This document discusses upskilling engineers in cybersecurity. It recommends determining engineers' current security knowledge level, generating interest in security topics, and managing ongoing learning to improve knowledge over time. Specific steps include leveraging capture-the-flag exercises for hands-on learning, mapping performance to online courses, and tracking individual progress. Attending webinars about how attackers audit software and common attack vectors can also help engineers learn. Both free and commercial options for online training and security challenges are listed. The goal of upskilling is to create a culture where engineers are security-conscious in their roles without needing expert knowledge.
Microlearning - Learning Technologies 2017 Summer Forum (Alex Mackman)
Microlearning involves delivering short bursts of learning content, typically 1-5 minutes, using spaced learning techniques to help embed knowledge. It adapts continuously to the learner's needs and can be delivered anywhere through mobile devices. Microlearning can improve workforce performance through benefits like increasing voluntary participation, accessibility anywhere, and just-in-time learning. While not a replacement for all learning, microlearning is well-suited for scenarios like updating staff knowledge and addressing forgetting curves. Effective microlearning requires a mobile-first platform that can deliver personalized, responsive content on a scheduled basis.
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
The document discusses continuous threat modeling and what works in practice. It opens by introducing the speaker and outlining the talk: level-setting on threat modeling, where current security practice and training go wrong, and how continuous threat modeling can address those problems. It then defines threat modeling and argues that security is failing because threat modeling is rarely adopted, developers are not trained in it, and testing tools have limits. It proposes threat modeling every story using subject areas and checklists, and maintaining findings over time so that security becomes continuous. Tools like PyTM are presented to help automate threat modeling and integrate it into the development process.
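As an added illustration of the per-story approach summarised above (threat modeling every story by subject area and checklist, and maintaining findings across sprints), here is a small Python model in which a story declares its data flows, the subject areas and checklist are derived from those flows, and findings live in a store that outlasts a single review. This is example code written for this page, not pytm and not the talk's own tooling; the Flow fields, rule names, checklist questions and story S-101 are constructed.

```python
"""Per-story threat modelling kept continuous across sprints (constructed example;
Flow fields, rule names, checklist text and the sample story are invented here and
this is not the pytm API)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str           # e.g. "HTTP", "HTTPS", "TLS"
    data: str               # constructed labels: "public", "pii", "secret"
    crosses_boundary: bool  # enters or leaves a trust boundary
    authenticated: bool     # destination authenticates the caller

@dataclass(frozen=True)
class Story:
    id: str
    title: str
    flows: tuple

@dataclass
class Finding:
    key: str
    story: str
    rule: str
    detail: str
    status: str = "open"

SENSITIVE = {"pii", "secret"}
CLEARTEXT = {"HTTP", "FTP", "TELNET"}

# Checklist questions per subject area; a story only gets the areas it touches.
CHECKLIST = {
    "authn": ["Does every boundary-crossing flow authenticate the caller?",
              "Can a session or token be replayed?"],
    "data": ["Is sensitive data minimised and its retention defined?"],
    "transport": ["Is every pii/secret flow on TLS?",
                  "Are server certificates validated, not merely present?"],
}

def subject_areas(story):
    """Derive areas from what the flows do rather than from a self-declared tag."""
    areas = set()
    for f in story.flows:
        if f.data in SENSITIVE:
            areas.update({"transport", "data"})
        if f.crosses_boundary:
            areas.add("authn")
    return areas

def checklist(story):
    return [q for area in sorted(subject_areas(story)) for q in CHECKLIST[area]]

# Rules inspect one flow and return a finding detail, or None when it passes.
def cleartext_sensitive(f):
    if f.data in SENSITIVE and f.protocol.upper() in CLEARTEXT:
        return f"{f.data} sent over cleartext {f.protocol}"

def unauthenticated_boundary(f):
    if f.crosses_boundary and not f.authenticated:
        return "boundary-crossing flow without caller authentication"

RULES = (cleartext_sensitive, unauthenticated_boundary)

def review(story, findings):
    """Run the rules on one story and reconcile with the persistent findings store.
    Keys are stable (story, rule, endpoints): re-reviewing after a fix updates
    findings instead of duplicating them, and anything no longer reproduced is
    closed rather than silently forgotten."""
    seen = set()
    for f in story.flows:
        for rule in RULES:
            detail = rule(f)
            if detail is None:
                continue
            key = f"{story.id}|{rule.__name__}|{f.src}->{f.dst}"
            seen.add(key)
            if key in findings:
                findings[key].status = "open"
            else:
                findings[key] = Finding(key, story.id, rule.__name__, detail)
    for key, finding in findings.items():
        if finding.story == story.id and key not in seen:
            finding.status = "closed"
    return findings

def open_findings(findings):
    return sorted(k for k, v in findings.items() if v.status == "open")

def demo():
    # Constructed story S-101 before and after the developer fixes the transport.
    store = {}
    draft = Story("S-101", "Export customer list", (
        Flow("browser", "api", "HTTP", "pii", True, False),
        Flow("api", "db", "TLS", "pii", False, True)))
    review(draft, store)
    before = open_findings(store)
    fixed = Story("S-101", "Export customer list", (
        Flow("browser", "api", "HTTPS", "pii", True, True),
        Flow("api", "db", "TLS", "pii", False, True)))
    review(fixed, store)
    return before, open_findings(store)
```

Running `demo()` reviews the same story twice: the draft produces two open findings on the browser-to-API flow, and the fixed version closes both without creating new records. The point of deriving subject areas from the flows, rather than asking the developer to tick a box, is that the checklist cannot be skipped by mislabelling the story.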
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt (gealehegn)
This document provides an overview of a course on security in software engineering. The course goals are to explain the need for computer security, how to meet security requirements using established techniques, and how to address risks through novel technologies. The course introduces security best practices and techniques for evaluating security solutions. It is taught by Dr. Nada Hany Sherief and provides contact information. The grading system and course timeline are outlined. Course material includes a textbook, lectures, and assignments available online. The document concludes with definitions from the glossary.
This session provides an introduction to simulation environments such as cyber ranges, differentiates them from gamification systems, and discusses the emerging delivery, adoption and organizational lessons learned that are driving further adoption.
This document outlines a secure software development course. The course goals are to explain computer security needs and requirements, introduce security best practices, and present techniques for evaluating security solutions. It will be graded through exams, assignments, and a final exam. The course material will include a delivered textbook. The timeline shows the course content by week, covering topics like risk assessment, secure design patterns, threat modeling, and security testing. The document also provides the lecturer's contact information and defines key terms like information security risks and software security.
Supply Chain Security for Developers.pdf (ssuserc5b30e)
https://teachingcyber.gumroad.com/
The Software Supply Chain Security for Developers course takes you from little or no knowledge and shows you how to build security into development projects with practical demonstrations. You will learn the principles of configuring environments in a practical way, using minimal lectures and focusing on step-by-step demonstrations. There are very few courses like this that get straight into the practicalities of application security and DevSecOps. With this capability you will be able to provide a professional and consistent service to your company or clients and help secure your organisation. You will learn to implement security using GitHub and Azure DevOps.
This is a fast-growing area; specialist developers with security skills are in high demand, and the skills taught here will advance your career, giving you cyber security experience in Azure DevOps, GitHub and the command line. If you are a beginner, this course is for you: it gives you the foundations in a practical, not theoretical, way. If you are an experienced practitioner who is now expected to conduct supply chain assessments, this course is essential for you.
Some of the key areas you will learn are:
Software Supply Chain Security
Building software supply chain security into development using GitHub
Building software supply chain security into development using Azure DevOps
Practical application security skills
Increase knowledge and skills around DevSecOps
This course will give you the grounding you need to learn, retain and replicate the security skills necessary to build and improve your DevSecOps processes. The lectures are to the point and concise because your time, like that of many practitioners, is precious. All demos can be followed using your own software accounts and replayed time and again as your one-stop security reference.
https://teachingcyber.gumroad.com/
Security Culture from Concept to Maintenance: Secure Software Development Lif... (Dilum Bandara)
The document discusses implementing a Secure Software Development Lifecycle (SDLC) to help organizations build more secure software. It describes the key steps in the SDL process, including requirements, design, implementation, verification, release and response. Implementing an SDL can help minimize security issues and related costs through practices like threat modeling, secure coding and security testing throughout the development cycle. The challenges of adoption and ways to build a security culture are also addressed.
Fundamental Best Practices in Secure IoT Product Development (Mark Szewczul, CISSP)
The document provides guidance on best practices for secure IoT product development. It discusses the top 5 security considerations which include implementing secure firmware updates, authentication and encryption on product interfaces, independent security assessments, securing companion mobile apps/gateways, and implementing a secure root of trust. It also highlights lessons learned from privacy and security issues with IoT products like baby monitors, fitness trackers, medical devices, drones, critical infrastructure systems, and autonomous vehicles. Recommendations provided include adopting a security-by-design approach, threat modeling products, implementing secure development processes, and incorporating privacy principles.
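The first of the five considerations above, secure firmware updates, comes down to a device-side accept/reject decision. The following Python example, added here and not taken from the slide deck, shows that logic for a constructed image format: bounds-check the header, authenticate the whole body, and only then trust the version field to enforce anti-rollback. HMAC-SHA256 is used as a stand-in because the standard library has no asymmetric primitives; a real device verifies a signature against a public key anchored in its root of trust and keeps the installed-version counter in tamper-resistant storage. The image layout, key and payload bytes are all invented for the example.

```python
"""Accept/reject logic for a firmware image with integrity check and anti-rollback.

Constructed image layout (not any vendor's format):
    magic(4) | version(4, big-endian) | payload_len(4, big-endian) | payload | tag(32)
HMAC-SHA256 stands in for the asymmetric signature a real device would verify with
a public key anchored in its root of trust; the stdlib has no asymmetric primitives.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


class UpdateRejected(Exception):
    pass


def build_image(version, payload, key):
    """Producer side: header + payload, then the tag over everything before it."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image, key, installed_version):
    """Device side. Order matters: bounds-check the header, authenticate the
    whole body, and only then trust the version field for the rollback check.
    Returns (version, payload) or raises UpdateRejected."""
    if len(image) < HEADER.size + TAG_LEN:
        raise UpdateRejected("truncated image")
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        raise UpdateRejected("length field does not match image size")
    body, tag = image[:body_end], image[body_end:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise UpdateRejected("authentication failed")
    # The version is authenticated now; a validly signed *older* image is still
    # a downgrade attack, so compare against the monotonic installed version.
    if version <= installed_version:
        raise UpdateRejected(f"rollback: {version} <= installed {installed_version}")
    return version, body[HEADER.size:]


def apply_update(image, key, installed_version):
    """Wraps verify_image into a status string; a real device would also persist
    the new version in tamper-resistant storage before booting the payload."""
    try:
        version, _payload = verify_image(image, key, installed_version)
    except UpdateRejected as e:
        return f"rejected: {e}"
    return f"accepted v{version}"


def demo():
    """Constructed key, payload and attack variants; returns the outcome of each."""
    key = b"constructed-device-key-not-for-production"
    good = build_image(2, b"\x90" * 16, key)
    # Flip one payload bit: the header still parses, the tag no longer matches.
    tampered = good[:HEADER.size] + bytes([good[HEADER.size] ^ 1]) + good[HEADER.size + 1:]
    old_signed = build_image(1, b"\x90" * 16, key)   # genuine but older release
    return {
        "fresh": apply_update(good, key, 1),
        "tampered": apply_update(tampered, key, 1),
        "replay": apply_update(good, key, 2),
        "downgrade": apply_update(old_signed, key, 2),
        "truncated": apply_update(good[:10], key, 1),
        "bad_length": apply_update(good[:-1], key, 1),
    }
```

The check order is the part worth copying: nothing in the header, including the version, is trusted until the tag over the whole body has verified, and the length field is reconciled with the actual image size before any slice is taken, so a forged length cannot push the parser past the buffer.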
This document summarizes a talk on using hackers versus security tools in the software development lifecycle (SDLC). It discusses how hackers can provide a unique perspective in requirements, design, development, testing, and production by thinking creatively about edge cases and security implications, though they do not scale as well as tools. Tools are better for automation, high-volume testing, and preventing known issues, but may miss more complex vulnerabilities. An informed approach uses both hackers and tools throughout the SDLC.
Geoffrey Vaughan, Security Engineer at Security Innovation, discusses the pros and cons of using a hacker versus a scanning tool for testing applications.
This document provides tips and guidance for starting an information security career. It discusses the importance of continuous learning and hands-on skills development. Some key recommendations include building a home lab, participating in capture-the-flag exercises, learning Python and becoming comfortable with Linux, finding a mentor, considering certifications, and networking within the security community through conferences, Twitter, blogs and open source projects. The document uses examples from penetration testing and security analysis to illustrate real-world scenarios.
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo... (Outpost24)
Our experts discuss the key considerations for building security training and application security into the SDLC, how to engage developers through gamified learning, and how to embed security testing without downtime or excessive cost.
Security Champions: Pushing Security Expertise to the Edges of Your Organization (Denim Group)
Application security teams are outnumbered. Even in security-conscious environments, application developers often exceed application security professionals by a ratio of 100:1. In addition, the push for digital transformation is accelerating the pace of development – exacerbating these challenges. One technique forward-looking security teams have adopted to stay afloat is to deploy security champions into development teams throughout the organization. This webinar looks at different models for standing up security champion initiatives and relates Denim Group’s experiences helping organizations craft and staff these programs.
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be" (WrikeTechClub)
Sooner or later every company starts thinking about both the security of its product and its internal security, and this inevitably leads to building security processes, standards, requirements and policies. This process is quite complex and laborious, requiring a certain maturity of the company and coordinated work by all employees. We would like to talk about our experience of creating a security culture at Wrike, including with the help of the product we build. We will also share our experience of solving real security problems that we or our customers face.
Security Innovation is a leader in software security that provides various security services and training solutions. Their CMD+CTRL Cyber Range is a cloud-based cybersecurity simulation and training platform that allows users to build and assess their skills through hands-on practice in simulated real-world software environments and scenarios. The platform aims to improve cybersecurity skills in a more engaging and effective manner compared to traditional cyber ranges.
The document discusses establishing security champions in an organization. Security champions are developers, QA engineers, architects or others who act as liaisons between development teams and security teams. They help make security-related decisions, assist with triaging security bugs, and ensure security is not a blocker for development. The document provides guidance on identifying teams, defining the security champion role, nominating individuals, setting up communication channels, providing training, and holding weekly meetings to maintain interest and scale security across multiple teams.
Security Training: Making your weakest link the strongest - CircleCityCon 2017 (Aaron Hnatiw)
It is well known among security professionals that the weakest link in any organization's security is the employee, the so-called "human element". While endpoint security controls may mitigate this risk, they are nowhere close to removing it completely. This is where security training becomes essential. This talk will cover how to introduce and improve security training in any organization, along with industry best practices and methods to keep knowledge retention high. The speaker will provide specific examples from his own experience of cases where a properly trained employee could have easily thwarted a devastating attack immediately. Will your employees be your weakest link, or your strongest asset?
This document provides an overview of digital product security. It discusses common cyberattacks against businesses, security issues in product development processes, and tips for developing software with security by design. It emphasizes starting with secure requirements, using static analysis, dynamic testing, and manual reviews. Following secure SDLC practices and continuous integration of security tools can help improve security, reduce costs, and better satisfy security audits.
Security Fundamentals and Threat Modelling (Knoldus Inc.)
This session will take you through the basic fundamentals and terminologies of security in our applications along with the latest security and threat trends. We will also discuss what is Threat Modelling and how we can perform it on our architectures without being an actual expert.
Starting your Career in Information Security (Ahmed Sayed)
This document outlines a presentation on information security. It discusses what information security is, general paths in security like network security and penetration testing, roles in information security, opportunities in the Middle East market, how to start in information security with CompTIA Security+ as the main certification, and concludes with a question and answer section. The presenter has over 14 years of experience in IT and information security and holds multiple technical certifications.
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Security Operation Centre Specialist Course Content (Infosec train)
SOC Specialists are at the core of the organization's security teams, detecting and responding to suspicious activities and cyber threats as they arise. The SOC Specialist training course at InfosecTrain is tailored for candidates who want to learn how to avoid, identify, assess, and respond to cybersecurity threats and incidents. The course is the second in a series that comprises Part 1 - SOC Analyst and Part 2 - SOC Specialist.
This 5-day training course provides an overview of the objectives, content, and structure of the CompTIA Security+ certification. The course covers topics such as network attack strategies and defenses, encryption standards and products, network and host security technologies, remote access security, and business continuity strategies. The CompTIA Security+ certification validates knowledge of communication security, infrastructure security, cryptography, operational security, and general security concepts. Passing the exam demonstrates competency in information security and is recognized as a valuable credential.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers (akankshawande)
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licensing under the CCB and CCX models have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new type of licensing works and what benefit it brings you. Above all, you surely want to stay within budget and save costs wherever possible. We understand that, and we want to help!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, for example when a Person document is used instead of a Mail-In database for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimised Domino configuration and keep them low in future.
Topics covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to apply immediately
Similar to Upskilling your engineers in Cyber security while they WFH
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
SOC Specialists are at the core of the organization’s security teams, detecting and responding to suspicious activities and cyber threats as they arise. The SOC Specialist training course at InfosecTrain is tailored for candidates who want to learn how to avoid, identify, assess, and respond to cybersecurity threats and incidents. The course is the second in a series that comprises Part 1-SOC Analyst and Part 2-SOC Specialist.
Security Operation Centre Specialist Course ContentInfosec train
SOC Specialists are at the core of the organization’s security teams, detecting and responding to suspicious activities and cyber threats as they arise. The SOC Specialist training course at InfosecTrain is tailored for candidates who want to learn how to avoid, identify, assess, and respond to cybersecurity threats and incidents.
This 5-day training course provides an overview of the objectives, content, and structure of the CompTIA Security+ certification. The course covers topics such as network attack strategies and defenses, encryption standards and products, network and host security technologies, remote access security, and business continuity strategies. The CompTIA Security+ certification validates knowledge of communication security, infrastructure security, cryptography, operational security, and general security concepts. Passing the exam demonstrates competency in information security and is recognized as a valuable credential.
3. About me: Aditya Kakrania
• Held most roles in the SDLC
• Information security since 2002
• Delivered talks and taught classes at Fortune-100 companies
• Created a lot of learning content for SDLC security
• Lately doing SDLC Gap Analysis:
  • Upskilling is part of the improvement roadmap
  • Created upskilling programs for many orgs
4. Upskilling: Core steps
• DETERMINE LEVEL of security know-how
  • Know where to start
  • Avoid making engineers repeat content
• GENERATE INTEREST in security
  • No learning happens without interest
  • Reward learners
• MANAGE LEARNING to improve the level of security know-how
  • Learning platform should retain interest
  • Platform should support scoring
  • Progress should be trackable
5. Upskilling: Webinar Agenda
1. Understanding how attackers “audit” your products
  • What can be learned from them
2. Leveraging CaptureTheFlag (CTF) solutions
  • Engineers will understand attack vectors
  • Engineers will understand weaknesses
  • You identify strengths and weaknesses of the team
3. Enabling Effective Learning
  • Map CTF evaluation to online training courses
  • Track progress and scores
(Core-step labels shown beside the agenda items on the slide: GENERATE INTEREST, DETERMINE LEVEL, MANAGE LEARNING)
6. How attackers ‘audit’: Attackers are people too
Turn use-cases into abuse-cases:
• Leverage tools and scripts
• View software differently
• Speculate code & design behind features
• Observe and take great notes
7. How attackers ‘audit’: From Use to Abuse
Use Case → Observe & Note → Make/Refine Attack Vector → Execute Attack Vector → Abuse Case
(The observe, refine and execute steps repeat until the attack vector succeeds.)
8. How attackers ‘audit’: What can be learned from them
• Mindset of turning use-cases into abuse-cases
  • How to disable abuse cases in code and design
• Common attack vectors
  • How to mitigate them
• Observational skills – what cues do attackers look for
  • Curtail those cues as much as possible
• Understanding the tools attackers use
  • What information is available to them
  • How tools can manipulate software
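The slide asks engineers to understand the use-case-to-abuse-case loop well enough to disable abuse cases in code and design. The following is an added example, not code from the deck or from Security Innovation: it takes one ordinary use case (a funds transfer in a constructed toy bank) and runs the same "tweak the request data, execute, observe" loop as a test suite, so the engineer can see which abuse cases the validation actually disables. The bank, accounts, amounts and abuse cases are all constructed sample data.

```python
"""Abuse-case tests for one use case (added example, not from the slide deck).

The slides describe attackers taking a use case, tweaking the data they send,
executing it and observing the result until it becomes an abuse case. The same
loop, run by the engineer as a test, shows whether the code "disables" each
abuse case. The bank, accounts, amounts and abuse cases are constructed sample
data for illustration; nothing here comes from a real system.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    balance: int  # in cents, integers only


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)

    def transfer(self, caller: str, src: str, dst: str, amount: int) -> bool:
        """Use case: the owner of `src` moves `amount` to `dst`.

        Each check rejects one way of abusing the request data; all of them
        return False without touching any balance."""
        if not isinstance(amount, int) or isinstance(amount, bool):
            return False  # type confusion: "2500", 2.5 or True are not amounts
        if amount <= 0:
            return False  # a negative amount would silently reverse the flow
        a, b = self.accounts.get(src), self.accounts.get(dst)
        if a is None or b is None or src == dst:
            return False  # unknown account, or a self-transfer
        if a.owner != caller:
            return False  # horizontal privilege: moving someone else's money
        if a.balance < amount:
            return False  # overdraft
        a.balance -= amount
        b.balance += amount
        return True


def make_bank() -> Bank:
    """Fresh constructed state for every run so cases cannot influence each other."""
    bank = Bank()
    bank.accounts["A"] = Account(owner="alice", balance=10_000)
    bank.accounts["B"] = Account(owner="bob", balance=500)
    return bank


# The ordinary use case and the tweaks that turn it into abuse cases.
USE_CASE = {"caller": "alice", "src": "A", "dst": "B", "amount": 2_500}
ABUSE_CASES = {
    "negative amount": {"amount": -2_500},
    "zero amount": {"amount": 0},
    "amount as string": {"amount": "2500"},
    "boolean amount": {"amount": True},
    "overdraft": {"amount": 1_000_000},
    "someone else's account": {"caller": "mallory"},
    "unknown destination": {"dst": "Z"},
    "self transfer": {"dst": "A"},
}


def use_case_works() -> bool:
    """The legitimate use case must still succeed after all the checks."""
    bank = make_bank()
    ok = bank.transfer(**USE_CASE)
    return ok and bank.accounts["A"].balance == 7_500 and bank.accounts["B"].balance == 3_000


def run_abuse_cases() -> dict:
    """Return {case name: True if rejected AND total money was conserved}."""
    results = {}
    for name, tweak in ABUSE_CASES.items():
        bank = make_bank()
        before = sum(acc.balance for acc in bank.accounts.values())
        accepted = bank.transfer(**{**USE_CASE, **tweak})  # execute the tweaked request
        after = sum(acc.balance for acc in bank.accounts.values())  # observe the effect
        results[name] = (not accepted) and before == after
    return results


if __name__ == "__main__":
    print("use case works:", use_case_works())
    for name, disabled in run_abuse_cases().items():
        print(f"{name:24s} {'disabled' if disabled else 'STILL POSSIBLE'}")
```

The point for a CTF debrief is the table of abuse cases next to the single use case: every row is a request an engineer might never think to write as a test, and each one maps to exactly one check in `transfer`. Removing any check and re-running shows which abuse case comes back.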
9. Leveraging CTF Events: How-To
• CTF platform should have 50%+ vulnerabilities that are easy to find
  • Participants are not hackers; the point is to learn
• Group activity with small teams
  • Good to have multiple roles in a team (e.g. Architect + Dev + QA)
  • Great team-building exercise
  • One physical location preferred; remote works
  • Cross-learning through interaction
  • Helps in maintaining interest
• Track progress and scores
  • Common scoreboard promotes friendly competition
• Award participants
  • Participation/rank certificates, gifts
11. Managed Learning: How-To
• Rank group CTF performance on available learning topics
  • Database security: Low
  • Injection attacks: Medium
  • Cryptography attacks: Low
• Map to learning content based on
  • SDLC role
  • Content difficulty level
• Offer support
• Have quizzes and exams at the end of courses
• Enable tracking of course progress at the individual level
• Offer learning support based on progress tracking and score data
  • Learning platform, security champion, email group, etc.
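Slide 11 describes a procedure (rate CTF performance per topic, map each person to content by SDLC role and difficulty, track progress, offer support based on the data) without showing how the pieces connect. The block below is an added example, not part of the deck or of any vendor platform: it runs that procedure end to end over constructed CTF results. The participants, roles, topic names, thresholds, course ids and exam scores are all made-up sample data, and the course catalogue is a placeholder for whatever the organisation's learning platform exposes. It also honours the "avoid making engineers repeat content" step from slide 4 by assigning nothing for topics already rated High.

```python
"""Map CTF results to a learning path and track progress (added example, not
part of the slide deck). Participants, roles, topics, scores, course ids and
exam results below are all constructed sample data; the course catalogue is a
placeholder for whatever platform the organisation uses."""
from collections import defaultdict
from statistics import mean

# Constructed CTF results: (participant, SDLC role, topic, points earned, points possible)
CTF_RESULTS = [
    ("alice", "dev", "injection", 80, 100), ("alice", "dev", "crypto", 10, 100),
    ("alice", "dev", "database", 20, 100),
    ("bob", "qa", "injection", 50, 100), ("bob", "qa", "crypto", 20, 100),
    ("bob", "qa", "database", 30, 100),
    ("carol", "arch", "injection", 40, 100), ("carol", "arch", "crypto", 60, 100),
    ("carol", "arch", "database", 10, 100),
]

# Constructed catalogue: topic -> difficulty -> role -> course id.
COURSES = {
    "injection": {"beginner": {"dev": "INJ-101", "qa": "INJ-101T", "arch": "INJ-101A"},
                  "intermediate": {"dev": "INJ-201", "qa": "INJ-201T", "arch": "INJ-201A"}},
    "crypto": {"beginner": {"dev": "CRY-101", "qa": "CRY-101T", "arch": "CRY-101A"},
               "intermediate": {"dev": "CRY-201", "qa": "CRY-201T", "arch": "CRY-201A"}},
    "database": {"beginner": {"dev": "DB-101", "qa": "DB-101T", "arch": "DB-101A"},
                 "intermediate": {"dev": "DB-201", "qa": "DB-201T", "arch": "DB-201A"}},
}
# Level -> course difficulty. High has no entry: don't make engineers repeat content.
DIFFICULTY = {"Low": "beginner", "Medium": "intermediate"}


def rate(ratio: float) -> str:
    """Low/Medium/High from the share of available points earned on a topic."""
    if ratio < 0.34:
        return "Low"
    if ratio < 0.67:
        return "Medium"
    return "High"


def topic_ratios(results):
    """{(participant, role): {topic: earned/possible}} aggregated over all challenges."""
    earned = defaultdict(lambda: defaultdict(int))
    possible = defaultdict(lambda: defaultdict(int))
    for who, role, topic, got, total in results:
        earned[(who, role)][topic] += got
        possible[(who, role)][topic] += total
    return {k: {t: earned[k][t] / possible[k][t] for t in earned[k]} for k in earned}


def group_levels(results) -> dict:
    """The slide's group view: {topic: level} from the mean ratio across participants."""
    by_topic = defaultdict(list)
    for ratios in topic_ratios(results).values():
        for topic, r in ratios.items():
            by_topic[topic].append(r)
    return {topic: rate(mean(rs)) for topic, rs in by_topic.items()}


def learning_paths(results) -> dict:
    """{participant: [course ids]}, weakest topic first, picked by level and SDLC role."""
    paths = {}
    for (who, role), ratios in topic_ratios(results).items():
        path = []
        for topic, r in sorted(ratios.items(), key=lambda kv: kv[1]):
            difficulty = DIFFICULTY.get(rate(r))
            if difficulty:  # None for High: topic already known, skip it
                path.append(COURSES[topic][difficulty][role])
        paths[who] = path
    return paths


# Constructed platform data: completed courses and end-of-course exam scores.
COMPLETED = {"alice": {"CRY-101"}, "bob": {"CRY-101T", "DB-101T", "INJ-201T"}, "carol": set()}
EXAM_SCORES = {("alice", "CRY-101"): 85, ("bob", "CRY-101T"): 90,
               ("bob", "DB-101T"): 55, ("bob", "INJ-201T"): 75}


def progress_report(paths, completed, exam_scores, pass_mark=70) -> dict:
    """Per-person progress plus a flag for who should be offered support."""
    report = {}
    for who, path in paths.items():
        done = [c for c in path if c in completed.get(who, set())]
        failed = [c for c in done if exam_scores.get((who, c), 0) < pass_mark]
        pct = round(100 * len(done) / len(path)) if path else 100
        report[who] = {"progress_pct": pct, "failed_exams": failed,
                       "needs_support": pct < 50 or bool(failed)}
    return report


if __name__ == "__main__":
    print("group levels:", group_levels(CTF_RESULTS))
    paths = learning_paths(CTF_RESULTS)
    for who, path in paths.items():
        print(who, "->", path)
    print(progress_report(paths, COMPLETED, EXAM_SCORES))
```

With the constructed scores the group view comes out as injection Medium, crypto Low, database Low, matching the pattern on the slide, while the individual paths differ: alice skips injection entirely, and carol, who scored well on crypto, gets the intermediate course rather than the beginner one. The report is where the "offer support" step gets its data: a low completion rate or a failed end-of-course exam is what triggers a nudge from the security champion or email group.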
13. Upskilling engineers in cybersecurity: Finally
• CTFs and training can help create a culture of security
  • Not security experts, but security-conscious engineers
  • Designers will be aware of insecure mechanisms and patterns
  • Developers will recognize bad practices, leading to fewer defects in code
  • Testers will know how to find security defects
• Expect incremental improvement
  • Not everyone will learn or improve right away
  • Continuous cycles of CTFs + training
• Create security champions in each team
14. The Security Innovation Difference
• Blended Learning → Attack & Defend
  • Attack: Hands-on simulation with CMD+CTRL
    • Real, purposely vulnerable applications for hands-on learning
    • Discover team capabilities and kindle interest in security
  • Defend: Progressive computer-based training
    • Role-based training for Architects, Developers, QA, Operations, IT, and Analysts
    • Modular courses provide a clear path that grows with learners
    • Quarterly releases ensure content addresses current technologies and attack vectors
• Rich Reporting
  • Real-time assessment of your team’s capabilities
  • Quarterly program analysis to adjust learning paths, cadence, and metrics
I have been involved in most aspects of product development and have been active in information security since 2002. I have delivered many talks at conferences and taught classes at Fortune 100 companies worldwide.
I have developed a lot of learning content for SDLC security and currently like to perform security gap analysis of product teams and create roadmaps for security improvement over time. I have performed security gap analysis for large international airlines and financial companies.
All of these aspects of my experience enable me to talk at some length on upskilling in security.
Also, especially because a large part of the roadmap creation in SDLC Gap Analysis – which I have been doing for the last few years – deals with upskilling the engineers in security, today I’d like to present what I have learned in that area.
Core steps organizations need to take for upskilling. If you remove security references from this, these steps apply to all upskilling.
Most organizations have some sort of a learning program; whether it is managed well or useful or not – it’s at least there; and that’s a start. So what I have seen is that most orgs are skipping two very important things:
(1) Understanding or determining how much their engineers already know. Without knowing this you don’t know at what level to start training programs. I have seen many assumptions about teams turn out to be completely wrong, and what happens is that we end up with an ineffective learning program. Either because we have started at a level that is too high or, very often, a level that is too low – which results in engineers having to repeat what they already know.
(2) The second step that most orgs miss, is to make the engineers WANT TO go through the learning program. You will all agree that no one learns anything unless they have some real interest in the topic. So I will talk about things that we have done at orgs to motivate and even incentivize engineers so that they themselves start caring about security.
The final core step for upskilling which, as I said, most companies try and do is have a learning program. However, two key aspects of running a learning program so that it is well managed and effective are:
(1) have content that is interactive and retains interest – you don’t want the learner skipping the content, so have quizzes in between; provide super relevant examples that they can relate to; make them interact with the platform so that they are not just sitting and staring at a screen.
(2) We’ve also found it useful to include quizzes and short exams at the end of learning modules; it helps in measuring skill at the individual level.
(3) The learning program should track the progress of individual learners. This is very important to help you gauge the actual usage of the program – I’ve seen many learning programs that only exist – but are almost never used. Lack of usage is a good indicator that we got something terribly wrong in the first two core steps that I’ve just described.
So now we come to the agenda of this webinar in which I will present the lessons I have learned.
Today, I will talk about how we have used CTFs to generate interest and also gauge the level of security knowledge for individuals. For those of you who are not familiar with CTFs: they are software products that purposely have security defects in them so that participants can try to find them and learn in the process.
I will next talk about some lessons I have learned in creating effective learning programs, in which I will talk about the importance of using the determined level of individuals to create a learning path for them so that the content is both interesting and relevant to them, and also about tracking progress and scores for other management activities.
Now, before we begin to discuss upskilling our teams, we have to first upskill ourselves a bit about the methods that I am proposing today – so we will start with quickly understanding how attackers attack our products and what our teams can learn and adopt from them.
Attackers don’t have any kind of superpowers; but they do behave differently and in these three slides we will see what we can learn from them.
So how do attackers behave differently?
The main thing attackers do differently is that they turn Use-cases into Abuse-cases – this is the fun part, where you can let your imagination run wild and explore the features of a software and dream up various ways in which you can abuse those features.
In order to do this they:
Leverage tools – but anyone can get those tools; what else:
They view software differently – it takes a different mindset, and it is only partly as glamorous as movies will have you believe. Attackers know that nothing is unbreakable, everything has an attack vector, with varying degrees of complexity and challenges. This is something that we will want our engineers to understand.
Speculate code & design behind features – it helps to be able to speculate on the decisions made by the developer, what common mistakes might they have made, what software design flaw made by the architect are we observing in this particular feature. This is something that our engineers do not need to do since they are aware of the design and code of the product.
Observe software & take great notes – this is the laborious part, you never see attackers in movies making observations and taking notes – because it may appear to be boring. Attackers do this on repeat really. They spend 90% of their time making observations and taking notes.
This graphic here; this is what attackers are doing 90% of the time.
They are taking a feature, a use case, of your product and trying to turn it into an abuse case; An abuse case which harms your company and your customers and is also usually beneficial for the attacker.
An attacker generally picks a use case on which they have speculated that you have made a mistake in either code or design. They will then execute that use case and make observations about the environment and the outputs of the software. The next step is to modify the aspects of the use case, generally by tweaking data sent from the attacker to your software, and then executing that modified use case. Again, observing the output and environment to see if it had the desired effect; if not, they will refine their attack parameters and try again....and again and again...until they succeed. And upon success they will have turned a use case into an abuse case.
This is what we need our engineers to understand; not necessarily how to go through the entire process and become hackers themselves, but understand what the attackers go through. Once that is done, the engineers will themselves be able to code and design products that can make it much harder for attackers to convert use cases to abuse cases.
If we have time at the end, I can show you some examples of this on a vulnerability database: http://vuldb.com
...Now that we’ve upskilled ourselves about this. Let us see how CTFs and Courses can help achieve these goals!
We’ve found the best way for our engineers to understand the points in the previous slide is to occasionally put their hacker hats on and participate in a CTF program. CTFs are great because they can be a team activity where many teams in your company are competing with each other. I also recommend making up small teams which cover different roles in a product team, for example Architect + Dev + Tester. This helps them together realize the different aspects of the product that can be attacked.
Now let’s look at some key lessons learned from my experience:
SecGen: Create randomly insecure virtual machines, lab environments, and hacking challenges, so students can learn security penetration testing techniques.
Premium Customer Success Program
• Shifts the burden of program rollout and optimization onto us
• Role-based learning paths