diff --git a/.markdownlint.json b/.markdownlint.json index 8520bb09..048e046e 100644 --- a/.markdownlint.json +++ b/.markdownlint.json @@ -40,7 +40,8 @@ "CertifiedProtocolsWrapper", "MermaidRenderer", "DevOnly", - "BadgeLegend" + "BadgeLegend", + "ExportAllCerts" ] }, "MD037": false, diff --git a/docs/pages/ai-security/ai-browsers.mdx b/docs/pages/ai-security/ai-browsers.mdx index 182cb967..af4e1496 100644 --- a/docs/pages/ai-security/ai-browsers.mdx +++ b/docs/pages/ai-security/ai-browsers.mdx @@ -25,7 +25,7 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr AI browsers are interfaces that enable models to interact with external content, such as web pages, APIs, and online data sources. While they expand the model's context and capability, they also broaden the attack surface by introducing unvalidated, dynamic inputs from the open web. Traditional security assumptions about trusted networks and static -inputs do not hold. +inputs do not hold. ## Real-Time Inspection and Enforcement diff --git a/docs/pages/ai-security/prompt-injection-defenses.mdx b/docs/pages/ai-security/prompt-injection-defenses.mdx index e26ec998..4adcab5e 100644 --- a/docs/pages/ai-security/prompt-injection-defenses.mdx +++ b/docs/pages/ai-security/prompt-injection-defenses.mdx @@ -26,12 +26,13 @@ As LLMs execute based on statistical patterns rather than explicit checks, malic cause the model to ignore safety instructions, reveal sensitive data, or perform unintended actions. Effective mitigation requires intercepting and sanitizing inputs at the execution layer rather than relying solely on upstream policies or prompt templates. Security controls should classify and constrain inputs before they are interpreted by a -model. +model. ## On-Chain Data as Untrusted Input In smart contract tooling, DAO governance assistants, and wallet agents, prompt injection can lead to incorrect -transaction construction or misleading governance actions. Inputs originating from on-chain data or community proposals should be treated as untrusted by default. +transaction construction or misleading governance actions. Inputs originating from on-chain data or community +proposals should be treated as untrusted by default. ## Consider using diff --git a/docs/pages/certs/index.mdx b/docs/pages/certs/index.mdx index 65701348..9754e4aa 100644 --- a/docs/pages/certs/index.mdx +++ b/docs/pages/certs/index.mdx @@ -21,4 +21,3 @@ title: "Certs" - [SFC: Workspace Security](/certs/sfc-workspace-security) - [Certification Guidelines](/certs/certification-guidelines) - [Contributing to SEAL Certifications](/certs/contributions) -- [Certified Protocols](/certs/certified-protocols) diff --git a/docs/pages/config/contributors.json b/docs/pages/config/contributors.json index e2861cd9..60b2a5c5 100644 --- a/docs/pages/config/contributors.json +++ b/docs/pages/config/contributors.json @@ -23,7 +23,7 @@ { "name": "Issue-Opener-5", "assigned": "2024-08-22" }, { "name": "Issue-Opener-10", "assigned": "2024-08-24" }, { "name": "Issue-Opener-25", "assigned": "2024-09-25" }, - { "name": "Active-Last-7d", "lastActive": "2026-02-10" } + { "name": "Active-Last-7d", "lastActive": "2026-03-10" } ] }, "fredriksvantes": { @@ -101,7 +101,8 @@ { "name": "Contributor-5", "assigned": "2025-01-09" }, { "name": "Contributor-10", "assigned": "2025-04-10" }, { "name": "First-Review", "assigned": "2025-08-11" }, - { "name": "Issue-Opener-5", "assigned": "2025-08-12" } + { "name": "Issue-Opener-5", "assigned": "2025-08-12" }, + { "name": "Dormant-90d+", "lastActive": "2025-12-08" } ] }, "tebayoso": { @@ -171,7 +172,7 @@ { "name": "Framework-Steward", "assigned": "2025-07-15", "framework": "Security Testing" }, { "name": "First-Contribution", "assigned": "2025-07-15" }, { "name": "Contributor-5", "assigned": "2025-07-31" }, - { "name": "Dormant-90d+", "lastActive": "2026-07-31" } + { "name": "Dormant-90d+", "lastActive": "2025-07-31" } ] }, "pinalikefruit": { @@ -204,7 +205,8 @@ "role": "contributor", "description": "Frameworks Contributor", "badges": [ - { "name": "First-Contribution", "assigned": "2025-10-29" } + { "name": "First-Contribution", "assigned": "2025-10-29" }, + { "name": "Dormant-90d+", "lastActive": "2025-12-01" } ] }, "dickson": { @@ -226,7 +228,9 @@ { "name": "Contributor-10", "assigned": "2025-12-01" }, { "name": "Contributor-25", "assigned": "2026-02-09" }, { "name": "First-Review", "assigned": "2025-08-11" }, - { "name": "Active-Last-7d", "lastActive": "2026-02-09" } + { "name": "Reviewer-10", "assigned": "2026-02-24" }, + { "name": "Reviewer-25", "assigned": "2024-03-01" }, + { "name": "Active-Last-30d", "lastActive": "2026-03-02" } ] }, "blackbigswan": { @@ -349,7 +353,7 @@ "badges": [ { "name": "Framework-Steward", "assigned": "2025-12-17", "framework": "SEAL Certs" }, { "name": "First-Review", "assigned": "2026-01-26" }, - { "name": "Active-Last-7d", "lastActive": "2026-02-09" } + { "name": "Active-Last-30d", "lastActive": "2026-02-09" } ] }, "geoffrey": { @@ -440,7 +444,7 @@ { "name": "Contributor-25", "assigned": "2025-11-15" }, { "name": "First-Review", "assigned": "2025-08-12" }, { "name": "Reviewer-10", "assigned": "2025-09-12" }, - { "name": "Active-Last-7d", "lastActive": "2026-02-10" } + { "name": "Active-Last-7d", "lastActive": "2026-03-11" } ] }, "gunnim": { @@ -455,8 +459,7 @@ "role": "contributor", "description": "Frameworks Contributor", "badges": [ - { "name": "First-Contribution", "assigned": "2026-01-21" }, - { "name": "Active-Last-30d", "lastActive": "2026-01-22" } + { "name": "First-Contribution", "assigned": "2026-01-21" } ] }, "madjin": { @@ -472,7 +475,7 @@ "description": "Frameworks Contributor", "badges": [ { "name": "First-Contribution", "assigned": "2025-12-16" }, - { "name": "Active-Last-7d", "lastActive": "2026-02-09" } + { "name": "Active-Last-30d", "lastActive": "2026-02-09" } ] }, "monperrus": { @@ -487,8 +490,7 @@ "role": "contributor", "description": "Frameworks Contributor", "badges": [ - { "name": "First-Contribution", "assigned": "2026-01-21" }, - { "name": "Active-Last-30d", "lastActive": "2026-01-21" } + { "name": "First-Contribution", "assigned": "2026-01-21" } ] }, "munamwasi": { @@ -503,7 +505,7 @@ "role": "contributor", "description": "Frameworks Contributor", "badges": [ - { "name": "First-Contribution", "assigned": "2026-02-20" } + { "name": "First-Contribution", "assigned": "2026-02-27" } ] }, "jubos": { @@ -516,7 +518,10 @@ "company": null, "job_title": null, "role": "contributor", - "description": "Frameworks Contributor" + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2026-02-27" } + ] }, "masterfung": { "slug": "masterfung", @@ -528,7 +533,10 @@ "company": null, "job_title": null, "role": "contributor", - "description": "Frameworks Contributor" + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2026-02-27" } + ] }, "quillaudits": { "slug": "quillaudits", @@ -557,7 +565,39 @@ "badges": [ { "name": "First-Contribution", "assigned": "2025-12-03" }, { "name": "Issue-Opener-5", "assigned": "2026-02-05" }, - { "name": "Active-Last-7d", "lastActive": "2026-02-10" } + { "name": "Active-Last-30d", "lastActive": "2026-02-10" } + ] + }, + "davidthegardens": { + "slug": "davidthegardens", + "name": "davidthegardens", + "avatar": "https://avatars.githubusercontent.com/davidthegardens", + "github": "https://github.com/davidthegardens", + "twitter": null, + "website": null, + "company": null, + "job_title": null, + "role": "contributor", + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2025-04-10" }, + { "name": "Dormant-90d+", "lastActive": "2025-11-18" } + ] + }, + "00xwizard": { + "slug": "00xwizard", + "name": "00xwizard", + "avatar": "https://avatars.githubusercontent.com/00xwizard", + "github": "https://github.com/00xwizard", + "twitter": null, + "website": null, + "company": null, + "job_title": null, + "role": "contributor", + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2025-09-18" }, + { "name": "Dormant-90d+", "lastActive": "2025-09-18" } ] } } diff --git a/docs/pages/contribute/index.mdx b/docs/pages/contribute/index.mdx index 692e10a7..521257bf 100644 --- a/docs/pages/contribute/index.mdx +++ b/docs/pages/contribute/index.mdx @@ -14,4 +14,3 @@ title: "Contribute" - [Contributing Guide](/contribute/contributing) - [Spotlight Zone](/contribute/spotlight-zone) - [Becoming a Framework Steward](/contribute/stewards) -- [Champions](/contribute/champions) diff --git a/docs/pages/devsecops/isolation/capability-based-isolation.mdx b/docs/pages/devsecops/isolation/capability-based-isolation.mdx index 1177e5bf..00fab816 100644 --- a/docs/pages/devsecops/isolation/capability-based-isolation.mdx +++ b/docs/pages/devsecops/isolation/capability-based-isolation.mdx @@ -22,15 +22,20 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Capability-based isolation replaces broad ambient permissions with short-lived, task-scoped grants tied to context, so compromised workflows cannot exceed narrowly defined actions. +> πŸ”‘ **Key Takeaway**: Capability-based isolation replaces broad ambient permissions with +> short-lived, task-scoped grants tied to context, so compromised workflows cannot exceed +> narrowly defined actions. -Capability-based isolation limits what automation can do by granting **specific actions under explicit conditions**, instead