Initial Attempts and Feedback Loops #3
Description
This issue documents the initial approach and ideas which we experimented with before deciding on the final structure of the security-template repo for the learning lab.
💡 Ideas
1️⃣ The idea to have this course extensible with other features
- The idea is not implemented because the goal is to have learning lab courses to be stand alone implementations in order to highlight key features being taught
2️⃣ @brianamarie and I had the idea of introducing a vulnerability in a project's dependency via a user activity to highlight the new security feature and educate the user about it.
- For this we decided to experiment by building a react application where introducing a dependency in the package.json file would trigger the security feature
3️⃣ I created a template repo (security-template) using `create-react-app` to experiment with how far we could go with this approach. Here is some feedback from the attempt
- I tried to recreate the Octocat Memory Game as a react app by referencing the following link shared by @JasonEtco in Slack
- To get this to work some extra work is needed to convert the existing js into react ready code
- For the users to have a working copy of the react app on their local machines, they would need to spin up the cloned repo with `yarn start` or `npm start` to see the final result of the game in their browser
- Stumbled upon a bug in `create-react-app` if you have a mixed case in the path name. `yarn start` will throw an error: cannot resolve path. More on it in this issue in fb\cra repo. I do not know if this is fixed, since there are some open threads after the issue was closed
🔔 Conclusion 🔔
Based on the progress made, it is not a good option to proceed with the idea of having a react app to finalise this security-template repo for the learning labs. Why? Because:
- There is no value add in having a working react app which the users would not be deploying
- There is no option for us to keep track of terminal interactions of the users at this moment
- Depending on a third party app to spin up a working web app could lead to having unnecessary bugs that might have not been directly related to learning labs. We would end up fire fighting issues that are not directly related to us
☝️ The conclusions above are also values and points that both @brianamarie and I share and agree upon. We also learned a good deal by keeping the feedback loop in small iterations and failing fast.
🎉 Next Steps 🎉
- Moving forward, we plan to keep the security-template repo simple and easy to work with. Thus we have decided to use the github-games repo to achieve the goals of the security learning lab courses because it already has some `gemlock` vulnerabilities that sit well in our outline of responses flow
- @brianamarie and I will continue to sync up on the responses and template repo related tasks
- We will reach out to bounce ideas or if we need help
🗣CC @hectorsector, @hollenberry, @a-a-ron, @beardofedu and @crichID