___
# Tags
#shehackspurple #appsec #devops #unfinished

# Helpful Docs
- This is based off a book called **Alice and Bob Learn Application Security**, but since it is not entirely free to consume, for the content in these notes I'll be basing it off the [YouTube channel's playlist](https://www.youtube.com/playlist?list=PLI9RITMnVbygrVQaGvpojIzgHTpkRrIn8), where the author of the book, **SheHacksPurple**, interviews guests about the chapters within her book and how they relate to the fields they work in

# Notes
- CIA - Confidentiality, Integrity, Availability
- Requirements for applications
    - Does the system interact with PII, sensitive, or confidential information at any time?
    - How is data storage handled?
    - Is the application internal or internet facing?
    - Does this application perform essential tasks?
    - Does this application perform any risky activities such as allowing uploads?
    - What is the level of uptime required?
    - How does security serve the business?
- Validate every input (input validation)
    - Your application should never enter an unknown state; it should always handle inputs gracefully, rejecting anything that does not match what it expects rather than trying to repair it
- You should add vulnerability scanning into the steps of your CI/CD pipeline
- CSP, Content-Security-Policy
    - When used it forces the developer to list out explicitly all of the sources (scripts, styles, images, frames, etc.) their application is allowed to load when it runs in a web browser; the browser blocks anything not on that allow list
    - [OWASP CSP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)
- X-Frame-Options
    - Helps protect against clickjacking; however, it has been superseded by the CSP `frame-ancestors` directive, which takes precedence when both are present. It is still worth sending for older browsers, but the CSP is where the policy should live
- Referrer-Policy
    - Controls how much of the referring URL the browser sends. With a policy such as `strict-origin-when-cross-origin` (now the default in major browsers) a web server is told where someone came from, but only the origin, not the potentially sensitive page path the user was coming from
    - Ex, coming from `website.com` instead of coming from `website.com/embarrassing-webpage`
    - Learn more about security headers by checking out security researcher [Scott Helme's website](https://scotthelme.co.uk)
- Feature-Policy (since renamed Permissions-Policy)
    - A newer security header that allows granular permission controls per browser feature, for the page and for any iframes it embeds
    - Ex, disallowing cameras, microphones, gyroscope, etc
- Secure flag in cookies
    - Cookie will only be sent over HTTPS; if the connection is downgraded to plain HTTP, the browser will refuse to send a cookie carrying this flag
- HttpOnly flag in cookies
    - Cookie cannot be accessed via JavaScript (`document.cookie`); it can only be set and read server-side through the `Set-Cookie` and `Cookie` headers. This protects against XSS attacks attempting to read the data within your cookie, though an injected script can still make requests that the browser attaches the cookie to
- Persistent and session cookies
    - Cookies that do not self-destruct at the end of a session (they carry an `Expires` or `Max-Age` attribute) are referred to as persistent/tracking cookies; a cookie with neither attribute is a session cookie and is discarded when the browser closes

#### Tools for Web Applications
- https://securityheaders.com/
- https://www.ssllabs.com/ssltest/
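The headers from the notes above (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy), as an added example that is not from the book or the playlist: it builds a starting header set for an app, then audits an arbitrary response header map the way a scanner such as securityheaders.com would. The CDN host `cdn.example.com`, the specific policy values and the sample `weakResponse` are constructed assumptions for illustration, not a universal recommendation.

```javascript
// Added example (not from the book or the playlist). Builds and audits the
// response security headers discussed in the notes. Policy values are
// illustrative assumptions for an app that serves its own scripts plus one
// assumed CDN host; cdn.example.com is a placeholder.

// Serialize a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// A starting header set. frame-ancestors is what modern browsers honour;
// X-Frame-Options is kept alongside it for browsers that lack support.
function recommendedHeaders() {
  return {
    'content-security-policy': buildCsp({
      'default-src': ["'self'"],
      'script-src': ["'self'", 'https://cdn.example.com'],
      'object-src': ["'none'"],
      'frame-ancestors': ["'none'"],
    }),
    'x-frame-options': 'DENY',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'permissions-policy': 'camera=(), microphone=(), geolocation=(), gyroscope=()',
  };
}

// Parse a CSP value into { directive: [sources] } so it can be inspected.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Audit a header map (any case for names) and return a list of findings.
// An empty list means nothing was flagged.
function auditHeaders(headers) {
  const findings = [];
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  if (!h['content-security-policy']) {
    findings.push('missing Content-Security-Policy');
  } else {
    const csp = parseCsp(h['content-security-policy']);
    // script-src falls back to default-src when absent, as browsers do.
    const scripts = csp['script-src'] || csp['default-src'] || [];
    if (scripts.includes("'unsafe-inline'")) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts still run");
    }
    if (scripts.includes('*')) {
      findings.push('script-src allows any host (*)');
    }
    if (!csp['frame-ancestors'] && !h['x-frame-options']) {
      findings.push('no frame-ancestors and no X-Frame-Options: clickjacking not mitigated');
    }
  }
  if (!h['referrer-policy'] || h['referrer-policy'].toLowerCase() === 'unsafe-url') {
    findings.push('Referrer-Policy missing or unsafe-url: full URL leaks to other origins');
  }
  if (!h['permissions-policy']) {
    findings.push('missing Permissions-Policy');
  }
  return findings;
}

// Constructed sample response from an app that has not been hardened.
const weakResponse = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Referrer-Policy': 'unsafe-url',
};

console.log('weak response:', auditHeaders(weakResponse));
console.log('recommended set:', auditHeaders(recommendedHeaders()));
```

The audit deliberately treats `'unsafe-inline'` in `script-src` as a finding even though the CSP is present: a policy that still permits inline scripts does not stop the XSS payloads a CSP is meant to contain, which is why the OWASP cheat sheet steers towards nonces or hashes instead.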
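The cookie flags from the notes above (Secure, HttpOnly, persistent vs session), as an added example that is not from the book or the playlist: it serializes and parses `Set-Cookie` headers, audits a cookie that carries a session identifier, and simulates what `document.cookie` would expose to an injected script. The cookie names, values and the `weak` header are constructed for illustration; the SameSite check is an addition beyond what the notes cover.

```javascript
// Added example (not from the book or the playlist). Serializes, parses and
// audits Set-Cookie headers for the flags discussed in the notes. Cookie
// names and values below are constructed sample data.

// Build a Set-Cookie header value.
// opts: { secure, httpOnly, sameSite, maxAge, path }
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`); // makes it persistent
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie value into its name, value and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    secure: false, httpOnly: false, sameSite: null, maxAge: null, expires: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i === -1 ? '' : attr.slice(i + 1);
    switch (k) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
      case 'max-age': cookie.maxAge = Number(v); break;
      case 'expires': cookie.expires = v; break;
    }
  }
  return cookie;
}

// A session cookie has neither Expires nor Max-Age and is dropped when the
// browser closes; anything else is persistent.
function isPersistent(cookie) {
  return cookie.maxAge !== null || cookie.expires !== null;
}

// Findings for a cookie that carries a session identifier or other secret.
function auditSessionCookie(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push(`${cookie.name}: no Secure flag, will be sent over plain HTTP`);
  if (!cookie.httpOnly) findings.push(`${cookie.name}: no HttpOnly flag, readable via document.cookie`);
  if (!cookie.sameSite || cookie.sameSite.toLowerCase() === 'none') {
    findings.push(`${cookie.name}: SameSite missing or None, attached to cross-site requests`);
  }
  if (isPersistent(cookie)) findings.push(`${cookie.name}: persistent, survives browser close`);
  return findings;
}

// What an injected script sees: document.cookie only exposes cookies that
// lack HttpOnly. Simulated here; no browser involved.
function visibleToScript(cookies) {
  return cookies.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed examples: a weak session cookie, a hardened one, and a
// harmless persistent preference cookie.
const weak = parseSetCookie('sessionid=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT');
const hardened = parseSetCookie(serializeCookie('sessionid', 'abc123',
  { secure: true, httpOnly: true, sameSite: 'Lax' }));
const theme = parseSetCookie(serializeCookie('theme', 'dark', { maxAge: 86400, secure: true }));

console.log('weak:', auditSessionCookie(weak));
console.log('hardened:', auditSessionCookie(hardened));
console.log('script sees:', visibleToScript([weak, hardened, theme]));
```

Note that `visibleToScript` hides the hardened session cookie but the browser still attaches it to any request the injected script makes to the site, so HttpOnly limits cookie theft, not what an XSS payload can do while the page is open.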