CMD+CTRL Training: Q2 2023 Release in Review

Three New Courses and Eighteen New Labs

Security Innovation is proud to add a combined twenty-one new courses and labs to the CMD+CTRL training catalog for Q2 2023. Available to learners on April 25, 2023, our new training content focuses on areas such as Secure Software Development, Infrastructure Design, Systems Integration, Risk Management, and Vulnerability Assessment.

This content release includes:

• (3) New Courses(12) IDE Code Correct Skill Labs 
• (2) MITRE ATT&CK Skill Labs 
• (4) Vulnerability Identification Learn Labs

In addition, we’ve reworked 6 courses to meet Security Innovation instructional design standards and eliminate redundancies.

New Course Offerings

As always, CMD+CTRL courses grant learners a foundational understanding of the latest issues faced by software development organizations. This quarter we focus on areas such as leveraging serverless computing and backend-as-a-service.

DES 219 – Securing Google’s Firebase Platform

Google Firebase offers an active Backend-as-a-Service (BaaS) for building dynamic web and mobile applications, but it has a few disadvantages. This course gives learners an understanding of how Firebase Security Rules leverage extensible, flexible configuration languages to define the data your users can access for Realtime Database, Cloud Firestore, and Cloud Storage. 

DES 261 – Securing Serverless Environments

Serverless computing has redefined how companies build, consume, and integrate cloud-native applications. This course introduces the best-practices that developers and cloud customers should follow when using a serverless architecture.

DES 262 – Securing Enterprise Low-Code Applications Platforms

Security Information & Event Management platforms have become a significant component in streamlining security workflows, but as powerful as these platforms can be, they can be inherently challenging. This course teaches learners the role of Security Information & Event Management (SIEM) in your organization’s overall security plan.

New CMD+CTRL Labs

CMD+CTRL Labs help to transform new concepts into tangible skills through hands-on, realistic examples of real-world threat scenarios. A new type of lab, Skill Labs (available only through the CMD+CTRL Base Camp learning portal), was added to the CMD+CTRL training program in early 2022 to provide learners with an active training experience complementing Courses and Learn Labs.

Skill Labs

Our twelve new secure coding Skill Labs are available only in CMD+CTRL Base Camp, and use an IDE to both find and correct insecure code based on vulnerabilities related to credential storage, input validation, and forced browsing. Additionally, we are introducing two new labs based on techniques used by adversaries related to execute both Discovery and Command and Control tactics as described by the MITRE ATT&CK® Framework. 

LAB 211, 212, 213, 214 – Defending Applications Against Credentials in Code Medium

The Defending Applications Against Credentials in Code Medium labs assesses the learner’s ability to fix code that contains unprotected credentials such as a password or cryptographic key.

This Lab is available in 4 coding languages:  Java, Python, Node.js, and C#.

LAB 215, 216, 217, 218 – Defending Applications Against Business Logic Error for Input Validation

The Defending Applications Against Business Logic Error for Input Validation labs assess the learner’s ability to fix business logic errors that leave your application vulnerable to manipulation by attackers.

This Lab is available in 4 coding languages:  Java, Python, Node.js, and C#.

LAB 224, 225, 226, 227 – Defending Java Applications Against Forceful Browsing

The Defending Applications Against Forceful Browsing labs assess the learner’s ability to fix code that does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

This Lab is available in 4 coding languages:  Java, Python, Node.js, and C#.

LAB 310 – ATT&CK: File and Directory Permissions Modification

This lab uses the MITRE ATT&CK® framework to help learners understand how attackers may attempt to discover services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation using tools that are brought onto a system.

LAB 310 – ATT&CK: File and Directory Discovery

This lab uses the MITRE ATT&CK® framework to help learners to understand how attackers leverage port and/or vulnerability scans to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Learn Labs

Consistent with Security Innovation’s overarching “Beyond the Code” mantra, Learn Labs keep organizations safe by highlighting vulnerabilities that can be recognized by most anyone involved in the SDLC — not just those closest to the code. Our focus this quarter is on vulnerabilities that can be found on a Cloud Infrastructure and Cloud-Native Applications.

LAB 133 – Identifying Exposure of Sensitive Information Through Environmental Variables

This lab assesses the learner’s understanding of how such an existing vulnerability on a server hosting an ecommerce application can be discovered and exploited.

LAB 134 – Identifying Plaintext Storage of a Password

Here, the learner gains insight into how adversaries can exploit such vulnerabilities to steal secrets, gain unauthorized access, establish persistence, penetrate further into a system, and plan more damaging attacks.

LAB 135 – Identifying URL Redirection to Untrusted Site

Once completing this lab, the learner should understand how adversaries can exploit such vulnerabilities to send users to a malicious site via a legitimate-looking URL to compromise their machine with malware or steal their credentials.

LAB 136 – Identifying Improper Neutralization of Script in Attributes in a Web Page

This lab assesses the learner’s understanding of how an existing persistent cross-site scripting vulnerability in the email templates of a cloud-native marketing automation SaaS suite can be discovered and exploited.

Learn more about Skill and Learn Labs on our Training page.

All of the latest Learn Lab and Course enhancement details can be found here.