Security Innovation, a leader in software security assessment and training, announced the release of a new, intermediate level cyber range as part of its CMD+CTRL software security training series. Containing 45 security challenges and 14 vulnerability types based on common security risks from the OWASP Top 10, CWE, MITRE ATT&CK framework and others, the training teaches participants how to better protect against the latest cybersecurity threats in a simulated system by having them act like attackers.
The newest component of a comprehensive application security training program, Shadow Health is designed for organizations in any industry, and replicates attack scenarios via an authentic but intentionally insecure health care portal platform built on a cloud-native tech stack. While the cyber range uses a web application scenario familiar to the health care industry, the training is designed to apply to all types of applications to help cross-functional teams including application developers, security engineers and QA engineers make their solutions less vulnerable to cyberattacks.
CIO INFLUENCE: JFrog Software Supply Chain Platform Delivers 393% ROI According to Total Economic Impact Study
Through a fun, interactive, gamified approach to training, that includes missions, competitions and leaderboards, companies can use Shadow Health in conjunction with related courses and labs to assess employee application security competency and maximize learning and collaboration. Challenges include broken access control, injection, cross-site scripting vulnerabilities, SSRF, Log4j and five special “capture the flag” challenges.
“Putting employees in the seat of the attacker gives them a better perspective on how to make their software safer,” said Fred Pinkett, Senior Director, Product Management, at Security Innovation. “We have designed this cyber range to be a challenge for employees of all skill levels. Overall, fewer than 20% of participants identify all the issues, and the average participant finds less than half.”
Rise in Simulated Cybersecurity Training
Realistic simulations are an increasingly important component of software security training. A recent report from Security Innovation and the Ponemon Institute found that 60% of companies now include realistic simulations as part of their cybersecurity training programs compared to 36% in 2020. The effectiveness and motivation of realistic training is one reason ROI for cybersecurity programs incorporating realistic simulations grew from an average of 30% in 2020 to 40% in 2023.
CIO INFLUENCE: World Password Day: Password advice for CIOs
“Security training needs to be more engaging, while keeping up with the current challenges faced by developers and software security teams,” said Pinkett. “Being able to see the implication of an attack in the form of stolen data and fraudulent transactions turns vulnerabilities from theoretical issues to tangible problems. Shadow Health includes the vulnerabilities that plague enterprises today in a realistic and contextual training that helps developers master the art of vulnerability detection in an engaging and fun way, while helping organizations build a security-focused culture.”
The CMD+CTRL Security Training Program
More than 250 companies and 25,000 participants have enhanced their skills on Security Innovation’s cyber ranges. The integrated, role-based cybersecurity training portfolio includes over 350 online courses and hands-on learning labs that are designed to prepare learners to prove their skills in the cyber ranges. Shadow Health is the 11th immersive cyber range in the Security Innovation library and is offered in sessions ranging from a half-day to a full week. It is designed to present an intermediate-level challenge that complements other ranges that vary in difficulty and tech stacks, including:
- Shadow Bank (basic) – banking application focused on OWASP Top 10 and security principles
- Forescient (intermediate) – AWS infrastructure with front-end website, virtual servers, accounts, and services
- LetSee Marketplace (advanced) –single page application (SPA) with a heavy API focus
- Infinicrate (advanced) – cloud file storage application for teams using GitHub, cloud services, and development tools
- MailJay (advanced) – level challenge cloud-native marketing automation SaaS suite that emulates a modern-day marketing application, as well as its front-end and back-end services
CIO INFLUENCE: CIO Influence Interview with Lior Yaari, CEO and Co-Founder at Grip Security
[To share your insights with us, please write to sghosh@martechseries.com]
