Add learning objectives and extend curriculum #44

Draft
mkoppmann wants to merge 1 commit into OWASP:main from mkoppmann:extend-curriculum

@mkoppmann

I avoided touching existing content for now and mainly extended the curriculum. Some chapters might include too much, but we can always remove them later.

In a future PR, I want to consolidate the existing content, reformat it according mostly to Markdownlint rules, consolidate the various WIP files, and polish everything up in general.

Also, content-wise, there is some overlap between “5. Cryptography and Key Management” and “9. Secure Communications” or “4. Input Validation and Output Encoding” and “10. Malicious Code and Software Supply Chain Security”. Probably in other chapters too.

Copilot AI review requested due to automatic review settings January 27, 2026 22:58

Copilot AI left a comment

Pull request overview

This PR extends the Module 3 (Authorisation) curriculum by adding clear learning objectives at the top of the module to make the outcomes explicit for learners.

Changes:

  • Added a "Learning Objectives" section to the Authorisation module.
  • Introduced specific outcome-oriented bullets covering RBAC/ABAC, least privilege, privilege escalation prevention, and OLAC/FLAC.
  • Separated learning objectives from the existing content with a horizontal rule for readability.

@mkoppmann
Author

I don’t know why Copilot did a review, but it failed anyway.

@Shruti-s-kulkarni
Collaborator

> I don’t know why Copilot did a review, but it failed anyway.

what can I say

@ManeleKh
Collaborator

To enhance the curriculum and provide clearer guidance on the knowledge required for certification, we can structure each domain using the following format:

  • Scope
  • Topics
  • Exclusions

This approach ensures clarity and defines precise learning boundaries for each domain.

Example:
Domain 2: Authentication and Credential Management

  • Scope: Provide a general understanding of authentication mechanisms, credential lifecycle management, and secure handling practices within application design and development.
  • Topics:
    2.1 What is Authentication?
    2.2 Entities Requiring Authentication
    ....
  • Exclusions:
    Does not include identity provider configuration, enterprise IAM deployment, cryptographic algorithm implementation...

Additionally, we can define specific reference materials for each domain (specific sections from OWASP documentation). This can ensure that developers who complete the material and read the references will have sufficient information to confidently answer certification-related questions.

@mkoppmann
Author

Great idea. We definitely should put everything into one coherent form. I could start working on it, after this PR has been merged.

@mkoppmann mkoppmann marked this pull request as draft March 25, 2026 23:05
@mkoppmann
Author

Sorry, didn’t notice for some time that there was a merge conflict to fix. I rebased my commit, as there were over 100 new commits in the main branch. Tried to incorporate my changes into the new structure, but I still need to adapt my previous Learning Objectives to the new x.00 - Objectives.md format. That’s why I set this PR to a draft again, until I’ve done that.