of broad ambient privileges. +Capability-based isolation limits what automation can do by granting +**specific actions under explicit conditions**, instead of broad ambient +privileges. In practice: do not give a job β€œadmin” rights when it only needs β€œread dependency metadata” or β€œupload artifact to one path”. ## Why this matters in DevSecOps -Many incidents are privilege-shape failures, not code execution failures: compromised workflows succeed because credentials are too broad. +Many incidents are privilege-shape failures, not code execution failures: compromised workflows +succeed because credentials are too broad. Capability scoping reduces blast radius by ensuring that even successful compromise has constrained impact. @@ -96,12 +101,12 @@ Capability revocation should be immediate and automated for suspicious activity. ## References -- NIST SP 800-53 Rev. 5 (least privilege and access control): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final -- NIST SSDF (SP 800-218): https://csrc.nist.gov/pubs/sp/800/218/final -- NIST glossary, *Least Privilege*: https://csrc.nist.gov/glossary/term/least_privilege -- Kubernetes, *Role Based Access Control*: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ -- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/ -- SLSA specification: https://slsa.dev/spec/v1.0/ +- [NIST SP 800-53 Rev. 5 (least privilege and access control)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) +- [NIST SSDF (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final) +- [NIST glossary, *Least Privilege*](https://csrc.nist.gov/glossary/term/least_privilege) +- [Kubernetes, *Role Based Access Control*](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) +- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/) +- [SLSA specification](https://slsa.dev/spec/v1.0/) --- diff --git a/docs/pages/devsecops/isolation/execution-sandboxing-practical-guide.mdx b/docs/pages/devsecops/isolation/execution-sandboxing-practical-guide.mdx index 7657443f..4015e00e 100644 --- a/docs/pages/devsecops/isolation/execution-sandboxing-practical-guide.mdx +++ b/docs/pages/devsecops/isolation/execution-sandboxing-practical-guide.mdx @@ -24,7 +24,10 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Start by defining trust zones, then apply matching controls that keep untrusted validation isolated from release paths while enforcing ephemeral runners, short-lived credentials, and deny-by-default egress. +> πŸ”‘ **Key Takeaway**: Start by defining trust zones, then apply matching +> controls that keep untrusted validation isolated from release paths +> while enforcing ephemeral runners, short-lived credentials, +> and deny-by-default egress. This guide translates sandboxing principles into concrete controls for real CI/CD environments. @@ -95,7 +98,9 @@ Only grant elevated scopes per job when required. ### Important workflow safety note -Avoid using `pull_request_target` to run untrusted code with privileged context unless you fully understand and constrain checkout, permissions, and secret access behavior. +Avoid using `pull_request_target` to run untrusted code with privileged context +unless you fully understand and constrain checkout, permissions, +and secret access behavior. ## 3) Secrets and identity controls @@ -114,7 +119,8 @@ Avoid using `pull_request_target` to run untrusted code with privileged context ### Segregate high-impact secrets -Signing keys, registry publish credentials, and production deploy tokens should be available only in protected environments with approval gates. +Signing keys, registry publish credentials, and production deploy tokens +should be available only in protected environments with approval gates. ## 4) Network egress control @@ -220,16 +226,16 @@ Have a playbook for: ## References -- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final -- NIST SP 800-204A, *Building Secure Microservices-based Applications Using Service-Mesh Architecture*: https://csrc.nist.gov/pubs/sp/800/204/a/final -- NIST SSDF (SP 800-218): https://csrc.nist.gov/pubs/sp/800/218/final +- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final) +- [NIST SP 800-204A, *Building Secure Microservices-based Applications Using Service-Mesh Architecture*](https://csrc.nist.gov/pubs/sp/800/204/a/final) +- [NIST SSDF (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final) -- GitHub Actions security hardening: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions -- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/ -- Kubernetes, *Network Policies*: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/ -- Linux kernel documentation, *Seccomp BPF*: https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html -- SLSA specification: https://slsa.dev/spec/v1.0/ +- [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) +- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/) +- [Kubernetes, *Network Policies*](https://kubernetes.io/docs/concepts/services-networking/network-policies/) +- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/) +- [Linux kernel documentation, *Seccomp BPF*](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) +- [SLSA specification](https://slsa.dev/spec/v1.0/) --- diff --git a/docs/pages/devsecops/isolation/execution-sandboxing.mdx b/docs/pages/devsecops/isolation/execution-sandboxing.mdx index fa6a6923..a5a57709 100644 --- a/docs/pages/devsecops/isolation/execution-sandboxing.mdx +++ b/docs/pages/devsecops/isolation/execution-sandboxing.mdx @@ -23,9 +23,14 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Execution sandboxing reduces blast radius by running automation in ephemeral least-privilege environments and enforcing isolation across process, filesystem, identity, and network, with stronger boundaries for higher-risk workflows. +> πŸ”‘ **Key Takeaway**: Execution sandboxing reduces blast radius by running +> automation in ephemeral least-privilege environments and enforcing isolation +> across process, filesystem, identity, and network, with stronger boundaries +> for higher-risk workflows. -Execution sandboxing means running workloads inside controlled boundaries so that compromise of a job, script, or tool does **not** become compromise of your platform. +Execution sandboxing means running workloads inside controlled boundaries +so that compromise of a job, script, or tool does **not** become compromise +of your platform. In DevSecOps, this applies to: @@ -82,7 +87,9 @@ Treat these as separate enforcement planes: ### 2) Use ephemeral runners -Each job should run on fresh infrastructure and be destroyed after completion. Avoid shared mutable state and persistent credentials between jobs. +Each job should run on fresh infrastructure and be destroyed after +completion. Avoid shared mutable state and persistent credentials +between jobs. ### 3) Restrict privileged paths @@ -98,15 +105,15 @@ Build, sign, publish, and deploy should be distinct stages with explicit policy ## References -- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final -- NIST SP 800-53 Rev. 5, *Security and Privacy Controls*: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final +- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final) +- [NIST SP 800-53 Rev. 5, *Security and Privacy Controls*](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) -- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/ -- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/ -- Linux kernel documentation, *Seccomp BPF*: https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html -- gVisor documentation: https://gvisor.dev/docs/ -- Kata Containers documentation: https://github.com/kata-containers/documentation -- Firecracker documentation: https://github.com/firecracker-microvm/firecracker/tree/main/docs +- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/) +- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/) +- [Linux kernel documentation, *Seccomp BPF*](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) +- [gVisor documentation](https://gvisor.dev/docs/) +- [Kata Containers documentation](https://github.com/kata-containers/documentation) +- [Firecracker documentation](https://github.com/firecracker-microvm/firecracker/tree/main/docs) --- diff --git a/docs/pages/devsecops/isolation/network-and-resource-isolation.mdx b/docs/pages/devsecops/isolation/network-and-resource-isolation.mdx index fd5ad271..247ea1ce 100644 --- a/docs/pages/devsecops/isolation/network-and-resource-isolation.mdx +++ b/docs/pages/devsecops/isolation/network-and-resource-isolation.mdx @@ -24,7 +24,9 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Treat network and compute as hard containment boundaries: deny egress by default, segment trust zones to prevent lateral movement, and enforce strict resource limits to block abuse and runaway jobs. +> πŸ”‘ **Key Takeaway**: Treat network and compute as hard containment boundaries: deny egress by default, +> segment trust zones to prevent lateral movement, and enforce strict resource limits to block abuse +> and runaway jobs. Network and compute controls are critical containment layers for sandboxed execution. @@ -39,7 +41,8 @@ Without them, a compromised build or tool can: ### 1) Default deny egress -Start with no outbound access. Add explicit allow rules