fix some issues and change to light theme

Author: redteamrecipe

_config.yml

@@ -140,7 +140,7 @@ gh_edit_branch: "main" # the branch that your docs is served from
 gh_edit_view_mode: "tree" # "tree" or "edit" if you want the user to jump into the editor immediately
 
 # Color scheme currently only supports "dark", "light"/nil (default), or a custom scheme that you define
-color_scheme: dark
+color_scheme: light
 
 callouts_level: quiet # or loud
 callouts:

_sass/base.scss

@@ -16,7 +16,8 @@ body {
   font-size: inherit;
   line-height: $body-line-height;
   color: $body-text-color;
-  background-color: #1b1a1c;
+  /*background-color: #1b1a1c;*/
+  background-color: #ffffff;
   overflow-wrap: break-word;
 }
 

_sass/layout.scss

@@ -4,7 +4,8 @@
   z-index: 0;
   display: flex;
   flex-wrap: wrap;
-  background-color: #1b1a1c;
+  /*background-color: #1b1a1c;*/
+  background-color: #ffffff;
 
   @include mq(md) {
     flex-flow: column nowrap;

assets/images/hadess-logo.png renamed to assets/images/hadess-logo_dark.png

@@ -102,7 +102,7 @@ By evaluating each of these factors, organizations can assign a score to a parti
 
 ### Response:
 
-1. Execute incident response plan 
+* Execute incident response plan 
 
 ## OWASP SAMM 
 

assets/images/hadess-logo_light.png

@@ -60,12 +60,36 @@ Authentication, Session Management, Access Control, Malicious Input handling, Ou
 
 ### Code Review
 
-* Static Application Security Testing (SAST) -> FindSecbugs, Fortify, Coverity, klocwork.
-* Dynamic Application Security Testing (DAST) -> OWASP ZAP, BurpSuite
-* Interactive Application Security Testing (IAST) -> CheckMarks Varacode
-* Run-time Application Security Protection(RASP) -> OpenRASP
-* SEI CERT Coding: https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
-* Software Assurance Marketplace (SWAMP): https://www.mir-swamp.org/
+* **Static Application Security Testing (SAST)** 
+
+{: .highlight }
+FindSecbugs, Fortify, Coverity, klocwork.
+
+* **Dynamic Application Security Testing (DAST)**
+
+{: .highlight }
+OWASP ZAP, BurpSuite
+
+* **Interactive Application Security Testing (IAST)** 
+
+{: .highlight }
+CheckMarks Varacode
+
+
+* **Run-time Application Security Protection(RASP)** 
+
+{: .highlight }
+OpenRASP
+
+* **SEI CERT Coding**
+
+{: .highlight }
+https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
+
+* **Software Assurance Marketplace (SWAMP)**
+
+{: .highlight }
+https://www.mir-swamp.org/
 
 ### Environment Hardening 
 
@@ -74,16 +98,24 @@ Authentication, Session Management, Access Control, Malicious Input handling, Ou
 
 ### Constant monitoring mechanism
 
-1. Common vulnerabilities and exposures (CVEs) 
+* **Common vulnerabilities and exposures (CVEs)** 
+
+{: .highlight }
 OpenVAS, NMAP 
 
-2. Integrity monitoring
+* **Integrity monitoring**
+
+{: .highlight }
 OSSEC
 
-3. Secure configuration compliance
+* **Secure configuration compliance**
+
+{: .highlight }
 OpenSCAP
 
-4. Sensitive information exposure 
+* **Sensitive information exposure** 
+
+{: .note }
 No specific open source tool in this area. However, we may define specific regular expression patterns
 
 

docs/plan-develop/appsec.md

@@ -78,82 +78,116 @@ The Microsoft SDL includes specific practices and tools for each stage of the de
 
 ## Security guidelines and processes 
 
-1- Security training:
+- [ ] **Security training**
+
 Security awareness, Security certification program, Case study knowledge base, Top common issue, Penetration learning environment
 OWASP top 10, CWE top 25, OWASP VWAD
 
-2- Security maturity assessment
+- [ ] **Security maturity assessment**
+
 Microsoft SDL, OWASP SAMM self-assessment for maturity level
 Microsoft SDL, OWASP SAMM
 
-3- Secure design
+- [ ] **Secure design**
+
 Threat modeling templates (risks/mitigation knowledge base), Security requirements for release gate, Security design case study, Privacy protection 
 OWASP ASVS, NIST, Privacy risk assessment
 
-4- Secure coding
+- [ ] **Secure coding**
+
 Coding guidelines (C++, Java, Python, PHP, Shell, Mobile), Secure coding scanning tools, Common secure coding case study 
 CWE, Secure coding, CERT OWASP
 
-5- Security testing
+- [ ] **Security testing**
+
 Secure compiling options such as Stack Canary, NX, Fortify Source, PIE, and RELRO, Security testing plans, Security testing cases, Known CVE testing, Known secure coding issues, API-level security testing tools, Automation testing tools, Fuzz testing, Mobile testing, Exploitation and penetration, Security compliance
 Kali Linux tools, CIS
 
-6- Secure deployment
+- [ ] **Secure deployment**
+
 Configuration checklist, Hardening guide, Communication ports/protocols, Code signing
 CIS Benchmarks, CVE
 
-7- Incident and vulnerability handling
+- [ ] **Incident and vulnerability handling**
+
 Root cause analysis templates, Incident handling process and organization
 NIST SP800-61
 
