Cyber Security Body of Knowledge (CyBOK) Training Course

This instructor-led, live training in US Empire (online or onsite) is aimed at system administrators who wish to use 389 Directory Server to configure and manage LDAP-based authentication and authorization for government.

By the end of this training, participants will be able to:

• Install and configure 389 Directory Server.
• Understand the features and architecture of 389 Directory Server.
• Learn how to configure the directory server using the web console and command-line interface (CLI).
• Set up and monitor replication for high availability and load balancing.
• Manage LDAP authentication using SSSD for improved performance.
• Integrate 389 Directory Server with Microsoft Active Directory.

This instructor-led, live training in US Empire (online or onsite) is aimed at system administrators who wish to use Microsoft Active Directory for government to manage and secure data access.

By the end of this training, participants will be able to:

• Set up and configure Active Directory for government.
• Establish a domain and define access rights for users and devices.
• Manage users and machines through Group Policies for government.
• Control access to file servers in a government environment.
• Set up a Certificate Service and manage certificates for government use.
• Implement and manage services such as encryption, certificates, and authentication for government operations.

This three-day course provides an overview of securing C/C++ code to protect against potential exploits by malicious users. The course addresses common vulnerabilities related to memory management and input handling, emphasizing the principles of writing secure code for government applications. Participants will gain a foundational understanding of how to mitigate these risks and ensure robust security practices in their coding workflows.

Even experienced Java programmers are not mastering by all means the various security services offered by Java, and are likewise not aware of the different vulnerabilities that are relevant for web applications written in Java. The course – besides introducing security components of Standard Java Edition – deals with security issues of Java Enterprise Edition (JEE) and web services. Discussion of specific services is preceded with the foundations of cryptography and secure communication. Various exercises deal with declarative and programmatic security techniques in JEE, while both transport-layer and end-to-end security of web services is discussed. The use of all components is presented through several practical exercises, where participants can try out the discussed APIs and tools for themselves. The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform and web-related vulnerabilities. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Participants attending this course will understand basic concepts of security, IT security and secure coding, learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them, understand security concepts of Web services, learn to use various security features of the Java development environment, have a practical understanding of cryptography, understand security solutions of Java EE, learn about typical coding mistakes and how to avoid them, get information about some recent vulnerabilities in the Java framework, get practical knowledge in using security testing tools, get sources and further readings on secure coding practices. Audience Developers wordtest

Description

The Java language and the Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities experienced in other languages, such as C/C++. However, software developers and architects should not only know how to use the various security features of the Java environment (positive security), but also be aware of the numerous vulnerabilities that are still relevant for Java development (negative security).

The introduction of security services is preceded by a brief overview of the foundations of cryptography, providing a common baseline for understanding the purpose and operation of the applicable components. The use of these components is presented through several practical exercises, where participants can try out the discussed APIs for themselves.

This course also covers the most frequent and severe programming flaws of the Java language and platform, including both typical bugs committed by Java programmers and language- and environment-specific issues. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding for government
• Learn Web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Learn to use various security features of the Java development environment
• Gain a practical understanding of cryptography
• Learn about typical coding mistakes and how to avoid them
• Receive information on recent vulnerabilities in the Java framework
• Obtain sources and further readings on secure coding practices

Audience

Developers

A variety of programming languages are available today to compile code for the .NET and ASP.NET frameworks. These environments provide robust means for developing secure applications; however, developers must understand how to apply architecture- and coding-level techniques to implement desired security features and mitigate vulnerabilities.

The aim of this course is to equip developers with practical, hands-on exercises that demonstrate how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization mechanisms, provide secure remote procedure calls, manage sessions effectively, explore different implementations for specific functionalities, and more.

The introduction of various vulnerabilities begins by presenting typical programming issues encountered when using .NET. The discussion on ASP.NET vulnerabilities also covers various environment settings and their impacts. Additionally, the course addresses ASP.NET-specific vulnerabilities, including general web application security challenges as well as unique issues such as attacks on ViewState or string termination attacks.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding for government
• Learn about Web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Learn to utilize various security features of the .NET development environment
• Gain practical knowledge in using security testing tools
• Identify common coding mistakes and learn strategies to prevent them
• Receive information on recent vulnerabilities in .NET and ASP.NET
• Access sources and further readings on secure coding practices

Audience

Developers

The Combined SDL Core Training provides an in-depth understanding of secure software design, development, and testing through the Microsoft Secure Development Lifecycle (SDL). It offers a foundational overview of the key components of SDL, followed by practical techniques for identifying and addressing security flaws early in the development process.

During the development phase, the course covers common security-related programming bugs in both managed and native code. It presents various attack methods associated with these vulnerabilities along with effective mitigation strategies. These concepts are reinforced through hands-on exercises that offer participants a practical understanding of live hacking techniques. The training also introduces different security testing methodologies and demonstrates the effectiveness of various testing tools, allowing participants to apply these tools to previously discussed vulnerable code.

