Cyber Security Body of Knowledge (CyBOK) Training Course

This instructor-led, live training in New Zealand (online or on-site) is intended for system administrators who wish to use 389 Directory Server to configure and manage LDAP-based authentication and authorisation.

By the end of this training, participants will be able to:

• Install and configure 389 Directory Server.
• Understand the features and architecture of 389 Directory Server.
• Learn how to configure the directory server using the web console and CLI.
• Set up and monitor replication for high availability and load balancing.
• Manage LDAP authentication using SSSD for improved performance.
• Integrate 389 Directory Server with Microsoft Active Directory.

This instructor-led, live training in New Zealand (available online or on-site) is aimed at system administrators who wish to use Microsoft Active Directory to manage and secure data access.

By the end of this training, participants will be able to:

• Set up and configure Active Directory.
• Establish a domain and define user and device access rights.
• Manage users and machines through Group Policies.
• Control access to file servers.
• Set up a Certificate Service and manage certificates.
• Implement and manage services such as encryption, certificates, and authentication.

Android is an open platform for mobile devices such as handsets and tablets. It offers a wide range of security features designed to simplify the development of secure software; however, it also lacks certain security aspects found in other handheld platforms. This course provides a comprehensive overview of these features and highlights the most critical shortcomings to be aware of, particularly those related to the underlying Linux system, the file system, and the broader environment, as well as the use of permissions and other Android software development components.

Typical security pitfalls and vulnerabilities are examined for both native code and Java applications, accompanied by recommendations and best practices to prevent and mitigate them. In many cases, the issues discussed are illustrated with real-world examples and case studies. Finally, the course offers a brief overview of how to use security testing tools to uncover programming bugs with security implications.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about the security solutions available on Android
• Gain proficiency in using various security features of the Android platform
• Acquire information on recent vulnerabilities affecting Java on Android
• Learn to identify typical coding mistakes and how to avoid them
• Develop an understanding of native code vulnerabilities on Android
• Recognise the serious consequences of insecure buffer handling in native code
• Understand architectural protection techniques and their inherent weaknesses
• Access sources and further reading materials on secure coding practices

Audience

Professionals

Building a secure networked application can be challenging, even for developers who have previously worked with various cryptographic components such as encryption and digital signatures. To help participants grasp the role and application of these cryptographic primitives, the course first establishes a solid foundation covering the core requirements of secure communication—secure acknowledgment, integrity, confidentiality, remote identification, and anonymity. It also explores typical issues that can compromise these requirements, along with real-world solutions.

As cryptography is a critical pillar of network security, the course examines key algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Rather than delving into complex mathematical theory, these topics are presented from a developer's perspective, featuring practical use cases and considerations such as the implementation of public key infrastructures. The course introduces security protocols across various domains of secure communication, with in-depth coverage of widely used protocol families like IPSEC and SSL/TLS.

Common cryptographic vulnerabilities are examined, including those affecting specific algorithms and protocols such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding Oracle, Lucky Thirteen, POODLE, and the RSA timing attack. For each vulnerability, practical implications and potential consequences are outlined, again avoiding deep mathematical detail.

Finally, as XML plays a central role in data exchange for networked applications, the course addresses XML security. This includes the use of XML in web services and SOAP messages, along with protective measures such as XML signature and XML encryption. It also highlights weaknesses in these protections and XML-specific security threats, including XML injection, XML External Entity (XXE) attacks, XML bombs, and XPath injection.

Participants attending this course will

• Understand basic concepts of security, IT security and secure coding
• Understand the requirements of secure communication
• Learn about network attacks and defenses at different OSI layers
• Have a practical understanding of cryptography
• Understand essential security protocols
• Understand some recent attacks against cryptosystems
• Get information about some recent related vulnerabilities
• Understand security concepts of Web services
• Get sources and further readings on secure coding practices

Audience

Developers, Professionals

This three-day course covers the fundamentals of securing C/C++ code against malicious users who may exploit numerous vulnerabilities, particularly those related to memory management and input handling. The course explores the principles of writing secure code.

Even seasoned Java developers do not fully master the diverse security services offered by Java, nor are they always aware of the various vulnerabilities pertinent to Java-based web applications.

Beyond introducing the security components of the Standard Java Edition, this course addresses security challenges in Java Enterprise Edition (JEE) and web services. Discussions of specific services are preceded by foundational concepts in cryptography and secure communication. A range of practical exercises explores both declarative and programmatic security techniques within JEE, while also covering transport-layer and end-to-end security for web services. All components are demonstrated through hands-on exercises, allowing participants to experiment with the discussed APIs and tools first-hand.

The course also examines and explains the most common and severe programming flaws inherent to the Java language and platform, as well as web-related vulnerabilities. In addition to typical errors made by Java developers, the security issues covered include both language-specific concerns and those arising from the runtime environment. All vulnerabilities and associated attacks are illustrated through clear, easy-to-follow exercises, followed by recommended coding guidelines and potential mitigation strategies.

