NASA-AMMOS / slim

Software Lifecycle Improvement & Modernization
https://nasa-ammos.github.io/slim/
Apache License 2.0

[New Best Practice Guide]: Security Reference Architecture #109

Open anrucker opened 9 months ago

anrucker commented 9 months ago

Checked for duplicates

Yes - I've already checked

Describe the needs

I mentioned these security best practices to Rishi Verma and he suggested that I open a ticket to get the conversation started. (This has also been described as a To-Do's for Developers.)

https://owasp.org/API-Security/editions/2023/en/0x11-t10/

https://owasp.org/www-project-top-ten/

https://owasp.org/www-project-top-10-ci-cd-security-risks/

https://owasp.org/www-project-application-security-verification-standard/

This is the vulnerability scanning tool that I used many years ago (I used the free version): https://portswigger.net/burp

riverma commented 9 months ago

Thanks for sharing this @anrucker! I see how the first three items you listed can be interpreted as a list of top security gotchas developers should consider for developing APIs, web applications, and CI/CD pipelines respectively. What is the last link (https://owasp.org/www-project-application-security-verification-standard/) about exactly?

I feel like a best practice guide that cites these first three websites’ security gotchas to consider could be a very advisable step for developers to check against during development. Do you want to work together to get this into a guide? I feel like we could get something simple written up and merged into SLIM during Q1 this year. Thoughts?

Thanks!

anrucker commented 6 months ago

Good morning, I have reviewed and agreed that these resources are good to add to our list of Security Best Practices and Guidelines:

https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf

https://www.computer.org/publications/tech-news/trends/secure-app-development-best-practices

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-218.pdf

Take care, Anh

riverma commented 6 months ago

Thank you @anrucker - we'll work on integrating the above into #116 . Thanks!

ingyhere commented 2 months ago

After much thought, this ticket has been renamed and should be the genesis of a Security Reference Architecture.

riverma commented 2 months ago

> After much thought, this ticket has been renamed and should be the genesis of a Security Reference Architecture.

Hey @ingyhere - the current PR for this ticket focuses more on listing the top vulnerabilities developers should be aware of. Are you thinking this issue should be resolved with an architecture diagram instead?

Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do quickly. Thoughts?

ingyhere commented 2 months ago

> Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do quickly. Thoughts?

You're absolutely right. I think it should be reworked to be more like the CI Reference Architecture. But in this case there is so much clear information online, like the OWASP guides, that it could virtually be a writeup based on prevailing industry information. "Security Reference Architecture"? Or, just "Security Best Practices"?

riverma commented 2 months ago

> Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do quickly. Thoughts?
>
> You're absolutely right. I think it should be reworked to be more like the CI Reference Architecture. But in this case there is so much clear information online, like the OWASP guides, that it could virtually be a writeup based on prevailing industry information. "Security Reference Architecture"? Or, just "Security Best Practices"?

Thanks @ingyhere - though to be compliant with our infusion strategy of "standards as code" - we'd want to make the architecture realizable somehow through toolage. For example, if we can answer this question for every guide, I think we'll be doing well: "How can my project make / receive a pull request to satisfy this best practice?".