Training on product security evaluation for greater security and cyber-resilience of the ICT ecosystem

What is the Cyber Capacity Building Program?

The Cyber Capacity Building Program is aimed at government organizations, academia and companies to help them develop mechanisms and skills for security assessments of ICT products they use.

To learn more and access the white paper, please click here.

What are the requirements for the training on product security evaluation?

The training requires a basic knowledge of the software development lifecycle, programming, and information security.

The training works as a ‘construction kit’: only chosen sections are provided.

How to get access to the Program?

The Program is provided in online and offline versions, in English.

Offline versions are organized in Kaspersky Transparency Centers.

To request access, please contact

What our partners say

“The Kaspersky Cyber Capacity Building Program is wholly comprehensive and practical for government agencies and all organizations. We are living in the era of digitalization and disruptive technologies; hence, the call to enhance cybersecurity skills and mechanisms is crucial.
The National Cyber Security Center of Vietnam (NCSC Vietnam, a unit of the Authority of Information Security, part of the Ministry of Information and Communications) is always ready and willing to support Kaspersky on this program and other cybersecurity practices.”

Mr. Tran Quang Hung
NCSC Vietnam, Authority of Information Security, Ministry of Information and Communications, Government of Vietnam

“The topics covered in the program were very relevant to the participants and also provided them with valuable information and insights. I would like to appreciate the entire Kaspersky team who were behind this meticulously planned and well organized program packed with quality content. The interactive sessions and the problems given to the participants clearly showed the dedication and the level of efforts taken by your team to organize this program”.

Dr. Sanjay Bahl
Director General, CERT-In, Ministry of Electronics and Information Technology, Government of India

"BSSN always strives to foster and develop the human resources competencies in cybersecurity and cryptography, including through this cooperation with Kaspersky. The Cyber Capacity Building Program established a structured Cybersecurity Human Resources posture that will produce professional human resources who can adapt to technological development and have technical competencies in cybersecurity".

Mr. Hinsa Siburian
Head of National Cyber and Crypto Agency (BSSN) of Indonesia


Evaluating product security

Duration: 1 hour.

Introduction to applications and system security; building reliable and resilient ICT infrastructure:
  • Approaches for evaluating product security;
  • Assessment techniques of a vendor’s software development process;
  • Analyzing a vendor’s data processing practices; and
  • Static and dynamic examination techniques of a software product for its security.

Threat modelling

Duration: 1.5 hours.

The purpose of threat modeling is to provide systematic analysis of what controls or defenses need to be included – given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.

This section includes:

  • Approaches for threat modelling;
  • Actor identification; and
  • Risk identification and prioritization.

Secure code review

Duration: 2.5 hours.

Introduction to the basic techniques of identifying vulnerabilities in software code. The purpose of the code review is to ensure that a product has no potential vulnerabilities or backdoors. We will also share best practices of Kaspersky’s Transparency Centers and how processes are organized for external reviews of our source code and software development.

This section includes:

  • Approaches for automated source code analysis;
  • Static analysis of source code;
  • Dynamic analysis of source code; and
  • Approaches for manual analysis of source code.

Code fuzzing

Duration: 2.5 hours.

This section gives an introduction to the process of defining, developing and testing Windows-based applications through fuzzing to identify bugs and vulnerabilities. Though the training focuses on native Windows-based applications, most of the concepts – as well as the methodology and tools – can be applied to other platforms.

After completing this course, trainees will be able to:

  • Understand the different fuzzing techniques and when to apply them;
  • Choose the appropriate tools and prepare a target for fuzzing; and
  • Generate interesting fuzzing input depending on the target.

Vulnerability Management and Disclosure

Duration: 1 hour.

Introduction to and definition of approaches for building up the process of managing vulnerabilities within an organization’s ICT infrastructure:

  • Sharing best practices for vulnerability management;
  • Sharing best practices for coordinated vulnerability disclosure;
  • Sharing Kaspersky’s experience in handling vulnerability reports from the research community; and
  • Revealing nuances of bug bounty programs.