ECX Active AI Training —
ActiveAI.ch
ActiveAI.ch
Secure Backend Development · CCISO & CEH v13 Aligned
5-Day Curriculum
Modules 03-03 through 03-07
Languages covered: Node.js · PHP/Laravel · Go · Rust · Python/Django/Flask
Governance Backbone
EC-Council ADG Framework
Adopt · Defend · Govern — woven through every module as the operating model for secure AI systems at enterprise scale.
Live lab environment: activevuln.com | Infrastructure: Cyber IaaS
Days 1–2
Secure Backend Development — Modules 03-03 to 03-07
Days 3–5
IAM Roadmap Preview — Modules 04-01 to 04-09 (Part 2)
Dual Cert
Every module mapped to CEH v13 domains and CCISO domains
Chapter 1
Day 1 — Backend Language Security: Part 1
What You Will Cover Today
01
Module 03-03
Node.js Security — Event loop protection, prototype pollution, NoSQL injection, and supply chain hardening.
02
Module 03-04
PHP/Laravel Security — Type juggling exploits, mass assignment vulnerabilities, session hardening, and secure file uploads.
03
Module 03-05
Go Security — Concurrency risks, data races, cryptography standards, and supply chain analysis tooling.
Certification Alignment — Day 1
CEH v13 Domains
Web Application Hacking (Module 14) · Cryptography (Module 20) · DoS/DDoS (Module 10)
CCISO Domains
Domain 1: InfoSec Core Competencies · Domain 2: Risk Management · Domain 3: Security Programs
ADG Layer
ADOPT — engineering delivery controls operationalized through parameterized queries, framework middleware, and CI/CD gates.
All Day 1 lab exercises run on activevuln.com live vulnerable targets, provisioned inside isolated Cyber IaaS student sandboxes. Completion generates ADG Minimum Control evidence artifacts.
Module 03-03
CEH: Web App Hacking · CCISO: InfoSec Core
Node.js Security: Securing the Event Loop
Event Loop Blocking (DoS)
Synchronous CPU-intensive tasks — including ReDoS via catastrophic regex — halt Node.js's single thread. All HTTP requests queue indefinitely. Mitigate with worker threads and strictly async patterns.
Prototype Pollution
Recursive merge functions inject properties into
Object.prototype. Every downstream object inherits the malicious values, enabling auth bypass and RCE. Fix: Object.create(null) and schema validation on all untrusted payloads.Express.js Hardening
Deploy
helmet middleware: enforces HSTS (downgrade prevention), CSP (XSS mitigation), X-Frame-Options: DENY (clickjacking). Disable x-powered-by header to suppress server fingerprinting.NoSQL Injection
Raw
req.body passed to MongoDB allows $gt operator abuse to bypass password checks entirely. Sanitize all payloads with express-mongo-sanitize before ORM operations.Supply Chain Defense
Run
npm audit in every CI/CD pipeline. Use npm ci for deterministic builds. Block post-install scripts with --ignore-scripts to prevent malicious package hooks.Lab — activevuln.com: Exploit prototype pollution in a live Node.js application. Patch the vulnerable merge function and verify remediation with the automated scanner on Cyber IaaS. Completion generates ADG MC-8 evidence.
CEH / CCISO Certification Mapping
Module 03-04
CEH: Web App Hacking · CCISO: Risk Management
Laravel & PHP Security: Type Juggling & Mass Assignment
Type Juggling
PHP's loose
== operator casts types before comparison. "Magic hash" strings such as 0e1234 evaluate to 0, enabling authentication bypass without knowledge of the real password. Mitigation: strict === comparison in all authentication logic.Mass Assignment
Eloquent ORM maps HTTP arrays directly to DB model columns. An attacker appending
&is_admin=true to a profile update request writes the column if unprotected. Fix: enforce strict $fillable allowlists — never use $guarded = [] in production.Session Hardening
Mandate
session.cookie_httponly=1 (block JS access), session.cookie_secure=1 (TLS-only transmission), and session.use_strict_mode=1 (prevent Session Fixation attacks).Secure File Uploads
Validate extension allowlists AND true MIME type via
finfo_file(). Strip EXIF metadata to prevent data leakage. Store uploads outside public_html — direct-access webshell RCE is the critical failure mode when this is skipped.CCISO Governance Link
Mass assignment maps directly to OWASP API3:2023 — Broken Object Property Level Authorization. Document in the organizational risk register per ADG MC-1 (AI System Inventory / Asset Register). CCISO candidates are responsible for maintaining this register entry.
