CMD+CTRL Training: Q4 2024 Release in Review

Explore CMD+CTRL's latest training updates, featuring new courses and labs, a new cyber range, and enhanced admin tools to boost your organization's cybersecurity skills and defenses.

We’ve been busy here at CMD+CTRL and have several new releases coming out this quarter. From a new cyber range to new and updated courses and labs—our training can help transform your security posture and sharpen skills across every role in your organization. We are also adding new features and enhancements to make it easier than ever for administrators to manage user experience and requirements. Read on to learn more.

Forescient 2.0—Cloud-based Cyber Range for Azure Users

With the launch of CMD+CTRL’s newest cyber range, Forescient 2.0, Microsoft Azure users now have access to our innovative cloud security training designed for cloud developers, engineers, DevOps professionals, and other stakeholders in SDLC roles. Our cyber ranges immerse learners in the industry’s most authentic environments, where players exploit their way through hundreds of vulnerabilities that lurk in business applications today.

The Forescient 2.0 cyber range is a dynamic training tool that challenges users to find and resolve development, configuration and integration challenges across multiple servers, services, accounts and a web interface. It prepares participants to think like an attacker to better defend against the latest cybersecurity threats in the Microsoft Azure cloud environment. Participants are guided through a mission-based storyline by an intelligent chatbot named Crowd Control that offers real-time guidance as users navigate through their training, facing challenges that reflect real-world attacks mapped to the MITRE ATT&CK® Framework, including cloud misconfigurations, data exposure, spear phishing, denial of service, and more.

Forescient 2.0 will be available on Monday, December 16, 2024.

Quarterly Training Catalog Release—Courses and Labs

CMD+CTRL’s quarterly update to our training catalog provides our customers with the most up-to-date training, focused on current technology and threat trends to help prevent vulnerabilities and protect data across multiple development languages and platforms. This latest release is focused on combating Improper Authentication, Stack-based Buffer Overflow in C applications, and the effective use of exploit frameworks and tools like Mimikatz. Additionally, our latest offerings cover a broad spectrum of security challenges from defending C++ applications against null pointer dereference to securing TypeScript applications from SQL Injection and Cross-Site Scripting (XSS) vulnerabilities.

Whether you're focused on cryptography in Java, securing memory management in C, or protecting data in .NET Core applications, this updated collection provides the essential resources needed to bolster your software security efforts and safeguard against the ever-evolving threat landscape.

This content release includes:

  • 3 New Courses focused on mitigating OWASP Mobile Top 10 risks, securing ASP.NET Core applications, and protecting data in C# for .NET Core
  • 2 Updated Courses focused on Java cryptography and secure C memory management
  • 8 IDE Code Correct Skill Labs to find and correct vulnerabilities including Null Pointer Dereference, SQL Injection, Cross-site Scripting (XSS), Improper Authentication, and Stack-based Buffer Overflow
  • 3 Exploit Framework Skill Labs to provide learners with a collection of tools to detect and exploit known vulnerabilities, covering Web Application Scanning, Mimikatz, and Command Line Interface

This new content will be available to learners starting Wednesday, November 13, 2024.

Want more details? Below you’ll find more information on the specific content being released, including a complete list of the courses.

Courses

This release of CMD+CTRL courses provides learners with a comprehensive understanding of the latest challenges faced by organizations in mitigating vulnerabilities across various platforms, with a focus on practical guidance to address the OWASP Mobile Top 10, securing ASP.NET Core applications, and protecting data in C# for .NET Core. These courses are designed to help professionals implement secure coding best practices, safeguard data, and reduce risk across various stages of the software development lifecycle.

The following courses are being added to the catalog:

  • DES 270—Mitigating OWASP Mobile Top 10 Risks
  • COD 310—Securing ASP.NET Core Applications
  • COD 325—Protecting Data in C# for .NET Core

The following courses are being updated:

  • COD 283—Java Cryptography
  • COD 302—Secure C Memory Management

Skill Labs

CMD+CTRL Labs help transform new concepts into tangible skills through hands-on, practical examples of real-world threat scenarios. Skill Labs provide learners with an active training experience, complementing Courses and Learn Labs, and reinforcing the skills they’ve learned.

Each Skill Lab will be accessible only via the CMD+CTRL Base Camp platform. All labs are hosted via a secure Virtual Machine to give learners the tools to respond to and fix software security issues in a safe, simulated environment. These new secure coding labs use an IDE to both find and correct insecure code based on the following vulnerabilities:

Go Applications

Learners will get a deep dive into some of the most critical security issues facing Go applications today, including SQL Injection, Cross-Site Scripting (XSS), Improper Authentication, and other vulnerabilities. Each lab focuses on a specific vulnerability and assesses the learner’s ability to defend against it. Learners will gain a thorough understanding of the vulnerability and will be equipped with practical defense strategies. Go Application Skill Labs equip learners to protect Go applications against a variety of security vulnerabilities, ensuring they can build more secure, reliable, and trustworthy software solutions.

