Updated Security Section
parent
2d8231663f
commit
864a9ffe01
12
README.md
@ -1567,12 +1567,24 @@ Security is a broad topic. Unless you have considerable experience, a security
|
||||||
* Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).
|
* Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).
|
||||||
* Use parameterized queries to prevent SQL injection.
|
* Use parameterized queries to prevent SQL injection.
|
||||||
* Use the principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege).
|
* Use the principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege).
|
||||||
|
* Threat Model with [STRIDE from Microsoft](https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats)
|
||||||
|
* Rate Limit Requests to mitigate service distruption and [DDOS](https://catalog.us-east-1.prod.workshops.aws/workshops/4d0b27bc-9f48-4356-8242-d13ca057fff2/en-US/application-layer-defense/rate-based-rules#:~:text=You%20are%20able%20to%20set,the%20protection%20from%20HTTP%20floods).
|
||||||
|
* Implement a [Web Application Firewall to protect web applications from Exploits](https://aws.amazon.com/waf/)
|
||||||
|
* If Service A trusts Service B and B Trusts Service C: Service A should not explicitly trust Service A
|
||||||
|
* Implement a Silo, Pool or Bridge model for [Multi-Tenancy SaaS Applications](https://docs.aws.amazon.com/whitepapers/latest/saas-architecture-fundamentals/tenant-isolation.html)
|
||||||
|
* Security by Obscurity is Okay and Good but it should not be counted on ex: [Port Knocking](https://en.wikipedia.org/wiki/Port_knocking)
|
||||||
|
* [Security Architecture Design Principles](https://www.youtube.com/watch?v=443KZj-qjI8&t=756s)
|
||||||
|
* Compromise Recording - All control plane activity should be logged and monitored.
|
||||||
|
* Fail Safe Defaults: When a mechanism fails it should Fail Close. Example: If the Logging system is full then no additional traffic should be allowed, because an attacker may artificially fill up the log.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Source(s) and further reading
|
### Source(s) and further reading
|
||||||
|
|
||||||
* [API security checklist](https://github.com/shieldfy/API-Security-Checklist)
|
* [API security checklist](https://github.com/shieldfy/API-Security-Checklist)
|
||||||
* [Security guide for developers](https://github.com/FallibleInc/security-guide-for-developers)
|
* [Security guide for developers](https://github.com/FallibleInc/security-guide-for-developers)
|
||||||
* [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)
|
* [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)
|
||||||
|
* [ATT&CK Matrix](https://attack.mitre.org/)
|
||||||
|
|
||||||
## Appendix
|
## Appendix
|
||||||
|
|
||||||
|
|
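Review bot: the trust-transitivity bullet ends with "Service A should not explicitly trust Service A", which is a typo for "Service C" and loses the point that trust must not be treated as transitive; suggest `* If Service A trusts Service B and B trusts Service C, A should not implicitly trust C`. In the same hunk, "distruption" in the rate-limiting bullet should be "disruption", and the "Security by Obscurity is Okay and Good but it should not be counted on" bullet contradicts itself; suggest wording it as a defense-in-depth layer only, e.g. `* Security by obscurity (ex: [Port Knocking](https://en.wikipedia.org/wiki/Port_knocking)) may add a layer but must never be the control you rely on`. The fail-closed example also deserves one sentence acknowledging the trade-off it creates (an attacker who fills the log store can now deny service), so readers choose fail-closed deliberately rather than by default for every mechanism.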