GITBOOK-16: more content...

Author: piraces

README.md

@@ -1,8 +1,8 @@
 ---
 description: >-
-  "DevSec" is a derived name from "DevSecOps" and "SecDevOps", a idea to
-  aggregate all things related to a secure development & operations (always from
-  the DEV perspective).
+  "DevSec", "DevSecOps", "SecDevOps"...  lots of buzzwords, but here the idea is
+  to aggregate all things related to a secure development & operations (always
+  from the DEV perspective).
 ---
 
 # DevSec
@@ -23,6 +23,8 @@ With **DevOps**, we shifted to make developers more accountable for operational
 
 In lots of products or projects we are already shifting left a lot of controls earlier in the development lifecycle, where the development teams are (such as testing)... So why not including security testing to an earlier step? We could make fewer mistakes, and we can move more quickly (quickly addressing newly discovered vulnerabilities and fixing them).
 
+The overall aim is to create a culture where everyone is responsible for security, reducing the risk of security issues and allowing teams to deliver secure, high-quality software more quickly.
+
 **This is a process change, it's not about a single/specific tool or controls. It's about making all of security more developer-centric.**
 
 ### Sources and links

generic-development/security-basics.md

@@ -1,2 +1,91 @@
+---
+description: Let's start from the beginning...
+---
+
 # Security Basics
 
+## About
+
+This page is meant to be as an starting point for security in development, for developers with little or no experience at all with secure development and good security practices in development.
+
+## Awareness
+
+Every year vulnerabilities tend to grow in numbers ([as you can see in CVE Details](https://www.cvedetails.com/browse-by-date.php)) as well as weakness in code ([view CWE from Mitre](https://cwe.mitre.org/data/index.html)).
+
+Lots of enterprises are more aware about security in their software, ransomware groups and attacks are pretty common every single day, automated scannners for common vulnerabilities run by bad actors...
+
+The are lots of reasons to take security seriously as a developer. Just take a Raspberry Pi (or other similar device) or spin up a VM in a cloud service, and open SSH port on port 22 publicly... You will be shocked with the number of attempts to login to your device...
+
+Then have a look to some of this visualization tools:
+
+* [Cloudflare](https://www.cloudflare.com/) offers ["Cloudflare Radar"](https://radar.cloudflare.com/) where you can see an instant overview of internet insights (some regarding security and attacks).
+* The [NIST (National Instutute of Standards and Technology)](https://www.nist.gov/) provides [multiple visualizations of it's vulnerability database.](https://nvd.nist.gov/general/visualizations)
+* [CheckPoint ](https://www.checkpoint.com/)offers [ThreatMap](https://threatmap.checkpoint.com/) where you can see attacks in real time, as well as attacks on the day of visit (tends to grow to millions a day).
+* [Kaspersky](https://www.kaspersky.com/) offers [Cybermap](https://cybermap.kaspersky.com/), a realtime CyberTheat map.
+* [Radware](https://radware.com) offers [another live threat map](https://livethreatmap.radware.com/) worth to check out.
+* [NetScoute](https://www.netscout.com/) offers [Horizon](https://horizon.netscout.com/), its own cyber threat real-time map.
+* [Imperva](https://www.imperva.com/) also offers [its own cyber threat attack map](https://www.imperva.com/cyber-threat-attack-map/).
+* And lots of other tools:
+  * [Digital Attack Map (DDoS attacks)](https://www.digitalattackmap.com/)
+  * [Akamai Internet Station (Cyber attacks)](https://www.akamai.com/internet-station/cyber-attacks)
+  * [Threatbutt Internet Hacking Attack Attribution Map](https://threatbutt.com/map/)
+  * [Fortiguard (Fortinet) threat map](https://threatmap.fortiguard.com/)
+  * [Bitdefender Cyberthreat real time map](https://threatmap.bitdefender.com/)
+  * [Talos Cyber attack map (Spam & Malware)](https://talosintelligence.com/fullpage\_maps/pulse)
+  * [SonicWall live attack map](https://attackmap.sonicwall.com/live-attack-map/)
+
+Search news for data breaches, security incidents, ransomware attacks.
+
+Are you more concerned now?
+
+Great. Let's improve this situation...
+
+**A good starting point is to look at** [**OWASP Top Ten**](https://owasp.org/www-project-top-ten/)**, these are the main application security risks that are most important nowadays. The goal is to minimise these risks.**
+
+## OWASP Secure Coding Practices Checklist
+
+A very good starting point to ensure whatever you are developing, you meet with [this OWASP checklist](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/stable-en/02-checklist/05-checklist).
+
+[This SecureCoding blog post](https://www.securecoding.com/blog/owasp-secure-coding-checklist/) about it, it's also very useful.
+
+This checklist covers the following points:
+
+* Input Validation
+* Output Encoding
+* Authentication & Password Management
+* Session Management
+* Access Control
+* Cryptographic Practices
+* Error Handling & Logging
+* Data Protection
+* Communication Security
+* System Configuration
+* Database Security
+* File Management
+* Memory Management
+* **General coding practices (this last point is very important)**
+
+From the last bullet point, make sure you are following this coding practices:
+
+* [ ] **Use tested and approved managed code** rather than creating new unmanaged code for common tasks.
+* [ ] Utilize task specific built-in APIs to conduct operating system tasks. **Do not allow the application to issue commands directly to the Operating System, especially through the use of application initiated command shells**.
+* [ ] **Use** [**checksums** ](https://en.wikipedia.org/wiki/Checksum)**or hashes to verify the integrity** of interpreted code, libraries, executables, and configuration files.
+* [ ] Utilize locking to prevent multiple simultaneous requests or use a synchronization mechanism to **prevent race conditions**.
+* [ ] **Protect shared variables and resources** from inappropriate concurrent access.
+* [ ] **Explicitly initialize all your variables and other data stores**, either during declaration or just before the first usage.
+* [ ] In cases where the application must run with elevated privileges, **raise privileges as late as possible, and drop them as soon as possible**.
+* [ ] Avoid calculation errors by **understanding your programming language's underlying representation.**
+* [ ] **Do not pass user supplied data to any dynamic execution function.**
+* [ ] **Restrict users from generating new code or altering existing code.**
+* [ ] **Review all secondary applications, third party code and libraries** to determine business necessity and validate safe functionality.
+* [ ] Implement **safe updating using encrypted channels.**
+
+## Getting some help
+
+You don't have to do all of this without help!
+
+Look for professionals, professional enterprise ready tools and solutions. awesome OSS projects and others in other sections of this page:
+
+* [Broken link](broken-reference "mention")
+* [Broken link](broken-reference "mention")
+

