Commit 909445d

First draft text of proposed video clips
This creates simple text to introduce major sections with short video clips. I intend for one to be done by CRob.

One feedback item we got was that many people wanted a little more media (video) to break the monotony. The problem is that creating videos takes a lot of time, and more importantly, makes editing the material hard. We might be able to resolve that with AI, but that's a separate discussion.

The proposed solution is to have short video clips that introduce chapters - they are unlikely to need updating, yet they'll help break up the material.

Signed-off-by: David A. Wheeler <[email protected]>
1 parent f8e222c commit 909445d

1 file changed

+23
-1
lines changed


secure_software_development_fundamentals.md

Lines changed: 23 additions & 1 deletion
@@ -176,6 +176,8 @@ With that, let’s begin.
176176

177177
# Security Basics
178178

179+
> 🎥 This chapter provides a high-level overview about security, including definitions of security and privacy, requirements, and risk management. We need to know these security basics so we can understand how to develop software that supports these basics.
180+
179181
This chapter provides a high-level overview about security, including definitions of security and privacy, requirements, and risk management.
180182

181183
Learning Objectives:
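Review bot: The `> 🎥` blockquote at new line 179 is the first use of a new marker, and nothing in this diff says what it means or how it should be rendered, so a reader of the Markdown sees the chapter summary twice in a row (new line 179 and the unchanged line 181). Please document the convention once near the top of the file, or drop the first sentence of the clip text since the paragraph below already states it. The second sentence is also circular ("these security basics ... supports these basics"); naming what the software should support, for example the security requirements covered in the chapter, would read better when spoken.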
@@ -760,6 +762,8 @@ Identifying common kinds of vulnerabilities has another advantage, too: It will
760762

761763
# Design
762764

765+
> 🎥 This chapter describes how to design software to be secure, focusing on key secure design principles such as least privilege, complete mediation, and input validation. These principles will help you avoid common problems and make your software harder to attack.
766+
763767
This chapter describes how to design software to be secure, focusing on key secure design principles such as least privilege, complete mediation, and input validation.
764768

765769
Learning objectives:
@@ -1104,6 +1108,8 @@ A good example of this is the Content Security Policy (CSP) supported by modern
11041108

11051109
# Reusing External Software
11061110

1111+
> 🎥 Hi, I'm CRob. I work at Intel corporation and lead the Open Source Security Foundation Best Practices Working Group. When developing software today we typically don't develop everything from scratch, but instead we typically reuse a lot of existing software. This chapter describes how to reuse software with security in mind, including selecting, downloading, installing, and updating such software.
1112+
11071113
This chapter describes how to reuse software with security in mind, including selecting, downloading, installing, and updating such software.
11081114

11091115
Learning objectives:
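Review bot: New line 1111 hard-codes the presenter's name, employer and working-group role into the course text, which makes this clip the one most likely to go stale if any of those change, against the commit message's stated goal of clips that are "unlikely to need updating". Consider keeping the introduction out of the script text, or noting that this line must be revisited with the presenter. Two smaller points in the same line: "Intel corporation" should be "Intel Corporation", and "typically" appears twice in one sentence ("we typically don't develop ... but instead we typically reuse").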
@@ -1338,6 +1344,8 @@ Practically all programs have to accept input. So we will begin examining how to
13381344

13391345
# Input Validation
13401346

1347+
> 🎥 The first step in developing secure software is to only input that should be accepted. This chapter describes how to validate input, including how to validate numbers and text, the importance of minimizing attack surfaces, and how to improve availability by considering the inputs.
1348+
13411349
This chapter describes how to validate input, including how to validate numbers and text, the importance of minimizing attack surfaces, and how to improve availability by considering the inputs.
13421350

13431351
Learning objectives:
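Review bot: The first sentence at new line 1347 is missing its verb: "is to only input that should be accepted" should read something like "is to accept only input that should be accepted". It is also worth checking whether "The first step in developing secure software" is the intended claim, given that the Security Basics, Design and Reusing External Software chapters all come before this one in the same file.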
@@ -1950,7 +1958,9 @@ Rate limiting is not a complete solution, but it is an easy and inexpensive appr
19501958

19511959
# Processing Data Securely
19521960

1953-
This chapter describes how to process data within software with security in mind, including treating untrusted data as dangerous, avoiding default and hardcoded credentials, avoiding memory safety issues (such as buffer overflows), and avoiding undefined behavior.
1961+
> 🎥 This chapter describes how to process data with security in mind, including treating untrusted data as dangerous, avoiding default and hardcoded credentials, avoiding memory safety issues (such as buffer overflows), and avoiding undefined behavior.
1962+
1963+
This chapter describes how to process data with security in mind, including treating untrusted data as dangerous, avoiding default and hardcoded credentials, avoiding memory safety issues (such as buffer overflows), and avoiding undefined behavior.
19541964

19551965
Learning objectives:
19561966

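Review bot: This is the only hunk that changes existing chapter text rather than just adding a clip line: the removed line 1953 says "process data within software with security in mind" and the re-added line 1963 drops "within software". The commit message describes only the addition of video clip text, so either mention this wording change in the message or move it to its own commit so the clip additions stay a pure insertion and are easy to revert.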
@@ -2306,6 +2316,8 @@ No. The range of possible values varies by language and types used, but attacker
23062316

23072317
# Calling Other Programs
23082318

2319+
> 🎥 Real-world programs often call out to other programs, such as the operating system, database, and supporting browser. This chapter describes how to call other programs securely, including how to counter injection attacks (including SQL injection and OS command injection) and how to properly handle filenames/pathnames.
2320+
23092321
This chapter describes how to call other programs securely, including how to counter injection attacks (including SQL injection and OS command injection) and how to properly handle filenames/pathnames.
23102322

23112323
Learning objectives:
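Review bot: In the added sentence at new line 2319, the example list "the operating system, database, and supporting browser" does not line up with the chapter summary that follows, which covers SQL injection, OS command injection and filenames/pathnames but nothing browser-related. Consider dropping "supporting browser" or explaining what call is meant, and writing "a database" so the list reads cleanly when spoken.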
@@ -3085,6 +3097,8 @@ Make sure that you have backups of important datasets and a workable recovery pr
30853097

30863098
# Sending Output
30873099

3100+
> 🎥 This chapter describes how to send output securely, including how to counter cross-site scripting (XSS) attacks, using HTTP hardening headers, and securely using formatting systems.
3101+
30883102
This chapter describes how to send output securely, including how to counter cross-site scripting (XSS) attacks, using HTTP hardening headers, and securely using formatting systems.
30893103

30903104
Learning objectives:
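Review bot: The clip text at new line 3100 is a word-for-word copy of the unchanged paragraph at line 3102, so the rendered chapter opens with the same sentence twice; the Verification, Threat Modeling, Cryptography and Other Topics hunks below have the same duplication. The Design and Calling Other Programs hunks add a motivating sentence that the paragraph lacks, and doing the same here (why output handling matters before listing XSS, hardening headers and formatting systems) would give the video something the text below it does not already say.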
@@ -3686,6 +3700,8 @@ Thankfully, other than attacks on cryptographic systems, side-channel attacks ar
36863700

36873701
# Verification
36883702

3703+
> 🎥 This chapter describes how to verify for security, including the limitations of tools, the meaning of *static analysis* and *dynamic analysis*, and common types of tools such as security code scanners/static application security testing (SAST) tools, fuzzers, and web application scanners.
3704+
36893705
This chapter describes how to verify for security, including the limitations of tools, the meaning of *static analysis* and *dynamic analysis*, and common types of tools such as security code scanners/static application security testing (SAST) tools, fuzzers, and web application scanners.
36903706

36913707
Learning objectives:
@@ -4099,6 +4115,8 @@ If you are using OSS, consider preferring OSS who have earned a badge. If you ar
40994115

41004116
# Threat Modeling
41014117

4118+
> 🎥 This chapter describes the basics of threat modeling along with a specific threat modeling approach called STRIDE.
4119+
41024120
This chapter describes the basics of threat modeling along with a specific threat modeling approach called STRIDE.
41034121

41044122
Learning objectives:
@@ -4207,6 +4225,8 @@ Threat modeling may be overkill if you do not have significant security threats,
42074225

42084226
# Cryptography
42094227

4228+
> 🎥 This chapter describes the basics of how to use cryptography to help develop secure software, including the basics of symmetric/shared key encryption algorithms, cryptographic hashes, public-key (asymmetric) encryption, how to securely store passwords, cryptographically secure pseudo-random number generators (CSPRNG), and Transport Layer Security (TLS).
4229+
42104230
This chapter describes the basics of how to use cryptography to help develop secure software, including the basics of symmetric/shared key encryption algorithms, cryptographic hashes, public-key (asymmetric) encryption, how to securely store passwords, cryptographically secure pseudo-random number generators (CSPRNG), and Transport Layer Security (TLS).
42114231

42124232
Learning objectives:
@@ -4630,6 +4650,8 @@ Similarly, seek advice from experts, and weigh that advice carefully. Errors in
46304650

46314651
# Other Topics
46324652

4653+
> 🎥 This chapter describes topics on the fundamentals of developing secure software that have not been covered elsewhere, including handling vulnerability disclosures, assurance cases, the basics after development, formal methods, and top vulnerability lists.
4654+
46334655
This chapter describes topics on the fundamentals of developing secure software that have not been covered elsewhere, including handling vulnerability disclosures, assurance cases, the basics after development, formal methods, and top vulnerability lists.
46344656

46354657
Learning objectives:
