Bring App Security Class content into this repo

[coreyshuman]

Add documentation and resources from the application security class.

Topics:

• [ ] Introduction to Secure Software Development Cycle
• [ ] SQL Injection
• [ ] MongoDb Query Injection
• [x] Cross Site Scripting (XSS)
• [ ] Cross Site Request Forgery (CSRF)
• [ ] Session hijacking / session replay
• [ ] User Data Sanitization
• [ ] Cross-Origin Resource Sharing (CORS)
• [ ] Content Security Policy (CSP)
• [ ] Passwords and Validation
• [ ] Authorization (tokens, cookies, etc)
• [ ] Authentication (User roles and permissions)
• [ ] Cryptography (Encryption, Hashing, etc)
• [ ] Error Handling
• [ ] Auditing and Logging
• [ ] Setting up SSL
• [ ] Handling Sensitive Data

Tools:

• [ ] Kali Linux
  • WPScan
  • nmap
• [ ] Wireshark
• [ ] Postman
• [ ] Postico

[coreyshuman]

@ryekerjh | @vperezma | @mwallert Most of these topics are difficult to split into client-side and server-side (the way the current folder structure is setup). Would you guys be interested in creating a top-level security folder to add these topics into?

[vperezma]

I like that idea. Something like this? Security	--- client-side		---- security topics
--- server-side
	---- security topics

[zbyte64]

Most of the topics look to be considerations done on the server-side. Client security concerns are much simpler: am I talking to the right server and am I using SSL, rarely would we even consider locally encrypting data.

I would be interested in grouping them by theme: Sanitization vs escaping in regards to query injection, XSS and form validation; Browser security settings; Penetration testing with the tools listed; Keeping (and passing) secrets with encryption and tokens; And a large overarching theme: DON'T TRUST THE CLIENT

[michaelachrisco]

Is this still being worked on?

[michaelachrisco]

@coreyshuman and/or @jecallaway What information should we add to bring security into the S&P repo. I would love your input on the matter!

[michaelachrisco]

I went ahead and had a discussion with @jecallaway today. Some of the highlights:

1. We need more docs on the client/server side of the S&P.
2. @jecallaway pointed me at a really excellent website: https://owasp.org/www-project-top-ten/# that contains some of the above topics.
3. Developers should be aware of Shift3 Cybersecurity cybersecurity@bitwiseindustries.com maillist and be able to request a security audit. We discussed what that would entail. Namely at least a sandbox site of sorts and some specific topic they wish the security team to take a look at. Probably a good idea to have further discussion at some point.
4. It sounds like QA should be involved.

Im thinking to kick this off, we should at least have the https://owasp.org/ pages referenced in the Serverside security page.

[michaelachrisco]

@jecallaway Do you know if we have any SOWs/recommended tutorials on Kali Linux and the assorted tools?