podium/elixir-secure-coding
An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir

Home Page: https://podium.com

License: MIT License

Elixir 100.00%
elixir elixir-lang elixir-phoenix livebook salus security security-education sobelow

elixir-secure-coding's Introduction

Elixir Secure Coding Training (ESCT)

An all-encompassing, opinionated cybersecurity curriculum designed for enterprise use at software companies using the Elixir programming language.

About | Curriculum | Usage | Contributing | License


About

Originally developed for Podium's Elixir engineers by its Product Security team, the ESCT was designed to be integrated into developer onboarding processes - teaching developers about Application Security using context that applies to them.

The content originally focused exclusively on what technology Podium uses, but quickly grew to encapsulate more areas of Application Security. The material itself is composed of views from the Product Security team at Podium as well as information sourced from reputable public information - attribution has been given wherever possible.

Today, individuals or companies wishing to try out the ESCT are encouraged to fork a copy of their own; please follow the relevant instructions below depending on your use case.

If you find an issue, wish to suggest an idea, or want to start a discussion, please see our CONTRIBUTING Guide!

Curriculum

Currently the curriculum is broken into the following 8 primary topics, each containing multiple lessons:

  1. OWASP
    • OWASP Top 10
  2. Secure SDLC
    • No Secrets In Code
    • Making Secret Rotation Easy
    • Rate Limiting
    • Principle of Least Privilege
  3. GraphQL Security
    • Disabling Introspection
    • Error Disclosure
    • Resource Exhaustion
      • Cost Theory
  4. Elixir Security
    • Atom Exhaustion
    • Protecting Sensitive Data
    • Untrusted Code
    • Timing Attacks
    • Boolean Coercion
  5. Cookie Security
    • Ingredients of a Cookie
    • The Perfect Cookie
    • Elixir Phoenix Cookies
  6. Security Anti-Patterns
    • Security Through Obscurity
    • Frontend Authorization Checks
  7. CI/CD Tooling
    • Sobelow
      • Salus
    • Semgrep
  8. The Secure Road
    • Service to Service Authentication
    • User Authorization

If you do not see a topic or lesson you would like covered, please review our open issues and our CONTRIBUTING Guide before opening a new issue - but we encourage requests!

Usage

For "Learners"

Using the ESCT as a consumer of the content requires only the following steps:

  1. Fork this repo into a space you control
    • Important to note: if you were instructed to use this course by your company, double check with the folks who are running things for your company to ensure they don't have a customized version of the training materials
  2. Clone your forked repo
  3. Load the Live Markdown files in an instance of Livebook
    • For further instructions on getting Livebook set up locally, please refer to their documentation.
  4. Complete the training as instructed and save your progress along the way!
  5. When you think you're finished, create a PR to your own fork of the training repo
    • You will receive feedback as to whether you completed it or not in the CI stage of your version control system*

*Feedback functionality will initially work in GitLab, GitHub support is in the works but lower priority

For "Educators"

Using the ESCT as a purveyor of the curriculum is relatively straightforward:

  1. Determine whether you need to customize the content to better suit your business, whether that means changing the contents to reflect internal-only information or simply removing modules your engineers won't find useful.
    • If you decide to customize the content, fork the repository into your company's VCS with the necessary adjustments made.
    • In the future, there may be additional configuration steps for establishing configuration secrets for reporting purposes; those would also be done at this time.
  2. Instruct your workforce to follow the "Learners" instructions above using whichever version of the ESCT you would prefer they use.

Contributing

Please refer to our CONTRIBUTING Guide for more details on how to add to this project!

License

MIT License

elixir-secure-coding's People

Contributors

adamzapasnik, aifrak, brentwheeldon, ericrobolson, houllette, hvalkerie19, kgautreaux, kianmeng, shahryarjb, stilwellc

elixir-secure-coding's Issues

Confusing code example in Section 5: Untrusted Code

In Section 5: Untrusted Code there's this example that is suggested to be insecure:

name = Kino.Input.text("What's your name?")
textfield_value = Kino.Input.read(name)
{result, binding} = Code.eval_string("a", a: textfield_value)
"Hello, " <> result

We did this security training at my small team at work and none of us could figure out how to choose an input that would prove that this code is insecure. See screenshot for example. Is it possible that this example is not correct? Was it supposed to say Code.eval_string(textfield_value) instead? That would definitely be insecure.

[Screenshot 2022-11-29 at 15 35 21: image not included in this copy]
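The distinction the reporter is asking about, as an added example that is not part of the ESCT modules or the issue itself: in the curriculum snippet the expression passed to `Code.eval_string/2` is the fixed string `"a"` and the user's text is only a value in the binding, whereas passing the user's text as the expression causes it to be parsed and executed. The `EvalDemo` module and the input value are constructed for this demo.

```elixir
# Added example, not from the ESCT modules: contrast a fixed expression
# evaluated with user data in the *binding* against evaluating the user's
# string itself. Module name and inputs are constructed for the demo.

defmodule EvalDemo do
  # Mirrors the curriculum snippet: the expression "a" is fixed, and the
  # user's text is only data bound to the variable `a`, so it comes back
  # unchanged regardless of its contents.
  def bound(user_text) do
    {result, _binding} = Code.eval_string("a", a: user_text)
    result
  end

  # The variant the reporter suspects was intended: the user's text *is*
  # the expression. Anything Elixir can parse is compiled and executed
  # with the full privileges of the running VM.
  def evaluated(user_text) do
    {result, _binding} = Code.eval_string(user_text)
    result
  end

  # When only a greeting is needed, no evaluation is required at all:
  # treat the input purely as a binary and concatenate it.
  def greet(user_text) when is_binary(user_text), do: "Hello, " <> user_text
end

# Constructed input: a string that also happens to be valid Elixir.
input = "1 + 1"

IO.inspect(EvalDemo.bound(input), label: "bound (data only)")
IO.inspect(EvalDemo.evaluated(input), label: "evaluated (executed)")
IO.inspect(EvalDemo.greet(input), label: "greet (no eval)")
```

Run this in a Livebook cell or with `elixir` from the command line. `bound/1` returns the input string unchanged because the evaluated expression never changes, while `evaluated/1` returns the arithmetic result because the input was compiled as code; `greet/1` shows that the greeting needs no `Code.eval_string/2` at all, which is the pattern to prefer whenever the input comes from a user.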

How can I get feedback on my quiz answers?

How can I verify that my answers to the quiz questions are correct?

The README says this will happen automatically on GitLab CI:

> You will receive feedback as to whether you completed it or not in the CI stage of your version control system*
>
> *Feedback functionality will initially work in GitLab, GitHub support is in the works (https://github.com/podium/elixir-secure-coding/issues/17) but lower priority

But:

  • I am not using GitLab
  • I don't see any GitLab CI configuration file in this repository that would allow me to at least look up what kind of commands are running there

There's a grader.exs script that says to run mix run grader.exs:

# Usage: mix run grader.exs

But there's no mix.exs file in this repository, so I get this error:

$ mix run grader.exs 
** (Mix) Cannot execute "mix run" without a Mix.Project, please ensure you are running Mix in a directory with a mix.exs file or pass the --no-mix-exs option

When I run mix run grader.exs --no-mix-exs or elixir grader.exs, I get this error:

$ mix run grader.exs --no-mix-exs
Evaluating: modules/1-introduction.livemd
** (MatchError) no match of right hand side value: {:error, {:undef, [{Livebook.LiveMarkdown, :notebook_from_livemd, ["# ESCT: Part 1 - Introduction\n\n## Overview\n\nFound in this series of modules is a curriculum for teaching Secure Coding concepts and ideas centered around the Elixir ecosystem. Core principles of Application Security have been sourced from other available resources within the community and pieced together into this Elixir Livebook format to allow for an interactive spin.\n\nIt is worth stating that this material is a work in progress and is open to contributions in order to make this the one-stop shop for Developer Secure Coding Training (for Elixir). The initial training material was originally crafted by the Product Security team at [Podium](https://www.podium.com/) and as such, contains very opinionated lessons to help contribute to the Secure SDLC of Podium's engineers. The more general this material can be made through outside contributors, the more secure we can make the Elixir community.\n\n## Who This Is For\n\nThis curriculum is for any Software Developer / Engineer / Maker / Hacker looking to better their own knowledge of the Web Application Security space, especially as it pertains to Elixir Phoenix applications.\n\nThis Training material is also ideally used in an educational environment for organizations to level up their Engineering teams Security knowledge. Quiz questions have been crafted within and an auto-grader that can be deployed in the CI/CD pipeline for local forks of this repo will be made available soon.\n\n## How To Use This Livebook\n\n### Livebooks\n\nIf you've never used an Elixir [Livebook](https://livebook.dev/) before, you're in for a treat! 
They are a very exciting new tool that is actively under development - very similar in application to [Jupyter Notebooks](https://jupyter.org/), but for the Elixir ecosystem!\n\nIt would not do the Livebook any justice to try and summize here how to fully take advantage of all its capabilities, for a better introduction there is a great tutorial offered in local installations of Livebook.\n\n**For the purposes of this Training material, just know that you need to run the \"Setup\" step for the \"Notebook dependencies and setup\" section at the very top of EVERY module before running any code samples found within the module you're working on.**\n\n### Examples & Quiz Questions\n\nSpread throughout the Training material, you will find sections labeled <span style=\"color:blue;\">**Example**</span> and <span style=\"color:red;\">**Quiz**</span>. The idea here is those are relevant (and runnable) code examples in Elixir for the section you're learning about. <span style=\"color:blue;\">**Examples**</span> are just for your education, whereas there will be graded component to <span style=\"color:red;\">**Quiz**</span> questions.\n\n**Don't worry!** If you've done the reading for the associated section, you should breeze through it and each question will outline what specifically needs to be done to successfully complete it! Here's an example <span style=\"color:red;\">**Quiz**</span> question layout:\n\n### <span style=\"color:red;\">**Quiz**</span>\n\n**This is what the question prompt would look like!**\n\n*This is the description on what the auto-grader is looking for in order to pass the question successfully*\n\n### Auto-grader\n\nMeticulous care has been put into the <span style=\"color:red;\">**Quiz**</span> questions thus far in order to allow for programmatic grading of answers. 
This has been done to accommodate the usage of these Training materials en masse for organizations to level up the entirety of their Engineering teams.\n\nAs such, each <span style=\"color:red;\">**Quiz**</span> question is very specific about what to change and what not to change in the code sample - this is to maintain the integrity of the grader and provide immediate feedback to the taker if they succeeded or not. **Please do not unnecessarily change the code examples more than what is asked of you in the question!**\n\n## Training Modules\n\n1. Introduction (You Are Here)\n2. [OWASP](./2-owasp.livemd) - ~40 minutes\n3. [Secure SDLC Concepts](./3-ssdlc.livemd) - ~15 minutes\n4. [GraphQL Security](./4-graphql.livemd) - ~15 minutes\n5. " <> ...], []}, {Grader.Client, :init, 1, [file: 'grader.exs', line: 24]}, {:gen_server, :init_it, 2, [file: 'gen_server.erl', line: 851]}, {:gen_server, :init_it, 6, [file: 'gen_server.erl', line: 814]}, {:proc_lib, :init_p_do_apply, 3, [file: 'proc_lib.erl', line: 240]}]}}
    grader.exs:9: Grader.Client.run_and_save/1
    (elixir 1.14.1) lib/enum.ex:975: Enum."-each/2-lists^foreach/1-0-"/2
    grader.exs:76: Grader.App.main/0

What am I doing wrong?

Content Refinement - Approachability

It would be nice if a few more passes were made on the content itself to try and spruce it up with more relatable / friendly content.

Things like:

  • Visuals to accompany examples (Mermaid charts)
  • Topical GIFs and memes
  • (Tasteful) Emojis for section headings
  • etc.

REST Security Module

Much like the first wave of content including GraphQL as a module, there should more than likely be one for REST API security / best practices.

I think before moving on this we should compile a list of reputable resources to build lessons around.

Relevant Resources:

Build Integrations for Completion Reporting

It would be good to move towards a future where we integrate a user completing the training into a reporting functionality as part of the grader step.

This could report out to things like Learning Management Systems, Identity Providers, even SSO solutions to be able to add a system of safeguards that if an engineer doesn't complete or pass their training in a given amount of time, they won't be able to merge code.

While it may sound harsh, this sometimes is a requirement for compliance reasons and hopefully the very nature of this training being engaging reduces the amount of engineers who choose not to take it.

CI/CD Tools - Linting

Linting, code patterns, security anti-patterns, SAST all run in similar circles - I believe there are some things you could implement in your linting practices that could have an effect on code security.

What that is exactly is still to be determined, but I'd love to start collecting thoughts on it and on whether it should be included in the training module for CI/CD Tooling.

For the Elixir specific examples, it would most likely be referencing Credo.

Relevant Resources:

Add Historical Examples of Exploits / Compromises

I think it would be super cool to start adding to the various insecurities throughout the modules historical examples of CVEs, public compromises/incidents, etc.

It could be as simple as a link out to other reading, but it could help contextualize the impact and reach a particular issue has in a broader sense.

Example: For the lesson on not allowing code eval in Elixir, link out to maybe an incident a company has had or bug bounty find that allowed for remote code execution.

"Race Condition" potential in setup flow

If the proposed architecture for autograding is to have the grader run on all MRs to main branch, it will block folks who are trying to make adjustments to the curriculum before having engineers in their company run it themselves.

So a break glass would need to be made in the grader job to allow for bypassing it (which is also useful for bugs in grading to not cause undue problems on participants), but we need to be careful not to introduce a hole so folks who aren't passing the test can just bypass it without completing the training (especially if the training is being used for compliance purposes).

Add Signed & Encrypted Cookies to Cookie Security module
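An added example of what such a lesson could demonstrate, using Plug's own cookie API (this is example code, not the ESCT module's content or the project's code). It assumes the `:plug` dependency is available (installed here via `Mix.install/1`, as a Livebook cell would do), and the module name, cookie names, values and the `secret_key_base` string are constructed for the demo; a real application uses its own `secret_key_base`.

```elixir
# Added example, not from the ESCT modules: signed vs. encrypted response
# cookies with Plug.Conn. Requires the :plug dependency. The secret below is
# constructed for the demo only.
Mix.install([{:plug, "~> 1.14"}])

defmodule CookieDemo do
  import Plug.Conn

  # Plug.Crypto derives the signing/encryption keys from conn.secret_key_base;
  # keep it long (64+ bytes) and secret. Demo value, not a real secret.
  @secret String.duplicate("demo-secret-key-base-not-for-production-", 2)

  # Common defensive attributes for every cookie we set.
  @common [http_only: true, secure: true, same_site: "Lax", max_age: 3600]

  def set_cookies(conn) do
    conn
    |> Map.put(:secret_key_base, @secret)
    # Signed: the client can read the value but cannot change it without
    # breaking the signature.
    |> put_resp_cookie("theme", "dark", [sign: true] ++ @common)
    # Encrypted: the client can neither read nor forge the value. With
    # :encrypt (or :sign) the value may be any Elixir term.
    |> put_resp_cookie("session_hint", %{user_id: 42}, [encrypt: true] ++ @common)
  end

  # On the next request, name which cookies must be verified/decrypted.
  # A cookie that fails verification is not returned in conn.cookies.
  def read_cookies(conn) do
    conn
    |> Map.put(:secret_key_base, @secret)
    |> fetch_cookies(signed: ["theme"], encrypted: ["session_hint"])
    |> Map.get(:cookies)
  end
end

# Build a response that sets the cookies ...
response_conn = CookieDemo.set_cookies(Plug.Test.conn(:get, "/"))

# ... then simulate the browser sending them back on a following request.
next_request = Plug.Test.recycle_cookies(Plug.Test.conn(:get, "/"), response_conn)

IO.inspect(response_conn.resp_cookies, label: "raw cookies on the wire")
IO.inspect(CookieDemo.read_cookies(next_request), label: "verified/decrypted")
```

The first `IO.inspect` shows that the stored values are opaque tokens rather than `"dark"` and the map, and the second shows them recovered only after `fetch_cookies/2` verified them against the same `secret_key_base`. The choice between the two modes follows from what the client may see: sign when the value is harmless to read but must not be altered, encrypt when it must stay confidential as well.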

Improve Rate-Limiting Lesson

It would be ideal to talk about the prevention techniques and difference in approach to Application layer rate-limiting and Network layer rate-limiting.

Additionally it would be great to create a code example / quiz question that utilizes the Hammer library.

Return an :ok on the cookie security setup

Just a tiny usability thing. Happy to submit a PR myself.

Currently, the cookie security module's setup ends on building a plug connection. It's just a little strange that the return value from the cell is the actual Plug.Conn struct. Assuming the cell completes, it would probably be better to just return an :ok like the other modules

[Screenshot 2022-12-30 at 5 34 03 PM: image not included in this copy]

Autograder as GitHub Action

I would love to see the grader mechanism be supported in all VCSes that support free CI jobs - which includes GitHub.

From what I've determined, this should be doable through GitHub Actions - the biggest hurdle I believe is getting it to run the Elixir autograder, but from what I've seen from things like credo checks in GitHub Actions, this should be doable

Cryptography Module

I think it would be interesting to introduce either a full module for Cryptography or have it be a dedicated lesson within an existing module.

I lean towards having it as its own module - it could go over asymmetric vs symmetric cryptography, what the recommended algorithms are, maybe mention which algs are broken and why.

Examples / quiz questions could use recommended Elixir libraries for encryption and such.

Potential addendum lesson could discuss quantum cryptography and NIST's recommendations.

(This idea originated due to @hectorip's talk at ElixirConf 2022)

Autograder as GitLab CI job

Similar in concept to Autograder as GitHub Action; it's Podium's priority to get this working immediately since we use GitLab.

We would most likely just need to finish getting a Dockerfile set up and creating a .gitlab-ci.yml file that defines the job to run and executes the grader script.

Authentication Module

Starting to think that it may be worth having a dedicated module for Authentication and the different ways you could establish connections.

Lessons would be things like:

  • OAuth
  • JWT based flows
  • WebSocket Connections
  • Session vs. Session-less

Nerves Security

It would be handy to encompass more of the Elixir Ecosystem with this training; as such, we should include a module or lessons regarding Nerves best practices as they relate to security.

This could include things like explicitly calling out the use of Livebook on Nerves devices and such.

I am not as familiar with Nerves under the hood as I'd like to be, so I would love to see a sponsor for this content.

Improve Elixir Code Examples

The initial wave of Elixir code examples were very rudimentary at best; they could use some love and care.

This issue may need to be broken up into more specific examples that should be improved, but this will serve as the initial issue.

Something to keep in mind is the constraints of the quiz questions / examples that interface with the autograder as we don't want to break those.

More Resources for Lessons

Many lessons are lacking associated attribution in the initial mad dash to create content; an attempt should be made to go back through and add attribution to sections.

E.g. link out to the associated OWASP Top 10 topic where appropriate

Cookie Security - Data Privacy Implications

There are tons of news articles today detailing how 3rd party cookies track user behavior and how dangerous that is. I believe it would be prudent to outline why that is and things to look out for to avoid accidentally building systems that track user behavior like that.

It may be a bit difficult to come up with an example / quiz question for this part, but it may be doable: e.g. Given this cookie and other data, could you remove this hypothetical user's sense of privacy? or something equally as scary.

It's also worth mentioning that I know certain browsers are starting to take action against these types of dangerous cookies, so maybe this won't be an issue forever? That may be a bit too optimistic though...

Relevant Resource:
