Proposed structure

Jon Gadsden edited this page Apr 7, 2023 · 13 revisions

This is the proposed structure of the new Developer Guide (Chapter Headings/Outline -> Shruti):

  • Audience
  • Background
  • Abstract
  • Introduction

SSDLC:

  • Security requirements
    • Threat modeling (hive off to threat modeling material on OWASP)
    • Regulatory / statutory requirements
  • Secure design
    • Secure coding guidelines
      • Authentication
        • User
        • Server
        • Password policy
      • Authorisation
        • Access control
        • Session management
        • JWT
        • SAML
      • Input data validation
      • Output data encoding
      • Connection with backend
      • Canonicalisation
      • Insecure direct object references
      • Unvalidated redirects
      • JSON
      • Usage of DOM and functions
    • Cryptographic practices
      • Data protection
      • Communication security
      • TLS certificate management
      • Database security
      • Hashes
      • File hashes, password hashes, salting
      • Verification of hashes for integrity and signature
      • Secrets handling
      • Keys (generation, lifecycle management), secrets, API keys
    • Application spoofing
      • Domain squatting
      • Typo squatting
    • Content Security policy
    • Exception / error handling
      • Fail secure
      • Logging
    • File management
    • Memory management
  • Container security
    • Image security
    • Container scanning
  • Open source software
    • Static Code Analysis for licencing and dependencies
    • Third Party Software / Libraries (hive off to OWASP’s Dependency Tracker)
  • Secure environment
    • System hardening
    • File systems and downloads
  • Security testing and validation
    • Security test cases
    • SAST
    • DAST (hive off to OWASP ASVS and OWASP WSTG)