only for required destinations (SCM host, package registries, artifact storage, approved APIs). +Start with no outbound access. Add explicit allow rules only for required destinations +(SCM host, package registries, artifact storage, approved APIs). ### 2) Separate trust zones @@ -99,14 +102,14 @@ These controls are both security and reliability controls. ## References -- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final -- NIST SP 800-53 Rev. 5 (network and resource control families): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final +- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final) +- [NIST SP 800-53 Rev. 5 (network and resource control families)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) -- Kubernetes, *Network Policies*: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -- Kubernetes, *Resource Management for Pods and Containers*: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/ -- gVisor documentation: https://gvisor.dev/docs/ -- Firecracker documentation: https://github.com/firecracker-microvm/firecracker/tree/main/docs +- [Kubernetes, *Network Policies*](https://kubernetes.io/docs/concepts/services-networking/network-policies/) +- [Kubernetes, *Resource Management for Pods and Containers*](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) +- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/) +- [gVisor documentation](https://gvisor.dev/docs/) +- [Firecracker documentation](https://github.com/firecracker-microvm/firecracker/tree/main/docs) --- diff --git a/docs/pages/devsecops/isolation/sandboxing-and-isolation.mdx b/docs/pages/devsecops/isolation/sandboxing-and-isolation.mdx index 8039a9f7..52549272 100644 --- a/docs/pages/devsecops/isolation/sandboxing-and-isolation.mdx +++ b/docs/pages/devsecops/isolation/sandboxing-and-isolation.mdx @@ -21,9 +21,14 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Assume execution can be untrusted and apply layered containment across identity, runtime, filesystem, network, and resources, increasing isolation strength with workload risk. +> πŸ”‘ **Key Takeaway**: Assume execution can be untrusted and apply layered +> containment across identity, runtime, filesystem, network, and resources, +> increasing isolation strength with workload risk. -This section is the DevSecOps guide for **running untrusted or semi-trusted execution safely**: CI jobs, pull request validation, build scripts, plugins, package hooks, internal automation, and AI agents (as one automation category among many). +This section is the DevSecOps guide for **running untrusted or semi-trusted +execution safely**: CI jobs, pull request validation, build scripts, plugins, +package hooks, internal automation, and AI agents (as one automation category +among many). The core objective is simple: **assume compromise can happen, then contain blast radius by design**. @@ -38,7 +43,8 @@ Treat sandboxing decisions as a threat-modeling exercise across four dimensions: | Privileges | What authority does runtime hold? (filesystem write, network egress, cloud IAM, package publish, deployment rights) | | Impact | What is worst-case outcome? (secret exfiltration, artifact tampering, lateral movement, production change, financial loss) | -**Default assumption:** code from external contributors, third-party actions, and newly introduced dependencies are untrusted until verified. +**Default assumption:** code from external contributors, third-party actions, +and newly introduced dependencies are untrusted until verified. ## Decision tree: choose isolation depth @@ -87,20 +93,25 @@ At minimum, enforce the following: ## Start here (section map) - [Execution Sandboxing](/devsecops/isolation/execution-sandboxing) β€” principles and runtime design choices. -- [Execution Sandboxing: A Practical Guide](/devsecops/isolation/execution-sandboxing-practical-guide) β€” implementation blueprint for teams and platforms. -- [Network & Resource Isolation](/devsecops/isolation/network-and-resource-isolation) β€” egress controls, quotas, and anti-exfiltration patterns. -- [Sandboxing for Tool Execution](/devsecops/isolation/sandboxing-for-tool-execution) β€” controlling high-risk tool calls and side effects. -- [Capability-Based Isolation](/devsecops/isolation/capability-based-isolation) β€” breaking broad permissions into constrained capabilities. -- [Sandboxing & Policy Enforcement](/devsecops/isolation/sandboxing-and-policy-enforcement) β€” integrating policy-as-code with runtime isolation. +- [Execution Sandboxing: A Practical Guide](/devsecops/isolation/execution-sandboxing-practical-guide) β€” implementation +blueprint for teams and platforms. +- [Network & Resource Isolation](/devsecops/isolation/network-and-resource-isolation) β€” egress controls, quotas, and +anti-exfiltration patterns. +- [Sandboxing for Tool Execution](/devsecops/isolation/sandboxing-for-tool-execution) β€” controlling high-risk tool +calls and side effects. +- [Capability-Based Isolation](/devsecops/isolation/capability-based-isolation) β€” breaking broad permissions into +constrained capabilities. +- [Sandboxing & Policy Enforcement](/devsecops/isolation/sandboxing-and-policy-enforcement) β€” integrating +policy-as-code with runtime isolation. ## References -- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final -- NIST SP 800-53 Rev. 5, *Security and Privacy Controls*: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final -- Linux kernel documentation, *Seccomp BPF*: https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html -- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/ -- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/ -- SLSA specification: https://slsa.dev/spec/v1.0/ +- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final) +- [NIST SP 800-53 Rev. 5, *Security and Privacy Controls*](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) +- [Linux kernel documentation, *Seccomp BPF*](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) +- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/) +- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/) +- [SLSA specification](https://slsa.dev/spec/v1.0/) --- diff --git a/docs/pages/devsecops/isolation/sandboxing-and-policy-enforcement.mdx b/docs/pages/devsecops/isolation/sandboxing-and-policy-enforcement.mdx index a9613508..ce02a16a 100644 --- a/docs/pages/devsecops/isolation/sandboxing-and-policy-enforcement.mdx +++ b/docs/pages/devsecops/isolation/sandboxing-and-policy-enforcement.mdx @@ -23,7 +23,8 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Policy decides what may run and sandboxing limits damage if it fails, so both must be enforced before, during, and after execution to close control gaps. +> πŸ”‘ **Key Takeaway**: Policy decides what may run and sandboxing limits damage if it fails, +> so both must be enforced before, during, and after execution to close control gaps. Sandboxing and policy enforcement solve different problems and must be used together: @@ -93,13 +94,13 @@ A practical stack for pipelines: ## References -- NIST SP 800-53 Rev. 5 (policy, audit, and access controls): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final -- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final -- NIST SSDF (SP 800-218): https://csrc.nist.gov/pubs/sp/800/218/final +- [NIST SP 800-53 Rev. 5 (policy, audit, and access controls)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) +- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final) +- [NIST SSDF (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final) -- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/ -- Kubernetes, *Admission Controllers*: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ -- SLSA specification: https://slsa.dev/spec/v1.0/ +- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/) +- [Kubernetes, *Admission Controllers*](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) +- [SLSA specification](https://slsa.dev/spec/v1.0/) --- diff --git a/docs/pages/devsecops/isolation/sandboxing-for-tool-execution.mdx b/docs/pages/devsecops/isolation/sandboxing-for-tool-execution.mdx index d4ee9cf0..2d8c354c 100644 --- a/docs/pages/devsecops/isolation/sandboxing-for-tool-execution.mdx +++ b/docs/pages/devsecops/isolation/sandboxing-for-tool-execution.mdx @@ -23,9 +23,12 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Every tool invocation should pass policy, run in a constrained sandbox, and leave auditable evidence, with stronger gates for high-impact actions like deploy, merge, and publish. +> πŸ”‘ **Key Takeaway**: Every tool invocation should pass policy, run in a +> constrained sandbox, and leave auditable evidence, with stronger gates +> for high-impact actions like deploy, merge, and publish. -Tool execution is where automation becomes real-world side effects: file changes, API mutations, infrastructure updates, deployments, or financial transactions. +Tool execution is where automation becomes real-world side effects: file changes, +API mutations, infrastructure updates, deployments, or financial transactions. This is often the highest-risk path in DevSecOps workflows. @@ -92,14 +95,14 @@ A secure flow is: ## References -- NIST SP 800-53 Rev. 5 (least privilege, audit, execution controls): https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final -- NIST SP 800-190, *Application Container Security Guide*: https://csrc.nist.gov/pubs/sp/800/190/final +- [NIST SP 800-53 Rev. 5 (least privilege, audit, execution controls)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) +- [NIST SP 800-190, *Application Container Security Guide*](https://csrc.nist.gov/pubs/sp/800/190/final) -- Linux kernel documentation, *Seccomp BPF*: https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html -- Docker, *Docker Engine Security*: https://docs.docker.com/engine/security/ -- Kubernetes, *Pod Security Standards*: https://kubernetes.io/docs/concepts/security/pod-security-standards/ -- Firecracker documentation: https://github.com/firecracker-microvm/firecracker/tree/main/docs -- gVisor documentation: https://gvisor.dev/docs/ +- [Linux kernel documentation, *Seccomp BPF*](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) +- [Docker, *Docker Engine Security*](https://docs.docker.com/engine/security/) +- [Kubernetes, *Pod Security Standards*](https://kubernetes.io/docs/concepts/security/pod-security-standards/) +- [Firecracker documentation](https://github.com/firecracker-microvm/firecracker/tree/main/docs) +- [gVisor documentation](https://gvisor.dev/docs/) --- diff --git a/docs/pages/devsecops/overview.mdx b/docs/pages/devsecops/overview.mdx index 1739e722..9fd4ed92 100644 --- a/docs/pages/devsecops/overview.mdx +++ b/docs/pages/devsecops/overview.mdx @@ -18,7 +18,9 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: DevSecOps works when security is embedded from planning through delivery, automated checks stop unsafe changes before production, and sandboxed execution contains risk when untrusted code or tooling runs. +> πŸ”‘ **Key Takeaway**: DevSecOps works when security is embedded from planning through +> delivery, automated checks stop unsafe changes before production, and sandboxed +> execution contains risk when untrusted code or tooling runs. Traditionally, rapid development and deployment is often prioritized at the expense of security considerations. This is generally speaking no different in web3, but it is important to take integrity, confidentiality, and availability into @@ -32,28 +34,40 @@ operations and security teams. Some of the key areas to consider are: 1. Integrate security measures early in the development process, such as by utilizing security tools such as fuzzing, - static and dynamic analysis tools in your CI/CD process, to identify and mitigate vulnerabilities before they turn into - critical issues. + static and dynamic analysis tools in your CI/CD process, to identify and mitigate vulnerabilities before they turn + into critical issues. 2. Implement automated security testing and monitoring. 3. Development, Operations and Security teams should be aligned and work closely together. -4. Use **sandboxing & isolation** to reduce blast radius when running tooling, builds, plugins, and other potentially risky execution. +4. Use **sandboxing & isolation** to reduce blast radius when running tooling, builds, + plugins, and other potentially risky execution. - See: [Sandboxing & Isolation](/devsecops/isolation/sandboxing-and-isolation) ## What’s inside DevSecOps - **Isolation & Sandboxing** - - [Sandboxing & Isolation](/devsecops/isolation/sandboxing-and-isolation): Core guidance for containment patterns across CI/CD and automation workflows. - - [Execution Sandboxing](/devsecops/isolation/execution-sandboxing): Core runtime isolation controls to limit blast radius and privilege abuse. - - [Execution Sandboxing: A Practical Guide](/devsecops/isolation/execution-sandboxing-practical-guide): Implementation playbook for runners, untrusted PRs, secrets, and egress. - - [Capability-Based Isolation](/devsecops/isolation/capability-based-isolation): Replace broad privileges with explicit, auditable capability grants. - - [Network & Resource Isolation](/devsecops/isolation/network-and-resource-isolation): Enforce deny-by-default networking and strict CPU/memory/resource boundaries. - - [Sandboxing for Tool Execution](/devsecops/isolation/sandboxing-for-tool-execution): Secure high-risk tool invocation with constrained runtime and auditable effects. - - [Sandboxing & Policy Enforcement](/devsecops/isolation/sandboxing-and-policy-enforcement): Combine sandbox boundaries with policy-as-code for defense in depth. -- [Securing CI/CD Pipelines](/devsecops/continuous-integration-continuous-deployment): Build safer pipelines with testing, scanning, deterministic builds, and access controls. -- [Repository Hardening](/devsecops/repository-hardening): Protect repos with branch policies, signed commits, and hardened automation settings. + - [Sandboxing & Isolation](/devsecops/isolation/sandboxing-and-isolation): Core guidance for containment patterns + across CI/CD and automation workflows. + - [Execution Sandboxing](/devsecops/isolation/execution-sandboxing): Core runtime isolation controls to limit blast + radius and privilege abuse. + - [Execution Sandboxing: A Practical Guide](/devsecops/isolation/execution-sandboxing-practical-guide): + Implementation playbook for runners, untrusted PRs, secrets, and egress. + - [Capability-Based Isolation](/devsecops/isolation/capability-based-isolation): Replace broad privileges with + explicit, auditable capability grants. + - [Network & Resource Isolation](/devsecops/isolation/network-and-resource-isolation): Enforce deny-by-default + networking and strict CPU/memory/resource boundaries. + - [Sandboxing for Tool Execution](/devsecops/isolation/sandboxing-for-tool-execution): Secure high-risk tool + invocation with constrained runtime and auditable effects. + - [Sandboxing & Policy Enforcement](/devsecops/isolation/sandboxing-and-policy-enforcement): Combine sandbox + boundaries with policy-as-code for defense in depth. +- [Securing CI/CD Pipelines](/devsecops/continuous-integration-continuous-deployment): Build safer pipelines with +testing, scanning, deterministic builds, and access controls. +- [Repository Hardening](/devsecops/repository-hardening): Protect repos with branch policies, signed commits, and +hardened automation settings. - [Security Testing](/devsecops/security-testing): Shift-left with SAST, DAST, IAST, and fuzzing to catch issues early. -- [Implementing Code Signing](/devsecops/code-signing): Strengthen integrity with signed commits/PRs and disciplined key management. -- [Securing Development Environments](/devsecops/integrated-development-environments): Reduce IDE and local environment risk with trusted tooling and isolation. +- [Implementing Code Signing](/devsecops/code-signing): Strengthen integrity with signed commits/PRs and disciplined +key management. +- [Securing Development Environments](/devsecops/integrated-development-environments): Reduce IDE and local environment +risk with trusted tooling and isolation. --- diff --git a/docs/pages/guides/endpoint-security/zoom-hardening.mdx b/docs/pages/guides/endpoint-security/zoom-hardening.mdx index b1e97fd5..3bd82fe2 100644 --- a/docs/pages/guides/endpoint-security/zoom-hardening.mdx +++ b/docs/pages/guides/endpoint-security/zoom-hardening.mdx @@ -23,43 +23,64 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Zoom's remote control and accessibility features are active attack vectors. Disable remote control, use browser-based Zoom when possible, deploy PPPC profiles on macOS, and train users to reject unexpected permission requests. +> πŸ”‘ **Key Takeaway**: Zoom's remote control and accessibility features are active attack vectors. +> Disable remote control, use browser-based Zoom when possible, deploy PPPC profiles on macOS, +> and train users to reject unexpected permission requests. ## Why Zoom is a target -Zoom's **remote control** feature allows a participant to request full control of another user's computer once screen sharing is active. Threat actors social-engineer victims into sharing their entire screen, then request remote control to install malware and exfiltrate credentials, private keys, and session tokens. +Zoom's **remote control** feature allows a participant to request full control of another user's +computer once screen sharing is active. Threat actors social-engineer victims into sharing their +entire screen, then request remote control to install malware and exfiltrate credentials, private +keys, and session tokens. -The most prominent example is **ELUSIVE COMET** β€” a threat actor impersonating investors, journalists, and podcast hosts to lure crypto holders onto Zoom calls, pressure them into full-screen sharing (claiming audio/video issues), then take over their machine via remote control. +The most prominent example is **ELUSIVE COMET** β€” a threat actor impersonating investors, +journalists, and podcast hosts to lure crypto holders onto Zoom calls, pressure them into +full-screen sharing (claiming audio/video issues), then take over their machine via remote control. -If already compromised, see the [ELUSIVE COMET incident response playbook](/incident-management/playbooks/hacked-elusive-comet). +If already compromised, see the +[ELUSIVE COMET incident response playbook](/incident-management/playbooks/hacked-elusive-comet). ## Immediate hardening steps -Apply these settings in the [Zoom web