C and C++ Applications

These Labs highlight specific vulnerabilities such as Null Pointer Dereference and Stack-based Buffer Overflow, which are common issues in C and C++ applications. By concentrating on defending against these vulnerabilities, learners are introduced to practical security practices within software development. While the focus is on C and C++, the concepts of memory management, pointer safety, and defensive programming are applicable across other programming languages. For those looking to delve deeper into areas like systems programming, operating systems, or even cybersecurity, these labs serve as an educational guide emphasizing the critical aspects of secure programming in C and C++ and equipping learners with the knowledge to write safer, more robust applications.

TypeScript

This release expands our TypeScript labs to cover specific threats such as SQL Injection, Cross-Site Scripting, and Improper Authentication. Learners will gain an understanding of the nature of SQL injection attacks, how they can affect TypeScript applications, and techniques to prevent such vulnerabilities within their code. These labs will examine the risks when applications incorporate untrusted data into database queries without proper sanitization, the impact it can have on TypeScript applications, and best practices for defending TypeScript applications against SQL Injection. Learners will also discover the importance of proper authentication mechanisms and how incorrect authentication can compromise TypeScript applications, and will cover methods to ensure that applications have strong authentication checks in place.

Exploitation Frameworks

The Exploitation Frameworks Labs are designed to teach learners about various cybersecurity practices, focusing specifically on using an exploit framework for Web Application Scanning, using Mimikatz, and working through a Command Line Interface. Labs cover how to use popular penetration testing tools to scan web applications for known vulnerabilities. Participants will learn how to use Mimikatz to harvest credentials and use them for lateral movement and privilege escalation within compromised systems. Learners will also gain practical experience in using exploitation frameworks through command-line interfaces to attack vulnerable applications.

New Skill Labs

Here is a comprehensive list of the Skill Labs that are being added to the catalog as part of this release:

  • LAB 350—Defending Go Applications Against SQL Injection
  • LAB 352—Defending Go Applications Against Cross-Site Scripting
  • LAB 354—Defending Go Applications Against Improper Authentication
  • LAB 348—Defending C++ Applications Against Null Pointer Dereference
  • LAB 355—Defending C Applications Against Stack-based Buffer Overflow
  • LAB 349—Defending TypeScript Applications Against SQL Injection
  • LAB 351—Defending TypeScript Applications Against Cross-Site Scripting
  • LAB 353—Defending TypeScript Applications Against Improper Authentication
  • LAB 633—Using an Exploit Framework for Web Application Scanning
  • LAB 638—Using Mimikatz
  • LAB 639—Using an Exploit Framework via Command Line Interface

New Features & Enhancements

We’re introducing two new features designed to make life easier for administrators and learners: Detailed Journey and Pathway Reports for monitoring learner performance and SSO User Profile Sync for automated updates, streamlined admin tasks and enhanced user support.

We’ve also added a series of updates that work together to create a more user-friendly, engaging, and efficient experience for learners and administrators. With the ability to use longer journey names, quickly add team members to a cyber range, and new improvements to notification templates, we’ve given you more control over the learning environment.

We also have additional enhancements coming later in the quarter.

As of Monday, December 16th, 2024, administrators will have the ability to allow their users to opt out of final assessments or complete test-out assessments, skipping the content they already know. There will also be additional assessment Zoho Reports, making it easier to generate detailed reports on individual responses to assessments.

And on Tuesday, December 31, 2024, new capabilities for dynamic user profile creation will make it easier and more efficient to configure new user profiles and assignments. We’re also improving our Journey Enrollments, making it easier to complete bulk actions with multi-select options, a familiar interface, and accidental deletion protection through a confirmation screen.

Deprecations

With the release of OWASP Mobile Top 10 List for 2024, we are deprecating some of the courses on the OWASP Mobile Top 10 List for 2016, while launching DES 270 - Mitigating OWASP Mobile Top 10 Risks to enhance mobile app security awareness among developers and organizations.

Here is the complete list of deprecated courses:

  • DES 271 OWASP M1: Mitigating Improper Platform Usage 
  • DES 272 OWASP M2: Mitigating Insecure Data Storage 
  • DES 273 OWASP M3: Mitigating Insecure Communication 
  • DES 274 OWASP M4: Mitigating Insecure Authentication 
  • DES 275 OWASP M5: Mitigating Insufficient Cryptography 
  • DES 276 OWASP M6: Mitigating Insecure Authorization 
  • DES 277 OWASP M7: Mitigating Client Code Quality 
  • DES 278 OWASP M8: Mitigating Code Tampering 
  • DES 279 OWASP M9: Mitigating Reverse Engineering 
  • DES 280 OWASP M10: Mitigating Extraneous Functionality

Looking for more? Check out our entire course catalog or contact us to learn more.