Customizing Security Labs lessons
You can create your own labs using Security Labs as a sandbox, customize the lab assignments and deadlines you give to individual users, and customize the concluding text of labs.
You must contact your Veracode Security Labs team to enable creating your own labs.
Create lessons
You can create lessons using Security Labs as a sandbox. If you need help, Veracode can provide you with a template, or you can create a lesson from scratch.
Before you begin:
Veracode must enable this feature, and you must be the Security Labs standalone administrator to customize labs.
To complete this task:
- Go to https://securitylabs.veracode.com/modules/update. A list of your modules opens.
- To create a module that holds one or more lessons, select Add new module. Or, scroll down to an existing module into which you want to add lessons and select Edit module lessons.
- From the top left select Add new lesson. The new lesson window opens.
- Add the title of your new lesson.
- Add the slug of your lesson. The slug is the last subdirectory of the URL for your lesson. For example, if you add
node-sqli, the URL of your lesson ishttp://securitylabs.veracode.com/lesson/node-sqli. - To specify the language of your lesson, select a stack.
- Select a display type.
- Optionally, to determine the order in which your users see your module relative to other modules, enter an integer for Order.
- Optionally, to categorize your lesson, select a focus from Focus.
- Select Save new lesson. The Edit lesson window opens.
Edit lessons
You can edit the lessons in your modules.
Before you begin:
Veracode must enable this feature, and you must be the Security Labs standalone administrator to customize labs.
To complete this task:
- Go to https://securitylabs.veracode.com/modules/update. A list of your modules opens.
- Select the module with the lab you want to edit. The edit screen of the module opens.
- From the top left, select Edit module lessons. The Lessons screen opens with a list of the lessons on the left.
- Select the edit icon next to the lab you want to edit. The edit page of the lesson opens.
Create modules
Modules are topic holders for one or more labs.
Before you begin:
Veracode must enable this feature, and you must be the Security Labs standalone administrator to customize labs.
To complete this task:
- Go to https://securitylabs.veracode.com/modules/update. A list of your modules opens.
- Select Add new module. The new module title window opens.
- Add the title of the new module.
- Select Save new module. Your new module appears below.
- Add a description.
- For Category, select a category for your audience. If you don't know the category, select owasp.
- Optionally, to determine the order in which your users see your module relative to other modules, enter an integer for Order.
- Select Update module.
- From the top left of your module, select Edit module lessons. The Lessons page opens.
- Select Add new lesson.
- Add your lessons.
- Save your lessons.
- From the top left, select BACK TO MODULES. The Modules window opens.
- To publish your module, scroll down to your module and clear Unpublished.
- Select Update Module.
Edit modules
You can edit the title, description, permissions, categories, and labs of your modules.
Before you begin:
Veracode must enable this feature, and you must be the Security Labs standalone administrator to customize labs.
To complete this task:
- Go to https://securitylabs.veracode.com/modules/update. A list of your modules opens.
- Select the module to edit. The edit window opens.
- Edit the title, description, permissions, categories, and order of your module.
- Select Update module.
Security Labs Edit lesson page
Overview
| Feature | Description |
|---|---|
| Stack | The language of your lesson. |
| Slug | The last subdirectory of the URL for your lesson. For example, if you add node-sqli, the URL of your lesson is http://securitylabs.veracode.com/lesson/node-sqli. |
| Display type | More information. |
| Allow others to view this lesson? | Publish or unpublish a lesson. Any team members can still access an unpublished lesson if they have a direct link to the lab URL, but you cannot assign the lesson to users until you publish. |
| Prevent future edits? | To prevent changes to the lesson, select Locked. |
| Topic | Enter a value to appear in place of the words this topic for the modal shown at the beginning and end of the lesson. This modal displays the message Rate your familiarity with this topic. |
| Points | Optionally, assign points for the difficulty of the lab. 10 points is most common for lessons with average difficulty. For more difficult lessons, increase the points a user can earn to 20 or 30. |
Setup
| Feature | Description |
|---|---|
| Is this a lesson or a challenge? | Select Challenge or Lesson. Challenge labs are typically more difficult and do not provide step-by-step guidance to users. They list as {Title} Challenge and provide a warning to your users that they should be familiar with the topic. |
| Servers | A Docker image based on the applications identified by a language and a security topic. |
| Additional server setup commands | Optionally, include additional setup code. This code runs in Bash shell as the root user after a user selects the lab. |
| Expand paths | Automatically expand any folders in the GUI editor. |
| Editor hints | Place a red dot next to the name of any file or folder specified in the GUI editor. |
Content
You can write all content in Markdown.
To display the current lab URL of the user, use the escape sequence {$VIRTUAL_HOST} in any lesson text. For example, {$VIRTUAL_HOST}/api displays as https://xxxxxx.vsl.dev/api.
| Feature | Description |
|---|---|
| Conclusion | Shows as a final step of instruction text in place of the phrase "You have completed this lab!". |
| Steps | Select to add steps. |
| Summary | Summarize the steps the user needs to take. |
| Hint | Displays if the user has been on a step for a long time, or tries to select Next before completing a step. |
| Solution | Provide a solution for the step that is visible only to administrators. |
| Checks | To determine if the user can progress to the next step, select to run checks every few seconds on a step. The check is Bash code that runs as the root user on the container, and the result is the exact terminal output expected from running the check. |
Display types in lessons
Display type determines how the lab interface displays to a user in a lesson. The following tables describes the display types and how they change lab interfaces:
| Display type | Lab interface change |
|---|---|
| site | Shows the terminal, GUI editor, the web application of the lab in an iframe, and automatically boots the web application. |
| site (no iframe) | Automatically boots the application of the lab, but does not show an iframe. To open the application in a new tab, your users must select the URL. |
| terminal | Shows only the terminal interface and the GUI file editor. You might want to use this feature for topics that are not specific to application security, such as a forensics lab. |
| terminal (no editor) | Shows only the terminal, but not the file editor. You might want to use this feature for topics that are not specific to application security and do not require users to modify files. |
| external | This is CTF-style (Capture the flag). It shows no terminal or application interface, and only shows an input box. You might want to use this feature for open-research-type labs or quizzes. |
Customize concluding content
You can customize the concluding text of labs. For example, to make labs more personal to your learners, add your own policy documents or code examples.
Before you begin:
You must be the Security Labs standalone administrator.
To complete this task:
- Go to https://securitylabs.veracode.com/team/campaigns
- Select Customize content. The Customize lab conclusions page opens.
- Under the lab you want to customize, select Customize or Modify custom text. A text box opens.
- Write or edit your concluding text. To add hyperlinks, use Markdown.
- Select Update conclusion.