Blue belt activities

[mvollmary]

DAST Threat Modeling Awareness

• [x] Conduction of threat modelling
  • STRIDE
  • requires understanding of company security policies
  • includes Regularly review the security mechanisms of your architecture
• [x] Approval by reviewing any new version // Code Review on all changes (Yellow Security Code review: add 'on each code change')
  • requires Security Champion knowledge
• [x] PII (personally identifiable information) logging concept
• [x] Basic Scan
  • tools Burp, ZAP
  • includes OWASP Testing Guide 4.5.2
• [x] API Fuzzing
  • requires Simple Scan
  • tools Burp/ZAP + OpenApi/Swagger
  • includes Coverage of hidden endpoints (word list)
• [x] Load tests
• [x] Testing for Bypassing Authentication Schema
  • tools gobuster, dirbuster
  • use OpenAPI
  • OWASP Testing Guide 4.4.4
• [x] Advanced Mob-Hacking
  • include usage of tools like Burp
• [x] Get to know your Design Flaws releated: Get to know Security by Design Principles

[wurstbrot]

I like " Testing for Bypassing Authentication Schema". Maybe you add OpenAPI to this activity, too. It will give an idea of endpoints to test.

[wurstbrot]

"Approval by reviewing any new version" is not clear to me, but I assume you will add a description later.

[bob5ec]

@wurstbrot: See DSOMM: Approval by reviewing any new version 😁