portal](https://zoom.us/profile/setting). Sign in, click **Settings** in the left sidebar, then navigate to the **Meeting** tab. +Apply these settings in the [Zoom web portal](https://zoom.us/profile/setting). Sign in, +click **Settings** in the left sidebar, then navigate to the **Meeting** tab. ### Required -These mitigations address the specific attack vectors described in the Trail of Bits ELUSIVE COMET research and should be treated as **non-negotiable** for any organization handling sensitive assets. +These mitigations address the specific attack vectors described in the Trail of Bits ELUSIVE +COMET research and should be treated as **non-negotiable** for any organization handling +sensitive assets. - [ ] **Disable remote control**: Settings > Meeting > In Meeting (Basic) > Remote control > **OFF** -- [ ] **Disable participant screen sharing (host only)**: Settings > Meeting > In Meeting (Basic) > Screen sharing > Who can share? > **Host Only** -- [ ] **Never grant Zoom accessibility permissions (macOS)**: If Zoom prompts for accessibility access, **deny it**. These permissions let remote control interact with your entire system. -- [ ] **Prefer browser-based Zoom**: Join via `zoom.us/join` instead of the desktop client. No remote control capability, no accessibility permissions. -- [ ] **Use SSO/OAuth authentication**: Use SSO or OAuth instead of Zoom-native accounts for centralized credential management and MFA. -- [ ] **Deploy PPPC profiles / revoke TCC permissions (macOS)**: See [macOS mitigations](#macos-specific-mitigations) below. -- [ ] **Remove Zoom desktop client when possible**: Uninstall entirely to eliminate the attack surface. +- [ ] **Disable participant screen sharing (host only)**: Settings > Meeting > In Meeting (Basic) > + Screen sharing > Who can share? > **Host Only** +- [ ] **Never grant Zoom accessibility permissions (macOS)**: If Zoom prompts for accessibility + access, **deny it**. These permissions let remote control interact with your entire system. +- [ ] **Prefer browser-based Zoom**: Join via `zoom.us/join` instead of the desktop client. + No remote control capability, no accessibility permissions. +- [ ] **Use SSO/OAuth authentication**: Use SSO or OAuth instead of Zoom-native accounts for + centralized credential management and MFA. +- [ ] **Deploy PPPC profiles / revoke TCC permissions (macOS)**: See + [macOS mitigations](#macos-specific-mitigations) below. +- [ ] **Remove Zoom desktop client when possible**: Uninstall entirely to eliminate the + attack surface. ### Optional -General Zoom security best practices. These do not directly mitigate the ELUSIVE COMET attack but improve overall meeting security hygiene. +General Zoom security best practices. These do not directly mitigate the ELUSIVE COMET attack +but improve overall meeting security hygiene. - [ ] **Enable waiting rooms**: Settings > Meeting > Security > Waiting Room > **ON** -- [ ] **Require meeting passcodes**: Settings > Meeting > Security > Require a passcode when scheduling new meetings > **ON** -- [ ] **Disable automatic recording**: Settings > Meeting > Recording > Automatic recording > **OFF** (enable only when explicitly needed) +- [ ] **Require meeting passcodes**: Settings > Meeting > Security > + Require a passcode when scheduling new meetings > **ON** +- [ ] **Disable automatic recording**: Settings > Meeting > Recording > + Automatic recording > **OFF** (enable only when explicitly needed) ## macOS-specific mitigations -macOS TCC governs per-app accessibility permissions. Trail of Bits published scripts to lock this down: +macOS TCC governs per-app accessibility permissions. Trail of Bits published scripts to lock +this down: ### Revoke existing Zoom accessibility permissions @@ -70,11 +91,13 @@ If Zoom already has accessibility access, revoke it immediately: tccutil reset Accessibility us.zoom.xos ``` -Verify removal in **System Settings > Privacy & Security > Accessibility** β€” Zoom should no longer appear or should be toggled off. +Verify removal in **System Settings > Privacy & Security > Accessibility** β€” Zoom should no +longer appear or should be toggled off. ### Deploy PPPC profiles to block accessibility requests -PPPC profiles block Zoom from receiving accessibility permissions even if a user clicks "Allow." Deploy fleet-wide via MDM/Jamf or manually via `profiles`/Apple Configurator. +PPPC profiles block Zoom from receiving accessibility permissions even if a user clicks +"Allow." Deploy fleet-wide via MDM/Jamf or manually via `profiles`/Apple Configurator. ### Complete Zoom uninstallation @@ -87,11 +110,14 @@ For teams, DAOs, and organizations handling sensitive assets: ### Prefer alternative meeting platforms for sensitive discussions -Use **Google Meet**, **Jitsi**, or other browser-native platforms for calls involving treasury operations, key ceremonies, or sensitive governance decisions. These platforms do not have a remote control feature. +Use **Google Meet**, **Jitsi**, or other browser-native platforms for calls involving treasury +operations, key ceremonies, or sensitive governance decisions. These platforms do not have a +remote control feature. ### Enforce browser-based Zoom when Zoom is required -If a counterparty insists on Zoom, join through the browser (`zoom.us/join`). The web client lacks the remote control feature entirely and cannot request accessibility permissions. +If a counterparty insists on Zoom, join through the browser (`zoom.us/join`). The web client +lacks the remote control feature entirely and cannot request accessibility permissions. ### Regularly purge the Zoom desktop client @@ -106,13 +132,15 @@ Train all team members on the remote control attack pattern: 3. Attacker (or a bot named "Zoom") requests remote control access. 4. Victim approves the request, and the attacker installs malware. -> **If a meeting participant asks you to share your screen and then requests remote control, END THE CALL IMMEDIATELY.** This is the single most effective defense. +> **If a meeting participant asks you to share your screen and then requests remote control, +> END THE CALL IMMEDIATELY.** This is the single most effective defense. ### Meeting hygiene policies - Only the host should share their screen by default. - Never share your entire screen β€” share a specific window if you must. -- Do not join meetings from unknown or unsolicited links without verifying the organizer's identity through a separate channel. +- Do not join meetings from unknown or unsolicited links without verifying the organizer's + identity through a separate channel. ## Detection signals @@ -127,13 +155,16 @@ Red flags during a Zoom call that suggest an attack in progress: | Request from unknown **"investors"** or **"journalists"** for a Zoom call | Common ELUSIVE COMET pretext β€” verify identity through independent channels before joining | | Zoom suddenly requests **accessibility permissions** on macOS | Indicates an attempt to enable remote control capabilities | -**Response:** Do not approve any request. Leave the call immediately. If compromised, follow the [ELUSIVE COMET playbook](/incident-management/playbooks/hacked-elusive-comet). +**Response:** Do not approve any request. Leave the call immediately. If compromised, follow +the [ELUSIVE COMET playbook](/incident-management/playbooks/hacked-elusive-comet). ## Further reading - [Trail of Bits β€” Zoom mitigations (PPPC profiles, tccutil scripts, uninstall scripts)](https://github.com/trailofbits/it-releases/tree/main/Zoom%20migitations) -- [ELUSIVE COMET incident response playbook](/incident-management/playbooks/hacked-elusive-comet) β€” what to do if you've already been compromised -- [SEAL Advisories](https://securityalliance.org) β€” ongoing threat intelligence for the crypto ecosystem +- [ELUSIVE COMET incident response playbook](/incident-management/playbooks/hacked-elusive-comet) + β€” what to do if you've already been compromised +- [SEAL Advisories](https://securityalliance.org) β€” ongoing threat intelligence for the + crypto ecosystem - [Zoom Security Settings documentation](https://support.zoom.us/hc/en-us/articles/360043150271-Zoom-security-settings) --- diff --git a/docs/pages/guides/index.mdx b/docs/pages/guides/index.mdx index a2502078..13c06c3a 100644 --- a/docs/pages/guides/index.mdx +++ b/docs/pages/guides/index.mdx @@ -13,3 +13,4 @@ title: "Guides" - [Guides](/guides/overview) - [Account Management](/guides/account-management) +- [Endpoint Security](/guides/endpoint-security) diff --git a/docs/pages/opsec/appendices/index.mdx b/docs/pages/opsec/appendices/index.mdx index bd9e4459..6b9de14d 100644 --- a/docs/pages/opsec/appendices/index.mdx +++ b/docs/pages/opsec/appendices/index.mdx @@ -12,6 +12,3 @@ title: "Appendices" ## Pages - [OpSec Resources & Appendices](/opsec/appendices/overview) -- [OpSec Case Studies](/opsec/appendices/case-studies) -- [Security Glossary](/opsec/appendices/glossary) -- [Security Policy Templates](/opsec/appendices/policies) diff --git a/docs/pages/opsec/control-domains/index.mdx b/docs/pages/opsec/control-domains/index.mdx index fa3c68c2..333fec8d 100644 --- a/docs/pages/opsec/control-domains/index.mdx +++ b/docs/pages/opsec/control-domains/index.mdx @@ -12,7 +12,3 @@ title: "Control Domains" ## Pages - [OpSec Control