testing of Demo Web Applications.
• Data Validation.
• Authentication.
• Session Management.
• Secure SDLC.
CERTIFIED ETHICAL EMERGING TECHNOLOGIST (CEET)
21 Hours
Progress in computing and engineering is propelling technological advancement, ranging from blockchain and artificial intelligence to gene editing and the Internet of Things. These developments present opportunities to enhance productivity and improve human welfare. However, as recent scandals have shown, these innovations also introduce novel risks. Technology professionals are under growing pressure to address ethical issues, striking a balance between privacy, accuracy, fairness, and safety. This course equips learners with practical tools to manage ethical risks in emerging data-driven technologies, leveraging theory, regulatory frameworks, and industry best practices. Participants will develop the skills necessary to navigate ethical dilemmas within their roles and organisations.
CyberSec First Responder
35 Hours
This programme focuses on network defence and incident response strategies, techniques, and procedures, aligned with industry frameworks such as NIST 800-61 r.2 (Computer Security Incident Handling), US-CERT’s NCISP (National Cyber Incident Response Plan), and Presidential Policy Directive (PPD) 41 on Cyber Incident Coordination Policy. It is particularly suitable for candidates assigned to monitor and detect security incidents within information systems and networks, as well as those responsible for executing standardised responses to such events. The course introduces tools, tactics, and procedures to manage cybersecurity risks, identify various common threats, assess organisational security, collect and analyse cybersecurity intelligence, and remediate and report incidents as they arise. It offers a comprehensive methodology for individuals tasked with defending their organisation’s cybersecurity.
This programme is designed to assist students in preparing for the CertNexus CyberSec First Responder (Exam CFR-310) certification examination. The knowledge and skills acquired and practised here will form a significant part of your preparation. Furthermore, this course and the subsequent certification (CFR-310) satisfy all requirements for personnel needing DoD directive 8570.01-M position certification baselines:
• CSSP Analyst
• CSSP Infrastructure Support
• CSSP Incident Responder
• CSSP Auditor
Course Objectives: In this programme, you will learn to understand, assess, and respond to security threats, and operate a system and network security analysis platform. You will:
• Compare and contrast various threats and classify threat profiles
• Explain the purpose and use of attack tools and techniques
• Explain the purpose and use of post-exploitation tools and tactics
• Explain the purpose and use of social engineering tactics
• Given a scenario, conduct ongoing threat landscape research and utilise data to prepare for incidents
• Explain the purpose and characteristics of various data sources
• Given a scenario, utilise appropriate tools to analyse logs
• Given a scenario, use regular expressions to parse log files and locate meaningful data
• Given a scenario, use Windows tools to analyse incidents
• Given a scenario, use Linux-based tools to analyse incidents
• Summarise methods and tools used for malware analysis
• Given a scenario, analyse common indicators of potential compromise
• Explain the importance of best practices in preparing for incident response
• Given a scenario, execute the incident response process
• Explain the importance of concepts unique to forensic analysis
• Explain general mitigation methods and devices
Target Student: This programme is primarily designed for cybersecurity practitioners preparing for or currently performing job functions related to protecting information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. It is ideal for roles within federal contracting companies and private sector firms whose mission or strategic objectives require the execution of Defensive Cyber Operations (DCO) or DoD Information Network (DODIN) operation and incident handling. The focus is on the knowledge, abilities, and skills necessary to defend those information systems in a cybersecurity context, including protection, detection, analysis, investigation, and response processes.
Additionally, the programme ensures that all members of an IT team—regardless of size, rank, or budget—understand their role in the cyber defence, incident response, and incident handling process.
Network Security and Secure Communication
21 Hours
Developing secure networked applications can be challenging, even for developers who have previously worked with cryptographic building blocks like encryption and digital signatures. To help participants grasp the role and application of these cryptographic primitives, the course first establishes a solid foundation on the core requirements of secure communication—namely secure acknowledgement, integrity, confidentiality, remote identification, and anonymity. It also addresses typical threats that can undermine these requirements alongside practical, real-world solutions.
Given that cryptography is a critical component of network security, the course examines essential algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Rather than focusing on complex mathematical theory, these topics are approached from a developer's perspective, featuring typical use-case examples and practical considerations such as public key infrastructures. The course introduces security protocols used across various domains of secure communication, offering an in-depth look at widely adopted protocol families like IPSEC and SSL/TLS.
