Learning Goals
3 minBy the end of this lesson you can:
- Explain the CIA triad — Confidentiality, Integrity, Availability — and classify a threat against it.
- State the three ethics rules: authorization, scope, do-no-harm.
- Describe what makes security testing legal vs. a crime.
- Set up a safe, isolated lab so every demo in this level harms nothing real.
Warm-Up · Security Is Already Everywhere You Code
5 minYou've already met security across this course without naming it:
- Level 7: "never put API keys in code," "don't use
shell=Truewith user input," "scrape ethically." - Level 5: "keep the LLM key on the server, never the browser."
- Every web form: "what if the input is malicious?"
Security isn't a separate skill bolted on at the end — it's a lens you apply to everything you build. This level makes that lens explicit. And the first thing a professional learns is not an exploit — it's the line between security work and crime. Cross it and you don't become a hacker; you become a defendant.
New Concept · The CIA Triad & the Rules of Engagement
14 minThe CIA triad — what security protects
CONFIDENTIALITY only authorised people can read the data
broken by: leaks, eavesdropping, stolen DBs
INTEGRITY data is correct and unaltered
broken by: tampering, injection, forged records
AVAILABILITY the system is usable when needed
broken by: ransomware, DoS, deleted backupsEvery attack and every defence maps to one or more of these three. A leaked password list breaks confidentiality; a tampered bank balance breaks integrity; a site knocked offline breaks availability. When you assess any system, ask: which of C, I, A is at risk here?
The three ethics rules — non-negotiable
- Authorization. You only test systems you own or have explicit, written permission to test. "I was just curious" is not a defence in court.
- Scope. Permission covers specific targets and actions. Authorised to scan one server ≠ authorised to scan the whole network, exfiltrate data, or pivot to other machines.
- Do no harm. Even when authorised, you minimise impact — no destroying data, no degrading service, and you report what you find responsibly so it gets fixed.
Unauthorized access to a computer is a crime almost everywhere (the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, Malaysia's Computer Crimes Act 1997, and equivalents worldwide). Port-scanning a stranger, "testing" a login you don't own, or running an exploit against a live site you weren't hired to test can mean prosecution — even if you change nothing. Throughout Level 8 you only ever target your own lab.
Where security work is legal
- Your own machines and networks — your laptop, your home LAN, VMs you created.
- Deliberately vulnerable practice apps — DVWA, OWASP Juice Shop, the demo apps we build, run locally.
- Authorised engagements — a signed penetration-test contract with a defined scope.
- Bug-bounty programs — but strictly within the published rules and scope.
- CTF competitions — capture-the-flag events built for exactly this.
The defender's mindset
You learn attacks so you can stop them. Every "attack" lesson in this level is immediately followed by its defence — because the point isn't to break things, it's to build things that don't break. An engineer who understands SQL injection writes queries that can't be injected.
Worked Example · Classify Threats & Set Up Your Lab
12 minFirst, a tiny tool that classifies a described threat against the CIA triad — to drill the lens until it's automatic.
THREATS = { "an attacker steals the user database": "Confidentiality", "malware encrypts all files for ransom": "Availability", "a forged transaction changes an account balance": "Integrity", "a flood of requests knocks the site offline": "Availability", "someone reads private messages over open wifi": "Confidentiality", "a tampered software update installs a backdoor": "Integrity", } for description, pillar in THREATS.items(): print(f"[{pillar:15}] {description}")
[Confidentiality] an attacker steals the user database [Availability ] malware encrypts all files for ransom [Integrity ] a forged transaction changes an account balance [Availability ] a flood of requests knocks the site offline [Confidentiality] someone reads private messages over open wifi [Integrity ] a tampered software update installs a backdoor
Set up a safe lab
Everything in Level 8 runs against targets you control. The simplest safe lab uses localhost (your own machine) and a Python virtual environment:
# 1. an isolated project + venv (never pollute system Python) python -m venv .venv # activate: Windows .venv\Scripts\activate · macOS/Linux source .venv/bin/activate # 2. the security toolkit we'll use across the level pip install cryptography bcrypt requests psutil flask pyjwt # 3. everything targets localhost / 127.0.0.1 — your own machine only TARGET = "127.0.0.1" # NEVER a third-party host
When we get to scanning and exploits, use a throwaway VM (VirtualBox/UTM) on a host-only network, or containers — so even a mistake can't reach the internet or your real devices. Snapshot the VM first so you can reset. The golden rule never changes: if you don't own it or have written permission, it's off-limits.