Domains](/opsec/control-domains/overview) -- [Organizational](/opsec/control-domains/organizational) -- [People](/opsec/control-domains/people) -- [Physical Environmental](/opsec/control-domains/physical-environmental) -- [Technical](/opsec/control-domains/technical) diff --git a/docs/pages/opsec/control-domains/organizational/index.mdx b/docs/pages/opsec/control-domains/organizational/index.mdx deleted file mode 100644 index ae0d443f..00000000 --- a/docs/pages/opsec/control-domains/organizational/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Organizational" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Organizational - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Compliance Regulatory Alignment](/opsec/control-domains/organizational/compliance-regulatory-alignment) -- [Supply Chain Security](/opsec/control-domains/organizational/supply-chain-security) diff --git a/docs/pages/opsec/control-domains/people/index.mdx b/docs/pages/opsec/control-domains/people/index.mdx deleted file mode 100644 index 96e156dd..00000000 --- a/docs/pages/opsec/control-domains/people/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: "People" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# People - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Insider Threat Mitigation](/opsec/control-domains/people/insider-threat-mitigation) -- [Security Training Culture](/opsec/control-domains/people/security-training-culture) -- [Social Engineering Defense](/opsec/control-domains/people/social-engineering-defense) diff --git a/docs/pages/opsec/control-domains/physical-environmental/index.mdx b/docs/pages/opsec/control-domains/physical-environmental/index.mdx deleted file mode 100644 index b9ef9b8c..00000000 --- a/docs/pages/opsec/control-domains/physical-environmental/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Physical Environmental" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Physical Environmental - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Secure Workspace Travel](/opsec/control-domains/physical-environmental/secure-workspace-travel) -- [Tamper Evidence](/opsec/control-domains/physical-environmental/tamper-evidence) diff --git a/docs/pages/opsec/control-domains/technical/index.mdx b/docs/pages/opsec/control-domains/technical/index.mdx deleted file mode 100644 index 30f57c3d..00000000 --- a/docs/pages/opsec/control-domains/technical/index.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: "Technical" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Technical - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Cryptocurrency Controls](/opsec/control-domains/technical/cryptocurrency-controls) -- [Device Hardening](/opsec/control-domains/technical/device-hardening) -- [Encrypted Storage Backups](/opsec/control-domains/technical/encrypted-storage-backups) -- [Network Communication Security](/opsec/control-domains/technical/network-communication-security) -- [Two Factor Hardware Auth](/opsec/control-domains/technical/two-factor-hardware-auth) diff --git a/docs/pages/opsec/improvement/index.mdx b/docs/pages/opsec/improvement/index.mdx deleted file mode 100644 index cdeda304..00000000 --- a/docs/pages/opsec/improvement/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Improvement" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Improvement - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Post Mortem](/opsec/improvement/post-mortem) -- [Security Kpis](/opsec/improvement/security-kpis) diff --git a/docs/pages/opsec/index.mdx b/docs/pages/opsec/index.mdx index fdc4eae2..dc2e72eb 100644 --- a/docs/pages/opsec/index.mdx +++ b/docs/pages/opsec/index.mdx @@ -19,10 +19,7 @@ title: "Opsec" - [Core Concepts](/opsec/core-concepts) - [Endpoint](/opsec/endpoint) - [Google](/opsec/google) -- [Improvement](/opsec/improvement) - [Integration](/opsec/integration) - [Mfa](/opsec/mfa) -- [Old](/opsec/old) - [Passwords](/opsec/passwords) -- [Principles](/opsec/principles) - [Travel](/opsec/travel) diff --git a/docs/pages/opsec/integration/index.mdx b/docs/pages/opsec/integration/index.mdx index 06ebacdf..5a19e77e 100644 --- a/docs/pages/opsec/integration/index.mdx +++ b/docs/pages/opsec/integration/index.mdx @@ -12,6 +12,3 @@ title: "Integration" ## Pages - [OpSec Integration](/opsec/integration/overview) -- [Devsecops](/opsec/integration/devsecops) -- [Governance](/opsec/integration/governance) -- [Privacy](/opsec/integration/privacy) diff --git a/docs/pages/opsec/old/cloud-third-party/index.mdx b/docs/pages/opsec/old/cloud-third-party/index.mdx deleted file mode 100644 index b9ced2d3..00000000 --- a/docs/pages/opsec/old/cloud-third-party/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Cloud Third Party" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Cloud Third Party - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [G Suite Security](/opsec/old/cloud-third-party/g-suite-security) -- [Overview](/opsec/old/cloud-third-party/overview) diff --git a/docs/pages/opsec/old/data-protection/index.mdx b/docs/pages/opsec/old/data-protection/index.mdx deleted file mode 100644 index 2cc2967f..00000000 --- a/docs/pages/opsec/old/data-protection/index.mdx +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "Data Protection" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Data Protection - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/opsec/old/data-protection/overview) diff --git a/docs/pages/opsec/old/device-endpoint-security/index.mdx b/docs/pages/opsec/old/device-endpoint-security/index.mdx deleted file mode 100644 index e893ddfa..00000000 --- a/docs/pages/opsec/old/device-endpoint-security/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Device Endpoint Security" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Device Endpoint Security - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/opsec/old/device-endpoint-security/overview) -- [Standard Operating Environment](/opsec/old/device-endpoint-security/standard-operating-environment) diff --git a/docs/pages/opsec/old/digital-identity-access/index.mdx b/docs/pages/opsec/old/digital-identity-access/index.mdx deleted file mode 100644 index a6c3a8f0..00000000 --- a/docs/pages/opsec/old/digital-identity-access/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: "Digital Identity Access" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Digital Identity Access - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/opsec/old/digital-identity-access/overview) -- [Password Secrets Management](/opsec/old/digital-identity-access/password-secrets-management) -- [Sim Swapping](/opsec/old/digital-identity-access/sim-swapping) diff --git a/docs/pages/opsec/old/governance/index.mdx b/docs/pages/opsec/old/governance/index.mdx deleted file mode 100644 index 564a270b..00000000 --- a/docs/pages/opsec/old/governance/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Governance" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Governance - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Security Policies Roles](/opsec/old/governance/security-policies-roles) -- [Third Party Vendor Governance](/opsec/old/governance/third-party-vendor-governance) diff --git a/docs/pages/opsec/old/human-centered-security/index.mdx b/docs/pages/opsec/old/human-centered-security/index.mdx deleted file mode 100644 index f702f5c6..00000000 --- a/docs/pages/opsec/old/human-centered-security/index.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: "Human Centered Security" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Human Centered Security - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Detecting And Mitigating Insider Threats](/opsec/old/human-centered-security/detecting-and-mitigating-insider-threats) -- [Overview](/opsec/old/human-centered-security/overview) -- [Personal Opsec](/opsec/old/human-centered-security/personal-opsec) -- [Social Engineering Defense](/opsec/old/human-centered-security/social-engineering-defense) -- [Travel Security](/opsec/old/human-centered-security/travel-security) diff --git a/docs/pages/opsec/old/incident-response/index.mdx b/docs/pages/opsec/old/incident-response/index.mdx deleted file mode 100644 index 693f82d6..00000000 --- a/docs/pages/opsec/old/incident-response/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Incident Response" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Incident Response - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Containment Recovery](/opsec/old/incident-response/containment-recovery) -- [Playbooks](/opsec/old/incident-response/playbooks) diff --git a/docs/pages/opsec/old/index.mdx b/docs/pages/opsec/old/index.mdx deleted file mode 100644 index 43eef3cd..00000000 --- a/docs/pages/opsec/old/index.mdx +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: "Old" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Old - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Cloud Third Party](/opsec/old/cloud-third-party) -- [Core Opsec Principles](/opsec/old/core-opsec-principles) -- [Data Protection](/opsec/old/data-protection) -- [Device Endpoint Security](/opsec/old/device-endpoint-security) -- [Digital Identity Access](/opsec/old/digital-identity-access) -- [Governance](/opsec/old/governance) -- [Governance Program Management](/opsec/old/governance-program-management) -- [Human Centered Security](/opsec/old/human-centered-security) -- [Incident Response](/opsec/old/incident-response) -- [Incident Response Recovery](/opsec/old/incident-response-recovery) -- [Lifecycle](/opsec/old/lifecycle) -- [Monitoring](/opsec/old/monitoring) -- [Monitoring Detection](/opsec/old/monitoring-detection) -- [Network Communication](/opsec/old/network-communication) -- [Overview](/opsec/old/overview) -- [Physical Security](/opsec/old/physical-security) -- [Risk Management](/opsec/old/risk-management) -- [Risk Management Overview](/opsec/old/risk-management-overview) -- [Threat Modeling Overview](/opsec/old/threat-modeling-overview) -- [Web3 Specific Opsec](/opsec/old/web3-specific-opsec) diff --git a/docs/pages/opsec/old/lifecycle/index.mdx b/docs/pages/opsec/old/lifecycle/index.mdx deleted file mode 100644 index 158e3c58..00000000 --- a/docs/pages/opsec/old/lifecycle/index.