diff --git a/README.md b/README.md
index a9232a1..17e59c2 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-

+

# Elixir Secure Coding Training (ESCT)
diff --git a/modules/11-authentication.livemd b/modules/11-authentication.livemd
index 2924a64..91e3368 100644
--- a/modules/11-authentication.livemd
+++ b/modules/11-authentication.livemd
@@ -10,7 +10,7 @@ One of two things follow:
Imagine you get a knock on your door. You ask who it is, and the person on the other side says you have a package delivery. In fact, you're not expecting a package and you can see the person is not wearing a uniform and doesn't have a package in their hands. Something doesn't match. They don't seem to be who they say they are and so, you don't open the door.
-Authentication is the mechanism that helps guard the front door of an application. It's the mechanism that helps control who gets into your system and if they are there legitimately.
+Authentication is the mechanism that helps guard the front door of an application. It's the mechanism that helps control who gets into your system and if they are there legitimately.
## Table of Contents
@@ -59,7 +59,7 @@ Tokens are long strings of random characters used to identify an entity, session
### OAuth
Open Authorization(OAuth) is a protocol in which a multi-step arrangement generates a token for a specific users, the user presents as a credential in lieu of a password. There is an extra server (authorization/token generating service or server) that after a user authenticates with it, it generates a token, and brokers authentication/authorization between initial entity and a resource.
-Originally built for authorization, as it's name suggests, it has evolved for use in the authentication and authorization mechanisms. A very good resource that describes the OAuth in context of it's history and current implementations is here: https://www.youtube.com/watch?v=996OiexHze0
+Originally built for authorization, as its name suggests, it has evolved for use in the authentication and authorization mechanisms. A very good resource that describes the OAuth in context of its history and current implementations is here: https://www.youtube.com/watch?v=996OiexHze0
Why use OAuth? When users need access to third party services, outside of your environment where you don't want to share your credentials with those third parties. In OAuth protocol/architecture, an authorization service brokers access and grants users an access token to present, in place of credentials.
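Review bot: The added line still says OAuth "has evolved for use in the authentication and authorization mechanisms" without saying how. OAuth 2.0 on its own issues access tokens for authorization. Authentication comes from OpenID Connect layered on top of it, and treating a bare access token as proof of identity is a common mistake, so the module should name OpenID Connect here. On the same line, "describes the OAuth in context of its history" reads better as "describes OAuth in the context of its history", and the bare YouTube URL would be clearer as a titled link. The unchanged paragraph above has "Open Authorization(OAuth)" without a space and "a specific users", which could be fixed in the same pass.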
@@ -140,7 +140,7 @@ OWASP Top 10 for Web Applications A07:2021-Identification and Authentication Fai
## Prevention and Countermeasures
Use built and tested authentication mechanisms in your code language framework.
-Authentication is a key component of an application but given its integration with some of the other concepts mentioned in this module, it's implementation in your products can become complex. This module touched on some of the highlights but please refer to the references below for extensive explanations of authentication and related.
+Authentication is a key component of an application but given its integration with some of the other concepts mentioned in this module, its implementation in your products can become complex. This module touched on some of the highlights but please refer to the references below for extensive explanations of authentication and related.
###
Quiz
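Review bot: The corrected sentence still ends on a dangling phrase, "extensive explanations of authentication and related." Suggest finishing it, for example "of authentication and related topics". The unchanged line above, "Use built and tested authentication mechanisms in your code language framework", is also hard to parse. Something like "Use the established, well-tested authentication mechanisms your language or framework provides" says the same thing more directly.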
diff --git a/modules/12-cryptography.livemd b/modules/12-cryptography.livemd
index 0c6afab..cbc4c47 100644
--- a/modules/12-cryptography.livemd
+++ b/modules/12-cryptography.livemd
@@ -2,7 +2,7 @@
## Introduction
-Cryptography is the process of transforming information or data from it's original form into one that is unreadable by systems, tools, or people unless they have a key. The part of the process that converts source data/information into the unreadable version is called encryption. Reversing that process is called decryption.
+Cryptography is the process of transforming information or data from its original form into one that is unreadable by systems, tools, or people unless they have a key. The part of the process that converts source data/information into the unreadable version is called encryption. Reversing that process is called decryption.
Like many concepts/technologies in security, cryptography is not new. Centuries of devisings ways to send messages between and among
known and trusted senders/receivers while making those messages unreadable for enemies or anyone else for whom the message is not intended.
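Review bot: The edited opening sentence defines cryptography as transforming data into a form that is "unreadable ... unless they have a key", which is a definition of encryption only. The same module later covers hashing for integrity, so the introduction should either widen the definition or say up front that encryption is one part of cryptography. The context line that follows has the typo "devisings ways" and is a sentence fragment with no main verb, which is worth fixing while this paragraph is being touched.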
@@ -10,7 +10,7 @@ Secret codes, etc.
Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intended recipient. The sender and receiver agree upon a code to exchange messages. Additionally, written notes can be stored and unless a reader has the code, won't know what the actual message is.
-Cryptography is used throughout applications to protect sensitive information that while is needed for the operation of the application and it's components, is not intended to be openly shared. This module highlights how cryptography is applied
+Cryptography is used throughout applications to protect sensitive information that while is needed for the operation of the application and its components, is not intended to be openly shared. This module highlights how cryptography is applied
## Table of Contents
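Review bot: The added line ends mid-thought with "This module highlights how cryptography is applied" and has no closing period. Either complete the sentence (applied where, or to what) or end it cleanly. In the same line, "that while is needed for the operation of the application" is ungrammatical. Suggest "that, while needed for the operation of the application and its components, is not intended to be openly shared".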
@@ -77,7 +77,7 @@ use HTTPS which implements encryption over a channel. Diffie-Hellman
Hashing is sometimes implemented alongside encryption but has a different purpose. Cryptography used for confidentiality; keeping information secret except for intended recipient/audience.
-Hashes are used to ensure the integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with. Hash algorithms are one way functions that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered.
+Hashes are used to ensure the integrity of the data, meaning ensuring from its creation/generation to its final state, it remains unmodified and untampered with. Hash algorithms are one way functions that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered.
Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
## Security Concerns
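Review bot: In the added line, "Hashing passwords is a common application" sits directly above a list of fast general-purpose hashes (SHA1, SHA2, MD5), which invites readers to store passwords with plain SHA-2. Suggest adding that password storage needs a salted, deliberately slow password-hashing function rather than a bare digest. The same line has a broken clause, "one way functions that - compare starting hash from known good data", and ends on the fragment "Comparing hashes to determine if correct password entered." In the context line below, SHA1 is listed without the "(obsolete)" marker that MD5 gets, although NIST has deprecated it as well.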
diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd
index b101c55..77704c1 100644
--- a/modules/3-ssdlc.livemd
+++ b/modules/3-ssdlc.livemd
@@ -37,7 +37,7 @@ More than that, while it may be convenient for testing / building typically in p
There are a number of different ways you can manage your secrets for use in production systems. Most of them are implementation specific which varies on your build and deploy processes.
-A very easy way to prevent secrets being added to go though is to access them via Environment Variables!
+A very easy way to prevent secrets being added to files is to access them via Environment Variables!
###
QUIZ
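Review bot: "being added to files" in the corrected sentence is vague, since an environment variable is often set from a file too. The risk this section is about is secrets ending up in source files that get committed, so suggest "prevent secrets being committed to source files" or similar. "Environment Variables" does not need capitals mid-sentence.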
diff --git a/modules/4-graphql.livemd b/modules/4-graphql.livemd
index 5fb75b7..b931942 100644
--- a/modules/4-graphql.livemd
+++ b/modules/4-graphql.livemd
@@ -166,7 +166,7 @@ In addition to strategies like rate limiting to protect APIs in general, another
### Description
-Resource intensive queries, like those where a GraphQL query tries to traverse and then return a significant amount of highly nest data can cause a server/service to expend a significant amount of it's processing power and other resources. These high cost queries can render a server and therefore the application useless.
+Resource intensive queries, like those where a GraphQL query tries to traverse and then return a significant amount of highly nested data can cause a server/service to expend a significant amount of its processing power and other resources. These high cost queries can render a server and therefore the application useless.
One approach for implementing validation on incoming queries to determine their "cost" in terms of the resources the use. Queries are defined by how much load they place on the server/service processing the request, allowing developers to plan for how best to manage resources. This is a little like making a budget.
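Review bot: The added sentence needs a comma to close the parenthetical: "highly nested data, can cause a server/service to expend". "Resource intensive" and "high cost" should be hyphenated when used as modifiers. The unchanged paragraph below opens with a fragment ("One approach for implementing validation on incoming queries ...") and has the typo "the resources the use". Since that paragraph describes the actual mitigation, it is worth fixing in this pass.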
diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd
index 1e04eb7..1d45c7f 100644
--- a/modules/5-elixir.livemd
+++ b/modules/5-elixir.livemd
@@ -56,7 +56,7 @@ malicious_user_input = UUID.uuid4()
try do
malicious_user_input
- # ONLY CHANGE LINE 8
+ # ONLY CHANGE NEXT LINE
|> String.to_atom()
rescue
_ ->
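Review bot: "ONLY CHANGE NEXT LINE" is better than a hard-coded line number, but the comment sits in the middle of a pipeline, between `malicious_user_input` and `|> String.to_atom()`. Naming the target would remove any doubt, for example "ONLY CHANGE THE String.to_atom() CALL BELOW". If the exercise instructions or the answer check elsewhere in the module still refer to line 8, they need the same update.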
diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd
index c261b9a..7d53907 100644
--- a/modules/6-cookies.livemd
+++ b/modules/6-cookies.livemd
@@ -1,3 +1,5 @@
+
+
# ESCT: Part 6 - Cookie Security
```elixir
@@ -210,7 +212,7 @@ For systems that use third party ad serving networks, such as Google's AdSense /
Under an opt out scheme, consumers are notified via an alert or window when they load a website. The user must consent to the notice before they can navigate the site and any cookies are planted. At a minimum, the notice is to contain the following: disclosure of information gathering practices, the uses for this information, and policies for processing and disposing of this data.
-Opt-out cookies are essentially cookies used to avoid cookies. When a website creates an opt-out cookie in your browser folder, it enables you to block that same website from installing future cookies.With this, Opt Out cookies offer safeguards for user information, and help secure systems against potential security concerns regarding “hidden” cookies
+Opt-out cookies are essentially cookies used to avoid cookies. When a website creates an opt-out cookie in your browser folder, it enables you to block that same website from installing future cookies. With this, Opt Out cookies offer safeguards for user information, and help secure systems against potential security concerns regarding “hidden” cookies
#### Opt In Cookies
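Review bot: The added line fixes the missing space but still mixes "Opt-out cookies" at the start with "Opt Out cookies" later in the same line, and it ends without a period after “hidden” cookies. Suggest picking one spelling (the hyphenated lower-case form matches the rest of the paragraph) and closing the sentence.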
@@ -220,7 +222,7 @@ Opt-in is the process that describes an affirmative action user takes to offer t
If you want to be legally compliant, it is safer to have both the options with opt-out as the default.
-

+

### Resources
diff --git a/modules/8-cicd.livemd b/modules/8-cicd.livemd
index 6f695b8..781b6b4 100644
--- a/modules/8-cicd.livemd
+++ b/modules/8-cicd.livemd
@@ -13,7 +13,7 @@ Mix.install([
Just like there's more to making software than just writing code, there's more to _securing_ software than just reviewing code.
-Part of the development lifecycle includes deploying code and it is here that we can institute automated tooling and tests to assist in the detection of insecurities and potentially prevent vulnerabilities from reach production whatsoever!
+Part of the development lifecycle includes deploying code and it is here that we can institute automated tooling and tests to assist in the detection of insecurities and potentially prevent vulnerabilities from reaching production whatsoever!
This module will cover over some of the automated processes you may see in a CI/CD pipeline and how they work at a high level. Important to note is most of these tools can be run in a number of different ways - meaning they don't _have_ to be run in the CI/CD pipeline and instead can be run locally.
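Review bot: "prevent vulnerabilities from reaching production whatsoever" in the added line is still awkward. "from reaching production at all" or "from ever reaching production" reads more naturally. In the following context line, "cover over some of the automated processes" should be "cover some of the automated processes".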
diff --git a/assets/images/OptInvsOptOutCookies.png b/modules/files/OptInvsOptOutCookies.png
similarity index 100%
rename from assets/images/OptInvsOptOutCookies.png
rename to modules/files/OptInvsOptOutCookies.png
diff --git a/assets/images/secure_elixir_gold.png b/modules/files/secure_elixir_gold.png
similarity index 100%
rename from assets/images/secure_elixir_gold.png
rename to modules/files/secure_elixir_gold.png