Skip to content

Proposed structure

Jump to bottom
Jon Gadsden edited this page Apr 4, 2023 · 13 revisions

This is the proposed structure of the new Developer Guide (Chapter Headings/Outline -> Shruti) :

  • Audience
  • Background
  • Abstract
  • Introduction
  • SSDLC:
  • Security requirements
    • Threat modeling (hive off to threat modeling material on OWASP)
    • Regulatory / statutory requirements
  • Secure design
    • Secure coding guidelines
      • Authentication
        • User
        • Server
        • Password policy
      • Authorisation
        • Access control
        • Session management
        • JWT
        • SAML
      • Input data validation
      • Output data encoding
      • Connection with backend
      • Canonicalisation
      • Insecure direct object references
      • Unvalidated redirects
      • JSON
      • Usage of DOM and functions
    • Cryptographic practices
      • Data protection
      • Communication security
      • TLS certificate management
      • Database security
      • Hashes
      • File hashes, password hashes, salting
      • Verification of hashes for integrity and signature
      • Secrets handling
      • Keys (generation, lifecycle management), secrets, API keys
    • Application spoofing, domain squatting, typo squatting
    • Content Security policy
    • Exception / error handling
      • Fail secure
      • Logging
    • File management
    • Memory management
  • Image and container security
  • Open source software security and licensing
  • Secure environment
    • System hardening
    • File systems and downloads
  • Security testing / validation
  • Security test cases (hive off to OWASP ASVS and OWASP WSTG)
    • SAST
    • DAST
    • SCA (hive off to OWASP’s Dependency Tracker)
Clone this wiki locally