Вы находитесь на странице: 1из 2




Conduct contextual All output functions must contextually encode data before sending CWE-79
The SWAT Checklist provides an easy-to-reference set of best practices that raise output encoding the data to the user. Depending on where the output will end up in
awareness and help development teams create more secure applications. It’s a D ATA P R O T E C T I O N A U T H E N T I C AT I O N the HTML page, the output must be encoded differently. For example,
data placed in the URL context must be encoded differently than data
first step toward building a base of security knowledge around web application B E ST P R AC T I C E D E S C R I PT I O N C W EC W
IDE ID B E ST P R AC T I C E DESCRIPTION CWE ID placed in a JavaScript context within the HTML page.
security. Use this checklist to identify the minimum standard that is required to RESOURCE:
Use HTTPS Ideally, HTTPS should be used for your entire application. If you have to limit CWE-311 Don’t hardcode Never allow credentials to be stored directly within the application code. CWE-798 https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
neutralize vulnerabilities in your critical applications. everywhere where it’s used, then HTTPS must be applied to any authentication pages as CWE-319 credentials While it can be convenient to test application code with hardcoded
well as to all pages after the user is authenticated. If sensitive information credentials during development, this significantly increases risk and should be avoided.
CWE-523 Prefer whitelists For each user input field, there should be validation on the input CWE-159
(e.g., personal information) can be submitted before authentication, those Proper secrets management tools can provide proper encryption and credentials
over blacklists content. Whitelisting input is the preferred approach. Only accept CWE-144
features must also be sent over HTTPS. Always link to the HTTPS version of rotation to provide extra resiliency to attacks.
ERROR HANDLING AND LOGGING URL if available. Relying on redirection from HTTP to HTTPS increases the EXAMPLE: Hardcoded passwords in networking devices
data that meet a certain criteria. For input that needs more flexibility,
blacklisting can also be applied where known bad input patterns or
opportunity for an attacker to insert a man-in-the-middle attack without https://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf
characters are blocked.
raising the user’s suspicion.
EXAMPLE: sslstrip Develop a strong Password reset systems are often the weakest link in an application. These CWE-640
Display generic Error messages should not reveal details about the internal state of CWE-209 Use parameterized SQL queries should be crafted with user content passed into a bind CWE-89
password reset systems are often based on users answering personal questions to establish
error messages the application. For example, file system path and stack information SQL queries variable. Queries written this way are safe against SQL injection CWE-564
Disable HTTP access For all pages requiring protection by HTTPS, the same URL should not be CWE-319 system their identity and in turn reset the password. The system needs to be based on questions
should not be exposed to the user through error messages. For attacks. SQL queries should not be created dynamically using
for all protected accessible via the insecure HTTP channel. that are both hard to guess and brute force. Additionally, any password reset option
authentication errors, do not indicate that the username exists. string concatenation. Similarly, the SQL query string used in a bound or
resources must not reveal whether or not an account is valid, preventing username harvesting.
parameterized query should never be dynamically built from user input.
EXAMPLE: Sarah Palin password hack http://en.wikipedia.org/wiki/Sarah_Palin_email_hack
No unhandled Given the languages and frameworks in use for web application CWE-391
EXAMPLE: Sony SQL injection hack http://www.infosecurity-magazine.com/view/27930/
exceptions development, never allow an unhandled exception to occur. Error Use strong TLS TLS must be configured to the secure configurations that only support the recent
configurations versions of TLS, prefer the use of the strongest cipher suites and avoid the use of Implement a strong A password policy should be created and implemented so that passwords CWE-521 lulzsec-sony-pictures-hackers-were-school-chums
handlers should be configured to handle unexpected errors and
any weak ciphers. For example, SSL and TLS protocols prior to TLS 1.2 have known password policy meet specific strength criteria.
gracefully return controlled output to the user.
EXAMPLE: https://pages.nist.gov/800-63-3/sp800-63-3.html Prevent insecure Do not accept serialized objects from untrusted sources, define known CWE-502
weaknesses and are not considered secure. Additionally, disable the cipher suites
Suppress framework- Your development framework or platform may generate default deserialization good data types when deserializing data, and implement integrity
CWE-209 using RC4, DES or MD5 and prefer the ciphers that support Perfect Forward Secrecy.
generated errors Implement account Account lockout needs to be implemented to prevent brute-force attacks CWE-307 checks on serialized objects.
error messages. These should be suppressed or replaced with EXAMPLE: Qualys SSL Labs
lockout against against both the authentication and password reset functionality. After
customized error messages, as framework-generated messages
brute-force attacks several tries on a specific user account, the account should be locked for a period Use tokens to In order to prevent Cross-Site Request Forgery attacks, you must CWE-352
may reveal sensitive information to the user. Use the Strict- The Strict-Transport-Security header ensures that the browser does not of time or until it is manually unlocked. Additionally, it is best to continue the same prevent forged embed a random value that is not known to third parties into the
Transport-Security talk to the server over HTTP. This helps reduce the risk of HTTP downgrade failure message indicating that the credentials are incorrect or the account is locked to requests HTML form. This CSRF protection token must be unique to each
Log all Log any authentication and session management activities along with CWE-778 header attacks as implemented by the sslsniff tool. request. This prevents a forged CSRF request from being submitted
prevent an attacker from harvesting usernames.
authentication and all input validation failures. Any security-related events should be
because the attacker does not know the value of the token.
validation activities logged. These may be used to detect past or in-progress attacks. Store user User passwords must be stored using secure hashing techniques with CWE-257 Don’t disclose too Messages for authentication errors must be clear and, at the same time, be written