Read the result
Two habits start here and run all level: classify every threat by which pillar of C-I-A it attacks (it sharpens what you're actually defending), and contain every experiment in a lab you own. Get these reflexes now and the rest of Level 8 is safe, legal, and genuinely useful.
Try It Yourself
13 minList five security incidents you've heard about in the news. For each, write which CIA pillar(s) it broke and one sentence on why. Some break more than one.
For each scenario, decide "legal" or "crime" and state which ethics rule applies: (a) scanning your own router; (b) testing a friend's site "to help" without asking; (c) a signed pentest of one server, then scanning the rest of their network; (d) solving a CTF challenge.
Check your answers
(a) legal — you own it. (b) crime — no authorization. (c) crime for the extra hosts — out of scope. (d) legal — built for testing. Rules: authorization (b), scope (c).
Create the project: a venv, install the toolkit, and write lab_check.py that prints the Python version, confirms cryptography and requests import, and prints the target it's allowed to touch (127.0.0.1). This is your sandbox for the whole level.
Hint
import sys print("Python", sys.version.split()[0]) for mod in ("cryptography", "requests", "bcrypt", "psutil"): try: __import__(mod); print(f" ✓ {mod}") except ImportError: print(f" ✗ {mod} — run: pip install {mod}") print("Authorized target: 127.0.0.1 (localhost only)")
Mini-Challenge · Write Your Rules of Engagement
8 minReal security professionals sign a "Rules of Engagement" document before any test. Write your own one-page RoE for your Level 8 lab: the authorized targets, what you will and won't do, and how you'll reset/clean up. You'll re-read it before every hands-on lesson.
Show an example RoE
RULES OF ENGAGEMENT — Advaslearning Level 8 Lab
Authorized targets:
- 127.0.0.1 / localhost (my own machine)
- VM "sec-lab" on a host-only network (I created it)
- Deliberately vulnerable apps I run locally (Juice Shop, DVWA)
I WILL: only test the above; snapshot the VM before exploits;
stop and reset if anything behaves unexpectedly;
treat every finding as something to FIX.
I WILL NOT: touch any host I don't own or lack written permission
for; run attacks over the public internet; exfiltrate
real personal data; leave systems in a broken state.
If in doubt → do not proceed. Curiosity is not authorization.Non-negotiables: explicit target list, do/don't lists, a reset plan, and the "curiosity ≠ authorization" principle.
Recap
3 minSecurity protects three things — Confidentiality, Integrity, Availability — and every threat maps to one or more. Before any technique come the three ethics rules: authorization (only what you own or have written permission for), scope (only the specific targets/actions agreed), and do no harm (minimise impact, report responsibly). Unauthorized access is a crime regardless of intent or outcome, so every Level 8 demo runs in a lab you control (localhost or an isolated VM). You learn attacks to build defences — that's the defender's mindset that turns a coder into a security engineer.
Vocabulary Card
- CIA triad
- Confidentiality, Integrity, Availability — the three properties security protects.
- authorization
- Explicit, usually written, permission to test a specific system.
- scope
- The exact targets and actions a permission covers — nothing beyond.
- rules of engagement
- The agreed boundaries and rules for a security test.
Homework
4 minPick a system you use daily (your phone, a bank app, a social network). Write a one-page analysis: for each of C, I, and A, name one thing the system does to protect it and one thing that could go wrong. Finish your lab setup and RoE so you're ready for the hands-on lessons ahead.
Sample · CIA analysis of a banking app
CONFIDENTIALITY protects: TLS encrypts traffic; data encrypted at rest. risk: a phishing page captures my login → leak. INTEGRITY protects: every transaction is signed + double-entry ledger. risk: a man-in-the-middle alters a transfer amount. AVAILABILITY protects: redundant servers, DDoS protection. risk: an outage during payday locks me out of my money. Lab + RoE: done — venv created, toolkit installed, targets limited to 127.0.0.1 and my "sec-lab" VM.
Non-negotiables: a concrete protection AND a concrete risk for each of C, I, A — and a finished, target-scoped lab.