Curriculum Modules

The working group for OCSD has arrived at the following curriculum modules:

  1. Secure Architecture and Threat Modeling
     • Secure SDLC practices
     • Secure Architecture/Design Principles
     • Common Design Flaws
     • Threat Modeling / Risk Concepts
  2. Authentication and Credential Management
     • Password Best Practices
     • Multi-Factor Authentication (MFA)
     • Credential Lifecycle Management
     • Federated Identity and Single Sign-On (SSO)
     • Authentication Bypass and Brute-Force Attacks
  3. Authorisation
     • Session and Identity Management
     • Access Control Approaches
     • Function- and Object-Level Authorization
     • Session Abuse and Privilege Escalation Attacks
  4. Input Validation and Output Encoding
     • Input Validation
     • Output Encoding and Sanitization
     • Injection Attacks
  5. Cryptography and Key Management
     • Cryptography Best Practices
     • Secure Random-Number Generation
     • Cryptographic Key Management
     • Digital Signatures and HMACs
  6. Error Handling
     • Logging Sensitive Operations Securely
     • Avoiding Stack Traces / Information Leaks
  7. Secure Logging
     • Log Protection Best Practices
     • Log Aggregation, Monitoring, and Alerting
  8. Data Protection and Privacy
     • Encryption at Rest and Encryption in Transit
     • Client-Side Storage Threats
     • Regulatory (e.g., GDPR, CCPA) Considerations
     • Data Retention and Destruction
     • Caching and Privacy Headers
  9. Secure Communications
     • Transport-Layer Security (TLS) Enforcement
     • TLS 1.2+ Best Practices
     • HTTPS Everywhere and HSTS
     • Certificate Pinning
     • Secure Protocol Selection
  10. Software Supply Chain Security
     • Dependency Management
     • Software Bills of Materials (SBOMs)
     • Secure Deserialization
     • Subdomain Takeover Attacks
     • Code Signing and Verification
     • Open-Source Software and Licensing
  11. Business Logic Security
     • Business Logic Flaws (Race Conditions, Inconsistent State)
     • Anti-Automation Best Practices (CAPTCHA, Rate Limiting)
     • Anomaly Detection and Misuse Cases
  12. Secure File and Resource Handling
     • Upload/Download Controls
     • Path Traversal Prevention
     • RFI, SSRF Protections
     • MIME Sniffing and Validation
  13. API and Web Service Security
     • REST, GraphQL, and SOAP Security Models
     • Authentication and Authorization for APIs
     • Throttling and Abuse Protection
     • JSON and XML Parser Safety
  14. Secure Configuration and Deployment
     • Secure Defaults
     • Secrets Management
     • CORS, CSP, and HSTS
     • SBOM and CI/CD Hardening
  15. Security of and for AI
     • Securing Models
     • Securing Data Sets