passwords using strong algorithms like PBKDF2, bcrypt, or SHA-512. Simply hashing the much information so that sensitive information about the system is not disclosed. For example, error Prevent Server Side Features that require requests to be sent to web services need to
Log all privilege Any activities or occasions where the user’s privilege level changes CWE-778
Request Forgery (SSRF) carefully restrict URLs by validating input and properly encoding output.
a strong, iterative, password a single time does not sufficiently protect the password. Use in error messages messages that reveal that the user ID is valid but that the corresponsing password
changes should be logged.
salted hash adaptive hashing (a work factor), combined with a randomly generated salt is incorrect confirm to an attacker that the account does exist on the system.
for each user to make the hash strong. Set the encoding For every page in your application, set the encoding using HTTP CWE-172
Log administrative Any administrative activities on the application or any of its CWE-778 for your application headers or meta tags within HTML. This ensures that the encoding of
EXAMPLE: https://haveibeenpwned.com Store database Modern web applications usually consist of multiple layers. The business CWE-257
activities components should be logged. the page is always defined and that the browser will not have to determine
credentials securely logic tier (processing of information) often connects to the data tier
Securely exchange If encryption keys are exchanged or pre-set in your application, then any (database). Connecting to the database, of course, requires authentication. the encoding on its own. Setting a consistent encoding like UTF-8 for your
Log access to Any access to sensitive data should be logged. This is particularly CWE-778
encryption keys key establishment or exchange must be performed over a secure channel. The authentication credentials in the business logic tier must be stored in a application reduces the overall risk of issues like Cross-Site Scripting.
sensitive data important for corporations that have to meet regulatory
centralized location that is locked down. Scattering credentials throughout
requirements like HIPAA, PCI, or SOX. Validate uploaded When accepting file uploads from the user, make sure to validate the CWE-434
Set up secure When keys are stored in your system they must be properly secured and CWE-320 the source code is not acceptable. Some development frameworks provide a
key management only accessible to the appropriate staff on a need-to-know basis. centralized secure location for storing credentials to the backend database. files size of the file, the file type, and the file contents, and ensure that it CWE-616
Do not log While logging errors and auditing access are important, sensitive data CWE-532 is not possible to override the destination path for the file. CWE-22
processes These encrypted stores should be leveraged when possible.
inappropriate data should never be logged in an unencrypted form. For example, under EXAMPLE: AWS Key Management Service (KMS), Azure Key Vault, AWS CloudHSM
HIPAA and PCI, it would be a violation to log sensitive data into the log itself Use the nosniff When hosting user uploaded content that can be viewed by other CWE-430
Use valid HTTPS HTTPS certificates should be signed by a reputable certificate authority. The Applications and If an application becomes compromised it is important that the application CWE-250
unless the log is encrypted on the disk. Additionally, it can create a serious header for uploaded users, use the X-Content-Type-Options: nosniff header so that
certificates from a name on the certificate should match the FQDN of the website. The certificate middleware should itself and any middleware services be configured to run with minimal
exposure point should the web application itself become compromised. content browsers do not try to guess the data type. Sometimes the browser can be
reputable certificate itself should be valid and not expired. run with minimal privileges. For instance, while the application layer or business layer need
privileges the ability to read and write data to the underlying database, administrative tricked into displaying the data type incorrectly (e.g., showing a GIF file as
Store logs securely Logs should be stored and maintained appropriately to avoid CWE-533 authority EXAMPLE: Let’s Encrypt https://letsencrypt.org HTML). Always let the server or application determine the data type.
credentials that grant access to other databases or tables should not be provided.
information loss or tampering by intruders. Log retention should
also follow the retention policy set forth by the organization to meet Disable data Browser data caching should be disabled using the cache control HTTP CWE-524 Prevent tabnabbing Use the “rel” anchor tag attribute with values of “noopener” or CWE-1022
regulatory requirements and provide enough information for forensic caching using cache headers or meta tags within the HTML page. Additionally, sensitive input “noreferrer” to prevent an opened tab from tampering with the calling
and incident response activities. control headers and fields, such as the login form, should have the autocomplete attribute set to SESSION MANAGEMENT tabs location in the browser. In JavaScript this can be prevented by
autocomplete off in the HTML form to instruct the browser not to cache the credentials. setting window.opener to null.
Encrypt sensitive Encrypt sensitive or critical data before storage. CWE-311 Validate the The source of the input must be validated. For example, if input is CWE-20
data at rest Ensure that session Session tokens must be generated by secure random functions and must CWE-6
CWE-312 source of input expected from a POST request, do not accept the input variable from CWE-346
identifiers are be of sufficient length to withstand analysis and prediction.
a GET request.
sufficiently random
Limit the use Conduct an evaluation to ensure that sensitive data elements are
and storage of not being unnecessarily transported or stored. Where possible, use X-Frame-Options or Use the X-Frame-Options header or Content-Security-Policy header CAPEC-103
Regenerate session Session tokens should be regenerated when the user authenticates to CWE-384 CSP headers frame-ancestors directive to prevent content from being loaded by a
sensitive data tokenization to reduce data exposure risks. CWE-693
tokens the application and when the user privilege level changes. Additionally, should foreign site in a frame. This mitigates Clickjacking attacks. For older
the encryption status change, the session token should always be regenerated. browsers that do not support this header, add framebusting Javascript
code to mitigate Clickjacking (although this method is not foolproof
Implement an idle When a user is not active, the application should automatically log the CWE-613
C O N F I G U R AT I O N A N D O P E R AT I O N S session timeout user out. Be aware that Ajax applications may make recurring calls to the
and can be circumvented).

