Typo fixes #71

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion modules/1-introduction.livemd
Expand Up @@ -18,7 +18,7 @@ This Training material is also ideally used in an educational environment for or

If you've never used an Elixir [Livebook](https://livebook.dev/) before, you're in for a treat! They are a very exciting new tool that is actively under development - very similar in application to [Jupyter Notebooks](https://jupyter.org/), but for the Elixir ecosystem!

It would not do the Livebook any justice to try and summize here how to fully take advantage of all its capabilities, for a better introduction there is a great tutorial offered in local installations of Livebook.
It would not do the Livebook any justice to try and summarize here how to fully take advantage of all its capabilities, for a better introduction there is a great tutorial offered in local installations of Livebook.

**For the purposes of this Training material, just know that you need to run the "Setup" step for the "Notebook dependencies and setup" section at the very top of EVERY module before running any code samples found within the module you're working on.**

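Review bot: the "summarize" correction is right, but the same sentence still has a comma splice: "capabilities, for a better introduction there is a great tutorial" joins two independent clauses with a comma. Suggest a semicolon or a full stop there, e.g. "...all its capabilities; for a better introduction, there is a great tutorial offered in local installations of Livebook."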
4 changes: 2 additions & 2 deletions modules/2-owasp.livemd
Expand Up @@ -265,7 +265,7 @@ IO.puts(vulnerable_dependency)

### Description

Unlike [Broken Access Control](#broken-access-control), this category covers the other half of the "Auth" picture - Authentication; or in otherwords, the validation of "Who" is performing an action within a Data System.
Unlike [Broken Access Control](#broken-access-control), this category covers the other half of the "Auth" picture - Authentication; or in other words, the validation of "Who" is performing an action within a Data System.

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:

Expand Down Expand Up @@ -335,7 +335,7 @@ Notable CWES include CWE-778 Insufficient Logging to include CWE-117 Improper Ou
* Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems.
* Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
* Establish or adopt an incident response and recovery plan.
* Do not expose error logs in response to client when not necessary.
* Do not expose error logs in response to the client when not necessary.

<!-- livebook:{"branch_parent_index":3} -->

2 changes: 1 addition & 1 deletion modules/3-ssdlc.livemd
Expand Up @@ -142,7 +142,7 @@ An example of developing a web application using defense in depth could be:
* The codebase is checked automatically for vulnerabilities using Semgrep
* The codebase is also checked for outdated dependencies using Dependabot
* The application is regularly tested by the internal security team
* Multiple development environments are used such as Develpoment, Staging, and Production
* Multiple development environments are used such as Development, Staging, and Production

<br />

4 changes: 2 additions & 2 deletions modules/4-graphql.livemd
Expand Up @@ -152,13 +152,13 @@ IO.puts(answer)

### Description

When building an application, it is necessary to manage the access and use of all relevant internal and external resources involved in the context of the application. This will help ensure the continued availablilty of the application and its functionality for all legitimate users and entities.
When building an application, it is necessary to manage the access and use of all relevant internal and external resources involved in the context of the application. This will help ensure the continued availability of the application and its functionality for all legitimate users and entities.

Resource exhaustion occurs when memory, processes handling application requests, network traffic transmissions, server capacity, storage, and other host operating system or device limitations are exceeded while an application is running. When resource allocation is not well managed, applications become vulnerable to negative impacts in performance, unintentional service failures, and denial of service attacks, in which a malicious actor takes advantage of resource limitations to intentionally overwhelm and crash a system.

Resource exhaustion can occur inadvertently through legitimate use or could be triggered intentionally in a DoS attack by a malicious actor who sends a large number or resource intensive requests to overload the application.

The structure of GraphQL queries make it particularly succeptible to this type of attack as they can be crafted to perform long running and extensive operations, depending on the data being queried.
The structure of GraphQL queries make it particularly susceptible to this type of attack as they can be crafted to perform long running and extensive operations, depending on the data being queried.

In addition to strategies like rate limiting to protect APIs in general, another approach to protecting GraphQL from resource exhaustion involves anticipating the cost of a query and allocating resources based on known available capacity. The next section introduces this approach.

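Review bot: the rewritten "susceptible" line still has a subject-verb disagreement: the subject is "structure", so it should read "The structure of GraphQL queries makes it particularly susceptible". While in this hunk, the unchanged context line two paragraphs up reads "sends a large number or resource intensive requests"; that should be "a large number of resource-intensive requests".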
6 changes: 3 additions & 3 deletions modules/5-elixir.livemd
Expand Up @@ -126,9 +126,9 @@ A timing attack is a side-channel attack in which the attacker attempts to compr

Plainly speaking, response time it takes to compute a given function measured at the pico-second level is analyzed for microscopic variations.

This technique is primarily used to analyze string comparisons of secret values to brute-force the identify of the secret.
This technique is primarily used to analyze string comparisons of secret values to brute-force the identity of the secret.

e.g. When comparing two strings, the function exits when variation is detected. Take a secret value `MY_SECRET` and a user input `MY_PASSWORD`, the string compariosn (`MY_PASSWORD == MY_SECRET`) would go character by character until there's a complete match or a discrepancy. So if the new input was `MY_SAUCE`, that new string would take marginally longer to compare against the secret than `MY_PASSWORD` because of one more similar character as `MY_SECRET`.
e.g. When comparing two strings, the function exits when variation is detected. Take a secret value `MY_SECRET` and a user input `MY_PASSWORD`, the string comparison (`MY_PASSWORD == MY_SECRET`) would go character by character until there's a complete match or a discrepancy. So if the new input was `MY_SAUCE`, that new string would take marginally longer to compare against the secret than `MY_PASSWORD` because of one more similar character as `MY_SECRET`.

### Prevention

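Review bot: the "comparison" fix is correct, but the end of that same line, "because of one more similar character as `MY_SECRET`", is still ungrammatical; suggest "because it shares one more leading character with `MY_SECRET`", which also makes the point of the example (the early-exit comparison stops at the first differing character) clearer. The unchanged context line "Plainly speaking, response time it takes to compute a given function" is also missing an article: "the response time it takes".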
Expand Down Expand Up @@ -194,7 +194,7 @@ By using expressions that do not use boolean coercion, the incorrect assumption
* Prefer `or` over `||`
* Prefer `not` over `!`

The latter will raise a "BadBooleanError" when the function returns :ok or {:error, \_}. In the interest of clarity if may even be better to use a case construct, matching explicitly on true and false.
The latter will raise a "BadBooleanError" when the function returns :ok or {:error, \_}. In the interest of clarity it may even be better to use a case construct, matching explicitly on true and false.

### Resources

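Review bot: the "it may" fix is fine; as a style point, the bullets directly above this paragraph put Elixir terms in backticks (`or`, `||`, `not`, `!`), while the rewritten line leaves `:ok` and `{:error, _}` as bare text with a backslash-escaped underscore. Suggest wrapping them in backticks for consistency, which also removes the need for the `\_` escape: "when the function returns `:ok` or `{:error, _}`".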
2 changes: 1 addition & 1 deletion modules/7-anti-patterns.livemd
Expand Up @@ -105,7 +105,7 @@ Pretty secure criteria! You type `this_is_MY_super_secure_password` and hit ente

You decide to proxy the request and see that the password is never actually being sent to the server when you press enter - the validation check MUST be happening exclusively client-side.

You appease the JavaScript by adding a 1 to the end then proxy the request in transit, seeing that your input (`this_is_MY_super_secure_password1`) is about to be sent as the one of the payload data objects to the server. Before it leaves your browser though, you change the payload back to your original password that didn't met the criteria and let the request go through.
You appease the JavaScript by adding a 1 to the end then proxy the request in transit, seeing that your input (`this_is_MY_super_secure_password1`) is about to be sent as the one of the payload data objects to the server. Before it leaves your browser though, you change the payload back to your original password that didn't meet the criteria and let the request go through.

To your surprise; the server didn't balk at you! You go to log in to the site with your desired password and it worked!

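Review bot: the "didn't meet" fix is right, but the same line still contains a stray article: "is about to be sent as the one of the payload data objects" should be "as one of the payload data objects".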
2 changes: 1 addition & 1 deletion modules/8-cicd.livemd
Expand Up @@ -41,7 +41,7 @@ Refer to Sobelow's [README](https://github.com/nccgroup/sobelow#installation) fo

### Description

[Salus](https://github.com/coinbase/salus) is a Static Application Security Testing (SAST) orchestration tool - developed by the Security team over at Coinbase. Under the hood it is a Ruby program that determines the language of what codebase it is attempting to run on and with selectively run other open source SAST tools for that language.
[Salus](https://github.com/coinbase/salus) is a Static Application Security Testing (SAST) orchestration tool - developed by the Security team over at Coinbase. Under the hood it is a Ruby program that determines the language of what codebase it is attempting to run on and will selectively run other open source SAST tools for that language.

There is currently an [PR in progress](https://github.com/coinbase/salus/pull/651) for integrating Sobelow into Salus.

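Review bot: the "will selectively" fix is correct; the unchanged context line just below, "There is currently an [PR in progress]", should read "a PR in progress". The rewritten line's phrase "determines the language of what codebase it is attempting to run on" would also read more cleanly as "determines the language of the codebase it is run against".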