Common cryptographic vulnerabilities are discussed in the context of both specific algorithms and protocols. Topics include BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE, and the RSA timing attack. For each issue, the practical implications and potential consequences are explained without delving into deep mathematical details.
Finally, since XML technology is central to data exchange in networked applications, the course covers XML security aspects. This includes the use of XML in web services and SOAP messages, along with protective measures like XML signature and XML encryption. The course also examines weaknesses in these protections and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.
Participants attending this course will
- Understand basic concepts of security, IT security, and secure coding
- Understand the requirements of secure communication
- Learn about network attacks and defences at different OSI layers
- Have a practical understanding of cryptography
- Understand essential security protocols
- Understand some recent attacks against cryptosystems
- Get information about some recent related vulnerabilities
- Understand security concepts of Web services
- Get sources and further readings on secure coding practices
Audience
Developers, Professionals
C/C++ Secure Coding
21 Hours
This three-day course provides an introduction to safeguarding C/C++ code from malicious actors who might exploit vulnerabilities related to memory management and input handling. The curriculum focuses on the fundamental principles of writing secure code.
Advanced Java Security
21 Hours
Even seasoned Java developers do not necessarily master every security service offered by Java, nor are they always aware of the various vulnerabilities relevant to web applications written in Java.
The course, while introducing the security components of Standard Java Edition, also addresses security issues concerning Java Enterprise Edition (JEE) and web services. Before discussing specific services, the course covers the foundations of cryptography and secure communication. Various exercises focus on declarative and programmatic security techniques in JEE, alongside discussions on both transport-layer and end-to-end security for web services. Participants can apply these concepts through practical exercises, allowing them to test out the discussed APIs and tools themselves.
The course also examines and explains the most common and severe programming flaws in the Java language and platform, as well as web-related vulnerabilities. Beyond typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems arising from the runtime environment. All vulnerabilities and relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.
Participants attending this course will
- Understand basic concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
- Understand the security concepts of web services
- Learn to use various security features of the Java development environment
- Gain a practical understanding of cryptography
- Understand the security solutions of Java EE
- Learn about typical coding mistakes and how to avoid them
- Get information about some recent vulnerabilities in the Java framework
- Acquire practical knowledge in using security testing tools
- Obtain sources and further readings on secure coding practices
Audience
Developers
Standard Java Security: Secure Coding & Development Practices
14 Hours
Description
The Java language and the Java Runtime Environment (JRE) were engineered to minimise exposure to the most prevalent and dangerous security vulnerabilities found in other languages such as C/C++. Nevertheless, software developers and architects must not only master the application of Java's security features (positive security) but also remain vigilant about the numerous vulnerabilities that continue to affect Java development (negative security).
The course introduces security services by first providing a concise overview of cryptographic foundations, establishing a shared understanding of the purpose and operation of relevant components. Participants will explore the practical application of these components through hands-on exercises, allowing them to experiment with the discussed APIs.
The course also examines and explains the most common and severe programming flaws associated with the Java language and platform. This includes both typical errors made by Java programmers and issues specific to the language and its environment. All vulnerabilities and associated attacks are demonstrated through accessible exercises, followed by recommended coding guidelines and mitigation strategies.
Participants attending this course will
- Grasp the fundamental concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and understand how to avoid them
- Gain proficiency in using various security features within the Java development environment
- Develop a practical understanding of cryptography
- Identify typical coding mistakes and learn how to prevent them
- Gain insight into recent vulnerabilities affecting the Java framework
- Access sources and further reading materials on secure coding practices
Audience
Developers
.NET, C# and ASP.NET Security Development
14 Hours
Today, a variety of programming languages are available to compile code for the .NET and ASP.NET frameworks. While this environment offers robust tools for security development, developers must understand how to apply architecture- and coding-level programming techniques to implement desired security functionalities, avoid vulnerabilities, or limit their exploitation.
The aim of this course is to equip developers with the ability to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, facilitate remote procedure calls, manage sessions, and introduce diverse implementations for specific functionalities, among other skills, through numerous hands-on exercises.
The introduction to various vulnerabilities begins by presenting typical programming problems encountered when using .NET. The discussion on ASP.NET vulnerabilities also covers various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities addresses not only general web application security challenges but also special issues and attack methods, such as attacking the ViewState or employing string termination attacks.