application, effectively resetting the timeout counter automatically. Use secure HTTP The Content Security Policy, X-XSS-Protection, and Public-Key-Pins CWE-79
response headers headers help defend against Cross-Site Scripting (XSS) and CWE-692
Automate Automating the deployment of your application, using Continuous Integration Implement an Users should be logged out after an extensive amount of time (e.g., 4-8 CWE-613 Man-in-the-Middle (MitM) attacks.
application and Continuous Deployment, helps to ensure that changes are made in a absolute session hours) has passed since they logged in. This helps mitigate the risk of an EXAMPLE: OWASP Secure Headers Project
deployment consistent, repeatable manner in all environments. timeout attacker using a hijacked session. https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Cloud Security
Establish a rigorous A rigorous change management process must be maintained during CWE-439 Destroy sessions Unless the application requires multiple simultaneous sessions for a single user,
change management operations. For example, new releases should only be deployed after proper at any sign of implement features to detect session cloning attempts. Should any sign of session cloning
process testing and associated documentation has been completed. tampering be detected, the session should be destroyed, forcing the real user to reauthenticate.
EXAMPLE: DevOps Audit Defense Toolkit

and DevSecOps
https://itrevolution.com/devops-audit-defense-toolkit Invalidate the When the user logs out of the application, the session and corresponding CWE-613
session after logout data on the server must be destroyed. This ensures that the session cannot Apply access control Always apply the principle of complete mediation, forcing all requests CWE-284
Define security Engage the business owner to define security requirements for the be accidentially revived. checks consistently through a common security “gate keeper.” This ensures that access
requirements application. This includes items that range from the whitelist validation rules control checks are triggered whether or not the user is authenticated.
all the way to nonfunctional requirements like the performance of the login Place a logout button The logout button or logout link should be easily accessible to users on

