-
Notifications
You must be signed in to change notification settings - Fork 0
Security
Chloe edited this page May 9, 2024
·
3 revisions
This part is important to consider to mitigate any problems that might rise due to our own or user's errors, and to avoid difficult patches or heavy costs, therefore it should be regularly kept up.
Don't just blindly copy code from the internet, LLM's, or use the default configurations, e.g. open source libraries, Docker images, Google services, etc., for obvious reasons such as malicious software. Security over simplicity.
-
Ideally, implement security in the entire development lifecycle:
- What are the security considerations?
- Threat Model (and not just once at the beginning)
- Implement tests that evaluate the build process and check the security
Some examples:
- Enable services like Dependabot to enable alerts for dependices for your project
- Fuzzing can help us find bugs, both security related and other ones
- Keep software up-to-date
- Use a password manager and don't reuse passwords
- Use 2FA
- Remove unnecessary programs from your computer to reduce attack surface
- Encrypt your drives, especially external
Sensitive data includes things like passwords, usernames, server names, keys, etc
- Do not ever put sensitive data in files that are pushed to GitHub or made public in any other way
- Some types of data may even only exist in certain folders or on certain machines:
secrets keys and configs files, PII, logs, etc- Do not duplicate this kind of data, not even internally. Also avoid putting this type of data in Dropbox, Google Drive or in similar storages.
- If any of this data gets exposed by mistake, you
need to change it- It is not enough to remove or just reverse the commit or submit a new commit with the data taken out. - Code should use placeholders that point to:
- Local read-protected files, possibly located outside of the Git repository file structure to avoid accidental inclusion as part of the repository,
- Environment variables, or
- Some sort of secured (possibly remote) storage.
- Follow the README to properly set up these variables/files.
- Insecure API Usage: The students might accidentally expose sensitive information through improperly secured APIs. E.g., failing to implement proper authentication or inadvertently logging sensitive data.
- Dependency Issues: They might use outdated or vulnerable libraries and frameworks can introduce security risks. Beginners often lack awareness about the security implications of the dependencies they include in their projects.
- Configuration Errors: Misconfiguration of application settings, such as incorrect security settings in MongoDB, which could lead to unauthorized data exposure. E.g., failing to properly configure database access controls or accidentally leaving development configurations in production code.
- Insecure Data Storage: Storing sensitive information insecurely in the application's filesystem or in MongoDB without proper encryption or access controls. This includes storing sensitive tokens, passwords, or API keys directly in the application's source code or configuration files.
-
Educational Resources: We need to provide security resources for students early in their development lifecycle. Include basic secure coding practices tailored to their level of expertise.
- Documentation and Guides: Offer a link to a comprehensive documentation and guidelines on secure coding practices, dependency management, and configuration best practices.
- Dependency Management:
- Safe Dependency Practices: Educate on the importance of vetting new libraries and using dependencies from trusted sources only.
- Dependency Checks: Tools like OWASP Dependency-Check to ensure dependencies are secure before use.
-
Security Checks in CI/CD Pipelines:
- Static Code Analysis: Automatically scan the code for security vulnerabilities and bad practices.
- Configuration Audits: Automatically review configuration files for common security misconfigurations, especially those related to database access and API endpoints.
-
Continuous Integration Security Practices:
-
Security Gates:
- Ensure that no code can be deployed without passing through security gates that validate the code's security, adherence to coding guidelines, and correct configuration settings.
-
Security Gates:
-
Sentitive Data Handling:
- Best Practices for Data Protection: Educate beginner web developers to avoid storing sensitive information directly within application code. Advocate for the use of environment variables and secure storage solutions for handling sensitive data.
- Action Plan for Data Leaks: Instruct on on what steps to take if sensitive data is compromised, including credential rotation and thorough security audits to prevent recurrence.
- Integrate Automated Reviews: Look into using tools such as CodeClimate or SonarQube.
- Keep Dependencies Updated: Turn on Dependabot to automate updates and minimize vulnerabilities.
-
Safe Dependency Practices:
- Evaluate new libraries within the team for their security before inclusion.
- Use dependencies
onlyfrom trusted and verifiable sources.
-
Security Gates: Make the CI/CD pipeline enforce checks like:
- Dependency vulnerability checks
- Coding guideline and security policy adherence
- Real-Time Monitoring: Implement monitoring tools to detect unusual activities indicating potential security issues
- Incident Response Plan: Have an incident response plan to address and mitigate security breaches swiftly
- Risks Documentation: Maintain a document detailing common security risks and best practices to mitigate them within our environment and regularly update it. (link to it once we have it)
The general resources you can look up for security to educate yourself on this topic: