Commit 3e8ffd8

Add references to labs for XSS and hardcoded credentials
These are new labs. Make sure the labs are posted before the links to them are added :-).

Signed-off-by: David A. Wheeler <[email protected]>
1 parent b3bdbbe commit 3e8ffd8

1 file changed

+12
-0
lines changed

secure_software_development_fundamentals.md

Lines changed: 12 additions & 0 deletions
@@ -2246,6 +2246,12 @@ For outbound authentication, credentials should be stored outside the code in a
22462246

22472247
🔔 Hardcoded credentials are such a common cause of security vulnerabilities that they are 2021 CWE Top 25 #16 and 2019 CWE Top 25 #19. This weakness is [CWE-798](https://cwe.mitre.org/data/definitions/798.html), *Use of Hard-coded Credentials*. The related *Insufficiently Protected Credentials* is 2021 CWE Top 25 #21 and 2019 CWE Top 25 #27 as [CWE-522](https://cwe.mitre.org/data/definitions/522.html).
22482248

2249+
##### Lab: Hardcoded credentials
2250+
2251+
🧪 **Lab: Please try lab [hardcoded](https://best.openssf.org/labs/hardcoded.html), which lets you experiment with how to eliminate hardcoded credentials as a vulnerability.**
2252+
2253+
*Labs are optional, but you're strongly encouraged to try them!*
2254+
22492255
#### Quiz 2.2: Avoid Default & Hardcoded Credentials
22502256

22512257
\>\>Secret keys should be stored in source code so that they cannot be easily read, as they could be if they were stored in separate files. True or False?<<
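Review bot: the new heading `##### Lab: Hardcoded credentials` is one level deeper than the neighbouring `#### Quiz 2.2: Avoid Default & Hardcoded Credentials` heading and than the `#### Lab: Cross-Site Scripting (XSS)` heading this same commit adds further down; use `####` here so the lab sits at the same level as the quiz and both lab sections are consistent. The link target https://best.openssf.org/labs/hardcoded.html is a new page, so confirm it resolves before merging, as the commit message itself cautions.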
@@ -3544,6 +3550,12 @@ A very mild hardening measure is to set the attribute **HttpOnly** on cookies. T
35443550

35453551
XSS is usually best countered by choosing a framework or library that automatically escapes output for you. However, programs often have many outputs. It would be best if we paired this solution with something else that limited the damage when a mistake *is* made. On the web there is a solution: the Content Security Policy (CSP). The next unit will discuss this.
35463552

3553+
#### Lab: Cross-Site Scripting (XSS)
3554+
3555+
🧪 **Lab: Please try lab [xss](https://best.openssf.org/labs/xss.html), which lets you experiment with how to counter cross-site scripting (XSS) vulnerabilitiesies.**
3556+
3557+
*Labs are optional, but you're strongly encouraged to try them!*
3558+
35473559
#### Quiz 4.2: Countering Cross-Site Scripting (XSS)
35483560

35493561
\>\>Choosing a framework or library that automatically escapes HTML output is often one of the best ways to counter XSS attacks. True or False?<<
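Review bot: typo in the added lab sentence, "vulnerabilitiesies" should read "vulnerabilities". Otherwise this block mirrors the hardcoded-credentials lab addition above; as there, confirm https://best.openssf.org/labs/xss.html is live before merge so the course does not ship a dead link.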