Best Practices
function. Defining these requirements up front ensures that security is baked on every page every page after they have authenticated. Apply the principle Use a Mandatory Access Control system. All access decisions will be CWE-272
into the system. of least privilege based on the principle of least privilege. If not explicitly allowed, then CWE-250
Use secure cookie The session cookie should have the HttpOnly, Secure, and SameSite flags CWE-79 access should be denied. Additionally, after an account is created,
Conduct a Integrating security into the design phase saves money and time. Conduct CWE-701 rights must be specifically added to that account to grant access to resources.
attributes set. This ensures that the session ID will not be accessible to client-side CWE-614
design review a risk review with security professionals and threat model the application CWE-656 scripts, will only be transmitted over HTTPS, and will only be sent with
AND to identify key risks. This helps you integrate appropriate countermeasures
requests from the same site (mitigates CSRF).
Don’t use direct Do not allow direct references to files or parameters that can be CWE-284
into the design and architecture of the application. object references for manipulated to grant excessive access. Access control decisions must

Securing Web
access control checks be based on the authenticated user identity and trusted server-side information.
Set the cookie The cookie domain and path scope should be set to the most restrictive
Perform code Security-focused code reviews can be one of the most effective ways to find CWE-702
domain and path settings for your application. Any wildcard domain scoped cookie must have a
reviews security bugs. Regularly review your code looking for common issues like SQL Don’t use An unvalidated forward or resource use can allow an attacker to access CWE-601
correctly good justification for its existence.
unvalidated private content without authentication. Unvalidated redirects allow an
Injection and Cross-Site Scripting. Leverage automated tools to maximize

breadth of coverage and consistency. resources attacker to lure victims into visiting malicious sites. Similarly, unvalidated usage of
Use non-persistent If a cookie has the “Max-Age” or “Expires” attributes, the browser treats it as a URLs can lead to issues such as Server Side Request Forgery (SSRF). Prevent this
cookies persistent cookie and stores it to disk until the expiration time. Do not do this from occurring by conducting the appropriate access control checks before sending
Perform security Conduct security testing both during and after development to ensure that
for session cookies. the user to the given location or accessing resource locations provided by the user.
testing the application meets security standards. Testing should also be conducted

after major releases to ensure that vulnerabilities did not get introduced
during the update process. Leverage automation by including security tests APPLICATION SECURITY DEVSECOPS AND CLOUD TESTING
into the CI/CD pipeline.

Harden the All components of infrastructure that support the application should be CWE-15 DEV522 SEC540 SEC542
(SWAT ) C H E C K L I ST infrastructure configured according to security best practices and hardening guidelines.
In a typical web application this can include routers, firewalls, network
CWE-656 Defending Web Applications
Security Essentials
Cloud Security and DevOps
Web App Penetration Testing
and Ethical Hacking
Version 1.7 switches, operating systems, web servers, application servers, databases,
and application frameworks.

Define an incident An incident handling plan should be drafted and tested on a regular basis. The
handling plan contact list of people to involve in a security incident related to the application
Application Security Awareness Cloud Security Architecture Advanced Web App Penetration
Ingraining security into the mind of every developer. should be well defined and kept up to date.
Modules and Operations Testing, Ethical Hacking, and
Educate the team Training helps define a common language that the team can use to improve the Exploitation Techniques
on security security of the application. Education should not be confined solely to software
Website Twitter Blog SEC534
AppSec CyberTalent
software-security.sans.org developers, testers, and architects. Anyone associated with the development
process, such as business analysts and project managers, should have periodic software-security.sans.org @SANSDevSecOps software-security.sans.org/blog Assessment Secure DevOps:
software security awareness training. Free resources, white papers, Latest news, promos, sans.org/appsec-assessment A Practical Introduction
webcasts, and more and other information

