From b45dd4020ce23634f4356d34f46d980f8fb42e67 Mon Sep 17 00:00:00 2001 From: Chad Furman Date: Mon, 5 Sep 2016 16:30:13 -0400 Subject: [PATCH 1/2] Added checklists, wargames, osec, auto-audit Links to OWASP checklists Links to CTFs / websec war games -- think like a hacker to beat hackers Mentioning of WAF and IDS Mentioning automated auditing tools (static analysis, dynamic analysis) --- security-checklist.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/security-checklist.md b/security-checklist.md index 40ddcfb..5e11462 100644 --- a/security-checklist.md +++ b/security-checklist.md 
@@ -72,6 +72,12 @@ - [ ] Be prepared for bad actors & DDOS - use a hosting service that has DDOS mitigation. - [ ] Set up monitoring for your systems, and log stuff (use [New Relic](https://newrelic.com/) or something like that). - [ ] If developing for enterprise customers, adhere to compliance requirements. If AWS S3, consider using the feature to [encrypt data](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html). If using AWS EC2, consider using the feature to use encrypted volumes (even boot volumes can be encrypted now). +- [ ] Setup and configure a Web Application Firewall (like dotDefender: http://www.applicure.com/download-latest) +- [ ] Setup and configure an Intrustion Detection System (like Snort: https://www.snort.org/) + +##### STATIC AND DYANMIC ANALYSIS +- [ ] Static analysis is available for some languages and can trace user input through a system while exposing potentially vulnerable code (eval, exec, fgets sprintf vs snprintf, etc). An example for PHP is RIPS https://www.ripstech.com +- [ ] Dynamic analysis leverages fuzzing (automatically generated user input) and error detection (do we see PHP errors? does the page render our JavaScript? etc) -- the best fuzzers are targeted to the application and created by hand, but some tools like w3af, the professional version of Burpsuite, Nessus, and sqlmap provide a solid base-line. ##### PEOPLE - [ ] Set up an email (e.g. security@coolcorp.io) and a page for security researchers to report vulnerabilities. 
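Review bot: in the static-analysis item, `fgets` is the bounded replacement for `gets`, so listing it among the calls a scanner should flag ("eval, exec, fgets sprintf vs snprintf") is backwards; the pairing should read `gets vs fgets, sprintf vs snprintf`. Three wording fixes in the same hunk: `Intrustion Detection System` should be `Intrusion Detection System`, the heading `STATIC AND DYANMIC ANALYSIS` should be `STATIC AND DYNAMIC ANALYSIS`, and `Setup and configure` should be `Set up and configure` to match the verb form used by the surrounding items (`Set up monitoring`, `Set up an email`). The rest of the file wraps tool references as markdown links (`[New Relic](https://newrelic.com/)`), but dotDefender, Snort and RIPS are pasted as bare URLs; use the same `[name](url)` form, and give the dotDefender link an https URL rather than `http://www.applicure.com/download-latest`. Finally, the WAF and IDS items can be ticked off with nothing actually protected; a short note on what to configure (rule set, which traffic is inspected, where alerts go) would make them actionable in the same way the S3/EC2 encryption item is.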
@@ -80,3 +86,15 @@ - [ ] Have your code review done by a fellow developer from a secure coding perspective. (More eyes) - [ ] In case of a hack or data breach, check previous logs for data access, ask people to change passwords. You might require an audit by external agencies depending on where you are incorporated. - [ ] Set up [Netflix's Scumblr](https://github.com/Netflix/Scumblr) to hear about talks about your organization on social platforms and Google search. + +##### OTHER CHECKLISTS +- [ ] https://www.owasp.org/index.php/Testing_Checklist +- [ ] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_Checklist +- [ ] https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet + +##### WEB SECURITY WARGAMES +- [ ] http://overthewire.org/wargames/natas/ +- [ ] https://www.hackthissite.org/ +- [ ] https://www.hellboundhackers.org/ + + From 7023a46b59535da435e66d1b118fa2b430a82e42 Mon Sep 17 00:00:00 2001 From: Chad Furman Date: Mon, 5 Sep 2016 16:35:06 -0400 Subject: [PATCH 2/2] extra whitespace removed --- security-checklist.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/security-checklist.md b/security-checklist.md index 5e11462..249af05 100644 --- a/security-checklist.md +++ b/security-checklist.md @@ -96,5 +96,3 @@ - [ ] http://overthewire.org/wargames/natas/ - [ ] https://www.hackthissite.org/ - [ ] https://www.hellboundhackers.org/ - -
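Review bot: in the `@@ -80,3 +86,15 @@` hunk, the OTHER CHECKLISTS and WEB SECURITY WARGAMES sections are reference links, not tasks, so the `- [ ]` checkbox prefix does not fit; plain bullets with `[title](url)` links, as the rest of the checklist uses, would read better and give each entry a name. The hunk also ends with two added blank lines after `https://www.hellboundhackers.org/`, which the follow-up patch then has to delete; drop them here. `http://overthewire.org/wargames/natas/` should use https like the other entries.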
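Review bot: PATCH 2/2 only removes the two trailing blank lines that PATCH 1/2 introduced, so it should be squashed into 1/2 rather than landing as a separate "extra whitespace removed" commit.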