What I’ll Learn — Security by Design (SbD)
Prerequisites: Foundations (D10S) + Defensible Essentials (TADA Tactical)
What SbD does (and why it matters)
Security by Design turns security goals into engineered outcomes. It gives practitioners a repeatable way to:
- translate business and risk goals into measurable acceptance criteria;
- model systems with CDMs (views, trust boundaries, interfaces, failure domains);
- make trade‑offs using CECs (apply CIE when component trust/containment matters);
- embed guardrails in the SDLC/CI‑CD so secure choices ship by default; and
- prove results with DRM records, Cyber Science experiments, and simple TMC calculations.
How SbD keeps data, code, and architecture secure:
- Data by Design: classify and handle data correctly; enforce encryption, keys, retention, lineage, and access rules at design time; map hazards with DRM and verify outcomes with telemetry.
- Code by Design: define acceptance criteria for code risks; add policy/test-as-code gates (secrets, dependencies, SBOM, signing/attestation) so pipelines block unsafe builds.
- Architecture by Design: draw clear trust boundaries and interfaces (CDMs), select defensible patterns (segmentation, zero‑trust overlays, containment), and document decisions with CECs.
Fundamentals (SbD)
Your foundation in turning requirements into secure designs. You’ll learn to model systems, set measurable acceptance criteria, and design reviews that lead to shippable, defensible outcomes.
You’ll learn
- SbD principles → D10S: Convert goals into acceptance criteria mapped to ISAUnited Defensible 10.
- Model with CDMs: Views, trust boundaries, interfaces, failure domains; identify where controls live.
- Decide with CECs: Record trade‑offs; use CIE for component trust and failure containment.
- TADA inputs to design: Classic models → attack overlays → STRIDE notes feed design choices.
- Design Risk Management (DRM): Hazards, mitigations, residual risk, decision logs.
- Shippable by default: Definition of Done + CI/CD gate policies and basic test‑as‑code.
You’ll produce
- SbD design review record
- CDM pack (views/boundaries/interfaces)
- CEC decision log (incl. any CIE usage)
- Gate policy draft + DRM snapshot
Advanced (SbD)
Level up from practice to proof. Govern patterns, quantify trade‑offs, and package evidence that stands up to review and supports CPL submission.
You’ll learn
- Pattern governance: Select/justify patterns; maintain a reusable pattern pack.
- Secure SDLC integration: Policy‑as‑code, test‑as‑code, signed artifacts, and evidence stored with builds.
- Resilience by design: Containment/rollback plans, zero‑trust overlays, dependency risk, and fallback.
- Quantify with TMC: Simple math for thresholds, performance/reliability trade‑offs.
- Cyber Science validation: Experiments/telemetry to prove claims with repeatable metrics.
- Executive outcomes: Briefs that tie mitigations to risk reduction and D10S.
You’ll produce
- Full SbD kit (patterns, acceptance criteria, policies)
- DRM log with decisions/residual risk
- Metrics & results from labs/tests
- CDM/CEC declaration + signed design review notes
What I’ll Take — Security by Design (SbD)
Level 1: BASICS (required for all students)
First Course B101 — Defensible 10 Standards (D10S) Foundations
Format: Self-paced with Instructor Support | Duration: 12–14 hours
Purpose: Establish a common engineering baseline across all ten ISAUnited domains and teach how a standard is structured and evidenced.
You’ll learn:
- Why standards must be defensible (Problem → Proposed Solution for each domain)
- How a standard is built: Requirements (Inputs), Technical Specifications (Outputs), Principles, Controls, V&V
- The D-SSF snapshot for sub-standard authoring and peer review
Artifacts: 10-domain quick sheets; R/P/C/T matrix; mini V&V table
Second Course B102 — TADA Method & Framework (Technical Adversarial & Defensible Analysis)
Format: Self-paced with Instructor Support | Duration: 12–14 hours
Purpose: Make adversary-aware design decisions and produce traceable evidence.
You’ll learn:
- Classic attack models → architecture overlays; STRIDE; ATT&CK linkage
- DRM logging (hazards, mitigations) and CDM/CEC design artifacts
- How to turn a solution diagram into testable, defensible controls
Artifacts: TADA overlay pack; DRM log; testable acceptance criteria
Progression rule: B101 and B102 are prerequisites for all Core courses.
Level 2: CORE — Security by Design (SbD) Core
Third Course SbD-210: Security by Design — Core Fundamentals
Pattern-driven secure design for common architectures, zero-trust overlays, SSDLC guardrails, evidence hooks, and acceptance criteria tied to D10S.
Last Course SbD-410: Security by Design — Core Advanced
Advanced patterns and governance at scale: API security by design, IaC/cloud guardrails, supply-chain hardening, and end-to-end V&V.
SbD Capstone: Design Review Dossier
Deliver: CDM/CEC set, TADA overlay, DRM log, D-SSF mini standard, V&V results.
What Do I Get — Security by Design (SbD)
Choose one of two outcome paths at registration:
Path A — Knowledge & CPEs
- Who it is for: Practitioners seeking structured learning and verified continuing education.
- You earn: CPE certificate for each completed course and a transcript of completed modules.
- Requirements to complete: Attend and pass course assessments; submit required artifacts to the baseline standard.
- No CPL deliverables required.
Path B — Knowledge & CPEs + CPL Preparation
- Who it is for: Candidates targeting ISAUnited Certified Professional License tracks (CSbDP, CPCE, CPCA).
- You earn: Everything in Path A plus a CPL Readiness Kit aligned to ISAUnited’s evaluation-based licensing (no multiple-choice exams, no interviews).
- Additional deliverables include the D-SSF mini-standard, DRM hazard log, TADA overlay, V&V plan, and program-specific evidence (e.g., architecture decision records or controls mapping).
- Readiness review: Coach-reviewed checklist and feedback aligned to CPL submission expectations; portfolio-based evaluation.
CPE credit: Equal to instructional contact hours per course; certificates are issued upon successful completion.