Shift3 / standards-and-practices

Standards and Practices for Bitwise Industries
https://shift3.github.io/standards-and-practices/

Bring App Security Class content into this repo #35

Open coreyshuman opened 6 years ago

coreyshuman commented 6 years ago

Add documentation and resources from the application security class.

Topics:

Tools:

coreyshuman commented 6 years ago

@ryekerjh | @vperezma | @mwallert Most of these topics are difficult to split into client-side and server-side (the way the current folder structure is setup). Would you guys be interested in creating a top-level security folder to add these topics into?

vperezma commented 6 years ago

I like that idea. Something like this?

Security
--- client-side
    ---- security topics
--- server-side
    ---- security topics
zbyte64 commented 6 years ago

Most of the topics look to be considerations done on the server-side. Client security concerns are much simpler: am I talking to the right server and am I using SSL, rarely would we even consider locally encrypting data.

I would be interested in grouping them by theme: Sanitization vs escaping in regards to query injection, XSS and form validation; Browser security settings; Penetration testing with the tools listed; Keeping (and passing) secrets with encryption and tokens; And a large overarching theme: DON'T TRUST THE CLIENT

michaelachrisco commented 4 years ago

Is this still being worked on?

michaelachrisco commented 3 years ago

@coreyshuman and/or @jecallaway What information should we add to bring security into the S&P repo. I would love your input on the matter!

michaelachrisco commented 3 years ago

I went ahead and had a discussion with @jecallaway today. Some of the highlights:

  1. We need more docs on the client/server side of the S&P.
  2. @jecallaway pointed me at a really excellent website: https://owasp.org/www-project-top-ten/# that contains some of the above topics.
  3. Developers should be aware of the Shift3 Cybersecurity mailing list (cybersecurity@bitwiseindustries.com) and be able to request a security audit. We discussed what that would entail. Namely at least a sandbox site of sorts and some specific topic they wish the security team to take a look at. Probably a good idea to have further discussion at some point.
  4. It sounds like QA should be involved.

I'm thinking to kick this off, we should at least have the https://owasp.org/ pages referenced in the Serverside security page.

michaelachrisco commented 3 years ago

@jecallaway Do you know if we have any SOWs/recommended tutorials on Kali Linux and the assorted tools?