Cyber Security Body of Knowledge (CyBOK) Training Course

This instructor-led, live training in US (online or onsite) is aimed at system administrators who wish to use 389 Directory Server to configure and manage LDAP-based authentication and authorization for government systems. By the end of this training, participants will be able to: - Install and configure 389 Directory Server. - Understand the features and architecture of 389 Directory Server. - Learn how to configure the directory server using both the web console and command-line interface (CLI). - Set up and monitor replication for high availability and load balancing. - Manage LDAP authentication using SSSD to enhance performance. - Integrate 389 Directory Server with Microsoft Active Directory.

This instructor-led, live training in [location] (online or onsite) is aimed at system administrators who wish to use Microsoft Active Directory for managing and securing data access. By the end of this training, participants will be able to: - Set up and configure Active Directory. - Establish a domain and define user and device access rights. - Manage users and machines through Group Policies. - Control access to file servers. - Set up a Certificate Service and manage certificates. - Implement and manage services such as encryption, certificates, and authentication for government operations.

This three-day course provides an overview of securing C/C++ code to protect against malicious users who may exploit vulnerabilities related to memory management and input handling. The course covers the fundamental principles of writing secure code for government applications, ensuring that participants understand best practices in safeguarding software integrity and functionality.

Even experienced Java programmers may not fully master all the security services provided by Java, nor are they always aware of the vulnerabilities relevant to web applications written in this language.

This course introduces the security components of Standard Java Edition and delves into the security issues of Java Enterprise Edition (JEE) and web services. Before discussing specific services, the course covers the fundamentals of cryptography and secure communication. Various exercises focus on declarative and programmatic security techniques in JEE, as well as transport-layer and end-to-end security for web services. Practical exercises allow participants to use the discussed APIs and tools firsthand.

The course also examines the most frequent and severe programming flaws in the Java language and platform, along with web-related vulnerabilities. It covers both language-specific issues and problems arising from the runtime environment. Each vulnerability and associated attack is demonstrated through straightforward exercises, followed by recommended coding guidelines and mitigation techniques.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding for government applications
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Understand the security principles of web services
• Learn to utilize various security features in the Java development environment
• Gain a practical understanding of cryptography
• Understand the security solutions offered by Java EE
• Learn about common coding mistakes and how to avoid them
• Receive information on recent vulnerabilities in the Java framework
• Acquire practical knowledge in using security testing tools
• Access sources and further readings on secure coding practices

Audience

Developers

Description

The Java language and the Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities experienced in other languages, such as C/C++. However, software developers and architects should not only know how to use the various security features of the Java environment (positive security), but also be aware of the numerous vulnerabilities that are still relevant for Java development (negative security).

The introduction of security services is preceded by a brief overview of the foundations of cryptography, providing a common baseline for understanding the purpose and operation of the applicable components. The use of these components is presented through several practical exercises, where participants can try out the discussed APIs for themselves.

This course also covers the most frequent and severe programming flaws of the Java language and platform, including both typical bugs committed by Java programmers and language- and environment-specific issues. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding for government
• Learn Web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Learn to use various security features of the Java development environment
• Gain a practical understanding of cryptography
• Learn about typical coding mistakes and how to avoid them
• Receive information on recent vulnerabilities in the Java framework
• Obtain sources and further readings on secure coding practices

Audience

Developers

Several programming languages are currently available to compile code for the .NET and ASP.NET frameworks. These environments provide robust tools for security development; however, developers must understand how to apply architectural and coding-level techniques to implement effective security measures and mitigate vulnerabilities. This course is designed to equip developers with practical skills through numerous hands-on exercises. Participants will learn how to prevent untrusted code from executing privileged actions, secure resources using strong authentication and authorization methods, facilitate remote procedure calls, manage sessions, explore different implementations for specific functionalities, and more. The course begins by introducing common programming issues that can arise when using .NET. It then delves into the vulnerabilities of ASP.NET, covering various environment settings and their implications. The discussion on ASP.NET-specific vulnerabilities addresses general web application security challenges as well as unique issues such as attacks on ViewState and string termination attacks. Participants attending this course will: - Understand fundamental concepts of security, IT security, and secure coding for government. - Learn about Web vulnerabilities beyond the OWASP Top Ten and how to prevent them. - Gain proficiency in using various security features of the .NET development environment. - Acquire practical knowledge in utilizing security testing tools. - Identify typical coding mistakes and learn strategies to avoid them. - Stay informed about recent vulnerabilities in .NET and ASP.NET. - Receive resources and further readings on secure coding practices. Audience: - Developers for government and private sector projects.

The Combined SDL Core Training provides an in-depth understanding of secure software design, development, and testing through the Microsoft Secure Development Lifecycle (SDL). It offers a foundational overview of the key components of SDL, followed by practical techniques for identifying and addressing security flaws early in the development process.

