Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions ATTACK-VECTORS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# Analysis of Vector Analysis and Mitigation
This document highlights attack vectors with mitigations.

## 1. SQL Injection
- A web security vulnerability that lets an attacker to change database of an organisation with malicious SQL queries injection.
- Using prepared statements and parameterized queries, can help in preventing SQL injection attacks.
- Using ORM(Object-Relational Mapping) Frameworks like Hibernate or Entity Framework can help in reducing SQL inject by default.

## 2. Cross-Site Request Forgery(CSRF)
- The attacker exploits the trust of a web application with a authenticated user.
- The identity of the victim is used to perform some actions.
**Prevention**:
- Use an anti-CSRF token or synchronizer token.
- Add a CAPTCHA to validate that the use is human.

## 3. Insecure API Access
- The application can run into broken authentication when APIs are not validated.
- When APIs get too nmany requests from user, resource limit problems can occur. Fake requests can be sent by attackers to the servers.

**Prevention**
- Strong passwords implementation policy with two-step login can be implemented.
- Security standards can be applied to endpoints, like input validation, authentication, and authorization.

## 4. Insider Threat
- Threats originating within an organisation.
- These threats can increase property thefts, data breach and disturbing operations.
**Prevention**
- Training to detect and stop insider threats.
- Regularly implementating montitorization and access reviews.

## 5. Cross-Site Scripting(XSS)
- Malicious scripts are injected into trusted websites.
- Browser side script can be corrupted and send to different user.
**Prevention**
- Use approppriate headers, use Content-Type and X-Content-Type-Options, headers for interpretation of responses by the browsers.
- Use Content Security Policy(CSP) to prevent servere XSS vulnerabilities.

## 6. Misconfiguration
- When security settings are not defined in the configuration, security Misconfiguration occurs.
- Directory Listing should not be enabled with not showing error messages which is sensitive information.
**Prevention**
- Regularly perform scans and identify security misconfigurations.
- Encryption of data at rest to prevent exploittaion of data.
21 changes: 21 additions & 0 deletions AUDIT_CHECKLIST.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#Security Audit Checklist

## Monthly Internal Review
- [] Implementation of strong passwords policies
- [] Rotation of Secrets
- [] Retaintion of logs and their collections
- [] Enabling of MFA of authorized users with privilege access
- [] Third party dependencies are scanned to check vulnerabilities
- [] Validation of acces controls and firewall

## Quarterly External Audit
- [] Review user access
- [] Scann all endpoints to check vulnerabilites
- [] Review compilance with GDPR/HIPAA
- [] Conduct Penetration Tests

## Audit Logs
- Access Control Audits
- Incident Response Capability Assesment
- Resource Access
- Admin Operations
50 changes: 50 additions & 0 deletions INCIDENT_RESPONSE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
This documentation helps in detecting incident response procedures, provides insights for security monitoring and security updates process

## 1. Detection
- Alerts for traffic patterns
- Look for inappropriate user behavior or requests

## 2. Containment
- Isolation od affected systems and revoke access tokens and secrets
- Disable accounts affected

## 3. Eradication
- Detect for malicious code and patch the exploited vulnerability with clearing of logs

## 4. Recovery
- Keep backup for recovery

## 5. Post-Incident Review
- Documentation of incident and prevention
- Notfication to regulatory bodies during a security breach

# Guidelines for Security Monitoring

## Metrices to watch
- Look for unauthorised access endpoints
- Increase in user requests
- Failure in Login continuously

## Log Retention Policies
- Regularly check for logs and monitor them

## Tools and Frameworks
- Use tools like Datadog, Splunk, and ELK stack

## Montoring Targets
- Look for admin activities
- Health of system and access to database and authentications details

# Procedures for Security Updates

## Regular Updates
- Patching of OS and Apps regularly
- Merge dependencies with low risks

## Post-Update Verification
- Monitor for anamolies everyday
- Validation of Configuration

## Communication
- Notification of critical updates to security teams

24 changes: 24 additions & 0 deletions SECURITY_BEST_PRACTICES.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Recommendations of Security and Best Practices

## Code Practices
- Use OWASP Application Security Verification Standard(ASVS) for the verification of security controls
- Implement servers and frameworks are running on latest versions.
- Encrypt highly sensitive information(authentication verification data)

## Infrastucture
- Monitor networks and update software and hardware regularly
- Use Web Application Firewall(WAF) that monitors HTTP traffic across Internet and blocks vulnerabilities.

