Vulnerability-a-month Program

Meristem will provide self-paced exercises of approximately 30 minutes each, covering one common vulnerability type per month, along with access to a live environment where students can apply their training. Actively exploiting a vulnerability pushes students to fully grasp its mechanics and internalize the risk. They then naturally begin to look at their own code from the perspective of an attacker and to identify vulnerabilities on their own. The “slow and steady” approach reinforces learning and creates an ongoing conversation within the organization in a way that is difficult to replicate through a single class covering the same topics. These activities are best paired with a small reward program that can be administered by Meristem or within the client organization.

 

Capture-the-flag Events

Capture-the-flag events are a tradition in the security community: participants are offered a deliberately vulnerable environment and challenged to exploit its vulnerabilities to obtain bits of “sensitive” information, represented by short pieces of text known as flags. These events allow students to take on the role of an attacker and provide a sanctioned environment in which to perform otherwise malicious actions. Taking on that role causes them to look at their own code with a critical eye and consider how features they wrote themselves could be used maliciously, as opposed to how the developers expect them to be used. These half-day or one-day events are best offered as a capstone to other security training or as a team-building exercise for groups with existing application security expertise.

 

Instructor-Led Training

Upon request, Meristem will develop a custom secure application development course based on the client’s chosen application stack and development environment. These courses are typically based on OWASP’s Top 10 Application Security Risks, but topics can be selected by the client to address specific needs. Hands-on activities will be included throughout the course to encourage in-depth understanding of the risk each vulnerability poses.