ISO 21434 Training for Conducting Vulnerability Analysis and Assessments

Course Duration: 3 Days - 8 Hours/day

This three-day seminar will provide the knowledge and skills required to perform vulnerability analysis and assessments per the ISO 21434 Cybersecurity Engineering Standard. This class will give you the information to plan, conduct and report vulnerability analysis and assessment activities for ISO/SAE 21434.

This course combines presentations with in-class group exercises to put what you are learning into practice. Concepts are reinforced by a series of breakout exercises on critical aspects of audits and assessments.

Learning Objectives

  • Learn a general methodology for conducting vulnerability analysis and assessments
  • Understand scanning and mapping network topology
  • Be able to identify listening ports/services on hosts
  • Learn to fingerprint operating systems remotely
  • Conduct vulnerability scans
  • Audit gateway, switch, and firewall security
  • Perform MCU, hardware, and software vulnerability analysis

Course Outline

Day One

  • Introduction and Overview of ISO/SAE 21434
  • ISO/SAE 21434 Purpose, Scope, and Framework
  • Introduction to Vulnerability Analysis
  • Pre-requisites for Vulnerability Analysis
  • Target of Analysis
  • Architectural Design
  • Threat Scenarios
  • Software Cybersecurity Requirements
  • Scanning and Exploits
  • Vulnerability Detection Methods
  • Types of Scanners
  • Enumerating Targets to Test Information Leakage
  • Types of Exploits: Worms, Spyware, Backdoors, Rootkits, Denial of Service (DoS)
  • Deploying Exploit Frameworks
  • Uncovering Infrastructure Vulnerabilities
  • Uncovering Communication Weaknesses
  • Vulnerabilities in Infrastructure: Hardware and Software
  • Network Management Tool Attacks
  • Identifying IDS Bypass Attacks
  • Corrupting Memory and Causing Denial of Service

Day Two

  • Exposing and Revealing MCU Vulnerabilities
  • Scanning Controllers: Assessing Vulnerabilities on Your Network
  • Uploading Rogue Scripts and File Inclusion
  • Performing Buffer Overflow Attacks
  • Scanning for MCU Vulnerabilities
  • Client Buffer Overflows
  • Silent Downloading: Spyware
  • Attacking Design Errors
  • Threat Analysis with FMVEA: Failure Modes, Vulnerabilities and Effects Analysis
  • Review of FMEA
  • Adapting FMEA for Vulnerability Analysis
  • Implementing Scanner Operations and Configuration
  • Choosing Credentials, Ports, and Dangerous Tests
  • Preventing False Negatives
  • Creating Custom Vulnerability Tests
  • Customizing Scans
  • Handling False Positives
  • Creating and Interpreting Reports
  • Filtering and Customizing Reports
  • Interpreting Complex Reports
  • Contrasting the Results of Different Scanners

Day Three

  • Researching Alert Information
  • Using the National Vulnerability Database (NVD) to Find Relevant Vulnerability and Patch Information
  • Evaluating and Investigating Security Alerts and Advisories
  • Employing the Common Vulnerability Scoring System (CVSS)
  • Identifying Factors That Affect Risk
  • Evaluating the Impact of a Successful Attack
  • Determining Vulnerability Frequency
  • Calculating Vulnerability Severity
  • Weighing Important Risk Factors
  • Performing a Risk Assessment
  • The Vulnerability Management Cycle
  • Patch and Configuration Management
  • Analyzing the Vulnerability Management Process
  • Vulnerability Assessment Report
  • Report Components
  • Writing the Report

Who Should Attend

Those involved in the design, development, and production of electrical and electronic vehicle products, including systems, software, and hardware engineers and their managers; in short, everyone responsible for the development and implementation of hardware and software systems in motor vehicles.

Participants should be, or plan to be, actively managing, involved in, or aware of the electrical and/or electronic items, systems, or elements that are incorporated in vehicles. You should also have the abilities, education, and experience required for the roles above.

Course Materials

Each participant will receive a seminar manual including case studies.

Note: Omnex does not provide copies of standard(s) during training courses, but clients are encouraged to have their own copy.
Prerequisites

Participants should be involved in or aware of software and hardware development as it relates to the motor vehicle industry. A basic understanding of the ISO/SAE 21434 standard is recommended.