-8- Security training
+- [ ] **Security training**
+
 Security awareness by email, Case study newsletter, Toolkit usage hands-on training, Security certificate and exam 
 NIST 800- 50, NIST 800- 16, SAFECode security engineering training
 
 
 
-## Stage 1 – basic security control 
+Stage 1 
+{: .label }
+
+## basic security control 
 
 * Leverage third-party cloud service provider security mechanisms (for example, AWS provides IAM, KMS, security groups, WAF, Inspector, CloudWatch, and Config) 
 * Secure configuration replies on external tools such as AWS Config and Inspector 
 * Service or operation monitoring may apply to AWS Config, Inspector, CloudWatch, WAF, and AWS shield
 
-Stage 2 – building a security testing team
 
-Vulnerability assessment:
+Stage 2 
+{: .label }
+## building a security testing team
+
+**Vulnerability assessment**
+
+{: .highlight }
 NMAP, OpenVAS
 
-Static security analysis:
+**Static security analysis:**
+
+{: .highlight }
 FindBugs for Java, Brakeman for Ruby on Rails, Infer for Java, C++, Objective C and C
 
-Web security:
+**Web security:**
+
+{: .highlight }
 OWASP dependency check, OWASP ZAP, Archni-Scanner, Burp Suite, SQLMap, w3af
 
-Communication:
+**Communication:**
+
+{: .highlight }
 Nmap, NCAT, Wireshark, SSLScan, sslyze
 
-Infrastructure security:
+**Infrastructure security:**
+
+{: .highlight }
 OpenSCAP, InSpec
 
-VM Toolset:
+**VM Toolset:**
+
+{: .highlight }
 Pentest Box for Windows, Kali Linux, Mobile Security Testing Framework
 
-Security monitoring:
+**Security monitoring:**
+
+{: .highlight }
 ELK, MISP—Open source Threat Intelligence Platform, OSSCE—Open source HIDS Security, Facebook/osquery—performant endpoint visibility, AlienValut OSSIM—opensource SIEM
 
-Stage 3 – SDL activities 
+Stage 3 
+{: .label }
+## SDL activities 
 
 * Security shifts to the left and involves every stakeholder 
 * Architect and design review is required to do threat modeling 
 * Developers get secure design and secure coding training 
 * Operation and development teams are as a closed-loop collaboration 
 * Adoption of industry best practices such as OWASP SAMM and Microsoft SDL for security maturity assessment 
 
-Stage 4 – self-build security services 
+Stage 4
+{: .label }
+## self-build security services 
 
 Take Salesforce as an example—the Salesforce Developer Center portal provides security training modules, coding, implementation guidelines, tools such as assessment tools, code scanning, testing or CAPTCHA modules, and also a developer forum. Whether you are building an application on top of salesforce or not, the Salesforce Developer Center is still a good reference not only for security knowledge but also for some open source tools you may consider applying.
 
-Stage 5 – big data security analysis and automation
+Stage 5 
+{: .label }
+## big data security analysis and automation
 
 Key characteristics at this stage are: 
 
@@ -170,31 +204,31 @@ Typical open source technical components in big data analysis frameworks include
 
 The key stages in big data security analysis are explained in the table: 
 
-Data collection:
+**Data collection:**
 
 Collects logs from various kinds of sources and systems such as firewalls, web services, Linux, networking gateways, endpoints, and so on. 
 
-Data normalization:
+**Data normalization:**
 
 Sanitizes or transforms data formats into JSON, especially, for critical information such as IP, hostname, email, port, and MAC.
 
-Data enrich/label:
+**Data enrich/label:**
 
 In terms of IP address data, it will further be associated with GeoIP and WhoIS information. Furthermore, it may also be labeled if it's a known black IP address. 
 
-Correlation:
+**Correlation:**
 
 The correlation analyzes the relationship between some key characteristics such as IP, hostname, DNS domain, file hash, email address, and threat knowledge bases.
 
-Storage:
+**Storage:**
 
 There are different kinds of data that will be stored —the raw data from the source, the data with enriched information, the results of correlation, GeoIP mapping, and the threat knowledge base. 
 
-Alerts:
+**Alerts:**
 
 Trigger alerts if threats were identified or based on specified alerting rules. 
 
-Presentation/query:
+**Presentation/query:**
 
 Security dashboards for motoring and queries. ElasticSearch, RESTful API, or third-party SIEM.
 
@@ -203,7 +237,7 @@ Security dashboards for motoring and queries. ElasticSearch, RESTful API, or thi
 
 ## Role of a security team in an organization
 
-1- Security office under a CTO 
+- [ ] **Security office under a CTO**
 
 ![Security office under a CTO](../../../assets/images/model1.png)
 
@@ -218,7 +252,7 @@ Security dashboards for motoring and queries. ElasticSearch, RESTful API, or thi
 
 
 
-2-Dedicated security team  
+- [ ] **Dedicated security team**  
 
 ![Dedicated security team](../../../assets/images/model2.png)
 
@@ -231,7 +265,7 @@ Security dashboards for motoring and queries. ElasticSearch, RESTful API, or thi
 
 
 
-3- Security technical committee (taskforce)
+- [ ] **Security technical committee (taskforce)**
 
 ![Security technical committee (taskforce)](../../../assets/images/model3.png)