Documentation updates, post run 11 (#38)

* change from RFC6479 to RFC6749

* add missing lightning icons

* remove OWASP from Zap references

* cleanup, also remove secrets from Github

* remove book reference and delete unused abstract flow image

* introduce numbering to preserve sequence ordering

docs/content/security_resources.md

@@ -15,8 +15,3 @@
 * [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/)
 * [OWASP Software Assurance Maturity Model](https://owaspsamm.org/)
 
----
-
-## Going deeper into A&A?
-
-![OAuth2 in Action](content/images/oauth2inaction.jpeg)<!-- .element style="width:40%"-->

docs/content/the_basics_of_aanda_1.md

@@ -78,7 +78,7 @@ Many scenarios will require __your__ app/api's to play multiples roles, often in
 
 [RFC6749 1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-1.2)
 
-![Abstract flow](content/images/rfc6479_abstract_flow.png)<!-- .element style="width:40%"-->
+![Abstract flow](content/images/rfc6749_abstract_flow.png)<!-- .element style="width:40%"-->
 
 <div style="font-size:0.7em">
 
@@ -125,11 +125,11 @@ Many scenarios will require __your__ app/api's to play multiples roles, often in
 
 ---
 
-## The Authorization Code Grant<br/>[rfc6479 - 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
+## The Authorization Code Grant<br/>[rfc6749 - 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
 
 | | |
 | - | - |
-| ![Code Grant](content/images/rfc6479_code_grant.png)<!-- .element style="width:78%"--> | ![Code Grant](content/images/actors.jpg)<!-- .element style="width:70%"--> |
+| ![Code Grant](content/images/rfc6749_code_grant.png)<!-- .element style="width:78%"--> | ![Code Grant](content/images/actors.jpg)<!-- .element style="width:70%"--> |
 
 ---
 

docs/content/wrap-up.md

@@ -6,6 +6,7 @@
 
 * Microsoft Entra ID App Registrations
 * Remove unused Github CodeSpaces
+* Remove unused Github CodeSpace Secrets
 
 ---
 

ex-02/doc/preparing_the_environment.md

@@ -26,4 +26,4 @@ npm test
 ## --Now You--
 
 * Do the steps
-* When done post the time it took to run the tests to the workshop Slack channel
+* When done post the time it took to run the tests to the workshop Slack channel ⚡️

ex-04/doc/exploring_oauth2_frameworks.md

@@ -12,7 +12,7 @@ The purpose of this section is to list and perhaps discuss a few frameworks for
 ## --Now You--
 
 * Spend a few minutes browsing and make yourself familiar with the resources
-* Drop a message on the course slack channel state which authentication library you are using today (if any)
+* Drop a message on the course slack channel state which authentication library you are using today (if any) ⚡️
 
 ## --Discuss security issues and good practices--
 

ex-04/doc/preparing_the_environment.md

@@ -22,4 +22,4 @@ Steps:
 ## --Now You--
 
 * Do the steps
-* When done post the output the last two lines of the **npm test** command to the course Slack channel
+* When done post the output the last two lines of the **npm test** command to the course Slack channel ⚡️

ex-06/doc/scenario_2.md

@@ -40,7 +40,7 @@ Steps:
 * You may have to start / stop the back-end between changes.
 * Do the steps above
 * Login to your application and figure out how to observe the changes (Hint: "id token")
-* When done - post how many AD groups you are member of into the course Slack channel.
+* When done - post how many AD groups you are member of into the course Slack channel. ⚡️
 
 ### --Further experiments-- (🥸)
 

ex-10/doc/registering_api_in_azure_ad.md → ex-10/doc/1_registering_api_in_azure_ad.md