Participants attending this course will
- Understand fundamental concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and understand how to avoid them
- Learn to utilise various security features of the .NET development environment
- Gain practical knowledge in using security testing tools
- Learn about typical coding mistakes and how to avoid them
- Gain information about some recent vulnerabilities in .NET and ASP.NET
- Access sources and further readings on secure coding practices
Audience
Developers
Secure coding in PHP
21 Hours
The course provides PHP developers with the essential skills needed to make their applications resistant to contemporary attacks through the Internet. Web vulnerabilities are discussed through PHP-based examples going beyond the OWASP Top Ten, tackling various injection attacks, script injections, attacks against session handling of PHP, insecure direct object references, issues with file upload, and many others. PHP-related vulnerabilities are introduced grouped into the standard vulnerability types of missing or improper input validation, incorrect error and exception handling, improper use of security features, and time- and state-related problems. For the latter, we discuss attacks like the open_basedir circumvention, denial-of-service through magic float, or the hash table collision attack. In all cases, participants will become familiar with the most important techniques and functions to be used to mitigate the listed risks.
A special focus is given to client-side security, tackling security issues of JavaScript, Ajax and HTML5. A number of security-related extensions to PHP are introduced, like hash, mcrypt and OpenSSL for cryptography, or Ctype, ext/filter and HTML Purifier for input validation. The best hardening practices are given in connection with PHP configuration (setting php.ini), Apache and the server in general. Finally, an overview is given of various security testing tools and techniques which developers and testers can use, including security scanners, penetration testing and exploit packs, sniffers, proxy servers, fuzzing tools and static source code analyzers.
Both the introduction of vulnerabilities and the configuration practices are supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to apply mitigation techniques and introducing the use of various extensions and tools.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn client-side vulnerabilities and secure coding practices
- Have a practical understanding of cryptography
- Learn to use various security features of PHP
- Learn about typical coding mistakes and how to avoid them
- Be informed about recent vulnerabilities of the PHP framework
- Get practical knowledge in using security testing tools
- Get sources and further readings on secure coding practices
Audience
Developers
Microsoft SDL Core
14 Hours
This comprehensive core training offers a deep dive into secure software design, development, and testing, guided by the Microsoft Secure Development Lifecycle (SDL). It provides a foundational overview of the SDL's essential building blocks, followed by design techniques aimed at detecting and rectifying flaws during the early stages of the development process.
Focusing on the development phase, the course outlines common security-related programming bugs found in both managed and native code. It presents attack methods for the discussed vulnerabilities alongside their corresponding mitigation techniques. Through numerous hands-on exercises, participants engage in live hacking scenarios, making the learning process interactive and practical. The training introduces various security testing methods and demonstrates the effectiveness of different testing tools. Participants will gain a clear understanding of how these tools operate by applying them to vulnerable code examples discussed throughout the course.
By the end of this course, participants will be able to
- Understand the fundamental concepts of security, IT security, and secure coding
- Familiarize themselves with the essential steps of the Microsoft Secure Development Lifecycle
- Adopt secure design and development practices
- Comprehend the principles of secure implementation
- Understand security testing methodologies
- Access resources and further reading materials on secure coding practices
Target Audience
Developers, Managers
Certified Internet of Things Practitioner (CIoTP™)
21 Hours
The Internet of Things (IoT) offers a vast array of advantages for industries, energy and utility sectors, municipalities, healthcare providers, and end consumers. It enables the collection of data in immense volumes and intricate detail on nearly any measurable aspect, including public health and safety, environmental conditions, industrial and agricultural outputs, energy usage, and utility services. Advanced data analysis tools have been refined to handle the massive data streams generated by IoT, allowing organisations to make informed decisions swiftly.
However, deploying IoT systems can be complex and fraught with potential hazards. Solutions often involve integrating devices and technologies from various vendors, necessitating a solid grasp of both software and hardware, as well as strategies to unify them. This also includes managing risks related to security, privacy, and the safety of individuals whose working and living environments are controlled by these systems.
IT professionals frequently lack experience with embedded systems, sensor networks, actuators, real-time systems, and other components typical of IoT environments. This course establishes a foundation for understanding how these components interact with systems with which IT professionals are more familiar, such as networks, cloud computing platforms, and applications running on servers, desktops, and mobile devices.