Participants attending this course will

• Understand the fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Grasp the security concepts underlying web services
• Gain proficiency in using various security features within the Java development environment
• Develop a practical understanding of cryptography
• Understand the security solutions provided by Java EE
• Identify common coding mistakes and learn how to avoid them
• Access information on recent vulnerabilities in the Java framework
• Acquire hands-on experience with security testing tools
• Obtain resources and further reading materials on secure coding practices

Audience

Developers

Description

The Java language and the Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities seen in other languages, such as C/C++. However, software developers and architects should not only understand how to leverage the various security features of the Java environment (positive security) but also remain aware of the numerous vulnerabilities that still affect Java development (negative security).

The introduction to security services is preceded by a concise overview of the foundations of cryptography, establishing a common baseline for understanding the purpose and operation of relevant components. These components are explored through a series of practical exercises, allowing participants to experiment with the discussed APIs firsthand.

The course also examines and explains the most frequent and serious programming flaws in the Java language and platform, covering both typical mistakes made by Java developers and issues specific to the language and its environment. All vulnerabilities and associated attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Learn to utilise various security features of the Java development environment
• Gain a practical understanding of cryptography
• Learn about typical coding mistakes and how to prevent them
• Receive information on recent vulnerabilities in the Java framework
• Access resources and further reading on secure coding practices

Audience

Developers

Today, numerous programming languages are available to compile code for the .NET and ASP.NET frameworks. While this environment offers powerful capabilities for security development, developers must understand how to apply architecture- and code-level programming techniques to implement the desired security functionality, avoid vulnerabilities, and limit their exploitation.

This course aims to equip developers through extensive hands-on exercises with the skills to prevent untrusted code from performing privileged actions, protect resources through robust authentication and authorisation, manage remote procedure calls, handle sessions, implement various solutions for specific functionality, and much more.

The introduction to different vulnerabilities begins by examining typical programming issues encountered when using .NET, while the discussion of ASP.NET vulnerabilities also covers various environment configurations and their impacts. Finally, the topic of ASP.NET-specific vulnerabilities addresses not only general web application security challenges but also specialised issues and attack methods, such as attacking ViewState or string termination attacks.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Learn to utilise various security features within the .NET development environment
• Gain practical knowledge in using security testing tools
• Learn about common coding mistakes and how to prevent them
• Receive information on recent vulnerabilities in .NET and ASP.NET
• Access resources and further readings on secure coding practices

Audience

Developers

This course introduces key security concepts, provides an overview of the nature of vulnerabilities irrespective of programming languages or platforms, and explains how to manage software security risks across the various phases of the software development lifecycle. While not delving deeply into technical specifics, it highlights some of the most compelling and pressing vulnerabilities across diverse software development technologies, outlines the challenges of security testing, and presents practical techniques and tools for identifying existing issues in code.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Gain insight into web vulnerabilities on both server and client sides
• Recognise the serious consequences of insecure buffer handling
• Be informed about recent vulnerabilities affecting development environments and frameworks
• Learn about common coding mistakes and how to avoid them
• Understand security testing approaches and methodologies

Audience

Managers

This instructor-led, live training in New Zealand (delivered online or on-site) is designed for system administrators who wish to use FreeIPA to centralise authentication, authorisation and account information for their organisation's users, groups and machines.

By the end of this training, participants will be able to:

• Install and configure FreeIPA.
• Manage Linux users and clients from a single central location.
• Use FreeIPA's CLI, Web UI and RPC interface to set up and manage permissions.
• Enable Single Sign-On authentication across all systems, services and applications.
• Integrate FreeIPA with Windows Active Directory.
• Backup, replicate and migrate a FreeIPA server.

This instructor-led, live training in New Zealand (online or on-site) is designed for system administrators who wish to use Okta for identity and access management.

By the end of this training, participants will be able to:

• Configure, integrate, and manage Okta effectively.
• Integrate Okta into existing applications.
• Implement robust security measures using multi-factor authentication.

This instructor-led, live training in New Zealand (online or on-site) is designed for intermediate-level system administrators and IT professionals who wish to install, configure, manage, and secure LDAP directories using OpenLDAP.

By the end of this training, participants will be able to:

• Understand the structure and operation of LDAP directories.
• Install and configure OpenLDAP across various deployment environments.
• Implement access control, authentication, and replication mechanisms.
• Integrate OpenLDAP with third-party services and applications.

This instructor-led, live training in New Zealand (online or on-site) is designed for system administrators who wish to use OpenAM to manage identity and access controls for web applications.

By the end of this training, participants will be able to:

• Configure the required server environment to begin setting up authentication and access controls using OpenAM.
• Implement single sign-on (SSO), multi-factor authentication (MFA), and user self-service features for web applications.
• Utilise federation services (OAuth 2.0, OpenID, SAML v2.0, etc.) to securely extend identity management across different systems or applications.
• Access and manage authentication, authorisation, and identity services via REST APIs.

This instructor-led, live training in New Zealand (online or on-site) is designed for system administrators who wish to use OpenDJ to manage their organisation's user credentials in a production environment.

By the end of this training, participants will be able to:

• Install and configure OpenDJ.
• Maintain an OpenDJ server, including monitoring, troubleshooting, and performance optimisation.
• Create and manage multiple OpenDJ databases.
• Back up and migrate an OpenDJ server.