WallStreetAnalytics / wallstreetanalytics

An endeavor to create an analytics tool to democratize the information hedge funds are creating teams to collect.

Create SECURITY.md #24

Closed GuruOz closed 3 years ago

GuruOz commented 3 years ago

Let's not take security lightly. Will update this soon.

My discord username: aosroyal

DrewMcArthur commented 3 years ago

also wanna loop in #11 and @jbwaclawski

jbwaclawski commented 3 years ago

> also wanna loop in #11 and @jbwaclawski

Thanks for the mention!

I'm going to be drafting some ideas down in OneNote tonight/tomorrow. As soon as I have more than a few bullet points and some organization wrapped around it I'll post the notebook somewhere, probably my other issue, maybe Discord if I can scoop up an invite. Either way we should be ready to start talking real talk within a couple days.

I definitely don't want to rush things, we have the opportunity to do things right from the ground up here. If you're interested in security and want to help, start putting your ideas to paper.. or keyboard.. or mic, whatever you use. We'll come together and figure out what suits the project's longevity soon enough!

GuruOz commented 3 years ago

@jbwaclawski absolutely. would love to collaborate with you on this. What is your situation with discord? i thought you were messaging in the server

jbwaclawski commented 3 years ago

> @jbwaclawski absolutely. would love to collaborate with you on this. What is your situation with discord? i thought you were messaging in the server

I was in there briefly last night on my new laptop as beeficecream, but then Discord dropped and the invite link was removed from its issue here on GitHub, so I couldn't get back in when I got signed into Discord on my desktop.

Last night I submitted a request through the new form to do so, but haven't heard back yet.

pdeneka commented 3 years ago

Good security is like an onion. It makes you cry at every layer.

Security is a primary goal and will drive development. I've provided instructions to the Security and Testing Teams to generate a suite of principles to guide the Front End Developers, Back End Developer, and any other relevant Teams.

pdeneka commented 3 years ago

Quick note: Netflix Chaos monkey uses automation to deliberately induce problems. https://netflix.github.io/chaosmonkey/

Someone more familiar with security should review and implement it/similar.

We Eng-y folk defer to you Security folk on policy.

pdeneka commented 3 years ago

Please also add UX/UI security.

In this hypothetical, I am assuming there are advertisements running on the page. I have no idea if this will happen. I am using this only as a hypothetical example of an unintentional UX/UI data leak.

For example, if we have a UI Stats Page, and it displayed something like, "1000 users searched for item $YFS," (and malicious scraping can generate this data down to a small unit of time), and those users had, "Do not personalize ads," enabled, that same savvy 3rd party ad service generating us revenue could aggregate the total searches, and math out % of users associated with search item $YFS, convert that to a confidence interval, and leverage it in advertising targeting.

The 3rd party ad server sending us ads to help cover costs just circumvented, "Do not personalize ads."

Again, this is a purely hypothetical example with regard to any sort of finance discussion.

The method used in the hypothetical is not hypothetical.

Please give it some thought and keep it in mind when evaluating any UX/UI later.

Thank you!
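As an added example (not the project's code), one defensive shape for the stats-page hypothetical above: publish per-term search counts only over coarse time windows and suppress any bucket with fewer than a minimum number of distinct users, so a fine-grained scrape cannot pin a search to one person. The event data, the window sizes and the `k_min` threshold are constructed assumptions.

```python
"""Aggregate search stats with coarse time windows and small-bucket suppression."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Bucket = Tuple[int, str]  # (window_start_ts, search_term)


@dataclass(frozen=True)
class SearchEvent:
    user_id: str
    term: str
    ts: int  # unix seconds


def raw_counts(events: List[SearchEvent], window: int) -> Dict[Bucket, int]:
    """Distinct users per (window, term). Distinct users rather than raw hits, so
    one user repeating a search cannot inflate a bucket above the threshold."""
    seen = {(e.ts - e.ts % window, e.term, e.user_id) for e in events}
    return dict(Counter((w, t) for w, t, _ in seen))


def publish_stats(events: List[SearchEvent], window: int, k_min: int) -> Dict[Bucket, int]:
    """What the public stats page is allowed to show: only buckets that reach
    k_min distinct users survive; everything smaller is withheld entirely."""
    return {b: n for b, n in raw_counts(events, window).items() if n >= k_min}


# Constructed sample: ten users search $YFS over ~50 minutes, one user searches
# $ABC once, and u1 repeats a search inside the same minute.
EVENTS = [SearchEvent(f"u{i + 1}", "$YFS", 100 + 300 * i) for i in range(10)]
EVENTS.append(SearchEvent("u11", "$ABC", 500))
EVENTS.append(SearchEvent("u1", "$YFS", 110))

if __name__ == "__main__":
    # Per-minute windows: every bucket is a single user, i.e. each row says
    # "someone searched X at minute N", which a scraper can correlate.
    print(raw_counts(EVENTS, window=60))
    # Same data, per-minute windows, threshold 5: nothing is publishable.
    print(publish_stats(EVENTS, window=60, k_min=5))
    # Hourly window, threshold 5: $YFS shows 10 users; the lone $ABC search stays hidden.
    print(publish_stats(EVENTS, window=3600, k_min=5))
```

Threshold suppression is one layer only; a further step for a public stats page is adding calibrated noise to the surviving counts so that differences between consecutive publications do not reveal single users either.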

pdeneka commented 3 years ago

Please add OPT IN as a security & design principle. Please add OPT OUT AT WILL (clearly labeled, easy to do, confirmation) as a security & design principle.

I don't know how to manage FOIA & Delete My Data type requests, but those should be security & design principles. Please add them, too.

Thank you!

GuruOz commented 3 years ago

Looks good. Some notes in the thread above* for future additions.

added the requested things. still work in progress tho

JackDawsen commented 3 years ago

Hey all! Thanks for working on this, I was just tipped to it and want to give the SME channel time to take a look and provide input as well. It might be a little while longer, but overall this is a great starting point for their discussion.

JackDawsen commented 3 years ago

Thanks to @GuruOz for getting the ball rolling, we needed to get this started. Some information was removed because it belonged in another group's lane, language sharpened, and a few more specifics put down. If you have anything you still want to add please let us know. Haven't seen you in the #security channel on Discord yet, drop by if you want to chat!