
[New Best Practice Guide]: Security Reference Architecture #109

Open
anrucker opened this issue Sep 27, 2023 · 7 comments
Labels
- high complexity: Ticket has multiple difficult sub-tasks
- requested: Requested by community members at a low level
- software lifecycle: Process improvements involving developing, testing, integrating, deploying software

Comments


anrucker commented Sep 27, 2023

Checked for duplicates

Yes - I've already checked

Describe the needs

I mentioned these security best practices to Rishi Verma and he suggested that I open a ticket to get the conversation started. (This has also been described as To-Do's for Developers.)

https://owasp.org/API-Security/editions/2023/en/0x11-t10/

https://owasp.org/www-project-top-ten/

https://owasp.org/www-project-top-10-ci-cd-security-risks/

https://owasp.org/www-project-application-security-verification-standard/

This is the vulnerability scanning tool that I used many years ago (I used the free version): https://portswigger.net/burp

@riverma riverma changed the title [New Best Practice Guide]: [New Best Practice Guide]: Security To-Do's for Devs Sep 27, 2023
@riverma riverma added requested Requested by community members at a low level high complexity Ticket has multiple difficult sub-tasks software lifecycle Process improvements involving developing, testing, integrating, deploying software labels Sep 27, 2023
riverma (Collaborator) commented Sep 28, 2023

Thanks for sharing this @anrucker! I see how the first three items you listed can be interpreted as a list of top security gotchas developers should consider for developing APIs, web applications, and CI/CD pipelines respectively. What is the last link (https://owasp.org/www-project-application-security-verification-standard/) about exactly?

I feel like a best practice guide that cites these first three websites’ security gotchas to consider could be a very advisable step for developers to check against during development. Do you want to work together to get this into a guide? I feel like we could get something simple written up and merged into SLIM during Q1 this year. Thoughts?

Thanks!

@anrucker (Author)

riverma (Collaborator) commented Dec 18, 2023

Thank you @anrucker - we'll work on integrating the above into #116 . Thanks!

@riverma riverma moved this from 📋 Backlog to 🏗 In Progress in SLIM Planning Board Jan 26, 2024
@riverma riverma moved this from 🏗 In Progress to 👀 In Review in SLIM Planning Board Apr 23, 2024
@ingyhere ingyhere changed the title [New Best Practice Guide]: Security To-Do's for Devs [New Best Practice Guide]: Security reference Architecture Apr 25, 2024
@ingyhere ingyhere changed the title [New Best Practice Guide]: Security reference Architecture [New Best Practice Guide]: Security Reference Architecture Apr 25, 2024
ingyhere (Contributor) commented

After much thought, this ticket has been renamed and should be the genesis of a Security Reference Architecture.

riverma (Collaborator) commented Apr 25, 2024

> After much thought, this ticket has been renamed and should be the genesis of a Security Reference Architecture.

Hey @ingyhere - the current PR for this ticket focuses more on listing the top vulnerabilities developers should be aware of. Are you thinking this issue should be resolved with an architecture diagram instead?

Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do so quickly. Thoughts?

ingyhere (Contributor) commented Apr 25, 2024

> Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do so quickly. Thoughts?

You're absolutely right. I think it should be reworked to be more like the CI Reference Architecture. But in this case there is so much clear information online, like the OWASP guides, that it could virtually be a writeup based on prevailing industry information. "Security Reference Architecture"? Or, just "Security Best Practices"?

riverma (Collaborator) commented Apr 29, 2024

>> Also - I should add that I'm not super thrilled with the current PR resolution to this ticket. It tells developers what they should do without providing any tools to do so quickly. Thoughts?
>
> You're absolutely right. I think it should be reworked to be more like the CI Reference Architecture. But in this case there is so much clear information online, like the OWASP guides, that it could virtually be a writeup based on prevailing industry information. "Security Reference Architecture"? Or, just "Security Best Practices"?

Thanks @ingyhere - though to be compliant with our infusion strategy of "standards as code" - we'd want to make the architecture realizable somehow through toolage. For example, if we can answer this question for every guide, I think we'll be doing well: "How can my project make / receive a pull request to satisfy this best practice?".
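The "standards as code" question raised above (how a project could make or receive a pull request that satisfies a best practice) can be made concrete with a small repository audit whose findings are each something a bot could fix in a PR. The following is an added example written for this page, not SLIM's or OWASP's own tooling. The four checks (third-party GitHub Actions not pinned to a full commit SHA, no workflow-level `permissions:` block for GITHUB_TOKEN, no SECURITY.md, no `.github/dependabot.yml`), their names, and the sample workflow are assumptions about what such a check would look for, loosely following the OWASP CI/CD Top 10 risks linked earlier in the thread (dependency chain abuse, third-party service usage, over-broad pipeline credentials).

```python
"""Audit a checkout for a few CI/CD hygiene checks (illustrative, not SLIM's)."""
import os
import re
import tempfile
from dataclasses import dataclass

# "uses: owner/repo@ref" (also owner/repo/path@ref for reusable workflows).
# Local actions ("./x") and "docker://" references have no owner/repo@ref
# form and are deliberately not matched by this heuristic.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A column-0 "permissions:" key is the workflow-level GITHUB_TOKEN scope.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)

# Files whose absence is reported, with the (assumed) check name for the finding.
REQUIRED_FILES = (
    ("SECURITY.md", "security-policy"),
    (os.path.join(".github", "dependabot.yml"), "dependency-updates"),
)


@dataclass(frozen=True)
class Finding:
    check: str   # short machine-readable check name
    path: str    # repo-relative path, with ":line" where applicable
    detail: str  # explanation and suggested fix


def workflow_files(root):
    """All .yml/.yaml files under .github/workflows, sorted for stable output."""
    wf_dir = os.path.join(root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return []
    return sorted(os.path.join(wf_dir, n) for n in os.listdir(wf_dir)
                  if n.endswith((".yml", ".yaml")))


def audit_workflow(path, root):
    """Line-based checks on one workflow file (no YAML parser needed)."""
    findings = []
    rel = os.path.relpath(path, root)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if not TOP_LEVEL_PERMISSIONS_RE.search(text):
        findings.append(Finding(
            "token-permissions", rel,
            "no top-level 'permissions:' block; GITHUB_TOKEN keeps the "
            "repository default scope instead of least privilege"))
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append(Finding(
                "unpinned-action", f"{rel}:{lineno}",
                f"{m.group(1)}@{m.group(2)} is a mutable ref; pin to a full "
                "40-hex commit SHA so a moved tag cannot swap the action code"))
    return findings


def audit_repo(root):
    """Run every check against a checkout and return the findings."""
    findings = []
    for wf in workflow_files(root):
        findings.extend(audit_workflow(wf, root))
    for rel, check in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            findings.append(Finding(check, rel, "file is missing"))
    return findings


# Constructed sample workflow (not from any real project): one action pinned
# to a placeholder SHA, one pinned only to a tag, and no permissions block.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: python -m pytest
"""


def build_sample_repo(root):
    """Write the constructed sample repo (workflow only; no SECURITY.md)."""
    wf_dir = os.path.join(root, ".github", "workflows")
    os.makedirs(wf_dir, exist_ok=True)
    with open(os.path.join(wf_dir, "ci.yml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_WORKFLOW)


def run_demo():
    """Build the sample repo in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return audit_repo(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.check}] {f.path}: {f.detail}")
```

Run against the constructed sample it reports four findings: the missing `permissions:` block, `actions/checkout@v4` on line 7 of `ci.yml`, and the two missing files; the setup-python step pinned to a full SHA is accepted. Each `Finding` is specific enough (file, line, suggested change) that a follow-up step could open the pull request riverma describes, which is the property that distinguishes a check from a reading list.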

Projects
Status: 👀 In Review
Development

No branches or pull requests

3 participants