Components Security Guides Best Practices - DevClusterAI/DOD-definition GitHub Wiki

Security Best Practices

This guide provides security best practices across various aspects of software development and operations. It offers practical guidance to enhance the security posture of applications and infrastructure.

Purpose

The purpose of this guide is to:

Provide actionable security best practices
Establish a baseline for secure development
Offer guidance beyond minimum requirements
Promote a security-first mindset
Support teams in building secure applications

Authentication Best Practices

Password Security

Use modern password hashing (bcrypt, Argon2) with appropriate work factors
Implement NIST-compliant password policies (no mandatory rotation, allow paste)
Enforce minimum password length (12+ characters) over complexity
Check passwords against breach databases (e.g., "Have I Been Pwned")
Implement secure password reset mechanisms

Multi-Factor Authentication

Offer MFA options (TOTP apps, security keys, push notifications)
Require MFA for administrative accounts and sensitive operations
Implement secure MFA enrollment and recovery
Avoid SMS-based MFA where possible
Use WebAuthn/FIDO2 for phishing-resistant authentication

Session Management

Generate strong, random session identifiers
Store session data securely (encrypted, server-side)
Implement secure cookie attributes (HttpOnly, Secure, SameSite)
Set appropriate session timeouts (balance security vs. usability)
Provide session termination on all pages
Invalidate sessions on security events (password change, suspicious activity)

Authorization Best Practices

Access Control Design

Implement defense in depth with multiple authorization layers
Use the principle of least privilege for all accounts
Design for deny-by-default, explicit grant
Centralize authorization logic
Perform access control checks on the server side
Use role-based or attribute-based access control

API Authorization

Use stateless JWT with appropriate expiration
Include minimal claims in tokens
Implement proper signature validation
Use scoped API tokens for service-to-service calls
Validate all parameters regardless of authorization status
Implement rate limiting and throttling

Secure Administrative Access

Require elevated authentication for administrative functions
Implement just-in-time access for privileged operations
Log all administrative actions
Separate admin interfaces from regular user interfaces
Implement approvals for critical changes

Data Protection Best Practices

Data Classification

Classify data based on sensitivity (public, internal, confidential, restricted)
Apply appropriate controls based on classification
Label data to ensure proper handling
Document data flows across systems
Implement data loss prevention for sensitive classifications

Encryption

Use strong, industry-standard encryption algorithms
Implement TLS 1.2+ for all data in transit
Encrypt sensitive data at rest
Use envelope encryption for keys
Store encryption keys separately from encrypted data
Implement proper key rotation procedures

Data Minimization

Collect only necessary data
Implement appropriate retention policies
Anonymize or pseudonymize where possible
Securely delete data when no longer needed
Minimize exposure of sensitive data in logs and error messages

Secure Coding Best Practices

Input Validation

Validate all input on the server side
Use whitelist validation where possible
Apply context-specific validation (emails, URLs, etc.)
Normalize inputs before validation
Validate content types and file uploads
Reject unexpected or malformed inputs

Output Encoding

Apply context-specific output encoding
Encode HTML, JavaScript, CSS, and URL outputs
Use templating engines with automatic encoding
Implement Content Security Policy (CSP)
Set secure HTTP headers (X-XSS-Protection, X-Content-Type-Options)

SQL Injection Prevention

Use parameterized queries or prepared statements
Apply the principle of least privilege to database accounts
Validate and sanitize all database inputs
Use ORM frameworks correctly
Implement proper error handling to prevent information disclosure

Error Handling

Implement consistent error handling across the application
Return generic error messages to users
Log detailed errors for troubleshooting
Prevent stack traces from being displayed to users
Handle exceptions properly to prevent application crashes

API Security Best Practices

API Design

Use RESTful principles or GraphQL best practices
Implement proper HTTP methods and status codes
Version your APIs
Use standard formats (JSON, XML) with schema validation
Document APIs using OpenAPI/Swagger

API Protection

Implement rate limiting
Use API keys or tokens for authentication
Validate all input parameters
Set appropriate CORS headers
Implement request signing for high-value APIs
Use an API gateway for centralized control

Microservices Security

Implement service-to-service authentication
Use mutual TLS between services
Follow zero-trust networking principles
Isolate services using network policies
Implement proper logging and monitoring

Infrastructure Security Best Practices

Server Hardening

Run services with the least privilege
Disable unnecessary services and ports
Apply security patches promptly
Use SELinux, AppArmor, or similar MAC systems
Implement file integrity monitoring
Remove default accounts and credentials

Container Security

Use minimal base images
Scan containers for vulnerabilities
Run containers as non-root users
Implement read-only file systems where possible
Use network policies to limit container communication
Sign container images

Cloud Security

Follow the shared responsibility model
Use identity and access management (IAM) with least privilege
Enable multi-factor authentication for cloud accounts
Implement infrastructure as code with security guardrails
Monitor cloud resources for misconfigurations
Encrypt data stored in cloud services

Security Monitoring Best Practices

Logging

Log security-relevant events
Include necessary context in logs
Use a consistent logging format
Protect log integrity
Implement centralized log collection
Set appropriate log retention periods

Monitoring and Alerting

Monitor for unusual authentication patterns
Alert on security-relevant events
Implement real-time security alerting
Use anomaly detection where appropriate
Create actionable alerts with clear response procedures

Security Information and Event Management (SIEM)

Aggregate logs from multiple sources
Correlate events across systems
Create dashboards for security visibility
Implement automated response playbooks
Regularly review and tune detection rules

DevSecOps Best Practices

Secure CI/CD Pipeline

Scan code for vulnerabilities in CI/CD pipelines
Verify artifact integrity throughout the pipeline
Implement least privilege for build systems
Scan dependencies for vulnerabilities
Require security gates before deployment

Infrastructure as Code Security

Use security scanning for infrastructure code
Implement policy as code
Store secrets securely, not in code
Apply consistent security configurations
Version control all infrastructure code

Continuous Security Testing

Integrate security testing into the development workflow
Automate security testing where possible
Balance automated and manual security testing
Perform regular penetration testing
Test security controls and monitoring

Mobile Application Security Best Practices

Secure Storage

Minimize storage of sensitive data on device
Use platform-specific secure storage APIs
Encrypt sensitive data before storage
Implement secure backup procedures
Clear sensitive data when no longer needed

Secure Communication

Use certificate pinning for critical endpoints
Implement proper TLS validation
Protect sensitive data over insecure networks
Implement app transport security settings
Verify server certificates

App Permissions

Request minimal permissions
Explain permission requests to users
Gracefully handle permission denial
Request permissions only when needed
Follow platform-specific security guidelines

References

Related Documents