From 864a9ffe019df7dc6639393b0a4620e6c55ee33d Mon Sep 17 00:00:00 2001 From: Maks Derevencha Date: Tue, 14 Mar 2023 16:42:54 -0400 Subject: [PATCH] Updated Security Section --- .DS_Store | Bin 0 -> 6148 bytes README.md | 12 ++++++++++++ solutions/.DS_Store | Bin 0 -> 6148 bytes 3 files changed, 12 insertions(+) create mode 100644 .DS_Store create mode 100644 solutions/.DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..2d01d6561252b0a876e343de93e69d1f5c83a1f6 GIT binary patch literal 6148 zcmeHKJxc>Y5S@*O#@M8=usjf3F}>g!qJO~7N|Q(;m^&jXDu(9z2 z6box>5qz_|Np5pVuo96O*nM|9Z+2fE+-{bLRIyVn5ao#|i^k~X(2WSrb4x|Wj?4oU z&(WwAwklEBOfh9Z91sWoq67TxdbCV6+NZYj{a!3>CUap_DwP{i8DrV|r_6iz<#yf8 zS10D1^~BzA<)f5ldh1f1I#hO6r_4&4k<^eo{d}+*hUN*Qfs*koM~~kBXc``bv(O&x-w5WwxyejN-x|x4_@M(h zvpKSJ2BjAV!~t=j?*Q))J{n_SF*c~T4s`ko0Q4}d1J8Vy;2PgzU@+IVpSjPljq&$?w@BW^ z0de48IiS4KR;h@eWY5;rkK?n}N83T;U|wucm!Px9v3}sAcmYiZay~x*1BNR^ literal 0 HcmV?d00001 diff --git a/README.md b/README.md index 2c2f2dbc..13248a9c 100644 --- a/README.md +++ b/README.md 
@@ -1567,12 +1567,24 @@ Security is a broad topic. Unless you have considerable experience, a security * Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and [SQL injection](https://en.wikipedia.org/wiki/SQL_injection). * Use parameterized queries to prevent SQL injection. * Use the principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). +* Threat Model with [STRIDE from Microsoft](https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats) +* Rate Limit Requests to mitigate service distruption and [DDOS](https://catalog.us-east-1.prod.workshops.aws/workshops/4d0b27bc-9f48-4356-8242-d13ca057fff2/en-US/application-layer-defense/rate-based-rules#:~:text=You%20are%20able%20to%20set,the%20protection%20from%20HTTP%20floods). +* Implement a [Web Application Firewall to protect web applications from Exploits](https://aws.amazon.com/waf/) +* If Service A trusts Service B and B Trusts Service C: Service A should not explicitly trust Service A +* Implement a Silo, Pool or Bridge model for [Multi-Tenancy SaaS Applications](https://docs.aws.amazon.com/whitepapers/latest/saas-architecture-fundamentals/tenant-isolation.html) +* Security by Obscurity is Okay and Good but it should not be counted on ex: [Port Knocking](https://en.wikipedia.org/wiki/Port_knocking) +* [Security Architecture Design Principles](https://www.youtube.com/watch?v=443KZj-qjI8&t=756s) +* Compromise Recording - All control plane activity should be logged and monitored. +* Fail Safe Defaults: When a mechanism fails it should Fail Close. Example: If the Logging system is full then no additional traffic should be allowed, because an attacker may artificially fill up the log. 
+ + ### Source(s) and further reading * [API security checklist](https://github.com/shieldfy/API-Security-Checklist) * [Security guide for developers](https://github.com/FallibleInc/security-guide-for-developers) * [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet) +* [ATT&CK Matrix](https://attack.mitre.org/) ## Appendix diff --git a/solutions/.DS_Store b/solutions/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..513107bb00e1246910e54adc8d68e3a9116ac6a1 GIT binary patch literal 6148 zcmeHK%}T>S5T0p!h=|aWc#^zA!J|Sf@hAv=0HsZ+O4Ag74&DNSZ{r(y^ew#f0elF* z*;#EuG^7Y3Is>!cW_D(i`KIi4h=_-`$$+R&L;+N=vw`6gk#*6Ubi73t+3hi*8#<+& zuIQrXZHC{-fYfdq6&uqfrBtq8N^?{*r34jCfY+$$l;*SPU^L0Ig(ma3w{Cov$MJZU zj}aFfKk>`M^7(N6J(6$lu{bZ~fnP6V3pw6FCF`sq>;2u6X76&2ulL>e92@q}@>NFd zA}Zg1u$1pNF$RnQW1uYqdg@WI**3uZi~(cd-!LHOLkJa&JQj-X=)mAw0ALShCzwkw zAu*xH$YY_16$oo6P(#_b7_8y2hu$ypSSV^Zv2Q-uznOi9!tU+ZKXmTIk)n;pfH6>I zpsSC4x&M#8?*FSn_GAng1AmGE?!}{ch?M-@T1!su+7NmM6%oHe@goEicNN1|uHqf2 a6WBwU03(luA}kR5Bj9MT!5H{a2HpS;rF7B& literal 0 HcmV?d00001
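Review bot: the two new binary files `.DS_Store` and `solutions/.DS_Store` are macOS Finder metadata and have nothing to do with the "Updated Security Section" subject line; drop them from the patch and add a `.DS_Store` entry to `.gitignore` so they do not come back in later commits.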
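Review bot: the service trust bullet in the README hunk names A twice, `If Service A trusts Service B and B Trusts Service C: Service A should not explicitly trust Service A`, which loses the point about non-transitive trust; it should read `Service A should not implicitly trust Service C`. In the same hunk, fix `distruption` to `disruption` and `DDOS` to `DDoS`, write `Fail Closed` rather than `Fail Close` in the fail-safe defaults bullet, and soften `Security by Obscurity is Okay and Good` to something like `can add friction as a supplementary layer, but never as the control itself`, which matches the port-knocking example that follows. The logging example would also benefit from one clause noting that failing closed on a full log store ties availability to log capacity, so a capacity alert belongs with that control. Finally, the rate-limiting link carries a `#:~:text=` text-fragment anchor that only resolves in some browsers; link to the plain section URL instead.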