OWASP Alignment
API3:2023
Broken Object Property Level Authorization
A07:2021
Identification & Authentication Failures
Lab — activevuln.com: Exploit type juggling login bypass on a live Cyber IaaS sandbox. Remediate with strict comparison and validate with automated regression tests.
Module 03-05
CEH: Cryptography · CCISO: InfoSec Core Competencies
Go Security: Memory Safety, Concurrency & Supply Chain
Goroutine Leak
Goroutines blocked on channels that never receive data grow memory linearly until an OOM crash. Use
context.WithCancel and always close channels explicitly. Detect leaks in CI with the goleak testing library before they reach production.Data Race
Two goroutines accessing the same memory with at least one write produces silent data corruption — no panic, no warning, just wrong values. Run
go test -race in CI. Enforce safe access patterns via sync.Mutex or channel-based communication.Injection Prevention
Use
database/sql parameterized queries — never fmt.Sprintf for SQL construction. For templates, use html/template (context-aware auto-escaping) over text/template to prevent XSS in generated output.Cryptography Standards
Mandate
crypto/rand over predictable math/rand. Use golang.org/x/crypto/bcrypt for credential storage. Implement AES-GCM via crypto/cipher for authenticated encryption — provides both confidentiality and integrity.net/http Hardening
Set explicit
ReadTimeout, WriteTimeout, and IdleTimeout on the http.Server struct. This prevents Slowloris DoS by forcibly closing stalled connections that attackers use to exhaust server threads.Supply Chain & SAST
govulncheck maps CVEs to specific imported functions in the compiled binary — not just declared dependencies. gosec performs AST-based analysis for hardcoded credentials. golangci-lint enforces idiomatic error handling across the entire CI/CD pipeline.Go's built-in race detector and
govulncheck provide binary-level CVE attribution — a significant advantage over dependency-manifest-only scanners used in other ecosystems.Chapter 2
Day 2 — Backend Language Security: Part 2
Today's Modules
01
Module 03-06
Rust Security — Ownership model, FFI boundary risks, web framework hardening, and dependency trust chain tooling.
02
Module 03-07
Python/Django/Flask Security — Pickle deserialization RCE, SSTI, Django hardening, FastAPI Pydantic defenses, and PyPI supply chain.
Certification Alignment — Day 2
CEH v13
Cryptography (Module 20) · Web App Hacking (Module 14) · Malware Threats (Module 6)
CCISO
Domain 1: InfoSec Core · Domain 2: Risk Management · Domain 3: Security Programs & Operations
ADG Layer
DEFEND — runtime hardening, SAST tooling, and dependency scanning map to ADG's 9 Governance Surfaces.
Day 2 completes the secure coding curriculum. All labs run on activevuln.com via Cyber IaaS. ADG MC-8 and MC-9 evidence artifacts generated upon completion.
Module 03-06
CEH: Cryptography · CCISO: InfoSec Core
Rust Security: Ownership, FFI & Dependency Trust
Ownership & Borrowing
Rust's compiler enforces: one owner, either one mutable reference or multiple immutable references — never simultaneously. This eliminates use-after-free and double-free at compile time, with zero garbage collection overhead. Memory safety is not a runtime feature — it is a compile-time guarantee.
