From 2ed3c4aed3bb17cb082699c78a134d5454337740 Mon Sep 17 00:00:00 2001 From: Thuan Ha Date: Thu, 14 Dec 2017 23:17:54 +0700 Subject: [PATCH] Add Ecommerce Security CheckList section https://github.com/IamHDT/Ecommerce-Website-Security-CheckList List of considerations for commerce site auditing and security teams. This is a summary of action points and areas that need to be built into the Technical Specific Document, or will be checked in the Security testing phases. --- README.md | 119 +++++++++++++++++++++++++++--------------------------- 1 file changed, 60 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index 9b1496a..81b69a0 100644 --- a/README.md +++ b/README.md 
@@ -13,66 +13,67 @@ Our detailed explanations should help the first type while we hope our checklist ### Contents 1. [The Security Checklist](security-checklist.md) -2. [What can go wrong?](what-can-go-wrong.md) -3. [Securely transporting stuff: HTTPS explained](https.md) -4. Authentication: I am who I say I am -4.1 Form based authentication -4.2 Basic authentication -4.3 One is not enough, 2 factor, 3 factor, .... -4.4 Why use insecure text messages? Introducing HOTP & TOTP -4.5 Handling password resets -5. Authorization: What am I allowed to do? -5.1 Token based Authorization -5.2 OAuth & OAuth2 -5.3 JWT -6. Data Validation and Sanitation: Never trust user input -6.1 Validating and Sanitizing Inputs -6.2 Sanitizing Outputs -6.3 Cross Site Scripting -6.4 Injection Attacks -6.5 User uploads -6.6 Tamper-proof user inputs -7. Plaintext != Encoding != Encryption != Hashing -7.1 Common encoding schemes -7.2 Encryption +1. [Ecommerce Security CheckList](https://github.com/IamHDT/Ecommerce-Website-Security-CheckList) +3. [What can go wrong?](what-can-go-wrong.md) +4. [Securely transporting stuff: HTTPS explained](https.md) +5. Authentication: I am who I say I am +5.1 Form based authentication +5.2 Basic authentication +5.3 One is not enough, 2 factor, 3 factor, .... +5.4 Why use insecure text messages? Introducing HOTP & TOTP +5.5 Handling password resets +6. Authorization: What am I allowed to do? +6.1 Token based Authorization +6.2 OAuth & OAuth2 +6.3 JWT +7. Data Validation and Sanitation: Never trust user input +7.1 Validating and Sanitizing Inputs +7.2 Sanitizing Outputs +7.3 Cross Site Scripting +7.4 Injection Attacks +7.5 User uploads +7.6 Tamper-proof user inputs +8. Plaintext != Encoding != Encryption != Hashing +8.1 Common encoding schemes +8.2 Encryption 7.3 Hashing & One way functions -7.4 Hashing speeds cheatsheet -8. Passwords: dadada, 123456 and cute@123 -8.1 Password policies -8.2 Storing passwords -8.3 Life without passwords -9. 
Public Key Cryptography -10. Sessions: Remember me, please -10.1 Where to save state? -10.2 Invalidating sessions -10.3 Cookie monster & you -11. Fixing security, one header at a time -11.1 Secure web headers -11.2 Data integrity check for 3rd party code -11.3 Certificate Pinning -12. Configuration mistakes -12.1 Provisioning in cloud: Ports, Shodan & AWS -12.2 Honey, you left the debug mode on -12.3 Logging (or not logging) -12.4 Monitoring -12.5 Principle of least privilege -12.6 Rate limiting & Captchas -12.7 Storing project secrets and passwords in a file -12.8 DNS: Of subdomains and forgotten pet-projects -12.9 Patching & Updates -13. Attacks: When the bad guys arrive -13.1 Clickjacking -13.2 Cross Site Request Forgery -13.3 Denial of Service -13.4 Server Side Request Forgery -14. [Stats about vulnerabilities discovered in Internet Companies](vulnerabilities-stats.md) -15. On reinventing the wheel, and making it square -15.1 Security libraries and packages for Python -15.2 Security libraries and packages for Node/JS -15.3 Learning resources -16. Maintaining a good security hygiene -17. Security Vs Usability -18. Back to Square 1: The Security Checklist explained +8.4 Hashing speeds cheatsheet +9. Passwords: dadada, 123456 and cute@123 +9.1 Password policies +9.2 Storing passwords +9.3 Life without passwords +10. Public Key Cryptography +11. Sessions: Remember me, please +11.1 Where to save state? +11.2 Invalidating sessions +11.3 Cookie monster & you +12. Fixing security, one header at a time +12.1 Secure web headers +12.2 Data integrity check for 3rd party code +12.3 Certificate Pinning +13. Configuration mistakes +13.1 Provisioning in cloud: Ports, Shodan & AWS +13.2 Honey, you left the debug mode on +13.3 Logging (or not logging) +13.4 Monitoring +13.5 Principle of least privilege +13.6 Rate limiting & Captchas +13.7 Storing project secrets and passwords in a file +13.8 DNS: Of subdomains and forgotten pet-projects +13.9 Patching & Updates +14. 
Attacks: When the bad guys arrive +14.1 Clickjacking +14.2 Cross Site Request Forgery +14.3 Denial of Service +14.4 Server Side Request Forgery +15. [Stats about vulnerabilities discovered in Internet Companies](vulnerabilities-stats.md) +16. On reinventing the wheel, and making it square +16.1 Security libraries and packages for Python +16.2 Security libraries and packages for Node/JS +16.3 Learning resources +17. Maintaining a good security hygiene +18. Security Vs Usability +19. Back to Square 1: The Security Checklist explained
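Review bot: the inserted entry `+1. [Ecommerce Security CheckList](https://github.com/IamHDT/Ecommerce-Website-Security-CheckList)` at the top of the hunk reuses number 1 while the existing `1. [The Security Checklist](security-checklist.md)` is kept, so the contents list now has two items numbered 1 and none numbered 2; it should be `2.` to line up with the renumbered `+3. [What can go wrong?](what-can-go-wrong.md)` that follows. The renumbering is also incomplete: the context line `7.3 Hashing & One way functions` is left untouched between `+8.2 Encryption` and `+8.4 Hashing speeds cheatsheet` and needs to become `8.3`. As a style point, shifting every chapter number from 2 through 18 (59 deleted lines for one added link, per the diffstat) makes the whole table of contents churn for a single external reference and would leave any cross-references by chapter number elsewhere in the repository stale; consider adding the external checklist as an unnumbered link next to the existing checklist entry, or under the existing `Learning resources` item, so the chapter numbering stays stable.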