Security Upskill Program

Our Security Upskill Program helps you to master role-based and progressive learning journeys geared towards all involved in the development process.

How to upskill your security team

Don't you have that impression too, that many security learning curricula are based too often on elevating one expert's opinion, or on sending out generic security basics across an entire organization?

The problem with these approaches is that you either have specialization OR scalability but never both. To get specialization at scale and share the right info with the right people, you need a different approach.

With our Security upskill program and underlying learning journeys, you and your team(s) will master role-based and progressive learning journeys geared toward all the people involved in your security development process.

Security Learning Journey Modules

To upskill your team(s) and team members, we've developed a security learning journey that covers each position and each responsibility.

1. Foundation

Creating any secure culture and ecosystem requires members to understand the bigger picture as well as each other’s responsibilities. This module creates a generalized understanding of security and its jargon. Understanding this removes ambiguity, assumptions, and vague or unclear (security) requirements. We also create common ground between all team members and stakeholders.

2. Secure Development Lifecycle

Having a predefined and standardized approach allows you to embed predictable activities instead of dealing with out-of-scope work. It also ensures feedback loops to prevent repeating mistakes. This module clarifies the challenges and solutions when implementing security in a development lifecycle. Learn what to watch for in every development stage and how each team member can safeguard the most effective security.

3. Threat Modeling

Identifying threats during architectural and design activities helps you reduce risks and meet security objectives earlier in the development lifecycle. Threats can be identified in advance by using engineering techniques that follow a simple process. Based on this outcome, you’ll generate a prioritized list of threats and possible remediations but also a deeper understanding of the system created by your team members.

4. Secure Development

As roughly half of the vulnerabilities in any system are introduced during the development stage, empowering developers with security essentials will prevent most of them. Based on both technical and functional implementations, various patterns are identified; developers learn to recognize these patterns and to choose the right, secure solution from the start.

5. Secure Testing

Performing a high-level security assessment during development allows you to identify, triage, and report findings for timely remediation. Most common findings and vulnerabilities can be identified by the team themselves. This module introduces security testing concepts and frameworks, and also shows how to apply these concepts with both free and commercial tools and resources.

6. Applied DevSecOps

Automating and offloading security activities helps your development team to focus on adding value. At the same time – through the use of Infrastructure as Code and Immutability – it is possible to remove human error from common or impactful tasks. This module shows you how to integrate security in the DevOps environment, the DevOps way of working, and CI/CD pipeline.

7. DevSecOps

DevOps forces the business and AppSec to start interacting differently with development teams. Many security(-related) processes were never designed for a high-velocity development environment, often leading to ineffective and time-consuming processes. Therefore, we need to redesign these processes so that DevSecOps frees the team of impactful activities that have been added to their existing way of working.

8. Applied Cloud Security

Cloud is the most important feature for digital transformation, but it is also the component that is the furthest away from your comfort zone and responsibilities as a development team. This module addresses the fundamental security features of Cloud vendors for compliance, IAM, incident response, monitoring, and infrastructure. Apply this knowledge to help your team(s) to benefit more from the Cloud.

Modular set-up

To tailor your upskill program to your team's needs, we've adopted a modular set-up with different 'flavors' and different focus areas.

Security learning focus areas

Let's first discuss the different focus areas. As you can see in the image below, we use icons to represent a module's focus areas. A security learning journey module can cover more than one of these areas. We distinguish between:

  • Process and People.
  • Products.
  • Pipelines.
  • Platforms.

Security Learning Journey Modular Set-up

Security learning 'flavors'

Next to the different focus areas, we also give a module a certain flavor. What does that mean, a 'flavor'?!

A flavor represents how far you have come in your knowledge journey. We base that on four experience levels:

  • Tell: get basic information about a certain subject.
  • Show: demonstrate how it's applied with real-life examples.
  • Do: apply the knowledge yourself with real-world scenarios.
  • Train: teach others in your organization to spread knowledge and master the subject.

