Skip to content

[DRAFT] of Security Best Practices for Developers Guide#116

Draft
riverma wants to merge 1 commit intomainfrom
issue-109
Draft

[DRAFT] of Security Best Practices for Developers Guide#116
riverma wants to merge 1 commit intomainfrom
issue-109

Conversation

@riverma
Copy link
Collaborator

@riverma riverma commented Oct 12, 2023
edited
Loading

Purpose

  • A guide for developers to adhere to security best practices for APIs, web-applications, CI/CD systems.
  • Content provided curtesy @anrucker

Proposed Changes

  • [ADD] Guide contents

Issues

Testing

  • Not yet tested

@riverma riverma self-assigned this Oct 12, 2023
@riverma
Copy link
Collaborator Author

riverma commented Oct 12, 2023

CC @anrucker for feedback / adjustments based on provided content at #109

@anrucker
Copy link

anrucker commented Oct 13, 2023

This guide looks great. Thanks so much, Rishi!

jpl-jengelke
jpl-jengelke reviewed Oct 13, 2023
View reviewed changes
docs/guides/software-lifecycle/security/developer-best-practices/README.md
For developers of APIs, Web Applications, and CI/CD pipelines, we recommend ensuring you review the following resources prior to releasing your code.

1. **Review [OWASP Top 10 API Security Risks - 2023](https://owasp.org/API-Security/editions/2023/en/0x11-t10/)**: Understand and mitigate the top API security risks for the current year.

Copy link
Contributor

@jpl-jengelke jpl-jengelke Oct 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would consider adding a link to CISA's Secure-by-Design/Default initiative. They've produced a guide.

IEEE Computer Society also provides a number of recommendations that promote using OWASP.

NIST also published a Secure Software Development Framework (SSDF) standard.

Copy link
Collaborator Author

@riverma riverma Dec 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jpl-jengelke! @anrucker - what are your thoughts on the above recommendations? Should we include or do you feel your original list already covers the above?

Copy link
Contributor

@jpl-jengelke jpl-jengelke May 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be "Review updated security guidance from industry-leading experts, such as ..." and then include additional resources?

@riverma
Copy link
Collaborator Author

riverma commented Oct 13, 2023
edited
Loading

Thinking more about this guide, I'm wondering if we can make the following changes (CC @jpl-jengelke @anrucker):

  • Can we offer any automation to either check for the "top 10" vulnerabilities automatically? Else - recommendations for IDEs or other tools that would help developers avoid the vulnerabilities? The best place to put those recs would be in the Quick Start section (which is empty right now). Going with the philosophy of SLIM - we should lean more towards automation than asking people to read lengthy guides.
  • "Security Best Practices for Developers Guide" is a pretty broad category. Perhaps we should keep the focus for this specific guide on helping developers deal with common vulnerabilities instead? Naming the guide "Common Vulnerabilities For Developers" or something to that effect?

@jpl-jengelke
Copy link
Contributor

jpl-jengelke commented Oct 13, 2023

Thinking more about this guide, I'm wondering if we can make the following changes (CC @jpl-jengelke @anrucker):

  • Can we offer any automation to either check for the "top 10" vulnerabilities automatically? Else - recommendations for IDEs or other tools that would help developers avoid the vulnerabilities? The best place to put those recs would be in the Quick Start section (which is empty right now).
  • "Security Best Practices for Developers Guide" is a pretty broad category. Perhaps we should keep the focus for this specific guide on helping developers deal with common vulnerabilities instead? Naming the guide "Common Vulnerabilities For Developers" or something to that effect?

True regarding the observation of a broad topic but it is an area of cybersecurity focus. Recently, the focus has been on implementing shift-left strategies that more tightly integrate development very early on with DevSecOps.

This was referenced Dec 11, 2023
Closed
Closed
@ingyhere ingyhere changed the title Draft of Security Best Practices for Developers Guide DRAFT of Security Best Practices for Developers Guide Mar 19, 2024
@ingyhere ingyhere changed the title DRAFT of Security Best Practices for Developers Guide [DRAFT] of Security Best Practices for Developers Guide Mar 26, 2024
@riverma riverma mentioned this pull request Mar 28, 2024
Draft
@jpl-jengelke
Copy link
Contributor

jpl-jengelke commented May 9, 2024

  • Can we offer any automation to either check for the "top 10" vulnerabilities automatically?
  • "Security Best Practices for Developers Guide" is a pretty broad category.

I'd endorse option two since I think the project can offer a range of recommendations, and I think this may best serve as implementation guidance. We could also refer users to the #148 product for implementation.

@riverma
Copy link
Collaborator Author

riverma commented May 10, 2024

  • Can we offer any automation to either check for the "top 10" vulnerabilities automatically?
  • "Security Best Practices for Developers Guide" is a pretty broad category.

I'd endorse option two since I think the project can offer a range of recommendations, and I think this may best serve as implementation guidance. We could also refer users to the #148 product for implementation.

I like option 2 as well. Keeps the focus of this guide simple and we can cross link to a separate guide on tools. If there's specific or common CVEs then we could also offer specific invocations to SCRUB or other tools to check for those CVEs.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 28, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@riverma riverma added high complexity Ticket has multiple difficult sub-tasks most requested Highly requested by community members software lifecycle Process improvements involving developing, testing, integrating, deploying software labels Jun 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jpl-jengelke jpl-jengelke jpl-jengelke left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@riverma riverma

Labels

high complexity Ticket has multiple difficult sub-tasks most requested Highly requested by community members software lifecycle Process improvements involving developing, testing, integrating, deploying software

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@riverma @anrucker @jpl-jengelke