
Bring App Security Class content into this repo

Open coreyshuman opened this issue 7 years ago • 7 comments

Add documentation and resources from the application security class.

Topics:

  • [ ] Introduction to Secure Software Development Cycle
  • [ ] SQL Injection
  • [ ] MongoDb Query Injection
  • [x] Cross Site Scripting (XSS)
  • [ ] Cross Site Request Forgery (CSRF)
  • [ ] Session hijacking / session replay
  • [ ] User Data Sanitization
  • [ ] Cross-Origin Resource Sharing (CORS)
  • [ ] Content Security Policy (CSP)
  • [ ] Passwords and Validation
  • [ ] Authorization (tokens, cookies, etc)
  • [ ] Authentication (User roles and permissions)
  • [ ] Cryptography (Encryption, Hashing, etc)
  • [ ] Error Handling
  • [ ] Auditing and Logging
  • [ ] Setting up SSL
  • [ ] Handling Sensitive Data

Tools:

  • [ ] Kali Linux
    • WPScan
    • nmap
  • [ ] Wireshark
  • [ ] Postman
  • [ ] Postico

coreyshuman avatar Apr 03 '18 03:04 coreyshuman

@ryekerjh | @vperezma | @mwallert Most of these topics are difficult to split into client-side and server-side (the way the current folder structure is set up). Would you guys be interested in creating a top-level security folder to add these topics into?

coreyshuman avatar Apr 03 '18 03:04 coreyshuman

I like that idea. Something like this?

Security
|--- client-side
|      |---- security topics
|
|--- server-side
       |---- security topics

vperezma avatar Apr 03 '18 03:04 vperezma

Most of the topics look to be considerations done on the server-side. Client security concerns are much simpler: am I talking to the right server and am I using SSL, rarely would we even consider locally encrypting data.

I would be interested in grouping them by theme: sanitization vs. escaping with regard to query injection, XSS and form validation; browser security settings; penetration testing with the tools listed; keeping (and passing) secrets with encryption and tokens; and a large overarching theme: DON'T TRUST THE CLIENT

zbyte64 avatar Jul 23 '18 21:07 zbyte64

Is this still being worked on?

michaelachrisco avatar Oct 07 '20 18:10 michaelachrisco

@coreyshuman and/or @jecallaway What information should we add to bring security into the S&P repo? I would love your input on the matter!

michaelachrisco avatar Feb 24 '21 21:02 michaelachrisco

I went ahead and had a discussion with @jecallaway today. Some of the highlights:

  1. We need more docs on the client/server side of the S&P.
  2. @jecallaway pointed me at a really excellent website: https://owasp.org/www-project-top-ten/# that contains some of the above topics.
  3. Developers should be aware of the Shift3 Cybersecurity [email protected] mailing list and be able to request a security audit. We discussed what that would entail: namely, at least a sandbox site of sorts and some specific topic they wish the security team to take a look at. Probably a good idea to have further discussion at some point.
  4. It sounds like QA should be involved.

I'm thinking, to kick this off, we should at least have the https://owasp.org/ pages referenced in the server-side security page.

michaelachrisco avatar Mar 15 '21 20:03 michaelachrisco

@jecallaway Do you know if we have any SOWs/recommended tutorials on Kali Linux and the assorted tools?

michaelachrisco avatar Apr 09 '21 15:04 michaelachrisco