security.md

Security

With this module, you'll learn how to keep secrets safe and write code that keeps user data private and secure.

Topics

OWASP Top 10

With this topic, you'll learn about the most common application security issues and how to mitigate them.

Learning Outcomes

• Describe each of the vulnerabilities in the OWASP Top 10
• Describe what threat modeling is
• Explain how you might prevent the "Broken Access Control" vulnerability
• Explain what remediation is and how you might remediate an "Injection" vulnerability

Resources

• OWASP Top 10:2021 Resource
• OWASP Top 10:2021 Overview Video
• Port Swigger Web Security Academy Resource
• What is web application security? Resource

Exercises

• Remediate the Broken Access Control vulnerability

---

Authentication and Authorization

With this topic, you'll learn about identity providers and how to use OAuth 2.0 to manage authentication and authorization in an application.

Learning Outcomes

• Compare authentication with authorization and explain their differences
• Use an identity provider to authenticate users in an application
• Explain what "federated identities" are
• Explain what the OAuth 2.0 standard is

Resources

• Auth0 Tool
• Auth0 in 100 Seconds Video
• AWS Cognito Tool
• Calling an API Video
• Ethereum Accounts Article
• Firebase Authentication Tool
• Identity and Reputation in Web 3 Article
• Introduction to Identity Video
• OAuth 2.0 Protocol Resource
• OpenID Connect and OAuth2 Video
• OWASP Authentication Cheatsheet Resource
• OWASP Authorization Cheatsheet Resource
• Signing in with Ethereum Video

Exercises

• Setup an Identity Provider

---

Managing Secrets

With this topic, you'll learn about application secrets and how to manage them effectively.

Learning Outcomes

• Describe what an application secret is
• Describe what an environment variable is
• Explain why you might want to secure an application secret
• Explain how you might inject secrets into an application using environment variables

Resources

• 12 Factor App: Config Resource
• 1Password Secrets Automation Tool
• 7 Cryptography Concepts EVERY Developer Should Know Video
• AWS Systems Manager (check out Parameter Store) Tool
• Removing sensitive data from a repository Resource
• Security and Cryptography Video
• Working with AWS Parameter Store Resource

Exercises

• Fetch an Application Secret

---

Continuous Security

With this topic, you'll learn about methods to integrate security scanning into a project CI/CD pipeline.

Learning Outcomes

• Describe what continuous security is
• List out some tools you might use to scan a project for vulnerabilities
• Explain how you might go about remediating vulnerabilities found from automated scanning

Resources

• GitHub Security Tool
• Snyk Code Tool
• Sonarqube Tool

Exercises

• Setup Dependency Scanning

---

Working with Security Engineers

With this topic, you'll learn about the role of a security engineer and how to work with them on your team effectively.

Learning Outcomes

• Describe the role of a security engineer
• Identify what you need from a security engineer to complete software engineering tasks
• Explain how you might work with a security engineer to remediate vulnerabilities

Resources

• Threat Modeling Article
• Threat Modeling 101 Video
• Threat Modeling Worksheet Resource
• What is Threat Modeling and Why Is It Important? Video

Exercises

• Threat Modeling