
[New Best Practice Guide]: Security Reference Architecture

Open anrucker opened this issue 1 year ago • 7 comments

Checked for duplicates

Yes - I've already checked

Describe the needs

I mentioned these security best practices to Rishi Verma and he suggested that I open a ticket to get the conversation started. (This has also been described as a To-Do list for Developers.)

https://owasp.org/API-Security/editions/2023/en/0x11-t10/

https://owasp.org/www-project-top-ten/

https://owasp.org/www-project-top-10-ci-cd-security-risks/

https://owasp.org/www-project-application-security-verification-standard/

This is the vulnerability scanning tool that I used many years ago (I used the free version): https://portswigger.net/burp

anrucker avatar Sep 27 '23 15:09 anrucker

Thanks for sharing this @anrucker! I see how the first three items you listed can be interpreted as a list of top security gotchas developers should consider for developing APIs, web applications, and CI/CD pipelines respectively. What is the last link (https://owasp.org/www-project-application-security-verification-standard/) about exactly?

I feel like a best practice guide that cites these first three websites’ security gotchas to consider could be a very advisable step for developers to check against during development. Do you want to work together to get this into a guide? I feel like we could get something simple written up and merged into SLIM during Q1 this year. Thoughts?

Thanks!

riverma avatar Sep 28 '23 22:09 riverma

Good morning, I have reviewed and agree that these resources are good to add to our list of Security Best Practices and Guidelines:

https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf

https://www.computer.org/publications/tech-news/trends/secure-app-development-best-practices

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-218.pdf

Take care, Anh

anrucker avatar Dec 14 '23 16:12 anrucker

Thank you @anrucker - we'll work on integrating the above into #116 . Thanks!

riverma avatar Dec 18 '23 22:12 riverma

After much thought, this ticket has been renamed and should be the genesis of a Security Reference Architecture.

ingyhere avatar Apr 25 '24 16:04 ingyhere

> After much thought, this ticket has been renamed and should be the genesis of a Security Reference Architecture.

Hey @ingyhere - the current PR for this ticket focuses more on listing the top vulnerabilities developers should be aware of. Are you thinking this issue should be resolved with an architecture diagram instead?

Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do it quickly. Thoughts?

riverma avatar Apr 25 '24 22:04 riverma

> Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do it quickly. Thoughts?

You're absolutely right. I think it should be reworked to be more like the CI Reference Architecture. But in this case there is so much clear information online, like the OWASP guides, that it could virtually be a writeup based on prevailing industry information. "Security Reference Architecture"? Or, just "Security Best Practices"?

ingyhere avatar Apr 25 '24 23:04 ingyhere

> Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do it quickly. Thoughts?

> You're absolutely right. I think it should be reworked to be more like the CI Reference Architecture. But in this case there is so much clear information online, like the OWASP guides, that it could virtually be a writeup based on prevailing industry information. "Security Reference Architecture"? Or, just "Security Best Practices"?

Thanks @ingyhere - though to be compliant with our infusion strategy of "standards as code" - we'd want to make the architecture realizable somehow through toolage. For example, if we can answer this question for every guide, I think we'll be doing well: "How can my project make / receive a pull request to satisfy this best practice?".

riverma avatar Apr 29 '24 19:04 riverma