1 Insecure Use of Developer Credentials
Developer credentials allow your team and
4 Broken Access Control
Principles of least privilege should be followed
7 Lack of Inventory Management
API-based access solves a lot of inventory AND DEVSECOPS Pre-Commit
Security activities before code is checked into version control

integrations access to your account. They should when architecting access to cloud services. management problems. Consider strategies to enrich
be stored and used securely to ensure that Consider the granularity of access to services, your environment with additional information around
only authorized individuals and use-cases have systems, and the network. Regularly or ownership, use-case, and sensitivity. Threat Modeling/Attack Security & Privacy Stories: Pre-Commit Security Hooks: IDE Security Plugins:
access. When possible, consider tracking and automatically review this access to ensure that
Mapping: OWASP ASVS detect-secrets DevSkim
auto-expiring credentials after a set period of least privilege is being followed. 8 Domain Hijacking
time or inactivity. Attacker personas SAFECode Security Stories git-hound FindSecurityBugs

2 Publicly Accessible Storage

5 Misconfigured Network Constructs
Transitive-trust often exists between cloud services
and DNS entries. Regularly review your DNS and Learn to build, deliver, and deploy modern Evil user stories
Manual and Peer Reviews:
git-secrets Puma Scan
Raindance OWASP SEDATED SonarLint
applications using DevSecOps and cloud
Most cloud providers have sophisticated cloud configurations to prevent take-over situations.
Cloud providers have several different methods methods to control network access beyond CODEOWNERS
Mozilla Rapid Risk Assessment pre-commit
of storing objects and data. Regularly review simple IP address-based rules. Consider using 9 Lack of a Disaster Recovery Plan Code Review Description Secure Coding Standards:
principles, practices, and tools.
OWASP ThreatDragon Repo-supervisor
your configurations to ensure that only the these constructs for controlling access at Templates CERT Secure Coding Standards
intended components are publicly accessible. a granular level, and using cloud-provider- Cloud environments do not automatically solve SAFECode Tactical Threat ThoughtWorks Talisman
disaster recovery (DR) concerns. Consider what Gerrit OWASP Proactive Controls
based network components to segment traffic Modeling
level of investment is appropriate for catastrophic GitHub pull request SAFECode Fundamental
3 thoughtfully. Slack goSDL
Improper Use of Default Configurations
Cloud providers pre-configure common access
events within your cloud environment. Design a
DR program to recover from outside accounts,
SEC540: Cloud Security and DevOps Automation ThreatPlaybook
GitLab merge request Practices for Secure Software
control policies. These can be convenient, but
6 Inadequate Monitoring and Logging providers, or locales. Review Board Development
often introduce risk as a provider’s service Turn on and regularly monitor API access sans.org/SEC540
offerings change. Pre-configured rules often logging. Consider a risk-based logging strategy 10 Manual Account Configuration
change to introduce access to new services for services that are not logged by way of these
Doing things by hand limits your ability to scale and
Commit (Continuous Integration)
outside the context of what is actually needed core logging services.
or being used. leverage cloud-native security tools and controls.
Consider “security-as-code” and automation as your
Fast, automated security checks during the build and continuous integration steps
best friends within cloud environments.
Static Analysis: Infrastructure as Code Dependency Management: Container Security:
Brakeman Analysis: Bundler-Audit Actuary
ESLint ansible-lint Github security alerts Anchore