FFI Boundary Risk
Calls to C/C++ libraries require
unsafe blocks. Rust cannot verify external memory safety. The majority of Rust CVEs in the ecosystem originate at FFI boundaries. Audit all unsafe blocks with miri for undefined behavior detection before merging to main.Web Framework Hardening
Axum and Actix-web: enforce payload size limits via typed extractors to prevent memory exhaustion. Use strict routing to block Path Traversal natively. Configure TLS via
rustls — memory-safe, no OpenSSL C-bindings required.Cryptography & Dependency Toolchain
Cryptography Ecosystem
Replace OpenSSL wrappers with native Rust alternatives:
RustCrypto for hashing and block ciphers, ring for AEAD (authenticated encryption), rustls for TLS termination. Each eliminates a C-binding FFI attack surface.Dependency Trust Chain
cargo audit — CVE scanning against advisory database. cargo deny — bans vulnerable crates and enforces license compliance policies. cargo vet — requires manual audit attestation before a crate can be compiled into the binary.Advanced Analysis
cargo fuzz with libFuzzer bombards APIs with malformed inputs to find panics and undefined behavior. miri detects strict-aliasing violations and UB during test execution — essential for all unsafe block validation.Module 03-07
CEH: Web App Hacking · CCISO: Risk Management
Python/Django/Flask Security: Deserialization & Supply Chain
Pickle Deserialization RCE
pickle.loads() executes arbitrary functions defined in __reduce__. Loading any untrusted pickle file equals immediate remote code execution. Replace with json, msgpack, or ast.literal_eval() for safe data parsing. Maps to OWASP A08:2021 — Software and Data Integrity Failures.SSTI — Server-Side Template Injection
User input concatenated into Jinja2 or Django templates allows
{{ config.items() }} to leak secrets or traverse the MRO chain for RCE. Always pass data as context variables — never concatenate user input into template strings.Django Hardening
Enforce
CsrfViewMiddleware. Use ORM parameterized queries natively. Set SECURE_SSL_REDIRECT=True, SESSION_COOKIE_SECURE=True, X_FRAME_OPTIONS='DENY' in production settings.Flask / FastAPI Defenses
Flask-Talisman enforces secure HTTP headers across all routes. FastAPI's Pydantic models enforce strict type hints, value boundaries, and regex patterns on all JSON payloads — neutralizing malformed data attacks at the framework layer before business logic executes.PyPI Supply Chain
Defend against typosquatting (e.g.,
requets vs requests) and dependency confusion attacks targeting private package names. Pin hashes in requirements.txt. Use private PyPI mirrors on Cyber IaaS for air-gapped environments requiring controlled package ingestion.CCISO/CEH Alignment: Deserialization → OWASP A08:2021. Supply chain → CEH Module 14 (Hacking Web Applications) + CCISO Domain 1 (Governance). Both require documented risk register entries per ADG MC-1.
Chapter 3
Days 3–5 — IAM Overview
Part 1 concludes with the IAM module roadmap. Full deep-dives are delivered in ECX Active AI Training Part 2. The preview below maps nine IAM modules to their CEH v13 and CCISO domains.
Days 3–5 Focus
Identity & Access Management — authentication, MFA, password storage, access control, brute force defense, OIDC, OAuth2, Passkeys, and SAML security.
CEH Alignment
Session Hijacking (Module 11) · Web App Hacking (Module 14) · Cryptography (Module 20)
CCISO Alignment
Domain 3: Security Programs & Operations · Domain 1: Governance · Domain 2: Risk Management
All IAM modules provisioned on activevuln.com with Cyber IaaS student sandboxes. Full lab scenarios available in Part 2.
Modules 04-01 → 04-09
CEH: Session Hijacking · CCISO: Domain 3
IAM Curriculum Map
Part 1 concludes with the IAM module roadmap — full deep-dives delivered in ECX Active AI Training Part 2.
9
IAM Modules
Modules 04-01 through 04-09 covered in Part 2
10.5
Total Hours
Instructor-led IAM curriculum in Part 2
3
CCISO Domains
Domains 1, 2, and 3 addressed across the IAM suite
Governance Backbone
ADG Framework Integration: ADOPT · DEFEND · GOVERN
All Part 1 modules map directly to EC-Council's ADG operating model and the RE³ Trust Model. ADG is not another standard — it is the operating model that sits underneath the standards you already have and makes them executable. The architecture is three pillars that scale unchanged from the board to the engineer.
ADOPT — Execute & Deliver
Secure coding practices in Modules 03-03 to 03-07 operationalize ADG's engineering delivery controls. Parameterized queries, supply chain tooling, and framework hardening are all ADOPT-layer artifacts — implemented by engineers and validated in CI/CD.
