External Exercises
Practice problems and hands-on exercises from external sources. Use these only after you have completed the concept pages and at least one pass through the practice pages. The goal is fluency, not completion for its own sake. Prefer local exercises first: threat models from diagrams, local OpenTelemetry Collector exports, Prometheus/Grafana/Jaeger/Loki-style tooling, secret-rotation mocks, and static scans all count when they prove the security or observability behavior without paid services.
How To Use This Page
- Finish the relevant concept page first.
- Do the matching practice exercise or kata from memory.
- Only then pick an external exercise from below.
- Keep a mistake log with tags such as "wrong STRIDE letter", "static secret where dynamic was right", "cause alert pretending to be symptom", "high-cardinality label", "runbook lacks verification step".
Track A -- Threat Modeling and Cloud Security Foundations
OWASP Community
- OWASP Threat Modeling -- read through one full worked example and produce your own model for a system you use daily (email client, online banking, food delivery). Use STRIDE; aim for one finding per letter.
- OWASP Cheat Sheet: Threat Modeling -- work through the step-by-step checklist against your Module 4 (CI/CD) project.
Cloud Provider Self-Assessments
- AWS Well-Architected Security Pillar -- run the Security Pillar self-assessment (questionnaire) against a real or sample architecture you control; note the top three gaps.
- Google Cloud Well-Architected: Security -- do the same for a GCP system; compare to the AWS answers.
- Azure Well-Architected: Security -- same for an Azure system if available.
Zero Trust
- NIST SP 800-207: Zero Trust Architecture -- read the deployment models section; for the system you threat-modeled, classify it into one of the NIST deployment models and justify.
Track B -- Secrets and Encryption
HashiCorp Vault Tutorials
- HashiCorp Vault docs -- work through the "getting started" and "dynamic secrets" tutorials end-to-end with a local dev Vault. Produce a short demo that issues a 1-minute database credential and watches it expire.
- Repeat the tutorial using the KV v2 engine with versioned secrets and manual rotation; compare the operator experience to dynamic secrets.
KMS / Envelope Encryption
- Google Cloud KMS: Envelope Encryption -- implement the envelope flow in a tiny script (encrypt a file locally with a DEK, wrap the DEK with a KEK, store both, decrypt). Any language.
- Write a short paragraph explaining what your script would still miss if deployed unchanged to production (audit, rotation, IAM scoping).
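The envelope flow from the exercise above, written out as an added Go example (not code from this page or from Google Cloud KMS). It assumes a locally generated 32-byte KEK standing in for the KMS-held key (a real KMS never releases the KEK; your script would call its encrypt/decrypt API to wrap and unwrap the DEK instead) and uses AES-256-GCM for both layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on error: a bad key length or a broken CSPRNG is a fault, not a recoverable state.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// aead builds AES-256-GCM for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}
// seal encrypts under a fresh random nonce and returns nonce || ciphertext || tag.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil) // dst = nonce, so the output is nonce-prefixed
}
// open splits off the nonce and decrypts; a wrong key or any tampering fails the GCM tag check.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("envelope blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// Encrypt is the envelope flow: fresh DEK per object, data sealed under the DEK, DEK sealed under
// the KEK. Store both outputs, discard the plaintext DEK; KEK rotation re-seals only wrappedDEK.
func Encrypt(kek, pt []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(kek, dek), seal(dek, pt)
}
// Decrypt unwraps the DEK with the KEK, then opens the data with the DEK.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

The file is library-style: drop it into a package and call Encrypt/Decrypt from a test or a small main, storing both returned blobs together with the object.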
Track C -- Network and Runtime Security
Network Moat
- Local-first: draw two network diagrams and implement the equivalent Kubernetes NetworkPolicy / security-group pseudo-rules against kind, minikube or k3d. Use a cloud sandbox only if needed: create two VPCs / networks. In one, configure an "open" posture (mostly-open SGs, default NACLs, no endpoints). In the other, configure a tight moat (LB -> app SG -> DB SG, NACL guardrails, VPC endpoints for managed services). Document a 5-row decision table recording which rules were necessary and why, plus teardown evidence for any real cloud networks.
Supply Chain and Image Hardening
- SLSA -- produce a SLSA-level self-assessment for your Module 4 pipeline: which level are you at, which requirement is the current blocker, what is the smallest change to reach the next level?
- Sigstore -- sign an image with cosign, push to a local registry, configure a verifier, and verify a signature locally. Repeat with a tampered image and confirm the verification fails.
- Take a Dockerfile you already have; rewrite it to use a pinned-digest distroless base and multi-stage build. Measure the before/after image size and the before/after list of binaries available inside the running container.
Track D -- Observability
OpenTelemetry
- OpenTelemetry Concepts -- pick the language of your choice and follow the official Getting Started guide to instrument a simple HTTP server. Export to a local Collector and inspect the output; do not require a paid tracing backend.
- OpenTelemetry Traces -- extend your instrumented server to include a child span for an outbound HTTP call and a child span for a simulated DB query, using semantic conventions.
- OpenTelemetry Sampling -- configure head sampling, then tail sampling in the Collector; generate traffic with some induced errors and compare what each strategy keeps.
Prometheus / Metrics
- Prometheus: Metric and Label Naming -- take a service you wrote and audit its metric names and label sets. Remove any label you cannot defend under the naming guidance.
- Prometheus: Instrumentation -- implement a minimal RED metric set (rate, errors, duration) for one endpoint; export and graph it locally before considering managed metrics.
Logs and Cardinality
- OWASP Logging Cheat Sheet -- apply its "what not to log" checklist to a service you run; remove or redact at least three fields.
- Grafana Labs: Cardinality Spikes -- reproduce a (tiny) cardinality explosion locally: instrument a metric with an unbounded label, watch it grow, then fix it.
Track E -- Operating Under Observation
SRE Book Chapters
- Google SRE: Monitoring Distributed Systems -- extract the Four Golden Signals and apply them to your Module 4 pipeline or any service you own. Draft the 4-row table in 10 minutes.
- Google SRE: Practical Alerting -- take any 5 alerts from a system you know and classify each as symptom or cause; where cause, design the symptom alert that should replace it.
- Google SRE Book ToC -- skim the Emergency Response, Managing Incidents, and Post-mortem Culture chapters; pull one idea from each into your runbook template.
Reality Check
- charity.wtf: Observability is a Many-Splendored Definition -- read and write a one-paragraph reaction: which of your dashboards, in hindsight, are "metric decorations" that would not help at 3 a.m.?
Completion Checklist
- At least one exercise from each of Tracks A-E completed with local-first evidence unless paid cloud integration was explicitly justified
- Mistake log has at least 10 tagged entries
- One full threat model + one full rotation workflow + one instrumented endpoint + one SLO/alert spec + one runbook all exist and reference each other
- At least one exercise was re-attempted after the mistake-log review