CMD+CTRL Security Blog

CMD+CTRL Training: Q3 2024 Release in Review

Written by CMD+CTRL Security | Aug 22, 2024 3:11:06 PM

The CMD+CTRL quarterly training catalog update provides our customers with up-to-date training, focused on current technology and threat trends, to help prevent vulnerabilities and protect data across multiple development languages and platforms. This release focuses on combating server-side request forgery (SSRF) in Go applications and mitigating Use-After-Free (UAF) vulnerabilities in C and C++ applications. Additionally, the release addresses more nuanced challenges, such as incorrect authorization and deserialization of untrusted data, across different programming languages.

Whether you're looking to refine your expertise in securing applications or exploring new areas like Exploit Frameworks and Secure Software Deployment, this collection serves as an essential resource for enhancing the security posture of your software projects.

This content release includes:

  • 2 new courses focused on securing Kubernetes and on secure software acceptance and deployment
  • 2 updated courses focused on C run-time protection and mitigating C code vulnerabilities
  • 12 IDE Code Correct skill labs to find and correct vulnerabilities including server-side request forgery (SSRF), hard-coded credentials, cross-site request forgery (CSRF), path traversal, Use-After-Free (UAF), command injection, incorrect authorization, deserialization of untrusted data, and null pointer dereference
  • 4 Exploit Framework skill labs that give learners a collection of tools to detect and exploit known vulnerabilities, covering SQL injection, port scanning, Server Message Block (SMB) version scanning, and Simple Network Management Protocol (SNMP) scanning

All the new content will be available to learners starting on August 22, 2024.

Want more details? Below you’ll find more information on the specific content being released, including a complete list of the courses.

Courses

This release of CMD+CTRL courses provides learners with a comprehensive understanding of the latest challenges faced by organizations in securing Kubernetes, ensuring software acceptance and deployment, and mitigating vulnerabilities in C code. These courses are designed to help professionals implement secure coding best practices, safeguard data, and reduce risk across various stages of the software development lifecycle.

The following courses are being added to the catalog:

  • API 351 – Securing Kubernetes in the Build and Release Stage
  • DES 250 – Secure Software Acceptance and Deployment

The following courses are being updated in the catalog:

  • COD 202 – Secure C Run-Time Protection
  • COD 303 – Mitigating C Code Vulnerabilities

Skill Labs

CMD+CTRL Labs help to transform new concepts into tangible skills through hands-on, realistic examples of real-world threat scenarios. Skill Labs provide learners with an active training experience, complementing Courses and Learn Labs to reinforce the skills they’ve learned.

Each lab will only be accessible via the CMD+CTRL Base Camp platform. All labs are hosted via a secure virtual machine to give learners the tools to respond to and fix software security issues in a safe, simulated environment. These new secure coding labs require the use of an IDE to both find and correct insecure code based on the following vulnerabilities:

  • Go Applications - Learners will get a deep dive into some of the most critical security issues facing Go applications today, including SSRF, CSRF, and several other vulnerabilities. Each lab focuses on a specific vulnerability and assesses the learner’s ability to defend against it. By covering issues like hard-coded credentials and incorrect authorization, the labs show developers why secure coding practices matter. Learners will discover how to harden their Go applications against path traversal, command injection, and other attack vectors, so they can build more secure, reliable, and trustworthy software.

  • C and C++ Applications - These Labs highlight specific vulnerabilities such as UAF and null pointer dereference, which are common issues in C and C++ applications. By concentrating on defending against these vulnerabilities, learners are introduced to practical security practices within software development. While the focus is on C and C++, the concepts of memory management, pointer safety, and defensive programming are applicable across other programming languages. For those looking to delve deeper into areas like systems programming, operating systems, or even cybersecurity, these labs serve as an educational guide emphasizing the critical aspects of secure programming in C and C++ and equipping learners with the knowledge to write safer, more robust applications.

  • TypeScript - This release expands our TypeScript labs to cover specific threats such as command injection, incorrect authorization, and deserialization of untrusted data. Learners will gain an understanding of the nature of command injection attacks, how they can affect TypeScript applications, and techniques to prevent such vulnerabilities within their code. These labs teach the importance of proper authorization mechanisms, how incorrect authorization can compromise TypeScript applications, and methods to ensure that applications have strong authorization checks in place. Learners will discover the risks associated with deserializing data from untrusted sources, the impact it can have on TypeScript applications, and best practices for safely handling data deserialization.

  • Exploitation Frameworks - The Exploitation Framework Labs are designed to teach learners about various cybersecurity practices, focusing specifically on the use of an exploit framework to perform tasks such as SQL injection, port scanning, SMB version scanning, and SNMP scanning. Labs cover how to conduct port scanning with an exploit framework, a way to discover open ports on a network. Participants will learn how to scan the SMB protocol to identify its version on networked devices, and how to use an exploit framework to scan SNMP to gather information about networked devices.

New Skill Labs

Here is a list of the Skill Labs that are being added to the catalog as part of this release:

  • LAB 329 – Defending Go Applications Against SSRF
  • LAB 333 – Defending Go Applications Against Hard-Coded Credentials
  • LAB 338 – Defending Go Applications Against CSRF
  • LAB 339 – Defending Go Applications Against Path Traversal
  • LAB 343 – Defending Go Applications Against Command Injection
  • LAB 345 – Defending Go Applications Against Incorrect Authorization
  • LAB 340 – Defending C Applications Against Use-After-Free
  • LAB 341 – Defending C++ Applications Against Use-After-Free
  • LAB 347 – Defending C Applications Against Null Pointer Dereference
  • LAB 342 – Defending TypeScript Applications Against Command Injection
  • LAB 344 – Defending TypeScript Applications Against Incorrect Authorization
  • LAB 346 – Defending TypeScript Applications Against Deserialization of Untrusted Data
  • LAB 626 – Using an Exploit Framework for SQL Injection
  • LAB 627 – Using an Exploit Framework for Port Scanning
  • LAB 628 – Using an Exploit Framework for SMB Version Scanning
  • LAB 629 – Using an Exploit Framework for SNMP Scanning

Looking for more? Check out our entire course catalog or contact us to learn more.