Curriculum Request: Create challenges to teach security and debugging #6669

Closed · Greenheart opened this issue Feb 2, 2016 · 2 comments

Labels: help wanted (Open for all. You do not need permission to work on these.), scope: curriculum (Lessons, Challenges, Projects and other Curricular Content in curriculum directory.), status: discussing (Under discussion threads. Closed as stale after 60 days of inactivity.)

Comments

@Greenheart (Member) commented Feb 2, 2016

Curriculum Request: Create challenges to teach security and debugging.

Preface:

I've written about this suggested improvement [in a recent Medium post](https://medium.com/@greenheart/this-article-gave-me-an-idea-e0711e21c4ce#.2zgmfx7lk) and describe the issue, the solution and the reasoning behind it over there.

I would love to collaborate with other contributors to create these challenges, so feel free to come with suggestions! 😄

~ @Greenheart

Ideology:

  • Cover important security topics through challenges.
  • Challenges should have user stories to be completed, for assessing the user progress.
  • Award a security-focused certification?

List of resources to check and create the curriculum:

Challenge ideas to be considered:

Idea 1 (Based on current Backend challenge Format)

  • Campers are given a starter (template|bootstrap) repository.
  • The repository can be a simple todo list app or any basic CRUD app.
  • They are given challenges with incremental difficulties, to fix vulnerabilities.
  • Different types of vulnerabilities can be split across challenges, with their own set of user stories.

Idea 2 (Workshopper type format ~ Suggested by @xapax)

Part 1
  • Fork OWASP NodeGoat: this is a great resource and looks quite promising.
  • Write beginner-friendly instructions (if the tutorial provided is too advanced)
  • Split into several smaller challenges
  • An example of a challenge could be: patch the code for Server Side JS Injection (changing eval to JSON.parse), ensure that all dependencies are secure (run nsp), fix de-/misconfigured headers.
Part 2
  • This XSS-game from Google is a great way to get practical experience with this specific threat.
  • 6 levels of increasing difficulty
  • Tested by @Greenheart - "Great challenges that are ready to be used as is if we get permission from Google"

Road map:

  • Learn about vulnerabilities, summarize most important facts that we can make use of.
  • Decide what type of challenges should be developed, this will be
    • API or CRUD?
    • Only back-end, or should we involve client-side security in this project too?
      (Maybe just focus on back-end first?)
  • Decide which security-topics we want to cover
    • using .env for sensitive variables like port, mongo uri, api keys etc. @Rafase282
    • Escape dangerous characters in requests to the server --> The server should not store html in the db to stop users from adding custom script-tags to posts that could be viewed by other users and possibly run malicious code in their browsers. (Protect against some XSS-attacks)
    • Protect from cross site request forgery (CSRF) by adding invisible "_csrf"-token to forms and inputs. (Example implementation using Express)
  • Implement the challenges with features that showcase these security topics
    • Insecure app-version to use as template / starter kit
    • Secure version to use for reference/code review
  • Video Challenges related to Security.
    • Supplement challenges with videos related to security.
    • Might even be a part of the security challenges / certification?

This is an initial suggestion for a workflow, but please give feedback!

@bugron bugron added help wanted Open for all. You do not need permission to work on these. scope: curriculum Lessons, Challenges, Projects and other Curricular Content in curriculum directory. labels Feb 16, 2016
@Greenheart Greenheart reopened this Jun 1, 2016
@ghost ghost assigned SaintPeter Jun 1, 2016
@raisedadead raisedadead added the status: discussing Under discussion threads. Closed as stale after 60 days of inactivity. label Jun 1, 2016
@raisedadead raisedadead changed the title Add backend-challenges that teach security and debugging Curriculum Request: Create backend challenges to teach security and debugging Jun 1, 2016
@raisedadead raisedadead changed the title Curriculum Request: Create backend challenges to teach security and debugging Curriculum Request: Create challenges to teach security and debugging Jun 1, 2016
@QuincyLarson (Contributor) commented

This is quite a collection of challenges!

The more of these challenges we could create for FCC's editor (as opposed to having to clone an existing repo and set up a local dev environment) the better. That said, if it's impossible to mimic, say, XSS on Free Code Camp, then we can cover that specific topic with a NodeSchool-like package (OWASP NodeGoat looks great!)

@BerkeleyTrue (Contributor) commented

Work continues here https://github.com/FreeCodeCamp/CurriculumExpansion

Happy Coding