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: "Lifecycle" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Lifecycle - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Countermeasures](/opsec/old/lifecycle/countermeasures) -- [Identify](/opsec/old/lifecycle/identify) -- [Lifecycle](/opsec/old/lifecycle/overview) -- [Risk Prioritization](/opsec/old/lifecycle/risk-prioritization) -- [Threat Modeling](/opsec/old/lifecycle/threat-modeling) -- [Vulnerability Assessment](/opsec/old/lifecycle/vulnerability-assessment) diff --git a/docs/pages/opsec/old/monitoring/index.mdx b/docs/pages/opsec/old/monitoring/index.mdx deleted file mode 100644 index 82c3f8cd..00000000 --- a/docs/pages/opsec/old/monitoring/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Monitoring" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Monitoring - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Alert Thresholds](/opsec/old/monitoring/alert-thresholds) -- [Log Management](/opsec/old/monitoring/log-management) diff --git a/docs/pages/opsec/old/network-communication/index.mdx b/docs/pages/opsec/old/network-communication/index.mdx deleted file mode 100644 index 1d399848..00000000 --- a/docs/pages/opsec/old/network-communication/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: "Network Communication" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Network Communication - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/opsec/old/network-communication/overview) -- [Telegram](/opsec/old/network-communication/telegram) -- [Wireless Security](/opsec/old/network-communication/wireless-security) diff --git a/docs/pages/opsec/old/physical-security/index.mdx b/docs/pages/opsec/old/physical-security/index.mdx deleted file mode 100644 index 8c18192b..00000000 --- a/docs/pages/opsec/old/physical-security/index.mdx +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "Physical Security" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Physical Security - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/opsec/old/physical-security/overview) diff --git a/docs/pages/opsec/old/risk-management/index.mdx b/docs/pages/opsec/old/risk-management/index.mdx deleted file mode 100644 index 74a75ae9..00000000 --- a/docs/pages/opsec/old/risk-management/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: "Risk Management" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Risk Management - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Risk Assessment Prioritization](/opsec/old/risk-management/risk-assessment-prioritization) -- [Risk Management](/opsec/old/risk-management/overview) -- [Trade Off Analysis](/opsec/old/risk-management/trade-off-analysis) diff --git a/docs/pages/opsec/old/web3-specific-opsec/index.mdx b/docs/pages/opsec/old/web3-specific-opsec/index.mdx deleted file mode 100644 index b9a37077..00000000 --- a/docs/pages/opsec/old/web3-specific-opsec/index.mdx +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "Web3 Specific Opsec" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Web3 Specific Opsec - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/opsec/old/web3-specific-opsec/overview) diff --git a/docs/pages/opsec/principles/index.mdx b/docs/pages/opsec/principles/index.mdx deleted file mode 100644 index 4ca8c29d..00000000 --- a/docs/pages/opsec/principles/index.mdx +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: "Principles" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# Principles - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Five OpSec Steps](/opsec/principles/five-steps) -- [OpSec Core Principles](/opsec/principles/principles) -- [OpSec Principles & Concepts](/opsec/principles/overview) -- [Web3 OpSec Considerations](/opsec/principles/web3-considerations) diff --git a/docs/pages/user-team-security/index.mdx b/docs/pages/user-team-security/index.mdx deleted file mode 100644 index d4127911..00000000 --- a/docs/pages/user-team-security/index.mdx +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: "User Team Security" ---- - -{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} - -# User Team Security - -> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of -> navigating directory paths directly. - -## Pages - -- [Overview](/user-team-security/overview) -- [Phishing Social Engineering](/user-team-security/phishing-social-engineering) -- [Security Aware Culture](/user-team-security/security-aware-culture) -- [Security Training](/user-team-security/security-training) diff --git a/docs/pages/wallet-security/index.mdx b/docs/pages/wallet-security/index.mdx index 3ee2b17c..5ebf0883 100644 --- a/docs/pages/wallet-security/index.mdx +++ b/docs/pages/wallet-security/index.mdx @@ -19,9 +19,7 @@ title: "Wallet Security" - [Secure Multisig Best Practices](/wallet-security/secure-multisig-best-practices) - [Account Abstraction Wallets](/wallet-security/account-abstraction) - [TEE-based Encumbered Wallets](/wallet-security/encumbered-wallets) +- [Smart Contract Interaction Security](/wallet-security/smart-contract-interaction-security) - [Seed Phrase Management](/wallet-security/seed-phrase-management) - [Wallet Security Tools & Resources](/wallet-security/tools-and-resources) -- [Hardware Wallets](/wallet-security/hardware-wallets) - [Signing And Verification](/wallet-security/signing-and-verification) -- [Signing Schemes](/wallet-security/signing-schemes) -- [Software Wallets](/wallet-security/software-wallets) diff --git a/docs/pages/wallet-security/smart-contract-interaction-security.mdx b/docs/pages/wallet-security/smart-contract-interaction-security.mdx index 3741ea59..23768086 100644 --- a/docs/pages/wallet-security/smart-contract-interaction-security.mdx +++ b/docs/pages/wallet-security/smart-contract-interaction-security.mdx @@ -23,29 +23,47 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> πŸ”‘ **Key Takeaway**: Before interacting with any smart contract, verify the contract address, simulate the transaction, review all approvals, and understand what you are signing. Most fund losses come from user-side interaction mistakes, not wallet compromises. +> πŸ”‘ **Key Takeaway**: Before interacting with any smart contract, verify the contract address, +> simulate the transaction, review all approvals, and understand what you are signing. Most fund +> losses come from user-side interaction mistakes, not wallet compromises. -This page assumes you already have a properly secured wallet (see [Wallet Security overview](/wallet-security/overview)). For verifying contract addresses, transaction data, and signatures before signing, see [Signing & Verification](/wallet-security/signing-and-verification/signing-verification) and [Verifying Standard Transactions](/wallet-security/signing-and-verification/verifying-standard-transactions). For simulation and verification tools, see [Tools & Resources](/wallet-security/tools-and-resources). +This page assumes you already have a properly secured wallet (see +[Wallet Security overview](/wallet-security/overview)). For verifying contract addresses, +transaction data, and signatures before signing, see +[Signing & Verification](/wallet-security/signing-and-verification/signing-verification) and +[Verifying Standard Transactions](/wallet-security/signing-and-verification/verifying-standard-transactions). +For simulation and verification tools, see +[Tools & Resources](/wallet-security/tools-and-resources). -This page focuses on **approval management, permit risks, MEV protection, and common attack patterns**. +This page focuses on **approval management, permit risks, MEV protection, and common attack +patterns**. ## Token Approval Hygiene -Every `approve()` call grants a spender address permission to move your tokens. Most dApps request unlimited approval by default. +Every `approve()` call grants a spender address permission to move your tokens. Most dApps +request unlimited approval by default. -- **Set exact amounts.** Approve only what the current transaction needs, not `type(uint256).max`. This limits exposure if the spender contract is later exploited. -- **Revoke unused approvals.** Use [Revoke.cash](https://revoke.cash/) or the [Etherscan Token Approval Checker](https://etherscan.io/tokenapprovalchecker) to audit and revoke outstanding approvals. +- **Set exact amounts.** Approve only what the current transaction needs, not + `type(uint256).max`. This limits exposure if the spender contract is later exploited. +- **Revoke unused approvals.