Week 2, Lecture 2 — Frameworks Worth Knowing
Cybersecurity & Secure Programming
Before the lecture
Read Chapter 5 — Frameworks Worth Knowing in the book PDF (approximately 16 pages, 35 minutes reading time). The chapter opens on the 15 April 2025 CVE Programme funding cliff — the morning MITRE wrote to the CVE Board to say the contract was not being renewed — and uses FIN7, walked through the ATT&CK v18.1 matrix, as the worked example that makes the matrix concrete. Skim the framework tour itself; spend your re-read on the three-families distinction and the picking guide.
Slides
- Download wk02_lecture02.pptx — open in PowerPoint, Keynote, or LibreOffice Impress to deliver. Speaker notes carry the talking points and time hints.
- Download wk02_lecture02.pdf — PDF export for printing or quick reference.
Lecture timing
A 50-minute slot is realistically 45–50 minutes of room time. 30 min of content + two 3-min embedded interludes + 5–10 min slack for arrivals, transitions, and Q&A. The framework tour is wide and tempting to over-deliver; resist.
| Block | Time | Notes |
|---|---|---|
| Opening — CVE 2025 funding scare + three-families diagram | 0–5 min | The cleanest illustration of why frameworks are infrastructure, not abstractions |
| OWASP family overview | 5–10 min | Top 10:2025 framing, brief LLM Top 10 sign-post, ASVS / Cheat Sheets / ZAP-rebrand watch-out in passing |
| Embedded interlude A — live OWASP A02 CWE list | 10–13 min | See script below |
| MITRE family | 13–20 min | CVE/CWE distinction, ATT&CK overview, FIN7 walk-through |
| Embedded interlude B — ATT&CK Navigator on FIN7 | 20–23 min | See script below |
| Governance whistle-stop | 23–30 min | CSF 2.0, ISO 27001, CIS Controls, NIS2, DORA, Cyber Essentials, PCI DSS, SOC 2 — name and one-line each |
| The opinionated picking guide | 30–36 min | The keeper. Cyber Essentials Plus → SOC 2 Type II → ISO 27001 only when asked |
If you run short, drop OWASP Mobile Top 10 (name only), CAPEC (one-sentence mention), D3FEND (one line), and the PCI DSS / SOC 2 budget figures. Keepers under any budget: three-families diagram, CVE/CWE distinction, ATT&CK FIN7 walk-through, picking guide.
Embedded interlude A — live OWASP A02 CWE list (~3 min)
URL. https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
Setup. “Open this. Look at the very top of the page.”
Activity. Students see the CWEs Mapped block — roughly 29 separate CWE IDs feeding into this single OWASP category.
Talking points.
- One Top 10 risk maps to many CWE weaknesses.
- OWASP is curation; CWE is taxonomy. They are complementary, not duplicates.
- This is why “I’m OWASP-compliant” is a meaningless phrase — it answers a different question than “have we addressed CWE-XXX?”
Wrap. “OWASP gives you priorities. CWE gives you the underlying inventory. You need both.”
Links from this lecture
Every external reference cited in the chapter, organised by topic.
The CVE 2025 funding scare
- Krebs, Brian. Funding Expires for Key Cyber Vulnerability Database. KrebsOnSecurity, 16 April 2025. https://krebsonsecurity.com/2025/04/funding-expires-for-key-cyber-vulnerability-database/
- CVE Foundation. Launch announcement, 16 April 2025. https://www.thecvefoundation.org/newsroom/posts/2025-04-16-launch
- Korolov, Maria. CVE program funding secured, easing fears of repeat crisis. CSO Online, February 2026. https://www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html
The OWASP family
- OWASP. OWASP Top 10:2025. https://owasp.org/Top10/2025/ — release-candidate unveiled at Global AppSec USA, Washington, 6 November 2025; final published December 2025.
- OWASP. OWASP Top 10:2025 — Introduction and Methodology. https://owasp.org/Top10/2025/0x00_2025-Introduction/
- OWASP. OWASP API Security Top 10 (2023 edition). https://owasp.org/API-Security/editions/2023/en/0x11-t10/
- OWASP. Mobile Top 10 (2024 edition). https://owasp.org/www-project-mobile-top-10/
- OWASP Gen AI Security Project. OWASP Top 10 for LLM Applications (2025). https://genai.owasp.org/llm-top-10/ — released 17 November 2024.
- OWASP. Application Security Verification Standard 5.0.0, released 30 May 2025 at Global AppSec EU Barcelona. https://owasp.org/www-project-application-security-verification-standard/
- OWASP. Software Assurance Maturity Model (SAMM v2). https://owaspsamm.org/
- OWASP. Cheat Sheet Series. https://cheatsheetseries.owasp.org/
- OWASP Foundation. Governance. https://owasp.org/governance/
The MITRE family
- CVE Programme. https://www.cve.org/ — the canonical source for assigned CVE identifiers.
- MITRE. Common Weakness Enumeration. https://cwe.mitre.org/
- MITRE. 2025 CWE Top 25 Most Dangerous Software Weaknesses, published 15 December 2025. https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html
- MITRE. Common Attack Pattern Enumeration and Classification (CAPEC 3.9). https://capec.mitre.org/
- MITRE. ATT&CK. https://attack.mitre.org/ — current Enterprise matrix v18.1 (released 28 October 2025); v19 publishing 28 April 2026.
- Picus Security. What’s New in MITRE ATT&CK v18: Detection Strategies and Analytics Unveiled. https://www.picussecurity.com/resource/blog/whats-new-in-mitre-attack-v18
- Center for Threat-Informed Defense. https://ctid.mitre.org/
- MITRE. D3FEND. https://d3fend.mitre.org/ — D3FEND 1.0 GA on 16 January 2025; current version v1.4.0 (April 2026).
The NVD enrichment crisis
- NIST. NIST Updates NVD Operations to Address Record CVE Growth. Press release, 15 April 2026. https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
- Help Net Security. NIST admits defeat on NVD backlog. 16 April 2026. https://www.helpnetsecurity.com/2026/04/16/nist-national-vulnerability-database-nvd-enrichment/
The governance family
- NIST. The NIST Cybersecurity Framework (CSF) 2.0. NIST CSWP 29, 26 February 2024. https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
- ISO/IEC. ISO/IEC 27001:2022 — Information security management systems — Requirements. October 2022. https://www.iso.org/standard/27001
- Center for Internet Security. CIS Critical Security Controls v8.1, June 2024. https://www.cisecurity.org/controls/v8-1
- European Union. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2). Entered into force 17 January 2023; transposition deadline 17 October 2024.
- NCSC Ireland. NIS2. https://www.ncsc.gov.ie/nis2/
- ECSO. NIS2 Transposition Tracker. https://ecs-org.eu/activities/nis2-directive-transposition-tracker/
- European Union. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). Fully applicable 17 January 2025. https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
- NCSC (UK). Cyber Essentials Overview. https://www.ncsc.gov.uk/cyberessentials/overview
- IASME. Cyber Essentials v3.3. https://iasme.co.uk/cyber-essentials/
- Stabilise. Cyber Essentials v3.3: The Complete Guide to April 2026 Changes. https://stabilise.io/blog-pages/blog/cyber-essentials-v3-3-the-complete-guide-to-april-2026-changes
- PCI Security Standards Council. PCI DSS v4.0.1, June 2024. https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1
- AICPA. SOC 2. https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
Common student questions (and short answers)
- “Aren’t OWASP Top 10 and CWE Top 25 just two names for the same list?” — No, and conflating them is a tell that the speaker has read neither. OWASP Top 10 is an awareness list of risk categories in web applications, ranked by prevalence in app-testing data. CWE Top 25 is a list of weakness types across all software, ranked by a formula combining frequency in the NVD and CVSS severity. There is overlap (XSS, SQLi appear in both) but the lists answer different questions.
- “Is ATT&CK a threat-modelling methodology?” — No — it is a library. ATT&CK does not tell you how to do threat modelling; it gives you a structured catalogue of what real adversaries do, which you then feed into a methodology (STRIDE, the Four-Question Frame from Chapter 4, PASTA). This misconception is the one that slips into job adverts and vendor pitch decks.
- “Should our 30-person SaaS just go straight for ISO 27001?” — Almost certainly not. For a fifteen-to-thirty-person Irish SaaS without a regulated customer pulling them by name, ISO 27001 first is over-engineered, over-budgeted, and slow to produce value. The pattern that works is Cyber Essentials Plus → SOC 2 Type II → ISO 27001 only when a customer asks for it by name. Many companies eventually run ISO 27001 + SOC 2 in parallel, mapping the same controls to both, but that is a Year-3 problem, not a Year-1 problem.
- “Is NVD still reliable as a CVE enrichment source?” — As of April 2026, only for CVEs in CISA’s KEV catalogue, in software used by the US federal government, or covered by EO 14028. Everything else is flagged “lowest priority” and relies on CNA-supplied scores. Defenders building dissertation pipelines that assume NVD enrichment of every CVE will be surprised.
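The last answer above is the one that bites dissertation pipelines: a script that reads the NVD CVSS score and treats its absence as "no severity" will misclassify every CVE that only carries a CNA-supplied score. The following added example (not from the chapter or from NIST) resolves a score per record while recording where it came from. The record shape follows the NVD API 2.0 `cve` object as I understand it (`metrics.cvssMetricV31[]` entries carrying `type` of `Primary` for NVD and `Secondary` for the CNA, with `cvssData.baseScore`); treat that layout as an assumption to check against the live API. The three sample records and their CVE IDs are constructed placeholders, not real assignments.

```python
"""Resolve a CVSS base score for each CVE record and record its provenance
(NVD enrichment, CNA-supplied, or none) so a pipeline never silently assumes
NVD has scored every CVE.  Record layout is an assumption about NVD API 2.0;
sample data is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; CVE IDs are placeholders, not real assignments.
SAMPLE_RECORDS = [
    {   # NVD-enriched: both an NVD (Primary) and a CNA (Secondary) score present
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "cvssData": {"baseScore": 9.8}},
            {"source": "cna@example.test", "type": "Secondary",
             "cvssData": {"baseScore": 8.8}},
        ]},
    },
    {   # CNA score only: the "lowest priority" case the lecture warns about
        "id": "CVE-0000-0002",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.test", "type": "Secondary",
             "cvssData": {"baseScore": 7.5}},
        ]},
    },
    {   # No score from anyone yet
        "id": "CVE-0000-0003",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {},
    },
]

# Metric blocks to consult, newest CVSS version first (assumed key names).
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


@dataclass
class Resolved:
    cve_id: str
    score: Optional[float]
    provenance: str  # "nvd", "cna" or "none"


def resolve_score(record: dict) -> Resolved:
    """Prefer the NVD (Primary) score; fall back to the highest CNA (Secondary)
    score; otherwise report that the CVE is unscored rather than scoring it 0."""
    entries = []
    for key in METRIC_KEYS:
        entries.extend(record.get("metrics", {}).get(key, []))
    primary = [e for e in entries if e.get("type") == "Primary"]
    secondary = [e for e in entries if e.get("type") == "Secondary"]
    if primary:
        return Resolved(record["id"], primary[0]["cvssData"]["baseScore"], "nvd")
    if secondary:
        best = max(e["cvssData"]["baseScore"] for e in secondary)
        return Resolved(record["id"], best, "cna")
    return Resolved(record["id"], None, "none")


def summarise(records):
    """Resolve every record and count how many scores came from each source,
    which is the number a pipeline should report instead of hiding it."""
    resolved = [resolve_score(r) for r in records]
    counts = {"nvd": 0, "cna": 0, "none": 0}
    for r in resolved:
        counts[r.provenance] += 1
    return resolved, counts


if __name__ == "__main__":
    resolved, counts = summarise(SAMPLE_RECORDS)
    for r in resolved:
        print(f"{r.cve_id}: score={r.score} via {r.provenance}")
    print("provenance counts:", counts)
```

The design point is that an unscored CVE is a distinct state, not a zero: keeping `None` and the provenance counter visible is what lets a reviewer see how much of a dataset rests on CNA scores versus NVD analysis.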
End-of-lecture self-check
Optional, formative — not graded.
Going Further
- OWASP. OWASP Top 10:2025 and OWASP API Security Top 10 (2023). https://owasp.org/Top10/2025/ and https://owasp.org/API-Security/. — The two awareness lists every postgrad should bookmark.
- OWASP. Cheat Sheet Series. https://cheatsheetseries.owasp.org/. — Read the Authentication, Password Storage, SQL Injection Prevention, XSS Prevention, and Authorization cheat sheets — together they are perhaps two hours of reading and will save you years of avoidable bugs.
- MITRE. ATT&CK. https://attack.mitre.org/. — The single most important reference work in operational security. Open ATT&CK Navigator and paint a coverage layer for your current employer; you will learn more in an hour than from any textbook.
- NIST. Cybersecurity Framework 2.0 (NIST CSWP 29, February 2024). https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final. — The reference document for organising any security programme.
- IASME. Cyber Essentials v3.3 Requirements. https://iasme.co.uk/cyber-essentials/. — Twelve pages, clearly written, the cheapest credible certification, in force from today. If your employer does not have it, this is the obvious next step.
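The ATT&CK item above suggests painting a coverage layer in Navigator. The following added example (not from the chapter, MITRE or the Navigator project) builds such a layer file from a constructed table of which techniques an organisation can currently detect, and lists the gaps. The technique IDs T1566, T1059 and T1003 are real Enterprise ATT&CK identifiers; the coverage levels and notes against them are constructed. The layer layout (a `techniques` array with `techniqueID`, `score` and `comment`, plus `versions`, `domain` and `gradient`) is written from memory of the Navigator layer format and the version strings are assumptions; check both against the Navigator's own layer specification before importing.

```python
"""Build an ATT&CK Navigator coverage layer from a detection-coverage table.
Layer layout and version strings are assumptions about the Navigator format;
coverage data is constructed.  Not MITRE's or the Navigator project's code."""
import json

# technique id -> (coverage level 0..2, note).  IDs are real ATT&CK Enterprise
# technique identifiers; the coverage values are constructed for illustration.
COVERAGE = {
    "T1566": (2, "Mail gateway plus user-report triage"),      # Phishing
    "T1059": (1, "PowerShell logging only; no cmd.exe coverage"),  # Command and Scripting Interpreter
    "T1003": (0, "No credential-dump detection in place"),     # OS Credential Dumping
}

LEVEL_LABELS = {0: "No coverage", 1: "Partial coverage", 2: "Good coverage"}
LEVEL_COLOURS = {0: "#ff6666", 1: "#ffe766", 2: "#8ec843"}


def build_layer(name: str, coverage: dict, attack_version: str = "18") -> dict:
    """Return a Navigator layer dict that scores each technique by coverage
    level so the matrix cells are shaded red/amber/green."""
    techniques = [
        {
            "techniqueID": tid,
            "score": level,
            "comment": note,
            "enabled": True,
        }
        for tid, (level, note) in sorted(coverage.items())
    ]
    return {
        "name": name,
        # Version strings are assumptions; set them to match your Navigator build.
        "versions": {"attack": attack_version, "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage, constructed example data",
        "techniques": techniques,
        "gradient": {
            "colors": [LEVEL_COLOURS[0], LEVEL_COLOURS[1], LEVEL_COLOURS[2]],
            "minValue": 0,
            "maxValue": 2,
        },
        "legendItems": [
            {"label": LEVEL_LABELS[lvl], "color": LEVEL_COLOURS[lvl]} for lvl in (0, 1, 2)
        ],
    }


def coverage_gaps(layer: dict) -> list:
    """Technique IDs with zero coverage: the list a defender takes to planning."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == 0]


def layer_to_json(layer: dict) -> str:
    """Serialise the layer for import via Navigator's 'Open Existing Layer'."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Coverage (constructed example)", COVERAGE)
    print(layer_to_json(layer))
    print("gaps:", coverage_gaps(layer))
```

Write the JSON to a file and open it in Navigator as an existing layer; the `score` field drives the gradient shading, and the comment shows when a cell is hovered, which is what turns the matrix into a conversation with whoever owns the missing detections.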