April 4th, 2025
Test Connection Safelisting Tool
We are really excited to announce that we have developed a new page that can be used to test your organization's network connection. When a user or admin accesses this page, it will test all the required Security Journey domains and alert you if you need to work with your Network team to adjust your safelisting rules. If one of these domains is not accessible, our content may not work as expected.
Check it out here!
April 3rd, 2025
Learning Swing Modal Redesign
Our learning swing modal got a much needed face-lift!
April 2nd, 2025
New Content & Path Alert 🚨
Blockchain Security | Reentrancy
In our newly updated blockchain lesson, “Blockchain Security | Reentrancy”, we’ve added an interactive IDE that allows learners to fix vulnerabilities directly in the smart contract code. This hands-on approach strengthens our appeal to the DeFi sector—an area underserved by existing training platforms—and positions us to be a leader in blockchain security education.
You can access the lesson here: Blockchain Security | Reentrancy
Next.js Publicly Disclosed Vulnerability CVE-2025-29927
Our team created a CTF-style lesson that challenges learners to exploit CVE-2025-29927, a vulnerability in Next.js middleware that was publicly disclosed on March 21, 2025. The CVE lets an unauthenticated attacker skip the middleware entirely, and with it any authorization check implemented there, so protected content becomes reachable. Any application that enforces access control only in middleware is affected; besides upgrading to a patched Next.js release, the practical defense is to re-check authorization in the route handler or page itself rather than trusting that the middleware ran. Learners can use either the intercept request feature or make a direct request using GetMan to reach a protected page and capture the flag.
You can try the lesson here: CTF: Music Calendar Break-in
Secure Privilege Management
A customer requested training content focused on CWE-268: Privilege Chaining. In response, we delivered a focused set of four lessons that directly address this weakness. These lessons emphasize the core security principles needed to understand and prevent privilege chaining vulnerabilities. Path details are as follows:
Insecure Design | Incorrect Privilege Assignment
This lesson explores Incorrect User Management, highlighting the security risks that arise when the principle of least privilege is not adequately enforced.
Challenge: Setuid Vulnerability Exploitation
In this challenge, you’ll examine a vulnerable setuid executable that runs with elevated privileges, exposing a critical security flaw. Your task is to analyze the program, identify the weakness, and exploit it to disable logins to the system.
Privilege Escalation: Container Escape
In this lesson, you’ll explore how misconfigured Docker environments can lead to privilege escalation attacks. By interacting with Docker containers, you’ll learn how attackers can exploit improper permissions to gain unauthorized root access.
Privilege Chaining in Databases
This hands-on lesson demonstrates how privilege chaining vulnerabilities can expose sensitive data in MySQL.
Learners will exploit a misconfigured SQL view to read restricted salary information despite lacking direct permissions on the underlying table. Through guided remediation, they learn to secure views with SQL SECURITY INVOKER (MySQL defaults to SQL SECURITY DEFINER, which runs every query through the view with the view creator's privileges) and to avoid common access control pitfalls when working with database objects.
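The following MySQL script is an added example, not the lesson's own code, that shows the privilege chain the lesson describes and the SQL SECURITY INVOKER remediation. The schema, the table data and the accounts (an administrative `hr_admin` that runs the script and a low-privilege `analyst`) are constructed for illustration.

```sql
-- Added example (not from the Security Journey lesson). Assumes MySQL 8.x,
-- run as the schema owner 'hr_admin'@'localhost'. Names and data are constructed.
CREATE DATABASE IF NOT EXISTS hr;
USE hr;

CREATE TABLE employees (
  id     INT PRIMARY KEY,
  name   VARCHAR(64)   NOT NULL,
  dept   VARCHAR(32)   NOT NULL,
  salary DECIMAL(10,2) NOT NULL      -- restricted column
);
INSERT INTO employees VALUES
  (1, 'Ada',   'eng', 185000.00),
  (2, 'Grace', 'eng', 172000.00),
  (3, 'Linus', 'ops',  98000.00);

-- The analyst account deliberately gets NO privileges on hr.employees.
CREATE USER IF NOT EXISTS 'analyst'@'%' IDENTIFIED BY 'change-me';

-- Misconfigured view: SQL SECURITY defaults to DEFINER, so every query through
-- the view executes with hr_admin's privileges, and SELECT * silently carries
-- the salary column along with it.
CREATE VIEW dept_roster AS
  SELECT * FROM employees;
GRANT SELECT ON hr.dept_roster TO 'analyst'@'%';

-- Privilege chain, as analyst:
--   SELECT name, salary FROM hr.dept_roster;   -- succeeds, returns every salary
--   SELECT salary FROM hr.employees;           -- ERROR 1142: SELECT command denied
-- The analyst never held SELECT on employees; the view lent them the definer's.

-- Remediation, two parts:
--  1. expose only the columns the view is meant to publish (no SELECT *);
--  2. SQL SECURITY INVOKER makes MySQL check the CALLING user's privileges on
--     the base table, so the view can no longer chain into the definer's rights.
CREATE OR REPLACE SQL SECURITY INVOKER VIEW dept_roster AS
  SELECT id, name, dept FROM employees;

-- With INVOKER, analyst now fails until granted what the view actually reads
-- (ERROR 1356: definer/invoker of view lack rights). Grant exactly that:
GRANT SELECT (id, name, dept) ON hr.employees TO 'analyst'@'%';
--   SELECT name, dept   FROM hr.dept_roster;   -- succeeds
--   SELECT salary       FROM hr.dept_roster;   -- fails: no such column in view
--   SELECT salary       FROM hr.employees;     -- ERROR 1143: column access denied

-- Audit check: list every view in the schema still running as its definer.
SELECT table_schema, table_name, definer, security_type
FROM information_schema.views
WHERE table_schema = 'hr' AND security_type = 'DEFINER';
```

The audit query at the end is the check to run across a real server (drop the `table_schema` filter): any DEFINER view owned by a high-privilege account and granted to lower-privilege users is a candidate for exactly this chain.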
You can find the path here.
March 27th, 2025
Certificate Redesign 🎉
We released a new look and feel for our Security Journey Certificates! This will apply to any new and previously completed paths. You can download your new certificates from your Achievements in your User Profile.
March 26th, 2025
Coding Challenge Instruction Refresh & Quiz Question Refresh
Coding Challenge Instructions Refresh
Code Challenges, which give learners access to a full codebase, were originally designed to follow our break/fix lessons. As a result, some challenges assumed prior knowledge—such as login credentials—gained in earlier lessons, making it difficult to complete them as stand-alone activities or in a tournament setting.
Our team has now revisited each Code Challenge to update and improve the instructions, ensuring that learners have all the information they need to complete the tasks independently!
Quiz Question Refresh
Our Content team has gotten a lot of feedback around improving the quiz questions in some of our older video lessons. For context, many of these quizzes were originally created by a third-party vendor, and the quality has been inconsistent—often lacking subject matter expertise and clarity.
In response, we’ve committed to reviewing and improving the quiz content in 80 lessons, with a focus on quality and providing meaningful feedback to learners. Over the past two weeks, we’ve updated 43 of those lessons. See the current updated lessons below:
Introduction to Go security
Go Threat Landscape
Go and OWASP Top 10 | Part 1
Go and OWASP Top 10 | Part 2
Secure Coding in Go
Secure Database Interactions in Go
Go Request Context Security
Secrets Management with Go
Secure Concurrency with Go
Go Secure Micro-service Architecture
Go Service Hardening
Python Threat Landscape
Secure Constructs in Python
Input Validation with Python
Secure Coding with Python | Part 1
Secure Coding with Python | Part 2
Secure Coding with Python | Part 3
Secure OS interactions with Python
Secure Serialization with Python
Storing and Using Secrets with Python
Secure Control Flow in Python
Introduction to Scala Security
Scala Input Validation
Scala OWASP Top 10 | Part 1
Scala OWASP Top 10 | Part 2
Scala OWASP Top 10 | Part 3
Scala Software Supply Chain
Scala Security Best Practices
Introduction to Rust Security
Rust Secure Coding Tips
Unsafe Rust & FFI
Rust OWASP Top 10 Pt. 1
Rust OWASP Top 10 Pt. 2
Rust OWASP Top 10 Pt. 3
Rust Secure Software Supply Chain
Rust Security Toolchain
Typescript: Intro to Typescript Security
Typescript: Secure Coding with Typescript part 1
Typescript: Secure Coding with Typescript part 2
Typescript: Input Validation for Typescript
Typescript: Secure Constructs with Typescript Part 1
Typescript: Secure Constructs with Typescript Part 2
Typescript: Typescript Secure Build Toolchain
March 14th, 2025
Assessment Due Dates
We've already made improvements to our new Developer Security Knowledge Assessment experience by adding in the time limit or due date to the Map and List View.
March 12th, 2025
Developer Profile
Starting today, learners visiting the Security Journey Platform will be asked to complete the Developer Profile, which captures key details like:
Their background and experience
Preferred programming languages
Job roles, architectural tools, and security knowledge
Capturing this information will allow you in the future to tailor training to each developer's expertise and deliver more relevant and impactful content. To learn more about our Developer Profile, check out this article!
February 18th, 2025
New Top 25 CWE Path
Top 25 CWEs
25 NEW Video Lessons covering the Top 25 CWEs have been released!
MITRE Corporation maintains the CWE Top 25, a list of the most critical software weaknesses across many application types. Unlike the OWASP Top 10, which focuses on web application security, the CWE Top 25 includes weaknesses found in native applications and other non-web environments.
Customers have frequently asked about our coverage of this topic and we now have a comprehensive set of lessons to help learners understand and mitigate these critical security flaws!
It's at our Foundational Level. You can find it under Paths & Quests > Recommended Paths > Video and Hands-On > CWE Top 25.
February 14th, 2025
Updated OWASP Top 10 for LLM Applications 2025 Paths & NEW Hacking Challenges
OWASP Top 10 for LLM Applications 2025
Our team has released a new course that covers LLM security, including lessons specific to the updated OWASP Top 10 for LLM Applications list.
We've also added a new video component to these hands-on lessons to streamline the learning experience. Learners who need additional depth can now watch relevant videos without leaving the hands-on lesson, making it easier to absorb key concepts in context.
You can find these new paths here:
Paths & Quests > Recommended Paths > Hands-On Only > HackEDU: OWASP Top 10 for LLM Applications
Paths & Quests > Recommended Paths > Video and Hands-On > AI/LLM Security
For more details check out this article.
Three New Hacking Challenges
This week, we introduced three new Capture The Flag (CTF) challenges:
CTF based on a publicly disclosed WordPress vulnerability.
Birthday Attack - Hacking Challenge inspired by the birthday paradox
Escape Macrodata Refinement - CTF inspired by the Apple TV+ series Severance.
February 11th, 2025
Developer Security Knowledge Assessments 🎉
NEW FEATURE ALERT! Our Developer Security Knowledge Assessments are LIVE!
Assessments are a powerful tool designed to evaluate developers' understanding of secure coding and application security principles.
Our assessment helps organizations measure and improve their teams' security proficiency, ensuring they are equipped to build secure applications from the ground up.
To learn more, check out this collection of articles and find out how you can use them today!
January 31st, 2025
Assignment Reminder Frequency Update & Reporting Improvements
Ability to Send Daily Assignment Reminders
You can now send daily reminders to your learners by updating your Assignment notification settings, which can be changed at any time. Once enabled, learners receive a bell notification once a day until they complete their training. If they do not clear the bell notification within an hour of receiving it, they also get an "Unread Notification" email reminding them of their assigned training.
New Path Filters
We recently rolled out some new filters within our Progress Report and Assignment Progress reports to make reporting on learners' progress in paths even easier!
Within the Progress Report and Assignment Progress report you can filter on path enrollment, or identify learners who have not yet enrolled in a path. This lets you track who has not yet logged in and started training.
January 23rd, 2025
CWE Filter Vulnerability Details on Hover
We've made using CWE Filters even easier! You can now hover your cursor over a CWE number and the name of the weakness will be displayed. This should make finding and assigning what you need even easier!
January 16th, 2025
CWE Filter Displays Total Lesson Count
The CWE Filter in the Custom Path UI now displays the total number of lessons associated with each CWE number.
This mirrors the Full Catalog experience.
Please note that the numbers in the Full Catalog can be higher than in the Custom Path UI, as the Full Catalog displays Tournament-Only content (and the Custom Path UI does not).
January 9th, 2025
Navigation Bar & User Profile Updates 🎉
We've made some big improvements to our Platform Navigation Bar & User Profile settings.
Notable changes include:
Log Out moved to the bottom of the User Profile dropdown
More Menu has been removed and features reorganized
To learn more, check out this article!