Manage Security Labs learning
A Security Labs Administrator manages Security Labs learning using:
Campaigns
You create campaigns to assign lessons to learners. A campaign has one or more lab assignments.
An assignment is a grouping of related labs within a campaign. You assign a campaign to one or more teams.
For in-app guidance while creating a campaign, select .
You assign content to your campaign in one of the following ways:
Create campaign and assign content automatically
You can create a campaign to automatically select content based on given criteria. We recommend you assign content automatically.
To complete this task:
- In the top-right of a Security Labs page, select your username to open the main menu.
- Select Assign Content. The Assign content through campaigns page opens.
- Select Create New Campaign. The Create New Campaign dialog window opens.
- Enter a name for the new campaign and select the teams. The campaign is assigned to the users belonging to the selected teams.
- Select Automatically, and then select Next.
  - Under Select languages, select the icons for the languages you want in the assignment, or select Select all to include all languages.
  - In Select Schedule, select the frequency of the labs.
  - In Select Focus, select the focus area or level.
- Select Next. The campaign summary window opens. Set the start date and time. If applicable, set the end date and time. If you had selected Quarterly Deadlines for a Year or Monthly Topics for a Year from the Select Schedule menu, the End date selection is not available.
- Select the configuration option for your campaign.
- Select Create. The Create campaign dialog window opens.
- Select whether to launch the campaign immediately or leave it inactive (paused).
- Select Create. The new campaign appears in the list of campaigns as either live or paused.
Create campaign and assign content manually
You can create a campaign where you assign content manually. When you assign content manually, you filter and select content based on module name, lesson name or CWE flaw, so you can select the content you want to assign to learners.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Assign Content. The Assign content through campaigns page opens.
- Select Create New Campaign. The Create New Campaign dialog window opens.
- Enter a name for the new campaign and select the teams. The campaign is assigned to the users belonging to the selected teams.
- Select Manually, and then select Create. The campaign displays in the list of current campaigns.
- For Select language(s), select or unselect the languages for the assignment. The color of a selected language is yellow.
- Select the configuration option for your campaign.
- Select Add an assignment. The assignment section displays.
- In Assignment title, enter a name for the assignment and select Update assigned content. The Assign content window opens with a list of all the available labs for the languages you selected.
- Search for labs or lessons by entering the module name, lab name, lesson name, or CWE error in the search field.
- To select a lab to include in the assignment, select the Assign lab checkbox for the lab. To set the lab as an optional lesson in the assignment, select Make optional.
- After including all the labs for the assignment, select Add content.
- In Start date, enter the date and time when learners must start the assignment.
- In Due date, select one of the following options:
  - None if you don't want a due date for the campaign.
  - Fixed if you want to specify the due date for the campaign.
  - Relative if you want to specify the number of days, weeks, or months from the assignment date the user has to complete the campaign.
- Select Notify users by email when this assignment starts if needed. Then, select Save.
- Create additional assignments as required.
Configure a campaign
You can configure a campaign in the following ways:
- Continuous Schedule: Turn this on if you want the first lab in the next assignment to become available after the learner completes the current assignment.
- Competition mode: Turn this on to gamify Security Labs and motivate your users. There are two ways to evaluate competitions:
  - Compete by User: Select this to evaluate each user's score and allow users to compete with one another.
  - Compete by Team: Select this to evaluate the consolidated score of users in a team and allow competition based on team.
- Allow users to take labs after campaign deadlines have passed: Select this option to enforce a time limit for learners to complete the campaign.
- Consider a lab complete if the user completed it prior to this campaign: Turn on this option to count lessons completed before the campaign start date.
Launch and pause campaigns
A campaign has two states: Launched and Paused. When a campaign is in the Launched state, users can access the assignments in the campaign. When a campaign is in the Paused state, users cannot access the assignments in the campaign.
When a campaign is created, it is in the Launched state. You can pause a campaign or launch a campaign that was paused.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Assign Content. The Assign content through campaigns page opens.
- Select the campaign that you want to launch or pause.
- Select the Launch campaign or Pause campaign button for the campaign.
Security Labs Reporting
You can use Security Labs reporting to:
- View the progress of your users in multiple locations in Security Labs.
- Download CSV files with different types of reporting that support PCI compliance and auditing.
- Configure the Security Labs API to programmatically send you progress data.
View Security Labs Reporting
You use the Reporting page to view information about how people are using Security Labs. The page consists of a dashboard with sections that report on different metrics.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Reporting. The Reporting page opens.
- From Timeframe, select a time period for which you want to view information. By default, the timeframe begins when your organization created the account. To view information for a specific campaign, select Campaign Duration as the timeframe. The Campaign dropdown menu displays. Use this menu to select the campaign for which you want to view information.
- From the Team menu, select one or more teams for which you want to view information.
- Select a link in any section to see more details.
View progress reports for Security Labs users
You can view and download progress reports on all users or individual users you manage. You can use these reports for PCI compliance.
You can also get reports with the REST API.
To complete this task:
- In the top-right of a Security Labs page, select your username to open the main menu.
- Select All users. The All users page opens.
- To download a CSV file report with the overall progress of all your users, select Export Progress CSV. This is the most common report you use for PCI compliance reporting.
- To view the progress of a single user, select the View progress button for the user whose progress you want to view. The progress page for the user opens. To download a CSV file report for the user, select Export CSV.
View Security Labs user reports for campaigns and assignments
You can view and download progress reports on all users in a campaign and all users of an assignment. You can use these reports for PCI compliance.
You can also get reports with the REST API.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Assign Content. The Assign content through campaigns page opens.
- Select the campaign for which you want to see progress. The campaign opens.
  - Select View Reporting for the campaign to view the reporting page for the campaign.
  - Select Export campaign progress for the campaign to download the CSV file that has the names, emails, and assignment progress of your users in the campaign.
- To download user progress reports on a specific assignment in the campaign, scroll to the assignment on which you want a report. Select Export assignment progress to download the CSV file that has the names, emails, and progress of your users in that assignment.
Get Security Labs reports with the REST API
You can use Security Labs API documentation to configure and use the API. With the API, you can get information on the progress of your team and individual users in your company dashboard or LMS.
Customizing Security Labs lessons
If you have Custom labs and Custom conclusions enabled, you can create your own labs using Security Labs as a sandbox, customize the lab assignments and deadlines you give to individual users, and customize the concluding text of labs.
You must contact your Veracode Security Labs team to enable this feature.
Create modules
You create lessons within modules.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Manage Custom Content. The Modules page opens. You can create a new module and add lessons, or add lessons to existing modules.
- To create a new module, select Add new module. In New module title, enter a name for the module and then select Save new module. The newly created module is listed under Modules.
- Select the module that you just created. Enter a description.
- For Category, select your audience category. If you don't know the category, select owasp.
- Optionally, in Order, specify the order in which users see this module relative to other modules. Enter an integer.
- After you have created lessons for this module, in Allow others to view this module?, switch to Published to publish the module.
- Select Update Module.
Create lessons
You can create lessons using Security Labs as a sandbox. If you need help, Veracode can provide you with a template, or you can create a lesson from scratch. You create a lesson within a module.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Manage Custom Content. The Modules page opens.
- Select the module to which you want to add a lesson. The module section displays. Select Edit module lessons under the module name. The Lessons page for the module opens.
- From the left, select Add new lesson. The new lesson window opens. Provide the following details for the new lesson:
| Field | Description |
|---|---|
| New lesson title | Title of the lesson. |
| New lesson slug | The slug is the last subdirectory of the URL for your lesson. For example, if you add node-sqli, the URL of your lesson is http://securitylabs.veracode.com/lesson/node-sqli. |
| Stack | The language of your lesson. |
| Slug | The last subdirectory of the URL for your lesson. For example, if you add node-sqli, the URL of your lesson is http://securitylabs.veracode.com/lesson/node-sqli. |
| Display type | More information. |
| New lesson description | Description for the lesson. |
| New lesson order | The order in which your users see your lesson relative to other lessons. Enter an integer. |
| Focus | To categorize your lesson based on focus, select a focus. |
- Select Save new lesson. The edit page of the lesson opens.
Security Labs - edit lesson page
The edit page of a Security Labs lesson has three sections:
Overview
| Feature | Description |
|---|---|
| Stack | The language of your lesson. |
| Slug | The last subdirectory of the URL for your lesson. For example, if you add node-sqli, the URL of your lesson is http://securitylabs.veracode.com/lesson/node-sqli. |
| Display type | More information. |
| Allow others to view this lesson? | Publish or unpublish a lesson. Any team members can still access an unpublished lesson if they have a direct link to the lab URL, but you cannot assign the lesson to users until you publish. |
| Prevent future edits? | To prevent changes to the lesson, select Locked. |
| Topic | Enter a value to appear in place of the words this topic for the modal shown at the beginning and end of the lesson. This modal displays the message Rate your familiarity with this topic. |
| Points | Optionally, assign points for the difficulty of the lab. 10 points is most common for lessons with average difficulty. For more difficult lessons, increase the points a user can earn to 20 or 30. |
Setup
| Feature | Description |
|---|---|
| Is this a lesson or a challenge? | Select Challenge or Lesson. Challenge labs are typically more difficult and do not provide step-by-step guidance to users. They list as {Title} Challenge and provide a warning to your users that they should be familiar with the topic. |
| Servers | A Docker image based on the applications identified by a language and a security topic. |
| Additional server setup commands | Optionally, include additional setup code. This code runs in Bash shell as the root user after a user selects the lab. |
| Expand paths | Automatically expand any folders in the GUI editor. |
| Editor hints | Place a red dot next to the name of any file or folder specified in the GUI editor. |
Content
You can write all content in Markdown.
To display the current lab URL of the user, use the escape sequence {$VIRTUAL_HOST} in any lesson text. For example, {$VIRTUAL_HOST}/api displays as https://xxxxxx.vsl.dev/api.
| Feature | Description |
|---|---|
| Conclusion | Shows as a final step of instruction text in place of the phrase "You have completed this lab!". |
| Steps | Select to add steps. |
| Summary | Summarize the steps the user needs to take. |
| Hint | Displays if the user has been on a step for a long time, or tries to select Next before completing a step. |
| Solution | Provide a solution for the step that is visible only to administrators. |
| Checks | To determine if the user can progress to the next step, select to run checks every few seconds on a step. The check is Bash code that runs as the root user on the container, and the result is the exact terminal output expected from running the check. |
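
A step check of the kind the Checks row describes, as an added example that is not taken from the Security Labs documentation. It assumes a hypothetical SQL injection lesson whose file `/app/routes/users.js` (a constructed path) must move from string-concatenated SQL to a parameterized query, and it prints one fixed token so that the expected result is trivial to match exactly.

```shell
#!/usr/bin/env bash
# Added example: step check for a hypothetical SQL injection lesson.
# The file path and the query patterns are assumptions for illustration.

# check_sqli_fixed FILE
# Prints exactly "PASS" or "FAIL" on one line and nothing else, because the
# expected result is compared against the exact terminal output of the check.
check_sqli_fixed() {
  local file="$1"
  local code

  # File missing: the learner deleted it or the lab is not set up yet.
  [ -f "$file" ] || { echo "FAIL"; return 0; }

  # Ignore // comment lines so a commented-out fix does not pass the step
  # and a commented-out old query does not fail it.
  code="$(grep -v '^[[:space:]]*//' "$file" || true)"

  # Still vulnerable: SQL text concatenated with request input.
  if printf '%s\n' "$code" |
     grep -Eq "(SELECT|INSERT|UPDATE|DELETE)[^;]*['\"][[:space:]]*\+[[:space:]]*req\."; then
    echo "FAIL"; return 0
  fi

  # Fixed: a placeholder (? or $1 style) inside a query() call.
  if printf '%s\n' "$code" | grep -Eq 'query\([^)]*(\?|\$[0-9]+)'; then
    echo "PASS"; return 0
  fi

  echo "FAIL"
}

# Entry point when pasted as the check; expected result for the step: PASS
check_sqli_fixed "${1:-/app/routes/users.js}"
```

Because checks run as root every few seconds, this one only reads the lesson file and sends no error text to the terminal, so its output stays deterministic between runs.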
Edit modules
You can edit the details of a module.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Manage Custom Content. The Modules page opens.
- Select the module you want to edit. The module section displays.
- Edit the title, description, publishing status, categories, and order of your module.
- Select Update module.
Edit lessons
You can add new lessons to a module or update existing lessons in a module.
To complete this task:
- At the top-right of a Security Labs page, select your username to open the main menu.
- Select Manage Custom Content. The Modules page opens.
- Select the module to which you want to add a lesson. The module section displays.
- Select Edit module lessons under the module name. The Lessons page for the module opens.
- From here you can create a new lesson or edit an existing lesson.
Display types in lessons
Display type determines how the lab interface displays to a user in a lesson. The following table describes the display types and how they change lab interfaces:
| Display type | Lab interface change |
|---|---|
| site | Shows the terminal, GUI editor, the web application of the lab in an iframe, and automatically boots the web application. |
| site (no iframe) | Automatically boots the application of the lab, but does not show an iframe. To open the application in a new tab, your users must select the URL. |
| terminal | Shows only the terminal interface and the GUI file editor. You might want to use this feature for topics that are not specific to application security, such as a forensics lab. |
| terminal (no editor) | Shows only the terminal, but not the file editor. You might want to use this feature for topics that are not specific to application security and do not require users to modify files. |
| external | This is CTF-style (Capture the flag). It shows no terminal or application interface, and only shows an input box. You might want to use this feature for open-research-type labs or quizzes. |
Customize concluding content
You can customize the concluding text of labs. For example, to make labs more personal to your learners, add your own policy documents or code examples.
Before you begin:
You must be the Security Labs standalone administrator.
To complete this task:
- Go to the Campaigns page.
- Select Customize content. The Customize lab conclusions page opens.
- Under the lab you want to customize, select Customize or Modify custom text. A text box opens.
- Write or edit your concluding text. To add hyperlinks, use Markdown.
- Select Update conclusion.