cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Baseline WG] Create Secure Software Development Labs in Collaboration with OpenSSF #1335

Closed david-a-wheeler closed 1 week ago

david-a-wheeler commented 2 months ago

Description: Create more hands-on labs for the free "Developing Secure Software" (LFD121) course

Impact: This will significantly help software developers learn how to develop secure software. 53% of software developers have never taken a course in how to develop secure software, and the percentage is much higher for new developers. The LFD121 course is highly rated by those who've taken it, but a common issue they raise is the need for hands-on labs so they can practice applying the ideas. This proposal helps resolve this.

Scope: Each lab takes less than 1 day to create. Any lab would be an improvement. We have 21 unassigned labs. There are 10 that are assigned but not done, and in a few cases I fear the assignee won't complete them (say 2-3 more). So the range of work is 1-24 labs, each < 1 day of work. The list of labs, current assignees, and instructions are here: https://best.openssf.org/labs/ Anyone interested should contact David A. Wheeler, dwheeler @ linuxfoundation DOT org.

SophiaUgo commented 2 months ago

I love the idea, great initiative, and I am equally interested in checking out the course.

eddie-knight commented 2 months ago

@david-a-wheeler shared a time-sensitive request today, looking for someone to volunteer to create two practice labs with a single simple example for each topic:

  1. Cross-site scripting lab
  2. Avoiding default hard-coded credentials

The goal is to have this finished within the next week or two; please raise your hand here if you're interested in contributing!

Josetic224 commented 2 months ago

@SophiaUgo and I would both love to work on this, sir.

david-a-wheeler commented 2 months ago

@Josetic224 @SophiaUgo - THANK YOU. You're awesome!

I suggest first trying out this lab as an example: https://best.openssf.org/labs/input1.html

The idea is that you'd make a copy of our template and edit that copy to create the lab. Here is documentation on creating a lab.

For the moment, I'm going to assume you're working on both of these labs, so here's source material:

  1. Here's the course's material on cross-site scripting (XSS), which the lab will hopefully support: https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#countering-cross-site-scripting-xss

  2. Here's the course material on hard-coded/default credentials: https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-default--hardcoded-credentials

We assume learners know how to program, but we can't assume they know any particular programming language. So we get them started, and we also implement a "hint" button that can help them understand what to do in the language being used. I'm happy to help you if you get stuck.

For context: The list of labs we'd like to do someday, along with existing working labs & instructions for creating a lab, are all here: https://best.openssf.org/labs/

david-a-wheeler commented 2 months ago

You can also contact me via email if you wish, dwheeler (AT) linuxfoundation (DOT) org. I won't be able to respond Aug 29-30, but otherwise I'll be happy to help.

SophiaUgo commented 1 month ago

Alright David we will keep in touch.

Josetic224 commented 1 month ago

@david-a-wheeler Thank you very much.

david-a-wheeler commented 1 month ago

@SophiaUgo @Josetic224 - any news? I want to wrap up these labs! I'm happy to answer questions if you like.

david-a-wheeler commented 3 weeks ago

Hi, I'm so grateful for your willingness to create labs! However, I haven't heard anything, it's been over a month, and I sent a reminder 3 weeks ago.

I plan to drop these assignments tomorrow morning 2024-10-04 unless I hear something, so that others can work on them. If you are working on them, please reply & post your lab(s) soon at https://github.com/ossf/wg-best-practices-os-developers/pulls. I do appreciate your willingness to work on these, but if other things have come up, I understand. I'd like to just release them so others can work on them, with no hard feelings.

Thank you so much!