Bring App Security Class content into this repo

[coreyshuman]

Add documentation and resources from the application security class.

Topics:

• Introduction to Secure Software Development Cycle
• SQL Injection
• MongoDb Query Injection
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Session hijacking / session replay
• User Data Sanitization
• Cross-Origin Resource Sharing (CORS)
• Content Security Policy (CSP)
• Passwords and Validation
• Authorization (tokens, cookies, etc)
• Authentication (User roles and permissions)
• Cryptography (Encryption, Hashing, etc)
• Error Handling
• Auditing and Logging
• Setting up SSL
• Handling Sensitive Data

Tools:

• Kali Linux
  • WPScan
  • nmap
• Wireshark
• Postman
• Postico

[coreyshuman]

@ryekerjh | @vperezma | @mwallert
Most of these topics are difficult to split into client-side and server-side (the way the current folder structure is setup). Would you guys be interested in creating a top-level security folder to add these topics into?

[vperezma]

I like that idea.
Something like this?
Security
|--- client-side
|      |---- security topics
|
|--- server-side
      | ---- security topics

[zbyte64]

Most of the topics look to be considerations done on the server-side. Client security concerns are much simpler: am I talking to the right server and am I using SSL, rarely would we even consider locally encrypting data.

I would be interested in grouping them by theme: Sanitization vs escaping in regards to query injection, XSS and form validation; Browser security settings; Penetration testing with the tools listed; Keeping (and passing) secrets with encryption and tokens; And a large overarching theme: DON'T TRUST THE CLIENT

[michaelachrisco]

Is this still being worked on?

[michaelachrisco]

@coreyshuman and/or @jecallaway What information should we add to bring security into the S&P repo. I would love your input on the matter!

[michaelachrisco]

I went ahead and had a discussion with @jecallaway today. Some of the highlights:

1. We need more docs on the client/server side of the S&P.
2. @jecallaway pointed me at a really excellent website: https://owasp.org/www-project-top-ten/# that contains some of the above topics.
3. Developers should be aware of Shift3 Cybersecurity [email protected] maillist and be able to request a security audit. We discussed what that would entail. Namely at least a sandbox site of sorts and some specific topic they wish the security team to take a look at. Probably a good idea to have further discussion at some point.
4. It sounds like QA should be involved.

Im thinking to kick this off, we should at least have the https://owasp.org/ pages referenced in the Serverside security page.

[michaelachrisco]

@jecallaway Do you know if we have any SOWs/recommended tutorials on Kali Linux and the assorted tools?