Merge pull request #74 from security-alliance/develop
Update from develop
mattaereal authored Sep 30, 2024
2 parents c850f51 + 8e08f62 commit f1368f4
Showing 41 changed files with 230 additions and 79 deletions.
2 changes: 1 addition & 1 deletion src/awareness/README.md
@@ -1,5 +1,5 @@
# Security Awareness
tag: [Security Specialist, Operations & Strategy, Community & Marketing]
tag: [Security Specialist, Operations & Strategy, Community & Marketing, HR]

Security Awareness aims to bring essential information that is relevant to each team. Each team has different needs of security and potential threat actors, and for security awareness to be successful it should be tailored to each team's unique threat landscape.

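Review bot: this hunk introduces `HR` as a tag value, and later hunks in the same PR introduce `Devops`, `Cloud` and `SRE`; none of these values appear in any of the tag lists the PR replaces. If the `tag:` lines are consumed by a filter or site generator with a fixed vocabulary, add the new values there in the same change, otherwise the pages carrying them will silently drop out of the role filters.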
2 changes: 1 addition & 1 deletion src/awareness/security-training.md
@@ -1,6 +1,6 @@
# Security Training

tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, HR]

All team members should receive some type of security training, however how in-depth this training is depends on their specific needs and what type of access they have. It is important to not do this only once, but to keep it as a recurring activity, however a training session does not need to mean sitting down for 60 minutes to look at a power point presentation but rather could be tiny nuggets of relevant information that doesn't take more than a minute to consume each time.

2 changes: 1 addition & 1 deletion src/devsecops/code-signing.md
@@ -1,5 +1,5 @@
# Code Signing
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Code signing ensures that the code has not been tampered with, and verifies the identity of the developer. Here are some best practices that could be followed:

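Review bot: the added tag is spelled `Devops` here and in every other hunk of this PR that adds it, while the existing tags keep their conventional capitalisation (`Engineer/Developer`, and `SRE` later in the PR); the conventional spelling is `DevOps`. Tag matching is most likely case-sensitive, so settle on one spelling in this PR rather than after it has landed in thirty-odd files.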
2 changes: 1 addition & 1 deletion src/devsecops/integrated-development-environments.md
@@ -1,5 +1,5 @@
# Integrated Development Environments (IDEs)
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Integrated Development Environments (IDEs) are essential tools for developers, but they also need to be secured. Consider implementing the following best practices:

2 changes: 1 addition & 1 deletion src/devsecops/repository-hardening.md
@@ -1,5 +1,5 @@
# Repository Hardening
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

If a threat actor obtains access to your repository, it could have very severe consequenses. In order to help avoid this, you could consider implementing the following best practises:

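Review bot: the context line under the tag has two typos, `consequenses` and `practises` (as a noun it is `practices` in both British and American English, and the headings elsewhere in this PR use `Best Practices`). Since the file is already being touched, fix them here: `If a threat actor obtains access to your repository, it could have very severe consequences. In order to help avoid this, you could consider implementing the following best practices:`.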
2 changes: 1 addition & 1 deletion src/devsecops/security-testing.md
@@ -1,5 +1,5 @@
# Security Testing
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, SRE]

Security testing is a crucial part of the DevSecOps process, as it helps identify vulnerabilities early on so that they can be taken care of before they become an issue in production.

2 changes: 1 addition & 1 deletion src/encryption/README.md
@@ -1,5 +1,5 @@
# Encryption
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, Cloud]

Encryption is a fundamental aspect of securing data, ensuring that sensitive information remains confidential and protected from unauthorized access. This section covers various types of encryption and best practices for implementing them effectively.

2 changes: 1 addition & 1 deletion src/encryption/cloud-data-encryption.md
@@ -1,5 +1,5 @@
# Cloud Data Encryption
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, Cloud]

You should consider using the best practices below, in order to ensure that data stored in the cloud
is protected from unauthorized access:
2 changes: 1 addition & 1 deletion src/external-security-reviews/README.md
@@ -1,5 +1,5 @@
# External Security Reviews
tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, Devops]

External security reviews are quite common in web3 when it comes to smart contract audits which are often being done to check if the smart contracts are secure.

3 changes: 1 addition & 2 deletions src/external-security-reviews/preparation.md
@@ -1,6 +1,5 @@
# Preparation

tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, Devops]

A common misconception is that when doing a security review, you can just hand off the written code and let reviewers do their work. This could in theory work, however this would mean that time by reviewers is spent doing things that you could have easily done on your side to make the review more cost effective. Some of the steps you could consider taking before initiating a security review are:

@@ -1,6 +1,6 @@
# Security Policies and Procedures

tag: [Security Specialist, Legal & Compliance, Operations & Strategy]
tag: [Security Specialist, Legal & Compliance, Operations & Strategy, HR]
As part of the external security review, it could be beneficial to also review the internal security policies and procedures as well.
Some of the things that could be relevant to review are:

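Review bot: in this hunk the new `tag:` line runs straight into the body text (`As part of the external security review, ...`) with no blank line between them, unlike every other file in the PR. Unless tooling strips the tag line before rendering, Markdown will fold the tag and the first sentence into one paragraph; add a blank line after the tag line while it is being edited.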
2 changes: 1 addition & 1 deletion src/front-end-web-app/README.md
@@ -1,5 +1,5 @@
# Front-End Web Application Security Best Practices
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Often an overlooked area, but ensuring the security of your front-end web and potential mobile applications is crucial for protecting your users. If the front-end web application is compromised, it could have severe effects on your users as they for example could start interacting with a malicious contract instead of your offical contract.

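Review bot: the context line under the tag has the typo `offical`; since the file is being touched anyway, change it to `official`.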
2 changes: 1 addition & 1 deletion src/front-end-web-app/common-vulnerabilities.md
@@ -1,5 +1,5 @@
# Common Vulnerabilities
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Understanding and mitigating common vulnerabilities is crucial for securing your web and mobile applications. Here are some frequently encountered vulnerabilities:

2 changes: 1 addition & 1 deletion src/governance/compliance-regulatory-requirements.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Compliance with Regulatory Requirements
tag: [Legal & Compliance, Operations & Strategy]
tag: [Operations & Strategy, Legal & Compliance, Devops, HR]

Compliance with regulatory requirements may be essential for your project. Understanding the needs and ensuring the necessary compliance helps protect your project from potential legal penalties.

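Review bot: besides appending `Devops` and `HR`, this hunk swaps the order of the two existing tags (`Legal & Compliance, Operations & Strategy` becomes `Operations & Strategy, Legal & Compliance`), which every other hunk in the PR avoids by only appending. If tag order carries meaning (primary audience first, for instance), say so in the commit message; if not, keep the original order so the diff shows only the intended change.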
2 changes: 1 addition & 1 deletion src/iam/access-management-best-practises.md
@@ -1,5 +1,5 @@
# Access Management Best Practices
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Effective access management involves ensuring that users have the right access, at the right time, and that access is promptly revoked when no longer needed. Implementing access management practices helps prevent unauthorized access, and reduces the risk of insider threats.

2 changes: 1 addition & 1 deletion src/iam/role-based-access-control.md
@@ -1,5 +1,5 @@
# Role-Based Access Control (RBAC)
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Role-Based Access Control (RBAC) is a method of regulating access to systems and data based on the roles assigned to individual users within an project. RBAC ensures that users have the minimum access necessary to perform their job functions, reducing the risk of unauthorized access.

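Review bot: the context line under the tag reads `within an project`; change it to `within a project` while the file is being edited.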
2 changes: 1 addition & 1 deletion src/iam/secure-authentication.md
@@ -1,5 +1,5 @@
# Secure Authentication
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Secure authentication is essential for verifying the identity of team members and ensuring that only authorized individuals have access. By implementing strong authentication mechanisms you can protect your project against unauthorized access and lower the risk for potential security breaches.

3 changes: 2 additions & 1 deletion src/incident-management/README.md
@@ -1,5 +1,6 @@
# Incident Management
tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, Devops, SRE]

Incident management involves preparing for, detecting, responding to, and recovering from security incidents. By thinking about incident management prior to actually experiencing an incident, you can help increase the likelihood of a timely recovery.

## Contents
2 changes: 1 addition & 1 deletion src/incident-management/lessons-learned.md
@@ -1,5 +1,5 @@
# Lessons Learned
tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, Devops, SRE]

Conducting a post-incident review and identifying lessons learned will improve your project's incident response capabilities. By analyzing what went well and what could be improved, you can enhance your readiness for future incidents.

2 changes: 1 addition & 1 deletion src/infrastructure/asset-inventory.md
@@ -1,5 +1,5 @@
# Asset Inventory
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, SRE]

An asset inventory means having information about everything related to your project, meaning for example contracts, hardware, software, cloud providers, dependencies and network components. This is important, as if you don't have awareness of your assets then how are you going to be able to protect them?

2 changes: 1 addition & 1 deletion src/infrastructure/ddos-protection.md
@@ -1,5 +1,5 @@
# DDoS Protection
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE]

Distributed Denial of Service (DDoS) attacks are a pervasive threat that can disrupt your services by overwhelming them with excessive traffic.

2 changes: 1 addition & 1 deletion src/infrastructure/network-security.md
@@ -1,5 +1,5 @@
# Network Security
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE]

Network security is a very wide subject, and the steps you take are significantly dependent on if you're managing your own network, if you're utilizing a cloud provider, or if you're using a service provider. With that said, there are some general best practices to consider:

2 changes: 1 addition & 1 deletion src/infrastructure/operating-system-security.md
@@ -1,5 +1,5 @@
# Operating System Security
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, SRE]

This document outlines some general best practises one should follow with regards to operating system security, however if you're interested in a much more comprehensive guide you could look at [NIST 800-123](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf).

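Review bot: the context line under the tag uses `best practises`; as a noun the word is `practices`, which is also what the page headings in this PR use (`Access Management Best Practices`). Fix it here since the file is already in the diff.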
2 changes: 1 addition & 1 deletion src/operational-security/README.md
@@ -1,5 +1,5 @@
# Operational Security
tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, Devops, SRE]

Operational security, often abbreviated as **OpSec** provides a range of practices and measures designed to safeguard an organization's sensitive information, assets, and operations from unauthorized access, espionage, disruption, or compromise.

2 changes: 1 addition & 1 deletion src/operational-security/g-suite-security.md
@@ -1,5 +1,5 @@
# Google Workspace Security
tag: [Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Google Workspace (formerly G Suite) is a powerful suite of productivity and collaboration tools widely used by projects. A lot of things may depend on Google Workspace, in which case it is important to consider the security of it.

2 changes: 1 addition & 1 deletion src/operational-security/standard-operating-environment.md
@@ -1,5 +1,5 @@
# Standard Operating Environment
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, SRE]

A Standard Operating Environment (SOE) refers to a standardized and controlled computing environment used across a project. It ensures that all devices and systems adhere to the same security policies, configurations, and software versions, thereby reducing vulnerabilities and simplifying management.

2 changes: 1 addition & 1 deletion src/privacy/README.md
@@ -1,4 +1,4 @@
# Privacy
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Privacy is a fundamental aspect of security. Protecting your personal and team's information from unauthorized access and exposure is crucial. This section provides guidelines and resources for maintaining privacy, managing your digital footprint, and utilizing privacy-focused tools and services.
2 changes: 1 addition & 1 deletion src/secure-software-development/README.md
@@ -1,4 +1,4 @@
# Secure Software Development
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Secure software development is the practice of integrating security measures throughout the entire software development lifecycle (SDLC). This approach ensures that software is designed, developed, and maintained with security in mind, protecting against vulnerabilities and threats. This section provides guidelines and best practices for secure software development, including code reviews, secure coding standards, version control, and threat modeling.
@@ -1,5 +1,5 @@
# Secure Code Repositories and Version Control
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Managing secure code repositories and having version control practices helps protect your project from unauthorized access and ensuring the integrity of your project.

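Review bot: the context line under the tag mixes verb forms (`helps protect your project from unauthorized access and ensuring the integrity`); make it `helps protect your project from unauthorized access and ensures the integrity of your project` while the file is being touched.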
2 changes: 1 addition & 1 deletion src/security-automation/compliance-checks.md
@@ -1,5 +1,5 @@
# Compliance Checks
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE]

Automating compliance checks helps projects ensure that they adhere to security policies, standards, and potential regulatory requirements consistently. Automated compliance tools can continuously monitor, assess, and report on the compliance status of systems and applications.

2 changes: 1 addition & 1 deletion src/security-automation/infrastructure-as-code.md
@@ -1,5 +1,5 @@
# Infrastructure as Code
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, Cloud, SRE]

Infrastructure as Code (IaC) is the managing and provisioning computing infrastructure through machine-readable definition files, rather than manual configuration or interactive configuration tools. Automating security within IaC helps ensure that infrastructure is configured securely and consistently.

2 changes: 1 addition & 1 deletion src/security-automation/threat-detection-response.md
@@ -1,5 +1,5 @@
# Threat Detection and Response
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops, SRE]

Threat detection and response is a critical aspect of maintaining the security of your project. It involves identifying potential threats, monitoring for signs of malicious activity, and responding effectively to mitigate any identified risks. By implementing robust threat detection and response strategies, you can protect your project from security breaches and minimize the impact of any incidents that do occur.

2 changes: 1 addition & 1 deletion src/security-testing/README.md
@@ -1,4 +1,4 @@
# Security Testing
tag: [Engineer/Developer, Security Specialist, Operations & Strategy]
tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, SRE]

The objective of Security testing, while most likely impossible, is to ensure that applications and systems are resilient to attacks and free from vulnerabilities. This section covers various security testing methodologies, including dynamic and static application security testing, fuzz testing, and security regression testing.
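Review bot: this PR now tags two pages headed `# Security Testing` (`src/devsecops/security-testing.md` earlier in the diff and this `src/security-testing/README.md`) with different audiences: `Operations & Strategy` is added here but not on the devsecops page. If that is deliberate, fine; otherwise align the two, or cross-link them so readers filtering by role land on both. Separately, the body's `while most likely impossible` undercuts the sentence it sits in; something like `The objective of security testing is to make applications and systems as resilient to attacks as possible; testing can find vulnerabilities but cannot prove their absence.` says the same thing without the aside.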
2 changes: 1 addition & 1 deletion src/supply-chain/README.md
@@ -1,4 +1,4 @@
# Supply Chain Security
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Supply chain security involves managing and securing all the components, dependencies, and processes involved in the development, deployment, and maintenance of software. In the context of blockchain and web3 projects, supply chain security could for example be parts of the web application stack, or external libraries used by the smart contract.
2 changes: 1 addition & 1 deletion src/threat-modeling/identity-mitigate-threats.md
@@ -1,5 +1,5 @@
# Standard Operating Environment
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Identifying and mitigating threats is a crucial part of the threat modeling process. By understanding potential threats and developing strategies to address them, projects can help protect their systems and data from security incidents.

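Review bot: the heading `# Standard Operating Environment` does not match this file (`src/threat-modeling/identity-mitigate-threats.md`) or its body, which is about identifying and mitigating threats; it appears to have been copied from `src/operational-security/standard-operating-environment.md`, which carries the same heading earlier in this PR. Change it to something like `# Identify and Mitigate Threats` in this change. The filename also reads `identity-` where the body says `Identifying`; worth checking whether that is a typo for `identify-`, bearing in mind a rename would need any inbound links updated.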
2 changes: 1 addition & 1 deletion src/user-team-security/security-aware-culture.md
@@ -1,5 +1,5 @@
# Security-Aware Culture
tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, HR]

Fostering a security-aware culture within your project aims to help mitigating security risks and help team members understand the importance of security.

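Review bot: the context line under the tag reads `aims to help mitigating security risks`; change it to `aims to help mitigate security risks` while the file is being edited.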
2 changes: 1 addition & 1 deletion src/user-team-security/security-training.md
@@ -1,5 +1,5 @@
# Security Training
tag: [Security Specialist, Operations & Strategy]
tag: [Security Specialist, Operations & Strategy, HR]

Regular security training helps keep security top-of-mind and reinforces the importance. It will help create the skills necessary to recognize and mitigate security threats to your project.

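Review bot: this is the second `# Security Training` page in the PR (the other is `src/awareness/security-training.md`), and both now receive the identical tag set `[Security Specialist, Operations & Strategy, HR]`, so readers filtering by role will see two pages with the same title; consider consolidating them or cross-linking from each to the other. Also, the context line `reinforces the importance.` is missing its object; `reinforces the importance of security` reads as intended.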
2 changes: 1 addition & 1 deletion src/vulnerability-disclosure/README.md
@@ -1,4 +1,4 @@
# Vulnerability Disclosure
tag: [Engineer/Developer, Security Specialist]
tag: [Engineer/Developer, Security Specialist, Devops]

Vulnerability disclosure is the task that is done after a vulnerability has been identified and fixed, and means to make the vulnerability known to the larger public. Often, a vulnerability disclosure will come after a bug bounty report has been filed and the vulnerability has been corrected, or from a team member that noticed a vulnerability which was then fixed.