Security as a design quality
The first four weeks bring tech and non-tech students to one shared level. Security here is not a final check or a hacking course, but a design attitude: broad across product, process, people and organisation. The practice serves to make knowledge stick before the knowledge test; deep technical skill comes afterwards.
01 Starting points
P1 Secure by Design
Security is a design quality that travels along from the start, not a final check. That is the common thread through all four weeks.
P2 Broad, not IT-framed
Product, process, people and organisation take centre stage. Do not open with hacking; technology is one angle, not a prerequisite.
P3 9 blocks per week
Blocks 1-7 are real lessons, block 8 is social/game, block 9 is integration & reflection. Activating formats land in 8 and 9.
P4 Continuous case
The security context canvas from week 1 grows week after week into the secure-by-design dossier in week 4. One case ties everything together.
P5 Tech + non-tech equal
The dividing line is comfort with technology, not prior knowledge. Security is new to both; the test is the same for everyone.
P6 Practice = anchoring
Game, canvas and retrieval serve memory before the knowledge test, not independent capability. That comes after this minor.
Mindset & culture
Block 1
- Core: Security is not a final check but a design quality that travels along from the start.
- Topics: CIA/BIV, product security, security first; OV-chipkaart, DigiNotar, Stuxnet as failing principles.
- Do: Short kickoff; whole-class 'what does securely designed mean'; use mini-incidents to recognise BIV/CIA; start a shared glossary card.
- Stations: S1 Basics & awareness / product security; S2 Security mindset & culture
Block 2
- Core: Explore damage, impact and risks without diving straight into technology.
- Topics: SMS spoofing, IMEI cloning, stingray, USB, power plants, public infrastructure, robots, supply chain.
- Do: Group brainstorm per domain; sort examples by product/service/process/system; discuss damage and impact.
- Stations: S1 Basics & awareness / product security; SO Other topics
Block 3
- Core: Basic principles as design rules for safer choices.
- Topics: Cryptography & limits, confidentiality, integrity, authentication, non-repudiation, defense in depth, access control.
- Do: Explain principles through recognisable design choices; link to earlier risks; make a short principle card.
- Stations: S1 Basics & awareness / product security; S6 Security requirements & architecture
Block 4
- Core: Security is bound up with behaviour, routines, responsibility and culture.
- Topics: Social engineering, training/information, not everything is technically solvable, action on a suspected incident.
- Do: Discuss phishing/social-engineering examples; pair task 'why do people click?'; design one behavioural measure.
- Stations: S2 Security mindset & culture; SO Other topics
Block 5
- Core: Map who has a stake in security and who influences design choices.
- Topics: Threat actors (state, hacker, competitor); interests of user, organisation, supplier, regulator, administrator.
- Do: Make a stakeholder map; discuss roles and interests; formulate one security expectation per stakeholder.
- Stations: S2 Security mindset & culture; S3 Hacker mindset & threats; S4 Governance & supply chain
Block 6
- Core: Determine what must be protected and how a design can be abused.
- Topics: Data, processes, systems, people, devices, identity, authentication, access management, data abuse.
- Do: Inventory assets; determine asset value; write first abuse cases from the user, attacker and administrator perspective.
- Stations: S1 Basics & awareness / product security; S3 Hacker mindset & threats; S5 Threat modelling, monitoring & risk; SO Other topics
Block 7
- Core: The week closes substantively with context, assets, stakeholders and first abuse scenarios.
- Topics: Security context, assets, stakeholders, threat actors, vulnerabilities, possible damage, first abuse cases.
- Do: Teams present their context in 3 minutes; peer questions; the teacher makes the shared thread visible.
- Stations: S1 Basics & awareness / product security; S2 Security mindset & culture; S3 Hacker mindset & threats; S5 Threat modelling, monitoring & risk
Block 8
- Core: Get to know each other through recognisable security situations and dilemmas.
- Topics: Phishing, passwords, losing your phone, public wifi, USB, MFA, social engineering, personal experiences.
- Do: Security bingo; dilemma cards; exchange experiences and link them to security culture.
- Stations: S2 Security mindset & culture; SO Other topics
Block 9
- Core: The content of week 1 comes together in one shared case.
- Topics: CIA/BIV, assets, stakeholders, threat actors, first threats, first design principles, first abuse cases.
- Do: Fill in the security context canvas; short gallery walk; keep the canvas as a starting point for week 2.
- Stations: S1 Basics & awareness / product security; S2 Security mindset & culture; S3 Hacker mindset & threats; S5 Threat modelling, monitoring & risk
The hostile outside world
Block 1
- Core: Reason from motives, access points, vulnerabilities and damage.
- Topics: Black/white/grey hat, dark web, stolen data, motives, access, impact, threat actors.
- Do: Make an attacker persona; fill in motive-access-impact; whole-class discussion of ethical limits.
- Stations: S3 Hacker mindset & threats; SO Other topics
Block 2
- Core: Look at threats broadly: digital, physical, human, procedural and organisational.
- Topics: Phishing, DDoS, MitM, ransomware-as-a-service, social engineering, supply-chain attacks, cloud, devices.
- Do: Sort a threat card set; link threats to case assets; short threat-landscape mini-jigsaw.
- Stations: S1 Basics & awareness / product security; S3 Hacker mindset & threats; SO Other topics
Block 3
- Core: Analyse an incident as the result of choices in design, process, behaviour, technology or governance.
- Topics: OV-chipkaart, DigiNotar, certificate authority, Stuxnet, zero-day, failing security principles.
- Do: Incident case in groups; build a cause-effect chain; indicate which security principle failed.
- Stations: S1 Basics & awareness / product security; S3 Hacker mindset & threats; S5 Threat modelling, monitoring & risk; S8 Testing, pentest & incident response
Block 4
- Core: Get acquainted with frameworks that help recognise and order threats.
- Topics: CVE, OWASP, MITRE, cyber kill chain, CVSS, interpreting and classifying vulnerabilities.
- Do: Short framework tour; classify example vulnerabilities; compare MITRE/OWASP/CVE as an ordering language.
- Stations: S3 Hacker mindset & threats; S4 Governance & supply chain; S5 Threat modelling, monitoring & risk
Block 5
- Core: Weigh and prioritise risks: not every threat is equally important.
- Topics: Information at risk → threats → mitigations; vulnerability, threat, risk, measure, CVSS.
- Do: Fill in a risk matrix; pick the top 5 risks; substantiate likelihood/impact.
- Stations: S5 Threat modelling, monitoring & risk; S6 Security requirements & architecture
Block 6
- Core: Link risks to first measures and design choices.
- Topics: Mitigations, CIS Controls, access control, logging, rate limiting, defense in depth, cryptography, key management.
- Do: Devise measures per top risk; classify into prevent/limit/detect/recover; note first design decisions.
- Stations: S5 Threat modelling, monitoring & risk; S6 Security requirements & architecture; S4 Governance & supply chain
Block 7
- Core: Designing securely also means anomalies become visible and discussable.
- Topics: Security Operations Centre, logging/monitoring, logging of security-relevant actions, detection as a design choice.
- Do: Discuss what you want to see in logs; formulate detection questions; link monitoring as a design choice to risks.
- Stations: S5 Threat modelling, monitoring & risk; S8 Testing, pentest & incident response
Block 8
- Core: Teams practise attacker thinking and threat recognition.
- Topics: Attack trees, persona non grata, cyber kill chain; link threats to asset, motive, access, impact.
- Do: Attack-tree challenge in teams; points for creativity and plausibility; short debrief on design implications.
- Stations: S3 Hacker mindset & threats; S5 Threat modelling, monitoring & risk
Block 9
- Core: The week ends with a prioritised list of risks and first measures for the case.
- Topics: Top threats, risk prioritisation, first CIS Controls, mitigations, design measures, detection points.
- Do: Deliver a risk profile; review measures; make the link to governance questions for week 3.
- Stations: S3 Hacker mindset & threats; S4 Governance & supply chain; S5 Threat modelling, monitoring & risk; S6 Security requirements & architecture
Governance & organisation
Block 1
- Core: Security calls for clear roles, decision-making, ownership and agreements.
- Topics: Security governance, responsibilities, ownership, not if but when, action on a suspected incident.
- Do: Make a RACI-light; discuss ownership of risks; sketch an escalation path.
- Stations: S4 Governance & supply chain; S2 Security mindset & culture
Block 2
- Core: The difference between meeting the rules and actually designing securely.
