Comments (7)
@ryekerjh | @vperezma | @mwallert
Most of these topics are difficult to split into client-side and server-side (the way the current folder structure is set up). Would you guys be interested in creating a top-level security folder to add these topics into?
from standards-and-practices.
I like that idea.
Something like this?
Security
|--- client-side
|    |---- security topics
|
|--- server-side
     |---- security topics
from standards-and-practices.
Most of the topics look to be considerations done on the server-side. Client security concerns are much simpler: am I talking to the right server, and am I using SSL? Rarely would we even consider locally encrypting data.
I would be interested in grouping them by theme: sanitization vs. escaping in regard to query injection, XSS and form validation; browser security settings; penetration testing with the tools listed; keeping (and passing) secrets with encryption and tokens; and a large overarching theme: DON'T TRUST THE CLIENT.
from standards-and-practices.
Is this still being worked on?
from standards-and-practices.
@coreyshuman and/or @jecallaway What information should we add to bring security into the S&P repo. I would love your input on the matter!
from standards-and-practices.
I went ahead and had a discussion with @jecallaway today. Some of the highlights:
- We need more docs on the client/server side of the S&P.
- @jecallaway pointed me at a really excellent website: https://owasp.org/www-project-top-ten/# that contains some of the above topics.
- Developers should be aware of the Shift3 Cybersecurity [email protected] mailing list and be able to request a security audit. We discussed what that would entail. Namely at least a sandbox site of sorts and some specific topic they wish the security team to take a look at. Probably a good idea to have further discussion at some point.
- It sounds like QA should be involved.
I'm thinking to kick this off, we should at least have the https://owasp.org/ pages referenced in the server-side security page.
from standards-and-practices.
@jecallaway Do you know if we have any SOWs/recommended tutorials on Kali Linux and the assorted tools?
from standards-and-practices.