[New Best Practice Guide]: Security Reference Architecture

[anrucker]

Checked for duplicates

Yes - I've already checked

Describe the needs

I mentioned these security best practices to Rishi Verma and he suggested that I open a ticket to get the conversation started. (This has also been described as a To-Do's for Developers.)

https://owasp.org/API-Security/editions/2023/en/0x11-t10/

https://owasp.org/www-project-top-ten/

https://owasp.org/www-project-top-10-ci-cd-security-risks/

https://owasp.org/www-project-application-security-verification-standard/

This is the vulnerability scanning tool that I used many years ago (I used the free version): https://portswigger.net/burp

[riverma]

Thanks for sharing this @anrucker! I see how the first three items you listed can be interpreted as a list of top security gotchas developers should consider for developing APIs, web applications, and CI/CD pipelines respectively. What is the last link (https://owasp.org/www-project-application-security-verification-standard/) about exactly?

I feel like a best practice guide that cites these first three websites’ security gotchas to consider could be a very advisable step for developers to check against during development. Do you want to work together to get this into a guide? I feel like we could get something simple written up and merged into SLIM during Q1 this year. Thoughts?

Thanks!

[anrucker]

Good morning,
I have reviewed and agreed that these resources are good to add to our list of Security Best Practices and Guidelines:

https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf

https://www.computer.org/publications/tech-news/trends/secure-app-development-best-practices

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-218.pdf
Take care,
Anh

[riverma]

Thank you @anrucker - we'll work on integrating the above into #116 . Thanks!