https://teammentor.net/angular/user/index
TEAM Mentor is an interactive Application Security eKnowledge base with thousands of articles on how to prevent vulnerabilities during application development.
Threat modeling helps you anticipate security risks and concerns. Following are the three general approaches to threat modeling:
Attacker-centric
Software-centric
Asset-centric
The following application security principles provide a foundation for designing and developing a secure application:
– Attack surface reduction
– Secure defaults
– Least privilege
– Defense in depth
– Compartmentalization
– Policy compliance
Apply secure coding principles:
– Use input validation.
– Use security libraries.
– Leverage language, compiler, and platform protection.
Perform security code analysis and review:
– Static code analysis
– Binary analysis
– Manual security code review
Use fault injection.
Use vulnerability scanning.
Use penetration testing.
Key secure deployment concepts for the Deployment and Maintenance phase include the following:
Least privilege deployment
Incident response plan
Patching plan
It can be detected using code review or manual testing; automated tools may not help in this regard.
To avoid this, use random names instead of exposing the same object name to the client.
When storing sensitive data, avoid these common errors.
Failure to encrypt sensitive data.
Using homegrown algorithms.
Using weak, out-of-date algorithms.
Using insufficient key lengths.
Using weak random number generation.
Failure to use salt with password hashes.
Poor key management.
Allowing the front end to decrypt the database directly; in that case, an attacker who compromises the front end can decrypt other data as well.
Open Web Application Security Project (OWASP) Top 10
The OWASP Top 10 provides guidance on how to recognize and mitigate risks from the most common Web vulnerabilities. This list is updated every few years.
Microsoft Security Development Lifecycle (SDL)
It defines practices for secure development.
CWE/SANS Top 25 Most Dangerous Software Errors
The MITRE Common Weakness Enumeration (CWE) group and the SANS Institute published the Top 25 Most Dangerous Software Errors report in 2011. Nearly all of the coding errors cited are still relevant today.
Payment Application Data Security Standard (PA-DSS)
The Payment Application Data Security Standard (PA-DSS) is a set of fourteen protection requirements and security assessment procedures for vendors developing payment applications.
The fourteen PA-DSS Requirements and Security Assessment Procedures are:
1. Do not retain full track data, card verification code, or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities and maintain payment application updates.
8. Facilitate secure network implementation.
9. Do not allow cardholder data to be stored on a server connected to the Internet.
10. Facilitate secure remote access to payment application.
11. Encrypt sensitive traffic over public networks.
12. Encrypt all non-console administrative access.
13. Maintain a PA-DSS implementation guide for customers, resellers, and integrators.
14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.
Cloud Security Alliance (CSA) Notorious Nine Report
The Cloud Security Alliance (CSA) provides an up-to-date report on the top threats to cloud computing called “The Notorious Nine”. Organizations can use this guide to make better decisions about the risks related to cloud technology adoption.
Cloud Security Alliance (CSA) Top 10 Big Data Security and Privacy Challenges
In 2012, the CSA published the Top 10 Big Data Security and Privacy Challenges report. It covers the following issues important to application developers:
1. Secure computations in distributed programming frameworks
2. Security best practices for non-relational data stores
3. Secure data storage and transactions logs
4. Endpoint input validation/filtering
5. Real-time security monitoring
6. Scalable and composable privacy-preserving data mining and analytics
7. Cryptographically enforced data-centric security
8. Granular access control
OpenSAMM - Software Assurance Maturity Model (SAMM)
The Software Assurance Maturity Model (SAMM) is an open software security framework known as OpenSAMM. It helps organizations accomplish the following:
Evaluate existing software security practices.
Build a software security program.
Demonstrate improvements to a security assurance program.
Define and measure security-related activities.
Building Security In Maturity Model (BSIMM)
Comprehensive Lightweight Application Security Process (CLASP)
The Comprehensive Lightweight Application Security Process (CLASP) is an OWASP project. It defines a process to handle security issues and concerns early in the software development lifecycle. CLASP provides the following key resources:
Security best practices
Fundamental security goals and principles
Activities to improve your secure software development process
Secure software engineering roadmaps
A downloadable book and searchable vulnerability checklist for use by development teams
The Common Criteria for Information Technology Security Evaluation (CC)
The Common Criteria (CC) for Information Technology Security Evaluation is a certification standard for computer security products (ISO/IEC 15408). It defines a repeatable framework for specification, implementation, and evaluation of computer security products.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Several resources are available to help you perform a security code review. For example, the OWASP Code Review Project has produced the OWASP Code Review Guide, which explains how to review code for a large number of vulnerability types.
https://www.owasp.org/index.php/Threat_Risk_Modeling
https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
https://www.sans.org/top25-software-errors/
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits this flaw, the browser will not reveal the cookie to a third party.
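As an added example (not from TEAM Mentor), the following Python builds a session cookie with the HttpOnly flag and audits Set-Cookie header values for its absence; the `Secure` and `SameSite` attributes and the `build_session_cookie` helper are assumptions beyond what the text above describes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with HttpOnly set (Secure/SameSite are assumed extras)."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # HttpOnly and Secure are bare flags: presence alone means "set".
    return CookieAudit(
        name=cookie_name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite"),
    )


def missing_protections(header_value: str) -> List[str]:
    """List the cookie flags a reviewer would expect on a session cookie but that are absent."""
    audit = audit_set_cookie(header_value)
    findings = []
    if not audit.http_only:
        findings.append("HttpOnly")  # readable via document.cookie if XSS is present
    if not audit.secure:
        findings.append("Secure")    # may be sent over plaintext HTTP
    return findings


# Constructed sample header, as a legacy app might emit it (no flags at all).
WEAK_HEADER = "sessionid=9f2c1a; Path=/"
```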
Algorithms such as PBKDF2, bcrypt, and scrypt are all common key-derivation functions.
AWS provides multiple services and features that can be used to protect your application. These services include:
Key Management Service (KMS)
Hardware Security Module (HSM)
Identity and Access Management (IAM)
CloudWatch
There are multiple ways to handle web services authentication, including these common methods:
Basic authentication over TLS
OpenID 2.0 authentication
OAuth authorization
OpenID Connect authentication
Token-based authentication
The security frame categorizes common mistakes observed in cloud applications.
Developers can use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to assist in writing secure code.
Several types of IAM are available from various vendors, including the following:
Federated identity
Security Assertion Markup Language (SAML)
Web Services Trust Language (WS-Trust)
Representational State Transfer (REST)
Active Directory Federation Service (ADFS)
Microsoft Federation Gateway (MFG)
Amazon Web Services (AWS)
https://www.owasp.org/index.php/HttpOnly
e-training on security
http://www.keylength.com
http://csrc.nist.gov/groups/ST/toolkit
http://en.wikipedia.org/wiki/Key_size
https://www.citrix.com/blogs/2015/09/11/openid-connectoauth-2-0-integration-with-xenapp-through-unified-gateway/
https://developers.google.com/youtube/v3/guides/moving_to_oauth
https://cloudsecurityalliance.org/download/expanded-top-ten-big-data-security-and-privacy-challenges/
https://aws.amazon.com/security/
https://cloudsecurityalliance.org/
http://csrc.nist.gov/publications/PubsSPs.html#800-145
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project