Please enable JavaScript.

Coggle requires JavaScript to display documents.

InfoSec (App Sec (SDLC (CICD (Pipeline Security Controls (Harden pipeline…

- - - - Components
        
        Code Repository
        (Source Code)
        
        Gitlab
        
        role-based acls
        
        web-based git repositories
        
        Git (code) repository
        
        issue tracking and project management
        
        central place where developers store, share, test and collaborate on web projects.
        
        BitBucket
        
        version control repository hosting service
        
        CI Server
        
        Jenkins
        
        is an open-source continuous integration software tool written in the Java programming language for testing and reporting on isolated changes in a larger code base in real time.
        
        Artifact Repository
        (Binaries)
        
        Image Repo
        
        a source for artifacts needed for a build, and a target to deploy artifacts generated in the build process.
        
        Application Packages
        OS Components
        Open Source Libraries
        Docket Containers
        
        Source Control Management
        (Version Control)
        
        Debug Tracking
        
        Jira
      - Continuous Integration
        
        Pre-commit / Code
        
        IDE security reviews
        
        Real-Time SAST
        
        Commit / Push Code
        
        Code Repo
        
        Incremental SAST
        
        1 more item...
      - Continuous Delivery
        
        Test
        
        Dynamic code analysis
        
        test exploitability
        
        penetration testing
        
        Deploy / Release
        
        Stage
        
        Passive Pen Test
        
        Infrastructure Scan
        
        1 more item...
      - Secure Programming Training/Awareness
      - continuous delivery vs continuous deployment
      - Pipeline Security Controls
        
        Harden pipeline (Repositories, configuration mng, Build servers)
        
        Monitor
        
        Keys/Secrets protected & audited
        
        Access control across tools
        
        Logging
        
        Audit Access
      - Threats
        
        image repositories, build servers, containers, third-party tools
        
        exploit the trust relationship between code repositories and servers to make changes
    - - Culture
      - Development + Operations teams
      - infrastructure as code
      - autonomy
    - - iterative approach that focuses on collaboration, customer feedback and small rapid releases
    - - Encryption
        
        Authentication
        
        Logging
        
        Asset Management
        
        Zoning & Containment
    - - Automate security testing and monitoring tools into relevant stages of the software production pipeline
      - Teams must have autonomy to quickly move these steps forward or loop backward.
      - Build robust infrastructure-as-code and security-as-code orchestration.
      - Reduce false positives; otherwise, the results of tests will be ignored
      - Metrics to measure efficacy
      - only approved(secured) code is used to build images
  - - - visibility into their open source inventory
      - Third Party Dependencies
      - Open Source Vulnerabilities (OSS)
    - - balance between SAST false positives and developer goodwill
      - Eliminate vulnerabilities early
        integrates into your company’s existing development environments
    - - quality assurance phase
    - - runtime application self-protection (RASP) - legacy
        
        Legacy Apps
  - - - Bots
        
        GET
  - - - Credential Handling
      - Upload/download timeouts
    - - SOAP
      - Rest
        
        Client-server
        
        stateless
        
        cachable
        
        HTTP Methods
        
        better performance
    - - Whitelist specific HTTP methods
      - object level authorization checks
      - use ID stored as session object, not from client
        
        use random & unpredictable values
      - Limit error responses
      - validate against specific rules
- - - - Identify
        
        Asset visibility (systems, Data, processes)Organization exposureRisks
      - Protect
        
        Implementing Controls (contain or limit)awareness education and trainingbaselines configuration
      - Detect
        
        identifyevents & incidentscontinuousmonitoringthreathunting
      - Respond
        
        contain & eradicateresponse planCommunicationcollect and analyze information lessons learned
      - Recover
        
        restore capabilities recovery planexternal parties lessons learnedprioritize action
  - - - BIA
      - Critical Assets, Departments, Tiers
    - - Solutions in place
      - Threats
      - Gaps
    - - Assessments
        
        Attestation / Reports
- - - - Download source code and compile locally
  - - - PsExec
        
        remote command execution
    - - Running processes & servicesstartup listremote commands
- - - - tool to tunnel traffic through DNS servers
- - - - ARM
      - Azure AD IDaaS
    - - AWS Sec Map
      - AWS SA Map
  - - - Deployment
        
        API
        
        Client/Agent
        
        Forward Proxy
        
        Reverse Rpoxy
        
        GRE/IPsec
        
        Log Parsing
      - Pillars
        
        Data Security
        
        Threat Protection
        
        Compliance
        
        Vsibility
- - - - Rule-based/Regex
        
        Conceptual/lexicon
        
        Statistical Analysis
        
        Pre-built categories
        
        database fingerprinting
        
        exact file matching
        
        Partial document matching
    - - Endpoint
      - Storage
      - Network
- - - - Flow Link
  - - - Flow Link
- - - - Alerts & Events
- - - - Traffic metadata
        
        senders’ / receivers’ IP addresses, the ports they communicated on, the length of the conversation and the amount of data transferred.
    - - full traffic
- - - - Harden
        
        contain the bare minimum amount of code necessary
  - - - Amazon ECS
      - Docker Swarm
      - Kubernetes