Updated Security Section

pull/754/head
Maks Derevencha 2023-03-14 16:42:54 -04:00
parent 2d8231663f
commit 864a9ffe01
3 changed files with 12 additions and 0 deletions

BIN
.DS_Store vendored Normal file

Binary file not shown.
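Review bot: `.DS_Store` is macOS Finder metadata and should not be part of this commit, both here at the repository root and at `solutions/.DS_Store`. Neither binary file relates to the security section update. Drop both from the change and add `.DS_Store` to `.gitignore` so they do not get committed again.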

@ -1567,12 +1567,24 @@ Security is a broad topic. Unless you have considerable experience, a security
* Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and [SQL injection](https://en.wikipedia.org/wiki/SQL_injection). * Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).
* Use parameterized queries to prevent SQL injection. * Use parameterized queries to prevent SQL injection.
* Use the principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). * Use the principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege).
* Threat Model with [STRIDE from Microsoft](https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats)
* Rate Limit Requests to mitigate service distruption and [DDOS](https://catalog.us-east-1.prod.workshops.aws/workshops/4d0b27bc-9f48-4356-8242-d13ca057fff2/en-US/application-layer-defense/rate-based-rules#:~:text=You%20are%20able%20to%20set,the%20protection%20from%20HTTP%20floods).
* Implement a [Web Application Firewall to protect web applications from Exploits](https://aws.amazon.com/waf/)
* If Service A trusts Service B and B Trusts Service C: Service A should not explicitly trust Service A
* Implement a Silo, Pool or Bridge model for [Multi-Tenancy SaaS Applications](https://docs.aws.amazon.com/whitepapers/latest/saas-architecture-fundamentals/tenant-isolation.html)
* Security by Obscurity is Okay and Good but it should not be counted on ex: [Port Knocking](https://en.wikipedia.org/wiki/Port_knocking)
* [Security Architecture Design Principles](https://www.youtube.com/watch?v=443KZj-qjI8&t=756s)
* Compromise Recording - All control plane activity should be logged and monitored.
* Fail Safe Defaults: When a mechanism fails it should Fail Close. Example: If the Logging system is full then no additional traffic should be allowed, because an attacker may artificially fill up the log.
### Source(s) and further reading ### Source(s) and further reading
* [API security checklist](https://github.com/shieldfy/API-Security-Checklist) * [API security checklist](https://github.com/shieldfy/API-Security-Checklist)
* [Security guide for developers](https://github.com/FallibleInc/security-guide-for-developers) * [Security guide for developers](https://github.com/FallibleInc/security-guide-for-developers)
* [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet) * [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)
* [ATT&CK Matrix](https://attack.mitre.org/)
## Appendix ## Appendix
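Review bot: The added transitive-trust bullet ends with "Service A should not explicitly trust Service A", which is self-referential and loses the point. Given the setup "Service A trusts Service B and B Trusts Service C", it presumably should read that Service A should not implicitly trust Service C. A few smaller points in the same hunk: "distruption" in the rate-limiting bullet should be "disruption". Most of the new bullets drop the trailing period that the existing bullets use. The "Compromise Recording" and "Fail Safe Defaults" bullets use different separators (" - " and ":") and sit at the same level as the "Security Architecture Design Principles" link; if they are meant as principles from that video, nest them under it. The fail-close example (refusing traffic when the log is full) trades availability for auditability, which is worth stating in the bullet, since the rate-limiting bullet just above is about avoiding service disruption.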

BIN
solutions/.DS_Store vendored Normal file

Binary file not shown.