Could you make the source of the slides available as part of this repo? Perhaps a Google slides link?

Oh hi Rich. May I have access to this repo so I can create a PR for a typo?

I think it would be a good idea to add some slides in the "for engineers" deck that talk about Server Side Request Forgery (SSRF). As more applications are built (or migrated) using public cloud providers like AWS, SSRF attacks on metadata APIs will become more prevalent.

These are some resources on SSRF:

• https://application.security/
• https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
• https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af

Takeaways for engineers:

• Follow the principle of least privilege to contain the blast radius.
• Don't blindly trust URLs from the client. Exercise caution when implementing URL unfurling logic or the like.
• Ensure any data retrieved from an API has the expected format before sending it to the client or clients. e.g. If an image is expected, ensure that an image was retrieved.
• For code that is meant to access public URLs, ensure it cannot access internal endpoints.
  ** Don't rely on regular expressions alone to filter out "bad IP addresses".

I had an issue where mkdocs serve didn't run... had to run

pip install pymdown-extensions

To get things to work. Might be nice to add to the instructions.

Also, amazing docs! The amount of work you're going to save IT Security people around the world is huge.

The pagerduty_security_training_for_everyone_part_ii_public.key Keynote presentation is not downloadable. Is it possible to update the asset again? File size is 134 bytes and seems to be either corrupt or not uploaded successfully.

Despite linking to the famous XKCD comic, this document fails to heed the basic lesson that a passwords which a human must memorize should be easy for a human to memorize while being hard for a computer to guess. Master passwords for the password manager are an example of such.

A decent password manager can generate a proper passphrase: a series of native language words spelled correctly in simplest form (such as lowercase). These mnemonic phrases allow the average person to store more random entropy with less effort, and far less chance of forgetting their password.

Complex sequences of gibberish will result in users writing down passwords, reducing their entropy, or wasting excessive and unnecessary effort memorizing less entropy than they otherwise could, with a higher chance of forgetting after a vacation or break.

For passwords which can must be mnemonic, such as a master passphrase, I would change the advise to using a mnemonic phrase instead of random individual characters.

Hi,

In

I'm not a native English speaker but it seems there is a typo in docs/for_everyone_part_ii/index.md

What is your business continuity plan in the even of a global pandemic?

I think event is more appropriate here.