Participants attending this course will

Understand basic concepts of security, IT security, and secure coding for government.

Gain knowledge of the essential steps in the Microsoft Secure Development Lifecycle.

Learn secure design and development practices.

Understand secure implementation principles.

Grasp security testing methodologies.

• Access sources and further readings on secure coding practices.

Audience

Developers, Managers

After gaining familiarity with vulnerabilities and attack methods, participants learn about the general approach and methodology for security testing, as well as the techniques that can be applied to reveal specific vulnerabilities. Security testing should commence with information gathering about the system (ToC, i.e., Target of Evaluation), followed by thorough threat modeling to identify and rate all threats, leading to a risk analysis-driven test plan.

Security evaluations can occur at various stages of the Software Development Life Cycle (SDLC). Therefore, we discuss design review, code review, reconnaissance and information gathering about the system, testing the implementation, and testing and hardening the environment for secure deployment. Numerous security testing techniques are introduced in detail, such as taint analysis and heuristics-based code review, static code analysis, dynamic web vulnerability testing, and fuzzing. Various types of tools are presented that can be used to automate the security evaluation of software products, supported by a series of exercises where these tools are executed to analyze previously discussed vulnerable code. Real-life case studies enhance understanding of various vulnerabilities.

This course prepares testers and quality assurance (QA) staff to adequately plan and precisely execute security tests, select and use the most appropriate tools and techniques to uncover even hidden security flaws, thereby providing essential practical skills that can be applied on the next working day.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding for government
• Learn about Web vulnerabilities beyond OWASP Top Ten and how to avoid them
• Learn client-side vulnerabilities and secure coding practices
• Understand security testing approaches and methodologies
• Gain practical knowledge in using security testing techniques and tools
• Access sources and further readings on secure coding practices

Audience

Developers, Testers

This instructor-led, live training in US Empire (online or onsite) is aimed at system administrators who wish to use FreeIPA to centralize the authentication, authorization, and account information for their organization's users, groups, and machines for government operations.

By the end of this training, participants will be able to:

• Install and configure FreeIPA.
• Manage Linux users and clients from a single central location.
• Utilize FreeIPA's CLI, Web UI, and RPC interface to set up and manage permissions.
• Enable Single Sign-On authentication across all systems, services, and applications for government use.
• Integrate FreeIPA with Windows Active Directory.
• Backup, replicate, and migrate a FreeIPA server.

In this instructor-led, live training in US Empire (online or onsite), participants will learn how to create an Indy-based decentralized identity system for government use.

By the end of this training, participants will be able to:

• Create and manage decentralized, self-sovereign identities using distributed ledgers for government applications.
• Enable interoperability of digital identities across domains, applications, and silos within public sector workflows.
• Understand key concepts such as user-controlled exchange, revocation, Decentralized Identifiers (DIDs), off-ledger agents, data minimization, etc., in the context of government operations.
• Use Indy to enable identity owners to independently control their personal data and relationships for government services.

This instructor-led, live training in US Empire (online or onsite) is aimed at system administrators who wish to utilize Okta for identity and access management for government.

By the end of this training, participants will be able to:

• Configure, integrate, and manage Okta within their organization.
• Integrate Okta into an existing application for enhanced security and efficiency.
• Implement multi-factor authentication to strengthen security protocols.

This instructor-led, live training in US Empire (online or onsite) is aimed at intermediate-level system administrators and IT professionals who wish to install, configure, manage, and secure LDAP directories using OpenLDAP for government environments.

By the end of this training, participants will be able to:

• Understand the structure and operation of LDAP directories.
• Install and configure OpenLDAP for various deployment environments, including those specific to government operations.
• Implement access control, authentication, and replication mechanisms that align with public sector security standards.
• Use OpenLDAP with third-party services and applications commonly utilized in government workflows.

This instructor-led, live training in US Empire (online or onsite) is aimed at system administrators who wish to use OpenAM to manage identity and access controls for web applications for government.

By the end of this training, participants will be able to:

• Configure the required server environment to begin setting up authentication and access controls using OpenAM.
• Implement single sign-on (SSO), multi-factor authentication (MFA), and user self-service features for web applications in a government context.
• Leverage federation services (OAuth 2.0, OpenID, SAML v2.0, etc.) to securely extend identity management across different systems or applications within the public sector.
• Utilize REST APIs to access and manage authentication, authorization, and identity services in alignment with government workflows and governance requirements.

This instructor-led, live training in US Empire (online or onsite) is aimed at system administrators who wish to utilize OpenDJ for managing their organization's user credentials in a production environment for government.

By the end of this training, participants will be able to:

• Install and configure OpenDJ effectively.
• Maintain an OpenDJ server, including monitoring, troubleshooting, and optimizing performance.
• Create and manage multiple OpenDJ databases efficiently.
• Backup and migrate an OpenDJ server securely.