Node Security Platform
PHP Security Checker
Phan flint Retire.JS dive
1 Public-Facing API or etcd Instances 5 Unrestricted and Unaudited Users 9 Resource Exhaustion Foodcritic OWASP Dependency Check Docker Bench
Kubernetes Security: puppet-lint Falco
Do not host administrative endpoints on the RBAC permissions can be difficult to test, so Workloads should have their expected
Security Unit Tests: trivy
public Internet and secure networks as one Kubernetes provides a SubjectAccessReview to (“requests”) and maximum (“limits”) memory
would do with other virtualized or bare metal validate RBAC decisions. Utilize this in a non- and compute values set in their deployment kube-bench JUnit
infrastructure. If creating your own cluster, production environment to instill confidence configuration. This information assists the kube-hunter Container Hardening: Mocha
ensure etcd is deployed separately from the that changes to RBAC roles and bindings do not scheduler in placing workloads, and also kubeiscan Bane xUnit
Master nodes and firewalled from the rest of have accidental wider-reaching implications prevents monolithic JVM apps from exhausting
the cluster. to cluster security. Federate identity to third- resources during JIT bytecode compilation kube-score CIS Benchmarks
parties with 2FA enabled. Enable audit logs, startup. These values can be controlled kubesec.io grsecurity
2 Cluster Recency and Certificate consolidate log data, proactively monitor events, by admission controllers LimitRange and
and generate alerts. ResourceQuota.
Authority Expiration
Provision Kubernetes clusters with new key 6 Configuration Drift 10 Application and Infrastructure Acceptance (Continuous Delivery)
material or expiration checks on reused
certificates and authorities. Replace clusters To ensure consistent cluster state, leverage Supply Chain Automated security acceptance, functional testing, and deep out-of-band scanning during
regularly to keep keys and control plane GitOps principles with an in-cluster operator Create reference application development
versions updated. Develop a rigorous update such as Weave Flux that continually re-asserts pipelines for your teams that leverage continuous delivery
procedure using Blue/Green or Canary clusters the state of a cluster or namespace, ensuring deployment tooling from a trusted source
to automate deployments. This is necessary that cluster configurations match the state of a and incorporates static code analysis,
Infrastructure as Code: Security Testing: Security Acceptance Infrastructure Compliance
because Kubernetes has a major release Git repository holding YAML configuration files. container image vulnerability scanning, and Ansible Arachni | sqlmap | ZAP Testing: Checks:
every three months with minor releases being dynamic security tooling. Potentially create Chef Cloud Container Attack Tool BDD-Security conftest
maintained for nine months. 7 Cloud Metadata APIs a cryptographic chain of custody between
Puppet ssh_scan | sslyze Gauntlt HubbleStack
components with Notary, in-toto, and Git commit
Cloud instance identity is a point of escalation SaltStack Mittn InSpec
3 Insecure Workload Configuration from Server Side Request Forgeries. In
signing. Run a container-based IDS solution that
Cloud Configuration
detects unusual behavior or network activity Terraform Open Policy Agent
Running privileged containers as the root user Kubernetes many pods are running on a single Management:
node, and if they are able to make calls to the
exhibited by a running container. Vagrant Infrastructure Tests:
or without security contexts increases the risk
to that workload and the rest of the cluster. Use cloud provider’s metadata API then they can AWS CloudFormation CIS Vulnerability
Kubernetes Security Policies to enforce Network assume the identity of the underlying host. To 11 Application Developers Writing Azure Resource Manager Serverspec Management:
Policy, Pod Security Policy (or better still OPA) remedy this, use workload identity (exchanging Security Functionality Google Cloud Deployment Terratest Archerysec
and utilize SecurityContexts on all workloads. the pod’s ServiceAccount for a narrowly Within a multi-tenanted cluster, mandating Manager
scoped cloud provider API token) or metadata Test Kitchen DefectDojo
These features reduce the likelihood of pivots Encryption in Transit, Authentication and
across the network, enforce the use of security concealment (blocking the metadata API from Authorization between Pods is necessary. JackHammer
profiles, and prevent the use of the privileged the CNI network). For clusters without the However, do not have development teams
flag, containers running as the root user, and required cloud provider support, projects such create this functionality on their own. Instead
the sharing of host network, process, or IPC
as Kiam provide an alternative mechanism for
workload identity.
use a service mesh, which is a web of encrypted
persistent connections made between high-
Production (Continuous Deployment)
performance “sidecar” proxy servers like Envoy Security checks before, during, and after code is deployed to production
4 Improper Namespace Use Externalized Certificate Authorities and Linkerd that adds traffic management,
monitoring, and policy – all without
Namespaces are a logical grouping for Kubernetes operates a zero-trust mutual TLS
microservice changes.
Security Smoke Tests: Configuration Safety Secrets Management: Server Hardening:
API server entities and should be used to authentication flow across most components
ZAP Baseline Scan Checks: Ansible Vault CIS
coordinate security and availability features. and supports many certificate authorities (CA)
Many security features are namespace- that don’t have to share the same root of trust. 12 Complexity nmap AWS Config Blackbox dev-sec.io
bound (PodSecurityPolicies, NetworkPolicy) It supports TLS node bootstrapping and key Maintaining and deploying multi-tenanted ssllabs-scan AWS Trusted Advisor Chef Vault SIMP
as are denial of service prevention features rotation, in addition to projects like Istio adding Kubernetes clusters can be particularly Google Cloud Asset Inventory CyberArk Conjur
(LimitRanges, ResourceQuota). Use namespaces their own PKI for applications. An enterprise complex, as within these clusters there are Cloud Secrets Host Intrusion Detection
may decide to create CAs from the organization’s Microsoft Azure Advisor Docker Secrets
first for security and availability features and potentially hundreds of YAML configuration files Management:
root of trust, which means there are at least two OSQuery Hashicorp Vault System:
second for grouping of logical components. to write and maintain. Create YAML templates
places that the cluster’s network security can AWS KMS fail2ban
with tools such as Kustomize and Helm v3 to Pinterest Knox
be compromised. Instead, self-sign a CA and simplify configuration management, reduce AWS Secrets Manager Cloud Security Testing: OSSEC
maintain key material on the cluster to ensure
that the only compromise of the key material
maintenance burden, and mitigate the risk of Azure Key Vault CloudSploit Serverless Protection: Samhain
unique implementations by giving developers
must happen after the masters have been Google Cloud KMS Nimbostratus FunctionShield Wazuh
and administrators a secure template.
compromised, at which point the key material is
already useless.
Operations Poster contributors:
Ben Allen
Building a DevSecOps Program (CALMS) Shift Security Left Continuous security monitoring, testing, audit, and compliance checks Will Bengston

