Commit 1ffc819

fix(lec1,labs): repair Slide 5 mermaid syntax; 4-backtick template fences; lab1 /api/Products endpoint
- lec1 Slide 5: '-.-->' is not valid mermaid (use '-.->'), quote emoji labels
- all submission templates with nested code blocks now use 4-backtick outer fences so GitHub stops closing them at the first inner fence
- lab1 template + acceptance criteria still referenced /rest/products, which 404s in Juice Shop v20.0.0 (moved to /api/Products)

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
1 parent 64058de commit 1ffc819

8 files changed

Lines changed: 40 additions & 40 deletions

labs/lab1.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -95,7 +95,7 @@ Open `http://127.0.0.1:3000` in your browser. Note what you see:
9595

9696
Create `submissions/lab1.md` and **fill in the template below** with your real observations. Don't paraphrase — record what you actually saw.
9797

98-
```markdown
98+
````markdown
9999
# Lab 1 — Submission
100100

101101
## Triage Report: OWASP Juice Shop
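Review bot: the four-backtick outer fence fixes GitHub rendering, but the sentence just above tells students to "fill in the template below", and anyone copying the block verbatim will carry the ````markdown line into submissions/lab1.md; that is only harmless if they also copy the matching ```` closer (old line 146, changed in a later hunk of this file). A short reminder that the outer fence lines are not part of the submission would avoid half-copied fences in graded files.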
@@ -115,7 +115,7 @@ Create `submissions/lab1.md` and **fill in the template below** with your real o
115115

116116
### Health Check
117117
- HTTP code on `/`: <should be 200>
118-
- API check (first 200 chars of `/rest/products`):
118+
- API check (first 200 chars of `/api/Products`):
119119
```
120120
<paste output>
121121
```
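Review bot: renaming the path in the placeholder only fixes the template; the step that tells students which URL to fetch for the Health Check is not in this hunk. Run `grep -rn 'rest/products' labs/ lectures/` before merging so the lab body, any curl example and the checklist all agree on `/api/Products`, otherwise students follow the instructions, get a 404, and paste it under a heading that names a different path.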
@@ -143,7 +143,7 @@ Which of these are MISSING? (cross-reference Lecture 1 OWASP Top 10:2025 — A06
143143
1. **<risk name>** — <why it matters; map to one OWASP Top 10:2025 category>
144144
2. **<risk name>** — <why; map to OWASP>
145145
3. **<risk name>** — <why; map to OWASP>
146-
```
146+
````
147147

148148
### 1.4: Cleanup (when done)
149149

@@ -274,7 +274,7 @@ A "GitHub Community" section with 1-2 sentences explaining:
274274

275275
### B.3: Document in `submissions/lab1.md`
276276

277-
```markdown
277+
````markdown
278278
## Bonus: CI Smoke Test
279279

280280
- Workflow file: `.github/workflows/lab1-smoke.yml`
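Review bot: `.github/workflows/lab1-smoke.yml` is not among the 8 files in this commit; if the smoke test curls the products endpoint it will 404 for the same reason the template did. Either update the workflow in the same commit or confirm it only checks `/` (the template below it pastes an `HTTP/1.1 200 OK` block, which suggests the homepage, but that is worth stating explicitly).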
@@ -285,7 +285,7 @@ A "GitHub Community" section with 1-2 sentences explaining:
285285
```
286286
<paste your "HTTP/1.1 200 OK ..." block>
287287
```
288-
```
288+
````
289289

290290
---
291291

@@ -316,7 +316,7 @@ PR checklist (paste this into your PR body):
316316

317317
### Task 1 (6 pts)
318318
- ✅ Juice Shop v20.0.0 container running on `127.0.0.1:3000` (proof: `docker ps` output in submission)
319-
- ✅ Homepage returns HTTP 200; `/rest/products` returns a JSON list
319+
- ✅ Homepage returns HTTP 200; `/api/Products` returns a JSON list
320320
- ✅ Triage report has all six sections filled in with **real** values (no template placeholders left)
321321
- ✅ At least three security headers are correctly identified as present or missing
322322
- ✅ Top 3 risks each mapped to an OWASP Top 10:2025 category (A01–A10)
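Review bot: the acceptance criterion says `/api/Products` "returns a JSON list", but the Health Check template only captures the first 200 chars of the response, so graders need to know what shape counts. If the endpoint wraps the products in an envelope object rather than returning a bare array, this line should say so (for example "returns JSON product data" or name the expected top-level key), so the criterion matches what students actually paste.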

labs/lab11.md

Lines changed: 6 additions & 6 deletions
@@ -123,7 +123,7 @@ curl -skI https://localhost | tee labs/lab11/results/headers.txt
123123

124124
### 11.4: Document in `submissions/lab11.md`
125125

126-
```markdown
126+
````markdown
127127
# Lab 11 — BONUS — Submission
128128

129129
## Task 1: TLS + Security Headers
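Review bot: fence pairing in this file checks out (126/158, 215/246, 316/347 all move to four backticks together). The remaining way the outer fence can still close early is a nested fence with four or more backticks inside a template, so a quick `grep -n '````' labs/lab11.md` that returns only the six lines in this diff is a cheap guard before merging.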
@@ -155,7 +155,7 @@ curl -skI https://localhost | tee labs/lab11/results/headers.txt
155155
- Referrer-Policy: ...
156156
- Permissions-Policy: ...
157157
- Content-Security-Policy: ...
158-
```
158+
````
159159

160160
---
161161

@@ -212,7 +212,7 @@ Write the 7-step runbook described in Reading 11 (Detect expiry → Order → Va
212212

213213
### 11.8: Document in `submissions/lab11.md`
214214

215-
```markdown
215+
````markdown
216216
## Task 2: Production Posture
217217

218218
### Rate limit proof
@@ -243,7 +243,7 @@ Write the 7-step runbook described in Reading 11 (Detect expiry → Order → Va
243243

244244
### What OCSP stapling buys you (2-3 sentences, reference Reading 11)
245245
Why is OCSP stapling useful for production but not for a self-signed lab cert?
246-
```
246+
````
247247

248248
---
249249

@@ -313,7 +313,7 @@ docker compose exec waf cat /var/log/modsec/audit.log | tail -50 \
313313

314314
### B.5: Document in `submissions/lab11.md`
315315

316-
```markdown
316+
````markdown
317317
## Bonus: WAF Sidecar with OWASP CRS
318318

319319
### Setup choice
@@ -344,7 +344,7 @@ Rule ID: **<e.g. 942100>** — OWASP CRS rule name: **<e.g. SQL Injection Attack
344344
What does the WAF buy you that Lecture 5's SAST + DAST + the L7 Conftest gate didn't already?
345345
What does it COST you? (FP risk at higher paranoia levels; ops overhead; cert/config sprawl.)
346346
When would you NOT deploy a WAF in front of a service?
347-
```
347+
````
348348

349349
---
350350

labs/lab12.md

Lines changed: 6 additions & 6 deletions
@@ -106,7 +106,7 @@ cat labs/lab12/results/kata-kernel.txt
106106

107107
### 12.3: Document in `submissions/lab12.md`
108108

109-
```markdown
109+
````markdown
110110
# Lab 12 — BONUS — Submission
111111

112112
## Task 1: Install + Hello-World
@@ -137,7 +137,7 @@ cat labs/lab12/results/kata-kernel.txt
137137
### Why the kernel differs (Reading 12)
138138
Reading 12 explains the model. Reference Lecture 7 slide 14 — runc CVE-2024-21626 ("Leaky Vessels").
139139
What does the kernel difference imply for that attack class? (2-3 sentences.)
140-
```
140+
````
141141

142142
---
143143

@@ -193,7 +193,7 @@ done | tee labs/lab12/results/io-bench.txt
193193

194194
### 12.6: Document in `submissions/lab12.md`
195195

196-
```markdown
196+
````markdown
197197
## Task 2: Isolation + Performance
198198

199199
### Isolation: /dev diff
@@ -229,7 +229,7 @@ kata:
229229
When is the security gain (separate kernel, runc-CVE class blocked) worth the cost?
230230
When isn't it? Give one example each (e.g., "multi-tenant SaaS workloads = yes;
231231
single-tenant batch jobs = no").
232-
```
232+
````
233233

234234
---
235235

@@ -286,7 +286,7 @@ sudo cat /tmp/lab12-target
286286

287287
### B.4: Document in `submissions/lab12.md`
288288

289-
```markdown
289+
````markdown
290290
## Bonus: Container-Escape PoC
291291

292292
### Vector chosen
@@ -329,7 +329,7 @@ Host verification:
329329
- Why does Kata block what runc allows? (Reference: Kata's micro-VM filesystem IS NOT the host filesystem — bind mounts are virtualized via virtio-fs/9p inside the VM.)
330330
- What real-world threat does this map to? (Multi-tenant CI runners running `--privileged` containers; misconfigured Kubernetes pods.)
331331
- What does this NOT block? (Pure side-channel attacks on the kernel itself, cross-tenant timing attacks. Reading 12's "Confidential Containers" section is where THOSE get defenses.)
332-
```
332+
````
333333

334334
---
335335

labs/lab6.md

Lines changed: 2 additions & 2 deletions
@@ -254,7 +254,7 @@ jq '.results.failed_checks[] | select(.check_id | startswith("CKV2_CUSTOM_"))' \
254254

255255
### B.5: Document in `submissions/lab6.md`
256256

257-
```markdown
257+
````markdown
258258
## Bonus: Custom Checkov Policy
259259

260260
### Policy file (paste full contents of labs/lab6/policies/my-custom-policy.yaml)
@@ -271,7 +271,7 @@ Output of `jq '.results.failed_checks[] | select(.check_id | startswith("CKV2_CU
271271
### Why this rule matters
272272
2-3 sentences: what real-world incident or compliance requirement does your custom policy address?
273273
(References to specific incidents or NIST/CIS controls strengthen the answer.)
274-
```
274+
````
275275

276276
---
277277

labs/lab7.md

Lines changed: 4 additions & 4 deletions
@@ -226,7 +226,7 @@ trivy k8s --namespace juice-shop \
226226

227227
### 7.8: Document in `submissions/lab7.md`
228228

229-
```markdown
229+
````markdown
230230
## Task 2: Kubernetes Hardening
231231

232232
### Manifests (paste relevant snippets)
@@ -258,7 +258,7 @@ Output of `kubectl get pod -n juice-shop -l app=juice-shop`:
258258
### What broke and how you fixed it (2-3 sentences)
259259
`readOnlyRootFilesystem: true` likely broke Juice Shop. What paths did it need to write?
260260
How did you fix it (which emptyDir mounts)?
261-
```
261+
````
262262

263263
---
264264

@@ -316,7 +316,7 @@ conftest test /tmp/bad-pod.yaml --policy labs/lab7/policies
316316

317317
### B.3: Document in `submissions/lab7.md`
318318

319-
```markdown
319+
````markdown
320320
## Bonus: Conftest Policy
321321

322322
### Policy (paste labs/lab7/policies/pod-hardening.rego)
@@ -337,7 +337,7 @@ conftest test /tmp/bad-pod.yaml --policy labs/lab7/policies
337337
### What this prevents at CI time (2-3 sentences)
338338
Reference Lecture 7 slide 16 (admission control diagram). What Class of bug does this
339339
policy catch BEFORE `kubectl apply` runs? Why is catching at CI-time better than at admission-time?
340-
```
340+
````
341341

342342
---
343343

labs/lab8.md

Lines changed: 6 additions & 6 deletions
@@ -160,7 +160,7 @@ cosign verify \
160160

161161
### 8.6: Document in `submissions/lab8.md`
162162

163-
```markdown
163+
````markdown
164164
# Lab 8 — Submission
165165

166166
## Task 1: Sign + Tamper Demo
@@ -196,7 +196,7 @@ Output of `cosign verify` on tampered digest:
196196
### Why digest binding matters (Lecture 8 slide 6)
197197
2-3 sentences. The tampered re-tag pointed to a DIFFERENT digest; your signature was bound to the
198198
ORIGINAL digest. What would have broken if Cosign had signed the tag instead?
199-
```
199+
````
200200

201201
---
202202

@@ -271,7 +271,7 @@ cosign verify-attestation \
271271

272272
### 8.9: Document in `submissions/lab8.md`
273273

274-
```markdown
274+
````markdown
275275
## Task 2: SBOM + Provenance Attestations
276276

277277
### SBOM attestation
@@ -292,7 +292,7 @@ cosign verify-attestation \
292292
Lecture 8 slide 12 + Lecture 9 slide 4 — at K8s admission time, a Kyverno verify-images policy
293293
can require BOTH signatures AND specific attestation predicates. What's the operational difference
294294
between a "signed but no SBOM" image and a "signed with SBOM" image when the next Log4Shell hits?
295-
```
295+
````
296296

297297
---
298298

@@ -374,7 +374,7 @@ cat /tmp/blob-tamper.txt # paste this into submission
374374

375375
### B.5: Document in `submissions/lab8.md`
376376

377-
```markdown
377+
````markdown
378378
## Bonus: Blob Signing (Codecov 2021 mitigation)
379379

380380
### Sign + verify
@@ -394,7 +394,7 @@ Codecov's bash uploader was distributed via `curl | bash` without signature veri
394394
If their CI consumers had been running `cosign verify-blob` before `bash`-ing the script,
395395
how would the attack have failed? Reference Lecture 8 slide 14 + the specific cosign command
396396
that would have caught it.
397-
```
397+
````
398398

399399
---
400400

labs/lab9.md

Lines changed: 6 additions & 6 deletions
@@ -144,7 +144,7 @@ grep "Write to /tmp by container" labs/lab9/falco/logs/falco.log | head -5
144144

145145
### 9.6: Document in `submissions/lab9.md`
146146

147-
```markdown
147+
````markdown
148148
# Lab 9 — Submission
149149

150150
## Task 1: Runtime Detection with Falco
@@ -175,7 +175,7 @@ Falco log line showing your custom rule:
175175
Your custom "write to /tmp" rule will fire on legitimate uses too (logging frameworks
176176
often write to /tmp). What's your tuning approach? (2-3 sentences referencing the
177177
`exceptions:` block vs `and not proc.name=...` patterns from Lecture 9.)
178-
```
178+
````
179179

180180
---
181181

@@ -237,7 +237,7 @@ conftest test labs/lab9/manifests/bad-pod-no-resources.yaml \
237237

238238
### 9.10: Document in `submissions/lab9.md`
239239

240-
```markdown
240+
````markdown
241241
## Task 2: Conftest Policy-as-Code
242242

243243
### My policy file (paste labs/lab9/policies/extra/hardening.rego)
@@ -263,7 +263,7 @@ conftest test labs/lab9/manifests/bad-pod-no-resources.yaml \
263263
### Why CI-time vs admission-time (Lecture 9 slide 9)
264264
2-3 sentences. CI-time Conftest happens during PR review; admission-time Conftest happens at
265265
`kubectl apply`. What's the operational benefit of running BOTH (defense in depth)?
266-
```
266+
````
267267

268268
---
269269

@@ -311,7 +311,7 @@ grep "Cryptominer" labs/lab9/falco/logs/falco.log
311311

312312
### B.4: Document in `submissions/lab9.md`
313313

314-
```markdown
314+
````markdown
315315
## Bonus: Cryptominer Detection Rule
316316

317317
### Rule (paste)
@@ -328,7 +328,7 @@ grep "Cryptominer" labs/lab9/falco/logs/falco.log
328328
- Which 2 indicators did you use and why?
329329
- What does this miss? (i.e., the false-negative case — e.g., obfuscated mining over HTTPS)
330330
- How would you combine this with the Lecture 9 SLA matrix?
331-
```
331+
````
332332

333333
---
334334

lectures/lec1.md

Lines changed: 4 additions & 4 deletions
@@ -70,10 +70,10 @@ graph LR
7070

7171
```mermaid
7272
flowchart LR
73-
Dev[👩‍💻 Dev] -.--> Build[🏗️]
74-
Ops[🖥️ Ops] -.--> Build
75-
Sec[🛡️ Sec] -.--> Build
76-
Build --> DevSecOps[🚀 DevSecOps<br/>Continuous, automated security<br/>at every stage]
73+
Dev["👩‍💻 Dev"] -.-> Build["🏗️ Build"]
74+
Ops["🖥️ Ops"] -.-> Build
75+
Sec["🛡️ Sec"] -.-> Build
76+
Build --> DevSecOps["🚀 DevSecOps<br/>Continuous, automated security<br/>at every stage"]
7777
7878
style DevSecOps fill:#FF9800,color:#fff
7979
```
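Review bot: beyond the `-.->` fix, the Build node's label changes from a bare `🏗️` to `"🏗️ Build"`, which the commit message does not mention; harmless, but either document it or drop it to keep the diff to what the message claims. Quoting the labels is the right call here since `👩‍💻` is a ZWJ emoji sequence and the DevSecOps label carries `<br/>` line breaks. One thing to keep in mind: `Ops` and `Sec` reuse `Build` without a label, which works only because the node is defined on the first edge, so keep that line first if the edges get reordered.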