** Use [Revoke.cash](https://revoke.cash/) or the + [Etherscan Token Approval Checker](https://etherscan.io/tokenapprovalchecker) to audit + and revoke outstanding approvals. - **Audit approvals regularly.** Schedule periodic reviews, especially after heavy dApp usage. ### The `permit()` and EIP-2612 Risk -EIP-2612 `permit()` allows approvals via off-chain signatures instead of on-chain transactions. This is more dangerous: no on-chain transaction is visible until the permit is submitted by a third party, and users can unknowingly authorize token transfers on phishing sites. +EIP-2612 `permit()` allows approvals via off-chain signatures instead of on-chain transactions. +This is more dangerous: no on-chain transaction is visible until the permit is submitted by a +third party, and users can unknowingly authorize token transfers on phishing sites. -A common pattern is a fake "login" prompt that is actually a permit signature request. **If a signature contains fields like `spender`, `value`, `nonce`, and `deadline`, you are signing a permit β€” not a login message.** +A common pattern is a fake "login" prompt that is actually a permit signature request. **If a +signature contains fields like `spender`, `value`, `nonce`, and `deadline`, you are signing a +permit β€” not a login message.** ## Slippage and MEV Protection -When trading on DEXes, your transactions are visible in the public mempool before execution, creating MEV (Maximal Extractable Value) attack opportunities. +When trading on DEXes, your transactions are visible in the public mempool before execution, +creating MEV (Maximal Extractable Value) attack opportunities. ### Slippage Tolerance @@ -55,34 +73,56 @@ When trading on DEXes, your transactions are visible in the public mempool befor ### MEV Protection -- **Use private mempools.** [Flashbots Protect](https://protect.flashbots.net/) and [MEV Blocker](https://mevblocker.io/) route transactions through private channels invisible to MEV searchers. +- **Use private mempools.** [Flashbots Protect](https://protect.flashbots.net/) and + [MEV Blocker](https://mevblocker.io/) route transactions through private channels invisible + to MEV searchers. - **Set transaction deadlines.** Prevent stale transactions from executing at unfavorable prices. -- **Inspect multi-hop routes.** Aggregators can route through intermediary tokens/pools you did not intend to touch. Verify the full path before signing, especially for illiquid or newly listed assets. +- **Inspect multi-hop routes.** Aggregators can route through intermediary tokens/pools you did + not intend to touch. Verify the full path before signing, especially for illiquid or newly + listed assets. ## Common Attack Patterns ### Address Poisoning -An attacker sends tiny (often 0-value) transactions from an address resembling yours or a known recipient, polluting your transaction history. They may also airdrop scam tokens/NFTs that surface in explorers, Safe interfaces, or wallet UIs to bait bad copy-paste behavior. **Always verify the full address**, not just the first and last characters, and do not copy recipients from "recent activity" alone. +An attacker sends tiny (often 0-value) transactions from an address resembling yours or a known +recipient, polluting your transaction history. They may also airdrop scam tokens/NFTs that +surface in explorers, Safe interfaces, or wallet UIs to bait bad copy-paste behavior. **Always +verify the full address**, not just the first and last characters, and do not copy recipients +from "recent activity" alone. ### Clipboard Malware -Malware monitors your clipboard and replaces copied addresses with attacker-controlled ones. **Verify the pasted address character-by-character** in your wallet's confirmation screen. If you suspect clipboard hijacking, stop transacting immediately and move funds from a known-clean device after rotating credentials. +Malware monitors your clipboard and replaces copied addresses with attacker-controlled ones. +**Verify the pasted address character-by-character** in your wallet's confirmation screen. If +you suspect clipboard hijacking, stop transacting immediately and move funds from a known-clean +device after rotating credentials. ### Fake Airdrops and Approval Traps -Unknown tokens appear in your wallet. Interacting with them (swapping or "claiming") triggers a malicious `approve()` or `setApprovalForAll()` granting the attacker control over your legitimate tokens. **Ignore unknown tokens.** +Unknown tokens appear in your wallet. Interacting with them (swapping or "claiming") triggers a +malicious `approve()` or `setApprovalForAll()` granting the attacker control over your +legitimate tokens. **Ignore unknown tokens.** ### Ice Phishing -The victim signs an `approve()` setting the attacker as spender. Unlike credential phishing, this grants direct on-chain token access through a legitimate mechanism. The deception is in the social engineering, not the transaction itself. This pattern is commonly referred to as ["ice phishing"](https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/) in Microsoft threat research. +The victim signs an `approve()` setting the attacker as spender. Unlike credential phishing, +this grants direct on-chain token access through a legitimate mechanism. The deception is in the +social engineering, not the transaction itself. This pattern is commonly referred to as +["ice phishing"](https://www.microsoft.com/en-us/security/blog/2022/02/16/ice-phishing-on-the-blockchain/) +in Microsoft threat research. ## Quick Reference Checklist -- [ ] **Verify the contract address** β€” Cross-reference against official docs and block explorer labels (see [Verifying Standard Transactions](/wallet-security/signing-and-verification/verifying-standard-transactions)) -- [ ] **Simulate the transaction** β€” Preview balance changes before signing (see [Tools & Resources](/wallet-security/tools-and-resources)) -- [ ] **Check approval amounts** β€” Set exact amounts, not unlimited. Revoke approvals you no longer need. -- [ ] **Read what you are signing** β€” Inspect EIP-712 domains, types, and values. If you don't understand it, don't sign it. +- [ ] **Verify the contract address** β€” Cross-reference against official docs and block explorer + labels (see + [Verifying Standard Transactions](/wallet-security/signing-and-verification/verifying-standard-transactions)) +- [ ] **Simulate the transaction** β€” Preview balance changes before signing (see + [Tools & Resources](/wallet-security/tools-and-resources)) +- [ ] **Check approval amounts** β€” Set exact amounts, not unlimited. Revoke approvals you no + longer need. +- [ ] **Read what you are signing** β€” Inspect EIP-712 domains, types, and values. If you don't + understand it, don't sign it. - [ ] **Use MEV protection for DEX trades** β€” Route through Flashbots Protect or MEV Blocker. --- diff --git a/utils/fetched-tags.json b/utils/fetched-tags.json index dd4d6e4f..5a109dbc 100644 --- a/utils/fetched-tags.json +++ b/utils/fetched-tags.json @@ -476,6 +476,10 @@ "/guides/account-management/vercel": [ "DevOps Accounts" ], + "/guides/endpoint-security/zoom-hardening": [ + "Security Specialist", + "Operations & Strategy" + ], "/guides/overview": [ "Security Specialist" ], @@ -1095,6 +1099,10 @@ "Engineer/Developer", "Security Specialist" ], + "/wallet-security/smart-contract-interaction-security": [ + "Engineer/Developer", + "Security Specialist" + ], "/wallet-security/tools-and-resources": [ "Engineer/Developer", "Security Specialist" @@ -1138,6 +1146,7 @@ "Treasury Operations": "treasury-operations", "Guides": "guides", "Account Management": "guides", + "Endpoint Security": "guides", "SEAL Certifications": "certs", "SEAL Certification Frameworks": "certs", "Contributing": "contribute" diff --git a/utils/generate-folder-indexes.js b/utils/generate-folder-indexes.js index 182e98d9..a8975195 100644 --- a/utils/generate-folder-indexes.js +++ b/utils/generate-folder-indexes.js @@ -279,10 +279,7 @@ function buildAllowedRouteSet(branchName) { const orderMap = new Map(); collectRoutesFromSidebar(config.sidebar, routes, orderMap); - // Only filter routes on main branch - const allowedRoutes = branchName === 'main' ? routes : null; - - return { allowedRoutes, orderMap }; + return { allowedRoutes: routes, orderMap }; } // Tests if a route is allowed to appear based on the current branch rules. @@ -492,7 +489,7 @@ function writeIndex(dirPath, pageEntries) { // Filter system/hidden directories that should not appear in the docs. function shouldIgnoreDirectory(name) { - return name.startsWith('.') || name === 'node_modules'; + return name.startsWith('.') || name === 'node_modules' || name === 'config'; } // Recursively traverses the docs tree, generating indexes bottom-up. diff --git a/wordlist.txt b/wordlist.txt index 88e7f2d6..71349ab7 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -307,3 +307,29 @@ reauthentication CAIP unbonding unbond +Zenity +Cowork +nsjail +unvalidated +exfiltrated +permissioned +agentic +Palo +Cyberhaven +Acuvity +Reco +AccuKnox +Adversa +Lakera +PPPC +Jamf +tccutil +pcaversaccio +recoverooor +Degen +Zyfai +SSDF +SLSA +pids +Kata +rootfs \ No newline at end of file