Found in this series of modules is a curriculum for teaching Secure Coding concepts and ideas centered around the Elixir ecosystem. Core principles of Application Security have been sourced from other available resources within the community and pieced together into this Elixir Livebook format to allow for an interactive spin.
It is worth stating that this material is a work in progress and is open to contributions in order to make this the one-stop shop for Developer Secure Coding Training (for Elixir). The initial training material was originally crafted by the Product Security team at Podium and as such, contains very opinionated lessons to help contribute to the Secure SDLC of Podium's engineers. The more general this material can be made through outside contributors, the more secure we can make the Elixir community.
This curriculum is for any Software Developer / Engineer / Maker / Hacker looking to better their own knowledge of the Web Application Security space, especially as it pertains to Elixir Phoenix applications.
This Training material is also ideally used in an educational environment for organizations to level up their Engineering teams Security knowledge. Quiz questions have been crafted within and an auto-grader that can be deployed in the CI/CD pipeline for local forks of this repo will be made available soon.
If you've never used an Elixir Livebook before, you're in for a treat! They are a very exciting new tool that is actively under development - very similar in application to Jupyter Notebooks, but for the Elixir ecosystem!
It would not do the Livebook any justice to try and summize here how to fully take advantage of all its capabilities, for a better introduction there is a great tutorial offered in local installations of Livebook.
For the purposes of this Training material, just know that you need to run the "Setup" step for the "Notebook dependencies and setup" section at the very top of EVERY module before running any code samples found within the module you're working on.
Spread throughout the Training material, you will find sections labeled Example and Quiz. The idea here is those are relevant (and runnable) code examples in Elixir for the section you're learning about. Examples are just for your education, whereas there will be graded component to Quiz questions.
Don't worry! If you've done the reading for the associated section, you should breeze through it and each question will outline what specifically needs to be done to successfully complete it! Here's an example Quiz question layout:
This is what the question prompt would look like!
This is the description on what the auto-grader is looking for in order to pass the question successfully
Meticulous care has been put into the Quiz questions thus far in order to allow for programmatic grading of answers. This has been done to accommodate the usage of these Training materials en masse for organizations to level up the entirety of their Engineering teams.
As such, each Quiz question is very specific about what to change and what not to change in the code sample - this is to maintain the integrity of the grader and provide immediate feedback to the taker if they succeeded or not. Please do not unnecessarily change the code examples more than what is asked of you in the question!
- Introduction (You Are Here)
- OWASP - ~40 minutes
- Secure SDLC Concepts - ~15 minutes
- GraphQL Security - ~15 minutes
- Elixir Security - ~15 minutes
- Cookie Security - ~10 minutes
- Security Anti-Patterns - ~15 minutes
- CI/CD Tools - ~10 minutes
- The Secure Road - ~10 minutes
Total Time for Completion: ~2hr10m