@@ -36,5 +36,5 @@ Steps:
 ## --Now You--
 
 * Do the steps above
-* When done; post a message to the course Slack channel and include your api's scope (api://..../...)
+* When done; post a message to the course Slack channel and include your api's scope (api://..../...) ⚡️
 

ex-10/doc/protecting_apis.md → ex-10/doc/7_protecting_apis.md

@@ -60,7 +60,7 @@ There are other security measures in the API implementation that we don't discus
 * Document APIs using Swagger or OpenAPI spec
 * Create security related test
   * Use [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) as an guide line for testing and secure coding practices.
-  * Apply tools to test your API's. (Fuzzers, OWASP ZAP etc..)
+  * Apply tools to test your API's. (Fuzzers, ZAP etc..)
   * Test from the outside (integration, end-to-end) (utilizing all components?)
 * Consult OWASP Top 10's
   * [API](https://owasp.org/www-project-api-security/)

ex-10/readme.md

@@ -4,11 +4,11 @@ In this exercise we will investigate how to protect web api's using OAuth2. We w
 
 ## Outline
 
-* [The Scenario](doc/the_scenario.md)
-* [Registering the API in Microsoft Entra ID](doc/registering_api_in_azure_ad.md)
-* [Exploring the Client Code](doc/exploring_the_client_code.md)
-* [Exploring the API Code](doc/exploring_the_api_code.md)
-* [Configure the Client and the API](doc/configure_client_and_api.md)
-* [Execute the Client and the API](doc/execute_client_and_api.md)
-* [Swapping from Node to Python on the Episodes API](doc/swapping_tech_for_episodes_api.md)
-* [Defense in depth - protecting API's](doc/protecting_apis.md) (🥸)
+* [1. The Scenario](doc/0_the_scenario.md)
+* [Registering the API in Microsoft Entra ID](doc/1_registering_api_in_azure_ad.md)
+* [Exploring the Client Code](doc/2_exploring_the_client_code.md)
+* [Exploring the API Code](doc/3_exploring_the_api_code.md)
+* [Configure the Client and the API](doc/4_configure_client_and_api.md)
+* [Execute the Client and the API](doc/5_execute_client_and_api.md)
+* [Swapping from Node to Python on the Episodes API](doc/6_swapping_tech_for_episodes_api.md)
+* [Defense in depth - protecting API's](doc/7_protecting_apis.md) (🥸)

ex-11/doc/security_considerations.md → ex-11/doc/7_security_considerations.md

@@ -7,7 +7,7 @@
 * Use frameworks as much as possible to handle the flows?
   * Testability and frameworks are a potential issue.
 * Using a lot of different technologies in projects sets high demand to team skills and capabilities.
-* Establish good practice around debugging/tracing to understand network flow (OWASP Zap)
+* Establish good practice around debugging/tracing to understand network flow (Zap)
   * For NodeJS i recommend the Global Agent module to enable debugging using a network proxy 
 * Scan for open source components for known vulnerabilities
 

ex-11/readme.md

@@ -4,11 +4,11 @@ In this exercise we will investigate how to protect web api's using the OBO flow
 
 ## Outline
 
-* [The Scenario](doc/the_scenario.md)
-* [The On-Behalf-Of flow](doc/the_obo_flow.md)
-* [Quotes Api - Code, Config and start](doc/quotes_code_config.md)
-* [Episodes Api - Code, Config and start](doc/episodes_code_config.md)
-* [Client - Code, Config and start](doc/client_code_config.md)
-* [Swapping from Node to Python on the Episodes API](doc/swapping_tech_for_episodes_api.md)
-* [Swapping from Node to .net on the Quotes API](doc/swapping_tech_for_quotes_api.md)
-* [Security Considerations](doc/security_considerations.md)
+* [The Scenario](doc/0_the_scenario.md)
+* [The On-Behalf-Of flow](doc/1_the_obo_flow.md)
+* [Quotes Api - Code, Config and start](doc/2_quotes_code_config.md)
+* [Episodes Api - Code, Config and start](doc/3_episodes_code_config.md)
+* [Client - Code, Config and start](doc/4_client_code_config.md)
+* [Swapping from Node to Python on the Episodes API](doc/5_swapping_tech_for_episodes_api.md)
+* [Swapping from Node to .net on the Quotes API](doc/6_swapping_tech_for_quotes_api.md)
+* [Security Considerations](doc/7_security_considerations.md)