Security Learning Journey Flavors

Example security learning journey

When you take the above-mentioned focus areas and flavors and combine those elements into a modular learning journey, you end up with a journey like the one below.

Security Learning Journey Example

Security training modules

1. Foundation

This module creates a general understanding of security and its jargon. Understanding this removes ambiguity, assumptions and vague or unclear (security) requirements. This security foundations training also creates common ground between all team members and stakeholders.

Topics

  • What is security?
  • What leads to insecurity?
  • History of mitigations.
  • Threat Actors and Risk.
  • Approaches.

Flavor

  • TELL - 2 hours.

2. Secure Development Lifecycle

This training course clarifies the challenges and solutions when implementing security in a development lifecycle. The focus is on what to watch for in every development stage and on what each team member's role is in achieving the most effective security.

Topics

  • Requirements and use cases.
  • Architecture and design.
  • Development and configuration.
  • Testing and test plan.
  • Deployment and feedback.

Flavors

  • TELL - 2 hours.
  • SHOW - 8 hours.

3. Threat Modeling

Threats can be identified in advance by using engineering techniques that follow a simple process. Based on this outcome, you'll generate a prioritized list of threats and possible remediations. Also, all team members will get a deeper understanding of the system.

Topics

  • Attack trees and abuse cases.
  • Assets and threat actors.
  • Creation and decomposition of models.
  • STRIDE.
  • Residual risk.

Flavors

  • TELL - 1 hour.
  • SHOW - 4 hours.
  • DO - 8 hours.
  • TRAIN - 8 hours.

4. Secure Development

This module explains the principles behind the most common vulnerabilities, including the OWASP Top 10. With knowledge of these patterns, developers can find, fix, and prevent most application insecurities (over 200 CWEs).

Topics

  • Format and masking.
  • Trust boundaries.
  • Input/output handling.
  • Data and control.
  • Whitelisting.
  • Tokenization and encryption.

Flavors

  • SHOW - 4 hours.
  • DO - 8 hours.

5. Secure Testing

This module introduces security testing concepts and frameworks. We'll also show you how to apply these concepts with free and commercial tools and resources.

Topics

  • Footprinting.
  • Fuzzing.
  • Authentication, Authorization, and Auditing.
  • Input, function, and output handling.
  • Business logic.
  • Network and configuration.

Flavors

  • SHOW - 8 hours.
  • DO - 16 hours.

6. Applied DevSecOps

This module teaches you how to integrate security in the DevOps environment, the DevOps way of working, and the CI/CD pipeline.

Topics

  • Infrastructure as Code and Immutability.
  • Find vulnerabilities in application dependencies, Docker files, Images, and resources.
  • Lint, Static Application Security Testing, Dynamic Application Security Testing.
  • Secrets/sensitive data leakage.
  • Monitoring vulnerabilities and observability using various tools.

Flavors

  • SHOW - 8 hours.
  • DO - 16 hours.

7. DevSecOps

DevOps forces the business and AppSec to start interacting differently with development teams. DevSecOps frees your team from the impactful activities that have been added to their existing way of working.

Topics

  • Agile and DevOps basics.
  • The role of automation in development, deployment, and operations.
  • Agile threat modeling.
  • Patch management in DevOps environments.
  • Incident handling feedback loops.
  • Cloud challenges and advantages.
  • Combining SRE and DevSecOps.

Flavors

  • TELL - 4 hours.
  • SHOW - 8 hours.

8. Applied Cloud Security

This module addresses the fundamental security features of cloud vendors for topics like compliance, IAM, incident response, monitoring, and infrastructure, and shows how teams can benefit more from using the cloud.

Topics

  • Security on the Cloud provider.
  • Identity and Access management.
  • Infrastructure Security.
  • Monitoring and Detective Controls.
  • Processing logs.
  • DDoS mitigation.
  • Incident Response Essentials.

Flavors

  • SHOW - 8 hours.
  • DO - 16 hours.