During the development phase, the course covers common security-related programming bugs in both managed and native code. It presents various attack methods associated with these vulnerabilities along with effective mitigation strategies. These concepts are reinforced through hands-on exercises that offer participants a practical understanding of live hacking techniques. The training also introduces different security testing methodologies and demonstrates the effectiveness of various testing tools, allowing participants to apply these tools to previously discussed vulnerable code.

Participants attending this course will

Understand basic concepts of security, IT security, and secure coding for government.

Gain knowledge of the essential steps in the Microsoft Secure Development Lifecycle.

Learn secure design and development practices.

Understand secure implementation principles.

Grasp security testing methodologies.

• Access sources and further readings on secure coding practices.

Audience

Developers, Managers

After gaining familiarity with vulnerabilities and attack methods, participants will learn about the general approach and methodology for security testing, along with techniques that can be applied to uncover specific vulnerabilities. Security testing should begin with information gathering about the system (ToC, i.e., Target of Evaluation), followed by a thorough threat modeling process to identify and rate all threats, culminating in a risk analysis-driven test plan.

Security evaluations can occur at various stages of the Software Development Life Cycle (SDLC). Therefore, we discuss design reviews, code reviews, reconnaissance and information gathering about the system, testing the implementation, and securing the environment for deployment. The course introduces numerous security testing techniques in detail, such as taint analysis, heuristic-based code review, static code analysis, dynamic web vulnerability testing, and fuzzing. Various types of tools are presented to automate the security evaluation of software products, supported by exercises where these tools are used to analyze previously discussed vulnerable code. Real-life case studies enhance understanding of various vulnerabilities.

This course equips testers and quality assurance (QA) staff with the necessary skills to effectively plan and execute security tests, select and use appropriate tools and techniques to identify even hidden security flaws, providing essential practical skills that can be applied immediately in their work for government.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding
• Learn about Web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Learn client-side vulnerabilities and secure coding practices
• Understand security testing approaches and methodologies
• Gain practical knowledge in using security testing techniques and tools
• Access sources and further readings on secure coding practices

Audience

Developers, Testers

This instructor-led, live training in US (online or onsite) is aimed at system administrators who wish to use FreeIPA to centralize authentication, authorization, and account information for their organization's users, groups, and machines. By the end of this training, participants will be able to: - Install and configure FreeIPA. - Manage Linux users and clients from a single centralized location. - Utilize FreeIPA’s command-line interface (CLI), web user interface (Web UI), and remote procedure call (RPC) interface to set up and manage permissions. - Enable Single Sign-On authentication across all systems, services, and applications for government use. - Integrate FreeIPA with Windows Active Directory. - Backup, replicate, and migrate a FreeIPA server.

In this instructor-led, live training in US (online or onsite), participants will learn how to create an Indy-based decentralized identity system for government use.

By the end of this training, participants will be able to:

• Create and manage decentralized, self-sovereign identities using distributed ledgers for government applications.
• Enable interoperability of digital identities across domains, applications, and silos within public sector workflows.
• Understand key concepts such as user-controlled exchange, revocation, Decentralized Identifiers (DIDs), off-ledger agents, data minimization, etc., in the context of government operations.
• Use Indy to enable identity owners to independently control their personal data and relationships for government services.

This instructor-led, live training (online or onsite) is designed for government system administrators who wish to utilize Okta for identity and access management. By the end of this training, participants will be able to: - Configure, integrate, and manage Okta for government. - Integrate Okta into an existing application within a government environment. - Implement security measures with multi-factor authentication to enhance cybersecurity for government systems.

This instructor-led, live training in US (online or onsite) is aimed at intermediate-level system administrators and IT professionals who wish to install, configure, manage, and secure LDAP directories using OpenLDAP for government. By the end of this training, participants will be able to: - Understand the structure and operation of LDAP directories. - Install and configure OpenLDAP in various deployment environments. - Implement access control, authentication, and replication mechanisms. - Integrate OpenLDAP with third-party services and applications.

This instructor-led, live training in [location] (online or onsite) is aimed at system administrators who wish to use OpenAM to manage identity and access controls for web applications. By the end of this training, participants will be able to: - Set up the necessary server environment to begin configuring authentication and access controls using OpenAM. - Implement single sign-on (SSO), multi-factor authentication (MFA), and user self-service features for web applications. - Utilize federation services (OAuth 2.0, OpenID, SAML v2.0, etc.) to securely extend identity management across different systems or applications. - Access and manage authentication, authorization, and identity services through REST APIs, ensuring compliance with security standards for government use.

This instructor-led, live training in [location] (online or onsite) is designed for system administrators who wish to utilize OpenDJ to manage their organization's user credentials in a production environment. By the end of this training, participants will be able to: - Install and configure OpenDJ. - Maintain an OpenDJ server, including monitoring, troubleshooting, and optimizing performance for government operations. - Create and manage multiple OpenDJ databases. - Backup and migrate an OpenDJ server.