- Topics: GDPR, NIS2, CRA, ISO, NIST, HIPAA, SOC 2; rule-compliant vs. actually secure.
- Do: Case questions: when are you compliant but not yet secure? Translate rules into design questions.
- Stations: S4 Governance & supply chain
Block 3
- Core: ISO 27001 as a management system for information security, risks and improvement.
- Topics: ISO, NIST, policy, risk analysis, controls, continuous improvement, relation to broader frameworks.
- Do: Link the PDCA cycle to security; controls as control measures; make a mini control card.
- Stations: S4 Governance & supply chain; S5 Threat modelling, monitoring & risk
Block 4
- Core: Laws and regulations as context for design decisions.
- Topics: NIS2, GDPR, CRA, product security, privacy, duty of care, supply-chain responsibility.
- Do: Legislation poster per group; translate core obligations into consequences for design or organisation.
- Stations: S4 Governance & supply chain; S1 Basics & awareness / product security
Block 5
- Core: Investigate dependencies on suppliers, software, data, platforms and supply-chain partners.
- Topics: Supply chain (attacks), Software Bill of Materials, suppliers, cloud, data, software, platforms.
- Do: Make a dependency map; mark blind-trust points; discuss SBOM as a concept.
- Stations: S4 Governance & supply chain; S7a SDLC (technical depth); SO Other topics
Block 6
- Core: Security measures are also organisational and behavioural.
- Topics: Training, awareness, procedures, identity, authentication, access management, insurance.
- Do: Make a measures menu; compare technical vs. organisational measures; design an awareness intervention.
- Stations: S2 Security mindset & culture; S4 Governance & supply chain; SO Other topics
Block 7
- Core: Design for the moment when it goes wrong.
- Topics: Incident response, reporting, repair/post-mortem, external communication, ITIL, acting on incidents.
- Do: Discuss the incident lifecycle; make a communication card; prepare post-mortem questions.
- Stations: S8 Testing, pentest & incident response; S2 Security mindset & culture; S4 Governance & supply chain
Block 8
- Core: Experience incident response, roles, detection, communication and decision-making under pressure.
- Topics: Incident response, SOC thinking, logging, monitoring, reporting, external communication, post-mortem, team roles.
- Do: Play Backdoors & Breaches; assign roles; observers watch communication, decision-making and escalation.
- Stations: S8 Testing, pentest & incident response; S5 Threat modelling, monitoring & risk; S4 Governance & supply chain; S2 Security mindset & culture
Block 9
- Core: The week ends with roles, responsibilities, compliance points and response agreements.
- Topics: Governance map, supply-chain dependencies, legislation, incident procedure, communication and recovery agreements.
- Do: Deliver a governance map; process lessons learned from the game; link response agreements to the case.
- Stations: S4 Governance & supply chain; S8 Testing, pentest & incident response; S2 Security mindset & culture
Design & testing
Block 1
- Core: Translate risks into concrete, testable and relevant security requirements.
- Topics: Security requirements, information at risk → threats → mitigations, CIS Controls as input.
- Do: Turn risks into requirements; make requirements SMART/testable; formulate first acceptance criteria.
- Stations: S6 Security requirements & architecture; S5 Threat modelling, monitoring & risk; S4 Governance & supply chain
Block 2
- Core: Weigh measures from effectiveness, feasibility and context.
- Topics: Applying CIS Controls, implementation groups, roadmap, auditable questions, technical + organisational.
- Do: Prioritise measures; discuss trade-offs; link controls to risks and organisational context.
- Stations: S6 Security requirements & architecture; S4 Governance & supply chain; S2 Security mindset & culture
Block 3
- Core: Architecture broadly: layers, boundaries, access, responsibilities and coherence.
- Topics: Zero trust, defense in depth, silos, rate limiting, access control, key management, cryptography, post-quantum.
- Do: Improve a deliberately bad design; apply design principles; make an architecture sketch.
- Stations: S6 Security requirements & architecture; S1 Basics & awareness / product security; SO Other topics
Block 4
- Core: Threat modelling connects technology, process, organisation, behaviour and risk in one shared language.
- Topics: Threat modelling in general, STRIDE, PASTA, LINDDUN, persona non grata, attack trees.
