This course offers instructor-led instruction centred on secure coding principles and defensive programming techniques. Participants acquire skills in designing and authoring secure code, mitigating prevalent vulnerability categories, and methodically detecting deficiencies during code review.

The course focuses on secure-by-design principles, root-cause analysis of software vulnerabilities, and practical mitigation solutions in accordance with established industry standards such as OWASP. Participants develop the capability to identify insecure patterns, strengthen input validation, enforce appropriate authentication and authorisation controls, and implement robust error handling mechanisms. The course covers fundamental secure coding principles and presents supplementary topics on secure component integration and DevSecOps workflows. These supplementary sections offer contextual insight into dependency risks, fundamental SBOM concepts, and the incorporation of security checks into development pipelines, while the core of the course remains secure software development at the code level. Upon completion, participants can apply secure coding techniques across various programming platforms and incorporate security considerations into routine development processes.

ECSF Proficiency Level: Intermediate
EQF Level: EQF Level 6 (Bachelor's degree equivalent)
Training Type: Upskilling
Delivery Method: Hybrid & Physical
Duration: 16 hours
Trainee Group Size: 12-24
ECSF Skills Covered:
  • Review codes assess their security – Advanced
  • Decompose and analyse systems… – Intermediate
  • Identify and solve cybersecurity-related issues – Intermediate
  • Implement cybersecurity recommendations… – Intermediate
  • Develop code, scripts and programmes – Intermediate
  • Conduct user and business security requirements analysis – Intermediate
Learning Objectives:
  • Explain secure-by-design and secure-by-default principles within modern software development environments.
  • Analyse common software vulnerability classes and their root causes across different programming paradigms.
  • Apply structured secure coding methodologies aligned with OWASP and industry best practices.
  • Perform systematic secure code reviews using vulnerability identification techniques.
  • Integrate security controls into the software development lifecycle (SDLC).
  • Select and justify appropriate mitigation strategies for identified application security weaknesses.
  • Apply language-agnostic defensive programming patterns prior to specialization in a selected CR module.
Learning Outcomes:
  • Identify and classify software vulnerabilities (e.g., injection, memory corruption, authentication flaws, insecure deserialization).
  • Decompose application components to detect weak input validation, insecure data handling and ineffective access controls.
  • Conduct structured secure code analysis and document security findings.
  • Propose and implement secure coding improvements consistent with recognised best practices.
  • Evaluate the effectiveness of remediation strategies against defined threat models.
  • Integrate secure development principles into practical coding exercises within the selected CR specialization (C/C++, .NET/C#, Java, Python or Mobile).
Course Structure (Learning Nodes):

1. Secure-by-Design Foundations and OWASP Risk Framework
  • Secure-by-design and secure-by-default principles
  • Introduction to OWASP Top 10 as a secure coding workflow model
  • Mapping vulnerability classes to root causes
  • Threat modelling fundamentals aligned with OWASP categories
  • Developer responsibility within secure SDLC

2. OWASP Top 10 – Vulnerability Classes and Secure Coding Patterns
  • Injection flaws and secure input validation
  • Broken authentication and secure identity controls
  • Access control weaknesses and authorisation enforcement
  • Cryptographic failures and secure data protection
  • Insecure design and architectural anti-patterns
  • Security misconfiguration and defensive configuration practices
  • Vulnerable and outdated components (dependency risks)
  • Identification and authentication failures
  • Software and data integrity failures
  • Logging and monitoring considerations at development level
  • Each category includes:
    • Root cause analysis
    • Insecure code example
    • Secure coding remediation pattern
    • Prevention guidelines

3. Secure Code Review Methodology (OWASP-aligned)
  • Systematic review based on OWASP risk categories
  • Manual secure code inspection techniques
  • Introduction to static analysis (SAST) tools
  • Root-cause remediation and refactoring strategies
  • Documenting findings and communicating risk

4. Secure Component Integration & SBOM (Supporting – LOS 21)
  • OWASP perspective on vulnerable and outdated components
  • Third-party library risk assessment
  • Introduction to SBOM concepts (SPDX, CycloneDX)
  • Software Composition Analysis (SCA) fundamentals
  • Dependency update and patch governance

5. DevSecOps and Secure Deployment Practices (Supporting – LOS 22)
  • Integrating OWASP-based controls into SDLC
  • Embedding SAST and SCA into CI/CD pipelines
  • Secure pipeline validation gates
  • Continuous security testing workflow
  • Developer feedback loops and remediation tracking

6. Applied Secure Coding Workshop (OWASP-driven)
  • Vulnerability identification in sample code aligned with OWASP categories
  • Refactoring insecure patterns into secure implementations
  • Applying structured mitigation workflows
  • Group-based review and remediation validation