## Updates
- Perform regular updates for libraries
- Use auto-scanning tools like Synk

## Access Control
- Principle of Least Priviledge(PoLP) ensures authorized users can execute jobs within the system.
- Roles based access towards some operations.

## Authentication
- Implementing strong password policies with rotation
- Implementing Multi-Factor Authentication(MFA)
- User tokens implemented during login form

52 changes: 52 additions & 0 deletions SECURITY_CONSIDERATIONS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#Security Considerations

This document highlights the important security concerns and protection strategies for the system.

## 1. Data Classification and it's Sensitivity
Implementing a data classification property
There are different types of data categories:
- Financial Data
- Intellectual Data
- Confidential Business Data
- Personal Identifiable Information
- Proprietary Data
- Health Information

Data classification based on sensitivity
- Public- Data can be accesed by public and free to access.
- Confidential - Data can accesed by authorized individuals, and highly protected data.
- Highly Confidential- Data is highly rescricted to acces and utmost confidentiality
- Internal: Data that can be shared only within an organization, which is private

## 2. Implementation of Encrytion

- Only authorized individuals can access data which is sensitive.
- Implementation of role-based access controls(RBAC) for permitting privileges based on roles and responsibilites.
- Implementating a multi-factor authentication(MFA) for adding extra layer of security for access control.
- For encrypting data during transmission, encryption mechanisms such as Secure Socket Layer(SSL) or Transport Layer Security(TLS) protocols can be added.

## 3. Data Encryption
- Transit Data Encrytion: Data moving from one point to another, with internet or VPN.

- Data Encryption at Rest: More secure and less data breach, less randsomeware attacks.

- Key Management Policy protects the sensitive data with processing cryptographic keys, with key generation and storage of keys.

## 4. Data Encrytion Algorithms
- The Advanced Encryption Standard(AES) is a symmetric-key algorithm. This employs block cipher methods.

- The latest version of the TLS protocol is TLS 1.3. Modern version of SSL, utilized by HTTPS and other protocols for encryption.

- Key rotation and retiring old keys with regularly updation of keys.

## 5. Security practices for third party dependencies
- Implementating tools like Synk or OWASP Dependency-Check with regularly scanning dependencies.

- Minimize risk posed by dependencies with isolation menthods: containerization, microservices architecture, and restricted permissions.

- Keeping updated libraries for security. Manual reviews are important for compatibility.

## 6. Regulatory Compilance
- HIPAA: Health Insurance Portability and Accountability Act maintains standards to protect sensitive health information from disclosure without patient's consent.

- GDPR: General Data Protection Regulation permits individuals the right to ask organisations to delete their personal data.
18 changes: 18 additions & 0 deletions SECURITY_TESTING_GUIDE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Security Test Guide

## 1. Dependency Scanning
- Regularly check for source-code files with changes
- Check for compatibility and resolve performance issues

## 2. Penetration Testing
- Use Kali Linux and Burp Suite to identify vulnerabilities
- Use Wireshark to check network traffic

## 3. Dynamic Application Security Testing(DASP)
- DASP tools are used for identifying security misconfiguration, broken authentication and input/output validation
- ZED Attack Proxy is an open source tool for security testing provided by OWASP

## 4. Static Application Security Testing(SAST)
- Tools help in detecting SQL injections,and other vulnerabilities
- SonarQube, Fortify are commonly used tools
- Integrate with IDEs and CI/CD pipelines
Loading