resources/articles.md

@@ -9,6 +9,7 @@ Here are some articles worth to read.
 ### DevSecOps
 
 * [DevSecOps: Secure code quickly and easily | Red Hat Developer](https://developers.redhat.com/articles/2022/01/27/devsecops-why-you-should-care-and-how-get-started)
+* [DevSecOps: Making Security Central To Your DevOps Pipeline](https://spacelift.io/blog/what-is-devsecops)
 * [Challenges and solutions when adopting DevSecOps: A … - ScienceDirect](https://www.sciencedirect.com/science/article/pii/S0950584921001543)
 * [Best practices for successful DevSecOps | Red Hat Developer](https://developers.redhat.com/articles/2022/06/15/best-practices-successful-devsecops)
 * [How DevSecOps brings security into the development process](https://developers.redhat.com/articles/2021/12/01/how-devsecops-brings-security-development-process)

resources/communities.md

@@ -5,3 +5,5 @@ description: Communities you may be interested in
 # Communities
 
 * [DevSecCon: The global DevSecOps community](https://www.devseccon.com/)
+* [Veracode Community](https://community.veracode.com/s/)
+* [SecureCoding](https://www.securecoding.com/)

resources/institutions.md

@@ -13,3 +13,14 @@ description: CyberSecurity related institutions
 [NIST (National Institute of Standards and Technology)](https://www.nist.gov/)
 
 * [GitHub](https://github.com/usnistgov)
+
+[CIS (Center for Internet Security)](https://www.cisecurity.org/)
+
+* [GitHub](https://github.com/CISecurity)
+
+## Spain:
+
+[INCIBE (National Institute of Cybersecurity (Spain))](https://www.incibe.es/en/incibe)
+
+* [INCIBE-CERT](https://www.incibe.es/en/incibe-cert): the security incident response center of reference for citizens and private law entities in Spain operated by the National Institute of Cybersecurity (INCIBE).
+  * [GitHub](https://github.com/INCIBE-CERT)

resources/other.md

@@ -20,6 +20,11 @@ Outdated resources are marked with the symbol: ⚠️
   * [GitHub](https://github.com/cisagov)
 * [NIST (National Institute of Standards and Technology)](https://www.nist.gov/)
   * [GitHub](https://github.com/usnistgov)
+* [CIS (Center for Internet Security)](https://www.cisecurity.org/)
+  * [GitHub](https://github.com/CISecurity)
+* [INCIBE (National Institute of Cybersecurity (Spain))](https://www.incibe.es/en/incibe)
+  * [INCIBE-CERT](https://www.incibe.es/en/incibe-cert): the security incident response center of reference for citizens and private law entities in Spain operated by the National Institute of Cybersecurity (INCIBE).
+    * [GitHub](https://github.com/INCIBE-CERT)
 
 ## Organizations / Foundations
 
@@ -118,6 +123,8 @@ Outdated resources are marked with the symbol: ⚠️
 * [CyberArk](https://www.cyberark.com/): offers the most complete and extensible Identity Security Platform, protecting identities and critical assets by enabling Zero Trust and enforcing least privilege.
 * [Puma Security](https://pumasecurity.io/): to help organizations build, develop, and support systems to deliver secure products and services.
 * [ReportURI](https://report-uri.com/): browser security technologies, enabling you to detect and mitigate attacks, fast.
+* [INE](https://ine.com/): challenge your team, regardless of level, to a training platform that puts real world infrastructure first. Learn from expert instructors and prove your knowledge in Networking, Cyber Security, Cloud and Data Science.
+* [debricked](https://debricked.com/): take full control of security, compliance and health with a toolkit that will revolutionize the way you use open source.
 