Culture Start security testing as early in development as possible CURRICULUM Fault Injection: Penetration Testing: Continuous Monitoring:
Jim Bird
David Deatherage
Break down barriers between Development, Security, and Chaos Monkey Attack-driven defense alerta Mark Geeslin
Add self-service security testing into all stages of the pipeline
Operations through education and outreach Infection Monkey Bug Bounties ElastAlert Ben Hagen
Don’t slow delivery down: Focus on fast, simple, and clear feedback APPLICATION SECURITY DEVSECOPS AND CLOUD TESTING Mark Hillick
kube-monkey Red team exercises grafana/graphite
Automation Negotiate windows with DevOps teams for security testing and remediation
Eric Johnson
DEV522 SEC540 SEC542 pumba
Threat Intelligence:
Frank Kim
Embed self-service automated security scanning and testing in • Maximum duration of security testing feedback delays prometheus
Defending Web Applications Cloud Security and DevOps Web App Penetration Testing Jason Lam
continuous delivery • Maximum lag in fixing vulnerabilities Cyber Simulations: Diamond Model
Security Essentials Automation and Ethical Hacking sof-elk Gregory Leonard
Make vulnerability test and fix metrics transparent Game day exercises Kill Chain
Lean GWEB GCSA GWAPT statsd Andrew Martin
Tabletop scenarios STIX Dr. Johannes Ullrich
Value stream analysis of security and compliance processes to 411
optimize flow First Steps in Automation SSA.DEVELOPER SEC545 SEC642 Blameless Postmortems:
Continuous Scanning:
Thomas Vachon
Steve Woodrow
Build a security smoke test (e.g., ZAP Baseline Scan) Application Security Awareness Cloud Security Architecture Advanced Web App Penetration Etsy Morgue Cloud Compliance:
Measurement Modules and Operations Testing, Ethical Hacking, and Cloud Custodian
CIS AWS Benchmark
Use metrics to shape design and drive decisions Conduct negative unit testing to get off of the happy path Exploitation Techniques Cloud Monitoring: CloudMapper
CIS Azure Benchmark
Attack your system before somebody else does (e.g., Gauntlt) AWS Security Hub Netflix Aardvark
Sharing AppSec CyberTalent SEC534 software-security.sans.org Forseti Security
Azure Security Center Prowler
Share threats, risks, and vulnerabilities by adding them to Add hardening steps into configuration recipes (e.g., dev-sec.io) Assessment Secure DevOps: @SANSDevSecOps Netflix Repokid
Google Cloud Security ScoutSuite
engineering backlogs sans.org/appsec-assessment A Practical Introduction OpenSCAP
Harden and test your CI/CD pipelines and do not rely on software-security.sans.org/blog Command Center vuls
developer-friendly defaults