Safe Development Strategies

Created: Jul 12, 2021 11:26 AM
Language: Portuguese
Summary: Notes on safe development following CWI’s course and other studies regarding secure development.

Questions

Is it safe to send e-mail and password as raw values in an authentication call? If not, how can the security of a login be increased?
If it is over HTTPS, it is safe.

Areas of Attention

Storage of sensitive and personal data
User session
Application logs
File storage
Passwords
Environment variables

Strategies & Processes

  • Defense in Depth. Apply security at all layers of the IT services. This spans physical infrastructure, public and private networks, development machines, application flows, and data. It also includes company policies, procedures, and security culture.
  • STRIDE. A process to determine what can go wrong, what you are currently doing about it, and whether your current practices are good enough.
    • Spoofing: when a user pretends to be someone else.
    • Tampering: unauthorized modification of data, such as removing the traces left by an attack so that you are not detected.
    • Repudiation: having no proof of the validity of some transaction.
    • Information disclosure: data that should be viewable only by authorized users is exposed to someone else.
    • Denial of service: the server receives too many requests, becomes overloaded, and ends up unavailable.
    • Elevation of privilege: a user has access only to read a resource, but mistakenly gets the ability to write to that resource.
  • Secure Development Processes. There are a lot of processes in the industry that can lead to more secure software.
    • MS SDL (by Microsoft).
    • Software Assurance Maturity Model (by OWASP).
    • Touchpoints for software security (by Gary McGraw).
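
Added example (not part of the original notes): a small STRIDE worksheet applied to the login call from the Questions section. It lists what can go wrong per element, what is currently done about it, and what is still open. The element names, the recorded controls and the per-element applicability chart are assumptions made for illustration.

```python
# Added example: STRIDE worksheet for a login flow (constructed data throughout).
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Assumption: the common STRIDE-per-element chart, which says which categories
# apply to each kind of data-flow-diagram element (R on stores matters for logs).
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TRID", "data_flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str                                        # a key of APPLIES
    mitigations: dict = field(default_factory=dict)  # letter -> control in place

def threats(el):
    """What can go wrong: every STRIDE category that applies to this element."""
    return [(el.name, c) for c in APPLIES[el.kind]]

def gaps(model):
    """Applicable threats for which no control has been recorded."""
    return [(n, c) for el in model for n, c in threats(el)
            if c not in el.mitigations]

# Constructed model of the login call; HTTPS only covers the request in transit.
LOGIN_MODEL = [
    Element("user (browser)", "external_entity", {"S": "e-mail + password"}),
    Element("login request", "data_flow", {"T": "HTTPS", "I": "HTTPS"}),
    Element("auth service", "process", {"S": "TLS server certificate"}),
    Element("user table", "data_store", {"I": "salted password hashes"}),
    Element("application log", "data_store", {}),
]

def report(model):
    """One worksheet row per applicable threat: element, category, control."""
    rows = []
    for el in model:
        for _, c in threats(el):
            control = el.mitigations.get(c, "GAP: nothing recorded")
            rows.append(f"{el.name:18} {STRIDE[c]:24} {control}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(LOGIN_MODEL)))
    print(f"{len(gaps(LOGIN_MODEL))} open items")
```

The open items for the user table and the application log line up with the entries under Areas of Attention: they are outside what HTTPS protects.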