diff --git a/src/awareness/README.md b/src/awareness/README.md index 74fbf43..ac4d278 100644 --- a/src/awareness/README.md +++ b/src/awareness/README.md @@ -1,5 +1,5 @@ # Security Awareness -tag: [Security Specialist, Operations & Strategy, Community & Marketing] +tag: [Security Specialist, Operations & Strategy, Community & Marketing, HR] Security Awareness aims to bring essential information that is relevant to each team. Each team has different needs of security and potential threat actors, and for security awareness to be successful it should be tailored to each team's unique threat landscape. diff --git a/src/awareness/security-training.md b/src/awareness/security-training.md index ebfff59..27989d9 100644 --- a/src/awareness/security-training.md +++ b/src/awareness/security-training.md @@ -1,6 +1,6 @@ # Security Training -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, HR] All team members should receive some type of security training, however how in-depth this training is depends on their specific needs and what type of access they have. It is important to not do this only once, but to keep it as a recurring activity, however a training session does not need to mean sitting down for 60 minutes to look at a power point presentation but rather could be tiny nuggets of relevant information that doesn't take more than a minute to consume each time. diff --git a/src/devsecops/code-signing.md b/src/devsecops/code-signing.md index 8d01396..3a1c500 100644 --- a/src/devsecops/code-signing.md +++ b/src/devsecops/code-signing.md @@ -1,5 +1,5 @@ # Code Signing -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Code signing ensures that the code has not been tampered with, and verifies the identity of the developer. Here are some best practices that could be followed: 
diff --git a/src/devsecops/integrated-development-environments.md b/src/devsecops/integrated-development-environments.md index 1098da0..f9451fe 100644 --- a/src/devsecops/integrated-development-environments.md +++ b/src/devsecops/integrated-development-environments.md @@ -1,5 +1,5 @@ # Integrated Development Environments (IDEs) -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Integrated Development Environments (IDEs) are essential tools for developers, but they also need to be secured. Consider implementing the following best practices: diff --git a/src/devsecops/repository-hardening.md b/src/devsecops/repository-hardening.md index 33161e8..8053ca6 100644 --- a/src/devsecops/repository-hardening.md +++ b/src/devsecops/repository-hardening.md @@ -1,5 +1,5 @@ # Repository Hardening -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] If a threat actor obtains access to your repository, it could have very severe consequenses. In order to help avoid this, you could consider implementing the following best practises: diff --git a/src/devsecops/security-testing.md b/src/devsecops/security-testing.md index 1470efc..7911c90 100644 --- a/src/devsecops/security-testing.md +++ b/src/devsecops/security-testing.md @@ -1,5 +1,5 @@ # Security Testing -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, SRE] Security testing is a crucial part of the DevSecOps process, as it helps identify vulnerabilities early on so that they can be taken care of before they become an issue in production. diff --git a/src/encryption/README.md b/src/encryption/README.md index 504be77..247ef50 100644 --- a/src/encryption/README.md +++ b/src/encryption/README.md 
@@ -1,5 +1,5 @@ # Encryption -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, Cloud] Encryption is a fundamental aspect of securing data, ensuring that sensitive information remains confidential and protected from unauthorized access. This section covers various types of encryption and best practices for implementing them effectively. diff --git a/src/encryption/cloud-data-encryption.md b/src/encryption/cloud-data-encryption.md index 1f5103b..3d476ab 100644 --- a/src/encryption/cloud-data-encryption.md +++ b/src/encryption/cloud-data-encryption.md @@ -1,5 +1,5 @@ # Cloud Data Encryption -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, Cloud] You should consider using the best practices below, in order to ensure that data stored in the cloud is protected from unauthorized access: diff --git a/src/external-security-reviews/README.md b/src/external-security-reviews/README.md index ae3a28b..9e5efe5 100644 --- a/src/external-security-reviews/README.md +++ b/src/external-security-reviews/README.md @@ -1,5 +1,5 @@ # External Security Reviews -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, Devops] External security reviews are quite common in web3 when it comes to smart contract audits which are often being done to check if the smart contracts are secure. diff --git a/src/external-security-reviews/preparation.md b/src/external-security-reviews/preparation.md index 0c1e4a8..007762c 100644 --- a/src/external-security-reviews/preparation.md +++ b/src/external-security-reviews/preparation.md 
@@ -1,6 +1,5 @@ # Preparation - -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, Devops] A common misconception is that when doing a security review, you can just hand off the written code and let reviewers do their work. This could in theory work, however this would mean that time by reviewers is spent doing things that you could have easily done on your side to make the review more cost effective. Some of the steps you could consider taking before initiating a security review are: diff --git a/src/external-security-reviews/security-policies-procedures.md b/src/external-security-reviews/security-policies-procedures.md index d61375a..bf7bacf 100644 --- a/src/external-security-reviews/security-policies-procedures.md +++ b/src/external-security-reviews/security-policies-procedures.md @@ -1,6 +1,6 @@ # Security Policies and Procedures -tag: [Security Specialist, Legal & Compliance, Operations & Strategy] +tag: [Security Specialist, Legal & Compliance, Operations & Strategy, HR] As part of the external security review, it could be beneficial to also review the internal security policies and procedures as well. Some of the things that could be relevant to review are: diff --git a/src/front-end-web-app/README.md b/src/front-end-web-app/README.md index 339ec95..f248c1a 100644 --- a/src/front-end-web-app/README.md +++ b/src/front-end-web-app/README.md @@ -1,5 +1,5 @@ # Front-End Web Application Security Best Practices -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Often an overlooked area, but ensuring the security of your front-end web and potential mobile applications is crucial for protecting your users. If the front-end web application is compromised, it could have severe effects on your users as they for example could start interacting with a malicious contract instead of your offical contract. 
diff --git a/src/front-end-web-app/common-vulnerabilities.md b/src/front-end-web-app/common-vulnerabilities.md index dcc1249..26f50d6 100644 --- a/src/front-end-web-app/common-vulnerabilities.md +++ b/src/front-end-web-app/common-vulnerabilities.md @@ -1,5 +1,5 @@ # Common Vulnerabilities -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Understanding and mitigating common vulnerabilities is crucial for securing your web and mobile applications. Here are some frequently encountered vulnerabilities: diff --git a/src/governance/compliance-regulatory-requirements.md b/src/governance/compliance-regulatory-requirements.md index c02d1e1..8fe534e 100644 --- a/src/governance/compliance-regulatory-requirements.md +++ b/src/governance/compliance-regulatory-requirements.md @@ -1,5 +1,5 @@ # Compliance with Regulatory Requirements -tag: [Legal & Compliance, Operations & Strategy] +tag: [Operations & Strategy, Legal & Compliance, Devops, HR] Compliance with regulatory requirements may be essential for your project. Understanding the needs and ensuring the necessary compliance helps protect your project from potential legal penalties. diff --git a/src/iam/access-management-best-practises.md b/src/iam/access-management-best-practises.md index 3e90d5c..efc1330 100644 --- a/src/iam/access-management-best-practises.md +++ b/src/iam/access-management-best-practises.md @@ -1,5 +1,5 @@ # Access Management Best Practices -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR] Effective access management involves ensuring that users have the right access, at the right time, and that access is promptly revoked when no longer needed. Implementing access management practices helps prevent unauthorized access, and reduces the risk of insider threats. 
diff --git a/src/iam/role-based-access-control.md b/src/iam/role-based-access-control.md index ab51327..a414d96 100644 --- a/src/iam/role-based-access-control.md +++ b/src/iam/role-based-access-control.md @@ -1,5 +1,5 @@ # Role-Based Access Control (RBAC) -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR] Role-Based Access Control (RBAC) is a method of regulating access to systems and data based on the roles assigned to individual users within an project. RBAC ensures that users have the minimum access necessary to perform their job functions, reducing the risk of unauthorized access. diff --git a/src/iam/secure-authentication.md b/src/iam/secure-authentication.md index 8d0af5e..f225bca 100644 --- a/src/iam/secure-authentication.md +++ b/src/iam/secure-authentication.md @@ -1,5 +1,5 @@ # Secure Authentication -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR] Secure authentication is essential for verifying the identity of team members and ensuring that only authorized individuals have access. By implementing strong authentication mechanisms you can protect your project against unauthorized access and lower the risk for potential security breaches. diff --git a/src/incident-management/README.md b/src/incident-management/README.md index 391918a..f4a3129 100644 --- a/src/incident-management/README.md +++ b/src/incident-management/README.md @@ -1,5 +1,6 @@ # Incident Management -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, Devops, SRE] + Incident management involves preparing for, detecting, responding to, and recovering from security incidents. By thinking about incident management prior to actually experiencing an incident, you can help increase the likelihood of a timely recovery. ## Contents 
diff --git a/src/incident-management/lessons-learned.md b/src/incident-management/lessons-learned.md index 8a10112..396cf69 100644 --- a/src/incident-management/lessons-learned.md +++ b/src/incident-management/lessons-learned.md @@ -1,5 +1,5 @@ # Lessons Learned -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, Devops, SRE] Conducting a post-incident review and identifying lessons learned will improve your project's incident response capabilities. By analyzing what went well and what could be improved, you can enhance your readiness for future incidents. diff --git a/src/infrastructure/asset-inventory.md b/src/infrastructure/asset-inventory.md index 085828c..d60af25 100644 --- a/src/infrastructure/asset-inventory.md +++ b/src/infrastructure/asset-inventory.md @@ -1,5 +1,5 @@ # Asset Inventory -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, SRE] An asset inventory means having information about everything related to your project, meaning for example contracts, hardware, software, cloud providers, dependencies and network components. This is important, as if you don't have awareness of your assets then how are you going to be able to protect them? diff --git a/src/infrastructure/ddos-protection.md b/src/infrastructure/ddos-protection.md index 6d60828..667d688 100644 --- a/src/infrastructure/ddos-protection.md +++ b/src/infrastructure/ddos-protection.md @@ -1,5 +1,5 @@ # DDoS Protection -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE] Distributed Denial of Service (DDoS) attacks are a pervasive threat that can disrupt your services by overwhelming them with excessive traffic. diff --git a/src/infrastructure/network-security.md b/src/infrastructure/network-security.md index 0811d8e..b1ada32 100644 --- a/src/infrastructure/network-security.md 
+++ b/src/infrastructure/network-security.md @@ -1,5 +1,5 @@ # Network Security -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE] Network security is a very wide subject, and the steps you take are significantly dependent on if you're managing your own network, if you're utilizing a cloud provider, or if you're using a service provider. With that said, there are some general best practices to consider: diff --git a/src/infrastructure/operating-system-security.md b/src/infrastructure/operating-system-security.md index 46a575f..3698007 100644 --- a/src/infrastructure/operating-system-security.md +++ b/src/infrastructure/operating-system-security.md @@ -1,5 +1,5 @@ # Operating System Security -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, SRE] This document outlines some general best practises one should follow with regards to operating system security, however if you're interested in a much more comprehensive guide you could look at [NIST 800-123](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf). diff --git a/src/operational-security/README.md b/src/operational-security/README.md index 908e5f2..a3998f8 100644 --- a/src/operational-security/README.md +++ b/src/operational-security/README.md @@ -1,5 +1,5 @@ # Operational Security -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, Devops, SRE] Operational security, often abbreviated as **OpSec** provides a range of practices and measures designed to safeguard an organization's sensitive information, assets, and operations from unauthorized access, espionage, disruption, or compromise. diff --git a/src/operational-security/g-suite-security.md b/src/operational-security/g-suite-security.md index e1b46d9..e5d9bdb 100644 
--- a/src/operational-security/g-suite-security.md +++ b/src/operational-security/g-suite-security.md @@ -1,5 +1,5 @@ # Google Workspace Security -tag: [Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR] Google Workspace (formerly G Suite) is a powerful suite of productivity and collaboration tools widely used by projects. A lot of things may depend on Google Workspace, in which case it is important to consider the security of it. diff --git a/src/operational-security/standard-operating-environment.md b/src/operational-security/standard-operating-environment.md index 3624760..b22c7d5 100644 --- a/src/operational-security/standard-operating-environment.md +++ b/src/operational-security/standard-operating-environment.md @@ -1,5 +1,5 @@ # Standard Operating Environment -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, SRE] A Standard Operating Environment (SOE) refers to a standardized and controlled computing environment used across a project. It ensures that all devices and systems adhere to the same security policies, configurations, and software versions, thereby reducing vulnerabilities and simplifying management. diff --git a/src/privacy/README.md b/src/privacy/README.md index d6a8fca..bb1e323 100644 --- a/src/privacy/README.md +++ b/src/privacy/README.md @@ -1,4 +1,4 @@ # Privacy -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Privacy is a fundamental aspect of security. Protecting your personal and team's information from unauthorized access and exposure is crucial. This section provides guidelines and resources for maintaining privacy, managing your digital footprint, and utilizing privacy-focused tools and services. diff --git a/src/secure-software-development/README.md b/src/secure-software-development/README.md index 278fcd3..3d13d9b 100644 
--- a/src/secure-software-development/README.md +++ b/src/secure-software-development/README.md @@ -1,4 +1,4 @@ # Secure Software Development -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Secure software development is the practice of integrating security measures throughout the entire software development lifecycle (SDLC). This approach ensures that software is designed, developed, and maintained with security in mind, protecting against vulnerabilities and threats. This section provides guidelines and best practices for secure software development, including code reviews, secure coding standards, version control, and threat modeling. diff --git a/src/secure-software-development/secure-code-repositories-version-control.md b/src/secure-software-development/secure-code-repositories-version-control.md index 061b3c0..f730fc7 100644 --- a/src/secure-software-development/secure-code-repositories-version-control.md +++ b/src/secure-software-development/secure-code-repositories-version-control.md @@ -1,5 +1,5 @@ # Secure Code Repositories and Version Control -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Managing secure code repositories and having version control practices helps protect your project from unauthorized access and ensuring the integrity of your project. diff --git a/src/security-automation/compliance-checks.md b/src/security-automation/compliance-checks.md index 5dfb7f1..50b7760 100644 --- a/src/security-automation/compliance-checks.md +++ b/src/security-automation/compliance-checks.md 
@@ -1,5 +1,5 @@ # Compliance Checks -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE] Automating compliance checks helps projects ensure that they adhere to security policies, standards, and potential regulatory requirements consistently. Automated compliance tools can continuously monitor, assess, and report on the compliance status of systems and applications. diff --git a/src/security-automation/infrastructure-as-code.md b/src/security-automation/infrastructure-as-code.md index 5dc3ffb..5322fea 100644 --- a/src/security-automation/infrastructure-as-code.md +++ b/src/security-automation/infrastructure-as-code.md @@ -1,5 +1,5 @@ # Infrastructure as Code -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE] Infrastructure as Code (IaC) is the managing and provisioning computing infrastructure through machine-readable definition files, rather than manual configuration or interactive configuration tools. Automating security within IaC helps ensure that infrastructure is configured securely and consistently. diff --git a/src/security-automation/threat-detection-response.md b/src/security-automation/threat-detection-response.md index b9d97cb..202571d 100644 --- a/src/security-automation/threat-detection-response.md +++ b/src/security-automation/threat-detection-response.md @@ -1,5 +1,5 @@ # Threat Detection and Response -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops, SRE] Threat detection and response is a critical aspect of maintaining the security of your project. It involves identifying potential threats, monitoring for signs of malicious activity, and responding effectively to mitigate any identified risks. By implementing robust threat detection and response strategies, you can protect your project from security breaches and minimize the impact of any incidents that do occur. 
diff --git a/src/security-testing/README.md b/src/security-testing/README.md index 3e7ff84..9c95593 100644 --- a/src/security-testing/README.md +++ b/src/security-testing/README.md @@ -1,4 +1,4 @@ # Security Testing -tag: [Engineer/Developer, Security Specialist, Operations & Strategy] +tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, SRE] The objective of Security testing, while most likely impossible, is to ensure that applications and systems are resilient to attacks and free from vulnerabilities. This section covers various security testing methodologies, including dynamic and static application security testing, fuzz testing, and security regression testing. diff --git a/src/supply-chain/README.md b/src/supply-chain/README.md index 2e3f32c..04cad12 100644 --- a/src/supply-chain/README.md +++ b/src/supply-chain/README.md @@ -1,4 +1,4 @@ # Supply Chain Security -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Supply chain security involves managing and securing all the components, dependencies, and processes involved in the development, deployment, and maintenance of software. In the context of blockchain and web3 projects, supply chain security could for example be parts of the web application stack, or external libraries used by the smart contract. diff --git a/src/threat-modeling/identity-mitigate-threats.md b/src/threat-modeling/identity-mitigate-threats.md index 8bcfe5c..fc35ed6 100644 --- a/src/threat-modeling/identity-mitigate-threats.md +++ b/src/threat-modeling/identity-mitigate-threats.md 
@@ -1,5 +1,5 @@ # Standard Operating Environment -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Identifying and mitigating threats is a crucial part of the threat modeling process. By understanding potential threats and developing strategies to address them, projects can help protect their systems and data from security incidents. diff --git a/src/user-team-security/security-aware-culture.md b/src/user-team-security/security-aware-culture.md index 5e712ef..d8c5f06 100644 --- a/src/user-team-security/security-aware-culture.md +++ b/src/user-team-security/security-aware-culture.md @@ -1,5 +1,5 @@ # Security-Aware Culture -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, HR] Fostering a security-aware culture within your project aims to help mitigating security risks and help team members understand the importance of security. diff --git a/src/user-team-security/security-training.md b/src/user-team-security/security-training.md index 3ed197f..cca9244 100644 --- a/src/user-team-security/security-training.md +++ b/src/user-team-security/security-training.md @@ -1,5 +1,5 @@ # Security Training -tag: [Security Specialist, Operations & Strategy] +tag: [Security Specialist, Operations & Strategy, HR] Regular security training helps keep security top-of-mind and reinforces the importance. It will help create the skills necessary to recognize and mitigate security threats to your project. diff --git a/src/vulnerability-disclosure/README.md b/src/vulnerability-disclosure/README.md index cf082a3..65f9bf3 100644 --- a/src/vulnerability-disclosure/README.md +++ b/src/vulnerability-disclosure/README.md 
@@ -1,4 +1,4 @@ # Vulnerability Disclosure -tag: [Engineer/Developer, Security Specialist] +tag: [Engineer/Developer, Security Specialist, Devops] Vulnerability disclosure is the task that is done after a vulnerability has been identified and fixed, and means to make the vulnerability known to the larger public. Often, a vulnerability disclosure will come after a bug bounty report has been filed and the vulnerability has been corrected, or from a team member that noticed a vulnerability which was then fixed.
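Review bot: the new tag values `Devops`, `Cloud`, `SRE` and `HR`, first introduced in the `src/awareness/README.md` hunk and repeated across the patch, are added to the pages only; nothing in the diff registers them wherever the tag vocabulary is defined (site build filter, contributor guide, or the README that lists the audiences). If such a list exists it needs updating in the same change, and the PR description should name it as the source of truth so the next tag addition knows where to go.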
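Review bot: the spelling `Devops`, first added in the `src/devsecops/code-signing.md` hunk and then in every hunk that introduces the tag, is inconsistent with the other new values, which keep their usual capitalisation (`SRE`, `HR`, `Cloud`). Use `DevOps` from the start: tags are almost certainly matched as plain strings, so fixing the case later means touching every one of these files again.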
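Review bot: the `src/external-security-reviews/preparation.md` hunk (`@@ -1,6 +1,5 @@`) removes the blank line between the heading and the `tag:` line, and the `src/incident-management/README.md` hunk (`@@ -1,5 +1,6 @@`) inserts a blank line after the `tag:` line; both are whitespace changes unrelated to the tag additions and they leave the two files with different layouts. Either apply one layout (heading, tag, blank line, body) to every file in this patch or drop the whitespace edits and make them a separate, consistent commit.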
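Review bot: the `src/governance/compliance-regulatory-requirements.md` hunk is the only one that reorders existing tags (`Legal & Compliance` moves behind `Operations & Strategy`) instead of appending to the list, with `-tag: [Legal & Compliance, Operations & Strategy]` becoming `+tag: [Operations & Strategy, Legal & Compliance, Devops, HR]`. If tag order carries meaning (for example, primary audience first) say so in the PR; otherwise keep the original order so the diff is additions only.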
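Review bot: the `src/operational-security/g-suite-security.md` hunk also adds the pre-existing `Engineer/Developer` role, which no other hunk in the patch does; it looks intentional (developers commonly depend on Workspace SSO and mail), but it widens the audience of that page rather than just mapping the new roles, so it deserves a sentence in the PR description or its own commit.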
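Review bot: the `src/threat-modeling/identity-mitigate-threats.md` hunk shows the context heading `# Standard Operating Environment` on a page whose body is about identifying and mitigating threats; the heading was evidently copied from `standard-operating-environment.md` and should be corrected to match the page while this file is being touched. The file name itself reads `identity-mitigate-threats.md` where the content says "Identifying", but renaming would break existing links, so flag that for a separate change with redirects rather than folding it into a tagging PR.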
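Review bot: nit on the `src/devsecops/repository-hardening.md` hunk: the unchanged context line spells "consequenses" and "practises", and the `src/front-end-web-app/README.md` hunk's context has "offical"; since both files are already modified here, fixing those spellings in the same commit costs nothing and avoids a second touch.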