The goal of the course is to help participants adopt the hacker mindset while introducing them to common software vulnerabilities and how they manifest.
The course consists of short lectures mixed with practical assignments in the Ambaga training platform. Participants learn to exploit known vulnerabilities in software systems. The exercises simulate real-world web system vulnerabilities. The purpose of the tasks is to train participants to identify weaknesses in software systems and deepen their understanding of the impact that exploiting such vulnerabilities can have.
After the course, participants should have gained the skills to look at software, including their own, with a critical eye, and to use those skills to identify and fix security flaws. This enables developers to perform their own security testing on their software; they are in a unique position to do so because they know the codebase intimately.
Topics
The curriculum is based on the list of common software security flaws published by the Open Worldwide Application Security Project (OWASP), often called the OWASP Top 10. The material focuses on web software development for those who develop websites, web services, or other solutions that receive data over the Internet. Most of the content applies to all software development, so it is also useful for developers who work exclusively on backend systems.
The categories of security flaws covered in the course are as follows:
- Logic Errors
- Authentication
- Access Control
- Injections
- Browser-related vulnerabilities (Client-side)
- Server-Side Request Forgery (SSRF)
- Security Misconfigurations
- Cryptographic Failures
Upon request, the material can be tailored to the needs of the development team. For example, if a team does not handle frontend development, the browser-related material can be omitted.
Teaching Methods
Each session begins with an approximately 45-minute lecture. After the lecture, participants are given the opportunity to work on assignments where they apply and strengthen their knowledge. The instructor is available to assist participants with solving the tasks.
The training takes place in the Ambaga training platform. Participants can observe real vulnerabilities in realistic web systems. The goal of the assignments is to utilize these vulnerabilities to simulate a security breach. The system is closed and does not involve real attacks on any software in operation. It only simulates them. These exercises introduce participants to what the misuse of vulnerabilities entails and demonstrate the impact a security breach can cause.
Participants collect points by solving tasks, and the platform offers a leaderboard to track progress. A fun competitive spirit often develops around the leaderboard, which can motivate the group to solve as many tasks as possible. Participants control the name under which they appear on the leaderboard and can choose to remain anonymous. This feature can be disabled entirely if requested by the client.
Language
The educational material, including lectures and assignments, is entirely in English. Lectures can be delivered in either English or Icelandic.
Schedule
The course is structured as follows:
| Session | Duration | Topic |
|---|---|---|
| 1 | 2 hrs | Logic errors, authentication, and access control |
| 2 | 2 hrs | Injection vulnerabilities |
| 3 | 2 hrs | Browser-related vulnerabilities and SSRF |
| 4 | 2 hrs | Configuration failures and cryptography |
Objectives
This course is designed as foundational cybersecurity training for developers. Its primary goal is to introduce developers to the hacker mindset. Software is often developed under time pressure, and security can be overlooked while the main goal is getting everything working. By giving developers insight into the hacker mindset, we provide them with the tools they need to look critically at their own software and identify potential security flaws before they are exploited.
This course does not cover tools such as proxies used in security audits. It also does not cover defense-oriented tools like firewalls and source code analysis tools. Ambaga offers courses that cover the use of such tools, but those are intended as advanced courses following this foundational training.
Practical Information
Companies, Organizations, and Large Groups
The course is typically held in four sessions. Each session is two hours long, totaling eight hours. This is usually spread over two weeks. For example, the sessions could be held on Monday and Thursday for two consecutive weeks. The exact implementation is negotiable, and most client requirements regarding the schedule can be met.
Generally, courses are held in person at the client's location. The client provides a hall or meeting room where the Ambaga instructor can hold lectures and assist with project work. Upon request, Ambaga can provide a teaching space. Remote employees can be accommodated using video conferencing equipment.
The price of the course depends on the number of participants. Contact us to request a quote.
Individuals
In addition to offering courses for companies, Ambaga regularly holds courses for individuals. The course takes place in the capital area, and Ambaga provides the teaching space. Contact us for more information regarding timing.
The price for such a course is 180,000 ISK including VAT per person.