Introduction to Security Journey
In this first lesson, we introduce you to security levels and the path from Security White to Black Belt. We provide a short demo of all the Security Dojo's excellent features and review tips for success with the Security Journey platform.
Introduction to Security
We begin with a basic but important idea: defining security. We expand into the three supporting tiers of security and visualize how to implement application security. We also explain the difference between builders, breakers, and defenders.
Core Security Concepts
After introducing Security and Security Journey, we dive into core security concepts. To succeed as a security practitioner, you need to know the vocabulary. You'll learn the three foundational building blocks of security, the differences between a vulnerability, an exploit, and an attack, the stages of a security framework, and the distinctions between the red, blue, and purple teams.
There are many different types of attacks. We lay the foundation for some of the basic types. To recognize and mitigate an attack, you must understand attack methods. We'll walk through the steps attackers go through as they attempt to compromise a product or system. We'll uncover four basic classes of attacks, and we'll talk about the negative results of a successful attack.
A small amount of knowledge about common adversaries can allow you to shut the door on them. We'll explore five primary types of cyber adversaries and their attack motivation. We'll explain the various layers of the Internet and how attackers use them and uncover an Advanced Persistent Threat group's common traits.
Secure Development Lifecycle
The foundation of an application security program is a Secure Development Lifecycle (SDL). Explore the benefits of an SDL and the commonalities of world-renowned SDLs. We lay out the standard SDL phases and the goals of each stage. A secure development lifecycle standardizes an organization's approach to product and application security.
Privacy & Customer Data Protection
The protection and privacy of customer data is the top-line principle of application security. Analyze the differences between security and privacy, the types of data that must be protected, and the relevant legislation impacting privacy. If you do not protect your customers' data, those customers will go elsewhere.
We're busting the security myths that most people believe and adding a dose of reality. Analyze common security myths and learn to counter security objections. Myths distort the facts; many will argue against security by presenting these myths as the truth.
The front page is a terrible place to see your organization's security breach or failure. We want to teach your people to avoid the front page. We'll unpack the business impacts of a data breach and then dive deeply into three historical, damaging security events and the lessons to be learned from each one. We study past breaches to prevent issues in the future.
The Threat Landscape is Threats x Devices x Attackers and is always expanding. New attackers are waking up every day and targeting new devices using various threats. We'll consider the significant threats on technology's bleeding edge, including cloud, mobile, and IoT.
Threat Landscape: Cloud
Cloud computing has become a mainstay of all organizations, and with the cloud comes a unique set of security threats. We'll identify the specific security issues of cloud computing, list the categories of threats to cloud computing, and unpack each one.
Software Supply Chain
Understand the threats posed by third-party/open source software and how to deal with this type of risk in your product correctly. Open source and third-party software contain security vulnerabilities, and everyone in your organization needs to understand the depth of the problem. Securing third-party software is your responsibility.
Culture and Mindset
There is a direct correlation between your security culture's strength and the security of your applications and products. We'll consider the reality of security culture and its impact on all job roles, examine the security mindset and describe how you can apply it to your career, and understand what a security champion is and why you need to become one.
Prioritization of security is crucial. See how to give your people time to "do security." Examine the security behaviors and activities that a developer, tester, and manager must perform. Application and product security begin with a resource management decision.
The business and the security team appear to have different priorities, but through translating security, we find that we all have the same goal. We'll review the various terms that are specific to Executives, Program/Product Managers, and the Developer/Tester, and translate business language into security language.
Dealing with Vulnerabilities
Vulnerabilities exist in all products and applications, and new ones are discovered daily. Examine the need for a response process, understand why researchers hunt for vulnerabilities, and learn the PSIRT process. The security incident response process is how an organization cleans up vulnerabilities.
OWASP is THE open-source resource for awareness documents, processes, measurement, tools, conferences, and local meetups. We'll explain what OWASP is and the services it provides, identify the most popular OWASP projects and the function of each, and identify the primary purposes of OWASP projects.
Security at Home
Our homes are our castles, and castles need both physical security and cybersecurity. We'll explore the physical and cyber threats impacting our families, provide you with preventative and reactive physical strategies, and give you six tips for protecting your cyber home.
Trends in Application Security: 2020-2021
The world of application and product security changes every year, and practitioners must stay updated on trends and new attacks, tools, and projects. We'll explore recent application security trends and look at modern standards, tools, and projects worth testing and implementing.