Labs

These are labs for those who are learning how to develop secure software. See our introduction for more information. They’re designed to support our free course Developing Secure Software (LFD121).

You can download the labs in these sections, e.g., to run locally without Internet access. Labs with a locale prefix are for that locale (e.g., ja_hello is the Japanese translation of hello).

We want people to create more labs! Here’s more information about how to do that and the labs we’d like created.

Sample available labs

Here are some of the labs available, which you can use as examples:

• hello - simple “Hello, world!” demo. (ja_hello, fr_hello)
• input1 - input validation (simple types)
• regex0 - regular expressions (regexes) - introduction
• regex1 - regular expressions (regexes)
• input2 - input validation (more complex situations)
• csp1 - Content Security Policy (CSP)
• oob1 - Out-of-bounds (OOB)
• handling-errors - Handling errors

We also have a template available.

Please contribute labs

Please help us create labs! See “Please help us create labs!” for why it’s important to help us create labs.

We would love to have people contribute relevant labs to help people learn how to develop secure software. We’d be happy to give you credit through a “wall of fame”.

If you’re interested, please contact David A. Wheeler. See below for how to create labs and our lab roadmap.

Please help us translate labs

We’d love to have labs available in various natural languages! You can take existing labs and translate them. For technical details, see the information on lab localization. Let us know if you’re doing it! Please see how to contribute labs for more.

How to create and submit labs

See create labs if you want to learn how to create labs. In particular, that page will link to how to create labs using checker. We suggest using the template as a start.

To submit new or updated labs, create a pull request on the OpenSSF Best Practices Working Group (WG) repository under the docs/labs directory. Simply fork the repository, add your proposed lab in the docs/labs directory, and create a pull request.

Lab Roadmap

We plan to create labs for the secure software development fundamentals course; here is its development website.

Below are the sections where we plan to create labs, along with mappings to existing labs or people who have agreed to work on one. The items marked “PLANNED” with “-1” are those we intend to do first; “PLANNED” with “-2” are planned in a second pass, “PLANNED” with “-0” were done early. The term “PLANNED” is replaced with “DONE” as they’re done. The ones marked “UNASSIGNED” are ones where no one has (yet) agreed to work on.

• Input Validation
  • Input Validation Basics
    • Input Validation Basics Introduction - DONE-0 hello ja_hello
    • How Do You Validate Input?, Input Validation: Numbers and Text
  • Input Validation: Numbers and Text
    • Input Validation: A Few Simple Data Types - DONE-0 input1
    • Sidequest: Text, Unicode, and Locales
    • Validating Text
    • Introduction to Regular Expressions - DONE-0 regex0
    • Using Regular Expressions for Text Input Validation - DONE-0 regex1, input2
    • Countering ReDoS Attacks on Regular Expressions - DONE-2 (Camila Vilarinho, 2026-07-19) redos
  • Input Validation: Beyond Numbers and Text
    • Insecure Deserialization - PLANNED-2 (Camila Vilarinho) deserialization
    • Input Validation: Beyond Numbers and Text - PLANNED-2 UNASSIGNED
    • Minimizing Attack Surface, Identification, Authentication, and Authorization - PLANNED-2 UNASSIGNED
    • Search Paths and Environment Variables (including setuid/setgid Programs) - PLANNED-2 UNASSIGNED
    • Special Inputs: Secure Defaults and Secure Startup - PLANNED-2 UNASSIGNED
  • Consider Availability on All Inputs
    • Consider Availability on All Inputs Introduction - PLANNED-2 UNASSIGNED
• Processing Data Securely
  • Processing Data Securely: General Issues
    • Prefer Trusted Data. Treat Untrusted Data as Dangerous - PLANNED-2 UNASSIGNED
    • Avoid Default & Hardcoded Credentials - DONE-1 (David A. Wheeler) hardcoded
    • Avoid Incorrect Conversion or Cast - DONE-2 (Keith Grant via Vincent Danen, by 2024-07-26) conversion
  • Processing Data Securely: Undefined Behavior / Memory Safety
    • Countering Out-of-Bounds Reads and Writes (Buffer Overflow) - DONE-0 oob1
    • Double-free, Use-after-free, and Missing Release - DONE-1 (David A. Wheeler) free
    • Avoid Undefined Behavior - PLANNED-2 UNASSIGNED
  • Processing Data Securely: Calculate Correctly
    • Avoid Integer Overflow, Wraparound, and Underflow - PLANNED-2, first draft by 2024-07-19 (Petr Matousek via Vincent Danen)
• Calling Other Programs
  • Introduction to Securely Calling Programs
    • Introduction to Securely Calling Programs - The Basics
  • Calling Other Programs: Injection and Filenames
    • SQL Injection - DONE-1 (@Elijah Everett, 2024-08-13) sql-injection
    • OS Command (Shell) injection - DONE-1 (Marta Rybczynska) shell-injection argument-injection
    • Other Injection Attacks - PLANNED-2 (Dhananjay Arunesh via Vincent Danen, 2026-07-26)
    • Filenames (Including Path Traversal and Link Following) - PLANNED-2 UNASSIGNED
  • Calling Other Programs: Other Issues
    • Call APIs for Programs and Check What Is Returned - PLANNED-2 UNASSIGNED
    • Handling Errors - DONE-2 (Avishay Balter) handling-errors
    • Logging - PLANNED-2 UNASSIGNED
    • Debug and Assertion Code - DONE-1 (David A. Wheeler) assert
    • Countering Denial-of-Service (DoS) Attacks - PLANNED-2 UNASSIGNED
• Sending Output
  • Introduction to Sending Output - PLANNED-2 UNASSIGNED
  • Countering Cross-Site Scripting (XSS) - DONE-1 (David A. Wheeler) xss
  • Content Security Policy (CSP) - DONE-0 csp1
  • Other HTTP Hardening Headers - (probably continue csp1) PLANNED-2 UNASSIGNED
  • Cookies Cookies & Login Sessions Login Sessions - PLANNED-2 (Dhananjay Arunesh via Vincent Danen)
  • CSRF / XSRF - PLANNED-2 UNASSIGNED
  • Open Redirects and Forwards - PLANNED-2 UNASSIGNED
  • HTML target and JavaScript window.open() - PLANNED-2 UNASSIGNED
  • Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF) - PLANNED-2 UNASSIGNED
  • Same-Origin Policy and Cross-Origin Resource Sharing (CORS) - PLANNED-2 UNASSIGNED
  • Format Strings and Templates - DONE-1 (Jason Shepherd) format-strings
  • Minimize Feedback / Information Exposure - PLANNED-2 (Ibrahim Mukherjee, 2026-08-07)
  • Avoid caching sensitive information - PLANNED-2 UNASSIGNED
  • Side-Channel Attacks - PLANNED-2 UNASSIGNED

Our thanks

Thanks to the following people who have created or offered to create labs (sorted by given/first name):

• Avishay Balter (Microsoft)
• Camila Vilarinho
• David A. Wheeler (Linux Foundation)
• Dhananjay Arunesh
• Elijah Everett
• Emily Lovell
• Jason Shepherd
• Jeremiah Howard
• Keith Grant
• Liran Tal
• Marta Rybczynska
• Petr Matousek
• Tapas Jena

Other information

You can find the current version of this page at the OpenSSF Best Practices WG labs site.

All code to implement the labs is released under the MIT license. All text is released under the Creative Commons Attribution (CC-BY-4.0) license.

This site is open source. Improve this page.