This curriculum covers the range of security infrastructure work found in multi-workshop technical advisory programs, from design through runtime, and aligns with the continuous governance demands of internal cloud security and compliance initiatives in regulated environments.
Module 1: Secure Architecture Design and Threat Modeling
- Selecting between monolithic and microservices architectures based on attack surface exposure and data flow complexity.
- Implementing threat modeling using STRIDE to identify spoofing risks in user authentication pathways.
- Deciding whether to adopt zero-trust principles across internal service communications or maintain perimeter-based segmentation.
- Integrating security controls early in architecture diagrams, such as enforcing mutual TLS between backend services.
- Evaluating third-party component trustworthiness during design, including open-source libraries with known CVEs.
- Documenting data classification levels and mapping them to encryption and access control requirements in system diagrams.
Module 2: Identity and Access Management (IAM) Integration
- Choosing between OAuth 2.0 and OpenID Connect based on application needs for authorization versus authentication.
- Configuring role-based access control (RBAC) with least-privilege principles across multi-tenant SaaS environments.
- Implementing just-in-time (JIT) provisioning for temporary access to production systems during incident response.
- Enforcing MFA for administrative roles while balancing usability for non-privileged users.
- Managing service account lifecycle, including rotation of long-lived credentials in automated workflows.
- Integrating with enterprise directories (e.g., Active Directory, Azure AD) while handling attribute mapping conflicts.
Module 3: Secure Coding and Dependency Management
- Enforcing static application security testing (SAST) in CI pipelines with fail thresholds for critical vulnerabilities.
- Using SBOM tools to block builds that include open-source dependencies with known high-severity CVEs.
- Implementing input validation strategies to prevent injection attacks in dynamic query construction.
- Choosing secure memory handling patterns in languages like C/C++ to prevent buffer overflow conditions.
- Managing secrets in code repositories by replacing hardcoded credentials with runtime injection via vaults.
- Conducting peer code reviews with checklists focused on common vulnerabilities like CSRF and improper error handling.
Module 4: Data Protection and Encryption Strategies
- Selecting between application-level and database-level encryption based on compliance requirements and performance impact.
- Implementing key rotation policies for AES-256 encryption keys in cloud key management systems (e.g., AWS KMS).
- Masking sensitive data in logs and monitoring tools to prevent PII exposure during debugging.
- Designing tokenization systems for payment data to reduce PCI DSS scope in transaction processing.
- Enabling transparent data encryption (TDE) on databases while managing backup encryption dependencies.
- Assessing the feasibility of homomorphic encryption for analytics on encrypted datasets in regulated industries.
Module 5: API Security and Secure Communication
- Enforcing rate limiting and quota management on public APIs to mitigate denial-of-service risks.
- Validating and sanitizing payloads in REST and GraphQL endpoints to prevent query injection and overposting.
- Implementing OAuth scopes to restrict API access based on user roles and data sensitivity.
- Using mTLS for service-to-service communication in Kubernetes clusters to prevent lateral movement.
- Configuring API gateways to strip sensitive headers and enforce request/response schema validation.
- Monitoring for anomalous API usage patterns indicative of credential theft or automated scraping.
Module 6: Security in CI/CD and DevOps Pipelines
- Integrating dynamic application security testing (DAST) into staging environments with authenticated scans.
- Enforcing signed commits and pipeline provenance to prevent unauthorized code injection.
- Restricting pipeline permissions using ephemeral credentials scoped to specific deployment targets.
- Automating container image scanning and blocking deployments with critical vulnerabilities.
- Implementing immutable infrastructure patterns to prevent configuration drift in production.
- Logging and auditing all pipeline executions for forensic traceability during incident investigations.
Module 7: Incident Response and Runtime Protection
- Configuring web application firewalls (WAF) with custom rules to block OWASP Top 10 attack patterns.
- Deploying runtime application self-protection (RASP) agents to detect and terminate malicious execution threads.
- Establishing thresholds for anomaly detection in user behavior, such as abnormal data export volumes.
- Integrating SIEM systems with application logs to correlate security events across services.
- Executing containment procedures during active breaches, including selective service shutdowns.
- Conducting post-incident reviews to update threat models and close identified security gaps.
Module 8: Compliance, Auditing, and Governance
- Mapping application controls to regulatory frameworks such as GDPR, HIPAA, or SOC 2 during design.
- Generating audit trails for privileged operations with immutable storage and tamper protection.
- Conducting third-party penetration tests and managing remediation timelines for critical findings.
- Documenting data residency requirements and enforcing storage location constraints in multi-region deployments.
- Implementing configuration baselines for infrastructure as code (IaC) to maintain compliance posture.
- Coordinating evidence collection for audits, including access logs, change records, and vulnerability scan reports.