Throughout this course, students will master general strategies for planning, designing, developing, implementing, and maintaining IoT systems. This is achieved through case studies and by assembling and configuring an IoT device to function within a sensor network. Students will build an IoT device based on an ESP8266 microcontroller, implementing common IoT features such as analog and digital sensors, a web-based interface, MQTT messaging, and data encryption.
Course Objectives: In this course, you will learn to apply Internet of Things technologies to address real-world challenges. You will:
• Plan an IoT implementation.
• Construct and programme an IoT device.
• Communicate with an IoT device via wired and wireless connections.
• Process sensor input and control actuators on an IoT device.
• Manage security, privacy, and safety risks in IoT projects.
• Oversee an IoT prototyping and development project through the entire development lifecycle.
Target Student: This course is tailored for IT professionals with foundational skills in computer hardware, software support, and development who wish to learn how to design, develop, implement, operate, and manage IoT devices and related systems. Participants are keen to deepen their knowledge of embedded systems, microcontroller programming, IoT security, and the IoT project development lifecycle.
Although students will gain hands-on experience assembling a prototype IoT device and utilising software development tools, these activities are closely guided, so prior experience in electronics assembly and programming is not required. This course prepares students for the CertNexus Certified Internet of Things (IoT) Practitioner (Exam ITP-110).
Certified Artificial Intelligence (AI) Practitioner
35 Hours
Artificial intelligence (AI) and machine learning (ML) have become indispensable components of the modern organizational toolkit. When leveraged effectively, these technologies deliver actionable insights that inform critical decision-making and empower businesses to launch exciting, innovative products and services. This course guides you through applying various AI and ML approaches and algorithms to address business challenges. You will learn to follow a structured workflow for developing robust solutions, utilise open-source and commercial tools to build, test, and deploy these solutions, and ensure they adhere to user privacy standards. Each topic area includes practical, hands-on activities.
Course Objectives: In this course, you will implement AI techniques to resolve business problems. You will:
- Define a general approach to solving a specific business problem using applied AI and ML.
- Collect and refine datasets to prepare them for training and testing.
- Train and tune a machine learning model.
- Finalise a machine learning model and present findings to the relevant stakeholders.
- Develop linear regression models.
- Develop classification models.
- Develop clustering models.
- Develop decision trees and random forests.
- Develop support-vector machines (SVMs).
- Develop artificial neural networks (ANNs).
- Advocate for data privacy and ethical practices within AI and ML projects.
Target Student: The skills covered in this course integrate three key areas—software development, applied mathematics and statistics, and business analysis. Ideal candidates for this course may possess strength in one or two of these areas and wish to broaden their expertise in the others, enabling them to apply artificial intelligence (AI) systems, particularly machine learning models, to business problems.
For instance, the target student might be a programmer seeking to expand their skills to apply machine learning algorithms to business issues, or a data analyst with strong mathematical and statistical capabilities who wishes to develop technical skills related to machine learning. A typical participant in this course should have several years of experience with computing technology and some aptitude in computer programming. This course is also designed to assist students in preparing for the CertNexus® Certified Artificial Intelligence (AI) Practitioner (Exam AIP-110) certification.
Certified Internet of Things Security Practitioner (CIoTSP™)
21 Hours
This programme is tailored for professionals aiming to validate a vendor-neutral, cross-industry skill set that empowers them to design, implement, operate, and/or manage a secure Internet of Things (IoT) ecosystem.
Target Audience: This course is intended for IoT practitioners seeking to enhance their expertise in IoT security and privacy. It is also ideal for candidates preparing for the CertNexus Certified Internet of Things Security Practitioner (CIoTSP) certification and the associated Exam ITS-110.
CertNexus CyberSAFE
7 Hours
Objectives:
In this course, you will identify many of the common risks involved in using conventional end-user technology, as well as ways to use it safely, to protect yourself from those risks.
You will:
- Identify security compliance measures.
- Address social engineering attempts.
- Secure devices such as desktops, laptops, tablets, smartphones, and more.
- Use the Internet securely.
Target Student
This course is designed for you as a non-technical end user of computers, mobile devices, networks, and the Internet, to enable you to use technology more securely to minimise digital risks.
This course is also designed for you to prepare for the Certified CyberSAFE credential. You can obtain your Certified CyberSAFE certificate by completing the Certified CyberSAFE credential process on the CHOICE platform following the course presentation.