miércoles, 15 de mayo de 2013

Cheat Sheet cultura seguridad

Cheat sheet siempre me suena a eat shit, pero bueno, es un problema que tengo.

Las instrucciones para construir la demo están en [1].

Estamos viendo de hacer pronto la segunda parte, permanecé en sintonía.

Comparto con los asistentes al meetup[2] y cualquier otro interesado, la hojita que mostré con las listas de conceptos que me parece útil tener en cuenta.

Está en beta, hay cosas que faltan, vale volver en unos pocos días. La pongo en inglés por que es como me manejo habitualmente, pero si alguien necesita que la traduzca, me lo pide e irá al backlog.

[1] http://seguridad-agile.blogspot.com/2012/09/cafein.html
[2] http://www.meetup.com/agiles-bsas/events/118145402/

Information Security Principles

  • Confidentiality
  • Integrity
  • Availabiliy

Information Access Properties

  • Authentication
  • Authorization
  • No repudiation

Design Principles (Saltzer, Schroeder)

  • Economy of mechanism
  • Fail-safe defaults
  • Complete mediation
  • Open design
  • Separation of privilege
  • Least privilege
  • Least common mechanism
  • Psychological acceptability

Other concepts

       

    Threat modelling

    OWASP Application Threat Modelling

     

    STRIDE

    • Spoofing identity
    • Tampering with data
    • Repudiation
    • Information disclosure
    • Denial of service
    • Elevation of privilege

    DREAD

    • Damage
    • Reproducibility
    • Exploitability
    • Affected users
    • Discoverability

    Taxonomies

    Seven Kingdoms

    1. Input validation and representation
    2. API abuse
    3. Security features
    4. Time and state
    5. Errors
    6. Code quality
    7. Encapsulation
    8. Environment

    Checklists

    OWASP Top Ten 2013

    1. Injection
    2. Broken authentication and session management
    3. Cross-site scripting (XSS)
    4. Insecure direct object reference
    5. Security misconfiguration
    6. Sensitive data exposure
    7. Missing function level access control
    8. Cross-site request forgery (CSRF)
    9. Using components with known vulnerabilities
    10. Unvalidated redirects and forwards

    SANS top 25 software errors

    1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    2. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    5. Missing Authentication for Critical Function
    6. Missing Authorization
    7. Use of Hard-coded Credentials
    8. Missing Encryption of Sensitive Data
    9. Unrestricted Upload of File with Dangerous Type
    10. Reliance on Untrusted Inputs in a Security Decision
    11. Execution with Unnecessary Privileges
    12. Cross-Site Request Forgery (CSRF)
    13. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    14. Download of Code Without Integrity Check
    15. Incorrect Authorization
    16. Inclusion of Functionality from Untrusted Control Sphere
    17. Incorrect Permission Assignment for Critical Resource
    18. Use of Potentially Dangerous Function
    19. Use of a Broken or Risky Cryptographic Algorithm
    20. Incorrect Calculation of Buffer Size
    21. Improper Restriction of Excessive Authentication Attempts
    22. URL Redirection to Untrusted Site ('Open Redirect')
    23. Uncontrolled Format String
    24. Integer Overflow or Wraparound
    25. Use of a One-Way Hash without a Salt

    No hay comentarios:

    Publicar un comentario