Training Syllabus
Paul Ionescu edited this page Sep 9, 2019
Challenge Name | SANS 25 CWE(s) | OWASP Top 10 2017 | PCI-DSS Req. 6 |
---|---|---|---|
Yellow Belt : Missing Authentication for Critical Function | CWE 306 | A2 | 6.5.10, 6.5.8 |
Yellow Belt : Reliance on Untrusted Inputs in a Security Decision | CWE 807 | A2; A5 | 6.5.10, 6.5.8 |
Yellow Belt : Missing Authorization | CWE 862 | A5 | 6.5.10 |
Orange Belt : Missing Encryption of Sensitive Data | CWE 311 | A3 | 6.5.3, 6.5.4 |
Orange Belt : Use of a Broken or Risky Cryptographic Algorithm | CWE 327 | A3 | 6.5.3, 6.5.4 |
Orange Belt : Use of a One-Way Hash without a Salt | CWE 759 | A3 | 6.5.3, 6.5.4 |
Green Belt : Password Guessing Attack | CWE 307; CWE 798 | A2 | 6.5.10 |
Green Belt : Integer Overflow or Wraparound | CWE 190 | N/A | N/A |
Green Belt : Download of Code Without Integrity Check | CWE 494 | N/A | N/A |
Purple Belt : URL Redirection to Untrusted Site ('Open Redirect') | CWE 601 | N/A | N/A |
Purple Belt : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and related flaws | CWE 79; CWE 829 | A7 | 6.5.7 |
Purple Belt : Cross-Site Request Forgery (CSRF) | CWE 352 | N/A | 6.5.9 |
Blue Belt : Unrestricted Upload of File with Dangerous Type | CWE 434 | N/A | 6.5.8 |
Blue Belt : Improper Restriction of XML External Entity Reference ('XXE') | CWE 611 | A4 | 6.5.1 |
Blue Belt : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE 22 | A5 | 6.5.8 |
Brown Belt : Incorrect Authorization | CWE 863 | A5 | 6.5.4 |
Brown Belt : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and related flaws | CWE 78; CWE 250; CWE 732 | A1 | 6.5.1 |
Brown Belt : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE 89 | A1 | 6.5.1, 6.5.5 |
Black Belt : Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') and related flaws | CWE 120; CWE 676 | N/A | 6.5.2 |
Black Belt : Use of Externally-Controlled Format String | CWE 134 | N/A | N/A |
Black Belt : Quiz | All of the above | All of the above | All of the above |
Second Degree Black Belt : Security Misconfiguration | N/A | A6 | N/A |
Second Degree Black Belt : Sensitive Data Exposure | CWE 311; CWE 327; CWE 759 | A3 | 6.5.3, 6.5.4 |
Second Degree Black Belt : Broken Authentication & Broken Access Control | CWE 306; CWE 862 | A2; A5 | 6.5.10, 6.5.8 |
Second Degree Black Belt : Cross-Site Scripting | CWE 79 | A7 | 6.5.7 |
Second Degree Black Belt : Injection | CWE 78 | A1 | 6.5.1 |
Second Degree Black Belt : XML External Entities | CWE 611 | A4 | 6.5.1 |
Second Degree Black Belt : Using Components with Known Vulnerabilities & Insecure Deserialization | CWE 509 | A8; A9 | 6.5.1 |
Security Code Review Master : Input Validation | Various | Various | Various |
Security Code Review Master : Parameterized Statements | CWE 78; CWE 89 | A1 | 6.5.1 |
Security Code Review Master : Memory Best Practices | CWE 120; CWE 131; CWE 193; CWE 134 | N/A | 6.5.2 |
Security Code Review Master : Protecting Data | CWE 311; CWE 312; CWE 759; CWE 319; CWE 327 | A3 | 6.5.3, 6.5.4 |
Security Code Review Master : Preventing Cross-Site Scripting | CWE 79 | A7 | 6.5.7 |
Security Code Review Master : Indirect Object References | CWE 22; CWE 601 | A5 | 6.5.8 |