Yesterday I finished the 19th Green Belt course from Security Journey. Yup, that's right, 19. I've got 19 certificates to prove it, even. Well, 20, because there is also one for the Threat Modelling course, which was separate. I want to share some thoughts about it.
Was it useful? I would say that for me, someone who learnt a lot about security while working at Citi, there was probably not that much entirely new material. I learnt about new types of attacks, especially in the courses about languages/platforms outside my current stack, but in regards to the "general" types of things... I already knew most of them, even if in some cases I may not have known the specific terms. Another explanation is that when building the core of my website, I did research best practices, including security ones.
That, of course, does not detract from the courses themselves. They contain a lot of information about common types of attacks and ways to mitigate them, including different tools that can help you increase security. There was a ton of information about SAST, for example, that I have not yet utilized to the full extent, since I was mostly relying on linters rather than actual scanners.
Quite a few of the courses also leaned heavily on ORMs. Before these courses I had never even heard the term, which surprised me, since it should be an important tool when coding in PHP. It made me look into Doctrine, and by extension into Symfony. I've already been using Twig and their HTML Sanitizer, but looking into the other modules it provides, I am now considering switching to it, even though previously I was not willing to use a framework at all. I am not entirely sure yet, but since I've also learnt about a relatively obscure way to attack data, it may be worth refactoring after all; I do not fear refactoring.
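As an added example (mine, not the course's or this post's code), here is the mechanism that an ORM such as Doctrine relies on for keeping user input out of the SQL text, shown with plain PDO so it runs without Composer. The table, the rows and the name containing an apostrophe are constructed for the demo; the function names are my own.

```php
<?php
// Added example: the difference between building SQL by string concatenation
// and sending values as bound parameters, which is what Doctrine DBAL's
// executeQuery($sql, $params) and the ORM's query builder do underneath.
// Uses an in-memory SQLite database so the script is self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
// Constructed rows; note the doubled quote in O''Brien is SQL's own escaping.
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('O''Brien', 'user')");

// Pattern the courses warn against: the input becomes part of the SQL text,
// so any quote in it is parsed as SQL syntax, not as data.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised version: the SQL text is fixed and the value travels
// separately, so the database never interprets it as syntax.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien"; // ordinary user input that happens to contain a quote

// The bound-parameter query finds the row as expected.
echo "safe:   ", json_encode(findUserSafe($pdo, $input)), PHP_EOL;

// The concatenated query breaks on the quote, and a malformed statement is
// exactly the condition an injection exploits. An ORM removes this class of
// bug by never letting you build the statement this way.
try {
    echo "unsafe: ", json_encode(findUserUnsafe($pdo, $input)), PHP_EOL;
} catch (PDOException $e) {
    echo "unsafe: query failed: ", $e->getMessage(), PHP_EOL;
}
```

The point for the refactoring decision in the post: moving data access behind Doctrine (or even just a thin DBAL layer) means the parameterised form is the default rather than something each query author has to remember.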
I do have some complaints about the course, though:
- The quality of the text (I was reading, not watching videos) varies greatly from lesson to lesson. From what I understood, some of the texts are essentially speech-to-text. This not only introduces typos, but also makes certain portions of the text a bit... confusing, maybe? Strange? This should not happen: if you are earning money from the course, proof-read the texts. It's not like you will be updating them that often.
- The information about some security headers was outdated. There were even mentions of deprecated ones, or ones that are currently discouraged because they are not part of the standard. It may still be worth mentioning them, because they may be useful if your app targets very old browsers, but the text should clearly state that those headers are "niche".
- There were a few statements that were more like opinions but were presented as facts. In the text itself it was more or less OK, but then you would get a question in the assessment whose answer was that opinion. I think I tagged all of them through the feedback functionality, but it may still be a good idea to review all the questions.
Overall, though, I think this was time well spent. I doubt I will retain all the information outside my stack, but at least I re-confirmed that I do have a security-centred mind, which is good (potential employers, take note). And I do recommend it for others, especially if you are new to security in software: the White and Yellow Belts will "ease you in" just right.