- Do: Make or sharpen a threat model on the case; use STRIDE-light; link threats to design choices.
- Stations: S5 Threat modelling, monitoring & risk; S6 Security requirements & architecture
Block 5
- Core: Establish traceability from risk to design decision.
- Topics: Threat → risk → requirement → measure → design decision; logging, access control, cryptography, monitoring.
- Do: Fill in a traceability matrix; substantiate design decisions; mark gaps in the chain.
- Stations: S6 Security requirements & architecture; S5 Threat modelling, monitoring & risk
Block 6
- Core: Security as a continuous process throughout the entire lifecycle.
- Topics: SDLC, PDLC, CI/CD, upgrade/downgrade/patches, supply-chain attacks, SBOM, setting up a project.
- Do: Make a lifecycle map; place security activities in design/build/test/maintain; discuss patching and SBOM.
- Stations: S7 SDLC / PDLC / CI-CD; S7a SDLC (technical depth); S4 Governance & supply chain
Block 7
- Core: How design choices are tested and validated.
- Topics: Testing, pentesting, simulations, reporting, repair/post-mortem, CVE/CVSS to interpret findings.
- Do: Match test types to requirements; check acceptance criteria; make a validation-plan-light.
- Stations: S8 Testing, pentest & incident response; S5 Threat modelling, monitoring & risk; S6 Security requirements & architecture
Block 8
- Core: Teams defend design choices and give feedback from different roles.
- Topics: Roles: attacker, user, compliance, administration, communication, architecture; feedback on substantiation.
- Do: Peer review carousel; each team assessed from multiple roles; turn feedback into improvement actions.
- Stations: S6 Security requirements & architecture; S5 Threat modelling, monitoring & risk; S4 Governance & supply chain; S8 Testing, pentest & incident response
Block 9
- Core: Everything comes together in a mini-dossier; preparing for case-based reasoning.
- Topics: Context, assets, threats, risks, governance, requirements, architecture, lifecycle, monitoring, test, response.
- Do: Finish the mini secure-by-design dossier; make a concept map; discuss practice case questions.
- Stations: S1 Basics & awareness / product security; S2 Security mindset & culture; S3 Hacker mindset & threats; S4 Governance & supply chain; S5 Threat modelling, monitoring & risk; S6 Security requirements & architecture; S7 SDLC / PDLC / CI-CD; S8 Testing, pentest & incident response; SO Other topics
02 Metro map: do we cover every topic?
The nine core topics are "metro stations". Each block calls at one or more stations; the table shows how every topic runs through the four weeks. That way you see at a glance that everything is touched on and where the emphasis lies.
| Metro station | Week 1 | Week 2 | Week 3 | Week 4 |
|---|---|---|---|---|
| S1 Basics & awareness / product security: CIA-BIV, cryptography & limits, famous failures (OV-chipkaart, DigiNotar, Stuxnet) | block 1, 2, 3, 6, 7, 9 | block 2, 3 | block 4 | block 3, 9 |
| S2 Security mindset & culture: Social engineering, training, not if but when, security first | block 1, 4, 5, 7, 8, 9 | - | block 1, 6, 7, 8, 9 | block 2, 9 |
| S3 Hacker mindset & threats: Black/white/grey hat, dark web, motives, attacker thinking | block 5, 6, 7, 9 | block 1, 2, 3, 4, 8, 9 | - | block 9 |
| S4 Governance & supply chain: GDPR, NIS2, CRA, ISO, NIST, CIS Controls, supply chain | block 5 | block 4, 6, 9 | block 1, 2, 3, 4, 5, 6, 7, 8, 9 | block 1, 2, 6, 8, 9 |
| S5 Threat modelling, monitoring & risk: STRIDE, attack trees, kill chain, SOC, logging, risk analysis | block 6, 7, 9 | block 3, 4, 5, 6, 7, 8, 9 | block 3, 8 | block 1, 4, 5, 7, 8, 9 |
| S6 Security requirements & architecture: Zero trust, defense in depth, rate limiting, key management, access control | block 3 | block 5, 6, 9 | - | block 1, 2, 3, 4, 5, 7, 8, 9 |
| S7 SDLC / PDLC / CI-CD: Security in the software/product lifecycle, CI/CD | - | - | - | block 6, 9 |
| S7a SDLC (technical depth): Upgrades, patches, supply-chain attacks, SBOM | - | - | block 5 | block 6 |
| S8 Testing, pentest & incident response: Reporting, post-mortem, communication, ITIL, incident response | - | block 3, 7 | block 7, 8, 9 | block 7, 8, 9 |
| SO Other topics: Phishing, DDoS, MitM, ransomware-as-a-service, IAM, cloud, devices | block 2, 4, 6, 8 | block 1, 2 | block 5, 6 | block 3, 9 |
03 Sources
As much off-the-shelf and free as possible. Deliberately split: the core route is broad and design-focused; technical lab tools stay outside it as optional depth, so the minor does not become IT-framed.