 ## Lists
 
@@ -192,6 +199,7 @@ Outdated resources are marked with the symbol: ⚠️
 * [HolyTips](https://github.com/HolyBugx/HolyTips): a Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.
 * [CyberSecurityRSS ](https://github.com/zer0yu/CyberSecurityRSS)(English/Chinese): a collection of cybersecurity RSS.
 * [AI for security learning](https://github.com/404notf0und/AI-for-Security-Learning) (Chinese)
+* [Veracode Resources](https://www.veracode.com/resources): lots of resources in several formats from Veracode.
 
 ## Security Development
 
@@ -235,12 +243,16 @@ Outdated resources are marked with the symbol: ⚠️
 ## Advisories databases
 
 * [OSV](https://osv.dev/): a distributed vulnerability database for Open Source.
-  * [OSV.dev mantained converters](https://github.com/google/osv.dev#current-data-sources): 
+  * [OSV.dev mantained converters](https://github.com/google/osv.dev#current-data-sources)
 * [GitHub Advisory Database](https://github.com/github/advisory-database) ([web](https://github.com/advisories)): security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
   * [Security advisories reported on GitHub](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)
 * [National Vulnerability Database](https://nvd.nist.gov/)
 * [Global Security Database](https://github.com/cloudsecurityalliance/gsd-databasehttps://github.com/cloudsecurityalliance/gsd-database) ([web](https://gsd.id/))
+* [debricked Vulnerability Database](https://debricked.com/vulnerability-database)
+* [Socket.dev package search](https://socket.dev/)
+* [Open Source Insights - devs.dev](https://deps.dev/): Open Source Insights is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
 * [npm Security Advisories Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm)
+* [Veracode Vulnerability Database](https://sca.analysiscenter.veracode.com/vulnerability-database/search)
 * [FriendsOfPHP Database](https://github.com/FriendsOfPHP/security-advisories)
 * [Go Vulnerability Database](https://vuln.go.dev/)
 * [Python Packaging Advisory Database](https://github.com/pypa/advisory-database) (PyPI)
@@ -263,9 +275,11 @@ Outdated resources are marked with the symbol: ⚠️
 * [OWASP Vulnerable Web Applications Directory (VWAD)](https://owasp.org/www-project-vulnerable-web-applications-directory/): a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available.
 * [OWASP Juice Shop](https://github.com/juice-shop/juice-shop) ([web](https://owasp.org/www-project-juice-shop/)): Probably the most modern and sophisticated insecure web application.
 * [OWASP NodeGoat](https://github.com/OWASP/NodeGoat) ([web](https://wiki.owasp.org/index.php/Projects/OWASP\_Node\_js\_Goat\_Project)): provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
+* [OWASP DVSA](https://github.com/OWASP/DVSA) ([web](https://owasp.org/www-project-dvsa/)): Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.
 * Checkmarx [capital](https://github.com/Checkmarx/capital): a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.
 * [Badssl.com](https://github.com/chromium/badssl.com) ([web](https://badssl.com/)): memorable site for testing clients against bad SSL configs.
 * [CI/CD GOAT](https://github.com/cider-security-research/cicd-goat): a deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
+* INE [Azure Goat](https://github.com/ine-labs/AzureGoat): a Damn Vulnerable Azure Infrastructure.
 * Bridgecrew [TerraGoat](https://github.com/bridgecrewio/terragoat): "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
 * Bridgecrew [Cfngoat](https://github.com/bridgecrewio/cfngoat): Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments (Cloudformation).
 * [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat) ([web](https://madhuakula.com/kubernetes-goat)): a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground.

tools/dependency-management.md

@@ -4,6 +4,12 @@ description: Ensuring the dependencies of your codebase are secure
 
 # Dependency Management
 
+## About
+
+Dependency management security is a crucial aspect of software development that focuses on mitigating risks associated with the use of third-party libraries or components, often referred to as dependencies. In modern software development, it's common to use a variety of these dependencies to avoid "reinventing the wheel" for common or complex tasks. However, these dependencies can have vulnerabilities that, if left unmanaged, can expose the software, and potentially the wider system, to security risks.
+
+## Popular products and solutions
+
 From the [Static Analysis section](static-analysis.md), these tools covers "Dependency management":
 
 * **GitHub:**
@@ -27,6 +33,9 @@ From the [Static Analysis section](static-analysis.md), these tools covers "Depe
 
 * [npm audit](https://docs.npmjs.com/cli/audit): vulnerable package auditing for packages built into the npm CLI.
 * [Bundlephobia](https://bundlephobia.com/): find the cost of adding a npm package to your bundle.
+* [Socket](https://socket.dev/): fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies.
+* [Open Source Insights - deps.dev](https://deps.dev/): Open Source Insights is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
+* [Overlay](https://github.com/os-scar/overlay): a browser extension helping developers evaluate open source packages before picking them.
 * [is website vulnerable](https://github.com/lirantal/is-website-vulnerable): finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
 * [retire.js](https://github.com/RetireJS/retire.js) ([web](https://retirejs.github.io/retire.js/)): scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.