DEFEND — Secure & Validate
SAST tools (
gosec, clippy, cargo fuzz), runtime hardening (helmet, Flask-Talisman, Axum extractors), and dependency scanning (govulncheck, cargo audit) map to ADG's 9 Governance Surfaces.GOVERN — Oversee & Assure
CCISO candidates own the risk register entries. CEH candidates own the attack surface validation. Both roles are required per ADG MC-3 (Separation of Duties). Neither role alone satisfies the control — both must collaborate.
Lab Stack — ADG-Aligned
activevuln.com
Live vulnerable targets aligned to each module's CVE examples. Attack, patch, and re-test in a controlled environment.
Cyber IaaS
Elastic, isolated sandboxes per student. Prevents cross-student contamination. Supports air-gapped registries.
Lab completions generate ADG MC-8 (Runtime Monitoring) and ADG MC-9 (Incident Response) evidence artifacts — directly usable in CCISO portfolio submissions.
Certification Reference
CCISO & CEH v13 Certification Alignment — Part 1
Every module in Part 1 maps to specific exam domains for both certifications. Use this table as your exam preparation reference and evidence cross-walk.
CEH v13 Exam Coverage
3/20
CEH Modules
Modules 11, 14, and 20 directly addressed in Part 1 curriculum
5/5
Languages
All five backend languages covered with hands-on lab exercises
CCISO Domain Coverage
3/5
CCISO Domains
Domains 1, 2, and 3 covered across Part 1 modules
9/9
ADG Controls
All 9 ADG Governance Surfaces addressed through DEFEND-layer tooling
Lab Infrastructure
Lab Infrastructure: activevuln.com + Cyber IaaS
activevuln.com
Live vulnerable application targets — each module has a dedicated lab scenario with real CVE-mapped exploits. Students attack, patch, and re-test in a controlled environment that mirrors the CEH Practical exam format: timed, hands-on exploitation and remediation tasks scored against OWASP Top 10 and MITRE ATT&CK mappings.
Cyber IaaS Platform
Cloud-delivered security infrastructure providing elastic VM provisioning per student cohort. Isolated network segments prevent cross-student contamination. Supports air-gapped PyPI mirrors, private npm registries, and Go module proxies — essential for supply chain lab scenarios.
CI/CD Integration
Each lab includes a pre-configured pipeline (GitHub Actions / GitLab CI) with SAST tools pre-installed. Students submit fixes and see automated pass/fail results scored against security gates — simulating real enterprise DevSecOps workflows.
ADG Evidence Artifacts
Lab completions generate ADG MC-8 (Runtime Monitoring) and ADG MC-9 (Incident Response) evidence artifacts — directly usable in CCISO portfolio submissions without additional documentation overhead.
CEH Practical Prep
activevuln.com scenarios mirror the CEH Practical exam format exactly — timed exploitation and remediation tasks scored against OWASP Top 10 categories and MITRE ATT&CK technique mappings.
Completion & Next Steps
Part 1 Completion: Your Path to Certification
Modules Completed in Part 1
03-03
Node.js Security
03-04
PHP / Laravel
03-05
Go Security
03-06
Rust Security
03-07
Python / Django / Flask
Readiness Snapshot
CEH v13 Readiness
Modules 11 (Session Hijacking), 14 (Web App Hacking), and 20 (Cryptography) — core exam domains covered with hands-on lab evidence from activevuln.com.
CCISO Readiness
Domains 1 (Governance & Risk), 2 (Security Controls), 3 (Security Programs) — risk register entries and ADG Minimum Control evidence artifacts generated and portfolio-ready.
Next: ECX Active AI Training Part 2
Identity & Access Management — Modules 04-01 through 04-09.
01
OAuth2 & OIDC
DPoP tokens, Auth Code + PKCE, FAPI 2.0, RFC 9700.
02
Passkeys & WebAuthn
FIDO2 attestation, phishing-resistant auth, account recovery.
03
SAML Security
XML Signature Wrapping (XSW), XXE in SAML parsers.
04
AI-Layer IAM Governance
ADG GOVERN-layer controls for AI system identity and access.
Key Resources
- activevuln.com — lab portal and scenario tracker
- Cyber IaaS — student dashboard and sandbox manager
- EC-Council ADG Framework §11 Controls reference
Sources