Core sources: shared foundation
Concepts, frameworks and NL/EU context that fit the broad design approach. Plus the serious games for the game blocks (block 8).
Concepts & frameworks
- OWASP Top 10: most common web risks as a language
- OWASP ASVS: requirements thinking
- OWASP SAMM: governance / maturity
- CIS Controls: concrete measures framework
- MITRE ATT&CK: attack techniques & detection
- Cyber Kill Chain: attack phases
- Threat modelling (OWASP): STRIDE & methods
- CVE / CVSS (NVD): interpret & score vulnerabilities
- NIST CSF: governance peg
- NIST SSDF: secure development lifecycle
- ISO 27001 (overview): infosec management system
NL / EU & law
- NCSC-NL: incl. former DTC (5 basic principles, CyberVeilig Check)
- ENISA Threat Landscape: EU threat overview
- Dutch Data Protection Authority: GDPR & data-breach notification duty (72h)
- NIS2 (EU): duty of care & supply-chain responsibility
- Cyber Resilience Act: product security in the EU
Serious games (block 8)
- Backdoors & Breaches: incident response, free online
- Elevation of Privilege: STRIDE card game (free PDF)
- OWASP Cornucopia: threat-modelling card game
Awareness
- Google Phishing Quiz: awareness exercise
- Veiliginternetten: accessible NL resource
Optional: technical depth (not in the core route)
Valuable, but too technical for the shared foundation. Offer as a resource bank, demo or deepening track (e.g. LU2 / technical profile). Not centrally required; do not open with these.
Lab environments (depth)
- OWASP Juice Shop: demo or LU2 / technical profile
- TryHackMe: optional deepening track
- PortSwigger Academy: web-hacking resource bank
- PicoCTF: optional activity / CTF
Tools & primer (optional)
- OWASP Threat Dragon: tool demo; prefer canvas for the basics
- Cloudflare Learning Center: network primer as prework
- MDN, How the web works: prework browser/HTTP
04 What do we build ourselves?
The design approach leans on canvases, maps and card sets instead of off-the-shelf tools, so this is where most of the build work sits.
Canvases & maps: the backbone
- W1·9 (core artefact, runs throughout) · Security context canvas
- W1·5 · Stakeholder map
- W1·6 · Asset & abuse-case canvas
- W2·1 · Attacker persona
- W2·5 · Risk matrix
- W2·9 · Risk profile
- W3·1 · RACI-light
- W3·5 · Dependency map
- W3·9 · Governance map
- W4·5 · Traceability matrix
- W4·6 · Lifecycle map
- W4·9 (final artefact) · Secure-by-design dossier
Card sets & game material
- W1·3 · Principle cards
- W1·8 · Security bingo + dilemma cards
- W2·2 · Threat-card sorting set
- W2·8 · Attack-tree challenge
- W4·4 · STRIDE-light canvas
- W4·7 · Test-types match-up
- W4·8 · Role cards peer review
Choosing / assembling cases
- runs through all weeks · Continuous venture / fictional company
- W2·3 · Incident case
- W3·7 · Breach write-up
- W3·4 · Legislation-poster case
- W4·3 · 'Badly designed' architecture (A4)
Retrieval, slides & assessment
- at block 7 or 9 · Weekly quiz (Kahoot/Menti)
- W1·1 · Glossary card
- W1·1 · Kickoff slides
- W2·4 · Framework-tour slides
- W2·7 · Monitoring intro
- W4·9 · Practice case questions + knowledge test