PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Security Principles:
  • Secure Design Principles
  • Securing Workflow:
  • Building Securely:
  • General Principles:
  • Security Tools:
  • Secret Management:
  • Dependency Security:
  • Secure Deployment:
  • Making Security Observable:
  1. DevSecOps

Secure Coding

Security Principles:

  • Do Not Mix Code and Data: Prevent injection attacks.

  • SD3: Secure by Design, Default, Deployment.

  • Minimize Attack Surface: Limit ports, services, privileges, and dynamic content.

  • Employ Secure Defaults: Use safe settings as defaults.

  • Least Privilege and Separation of Privilege: Ensure minimal access rights and separation of roles.

  • Plan for Failure: Design systems to handle failures securely.

  • Fix Security Issues Correctly: Address root causes, not just symptoms.

  • Learn from Mistakes: Continuously improve security practices.

Secure Design Principles

  • Economy of mechanism:

    • Keep the design as simple and small as possible to reduce the chance of errors and vulnerabilities.

  • Fail-safe defaults:

    • Base access decisions on permission rather than exclusion to ensure security by default.

  • Complete mediation:

    • Every access to every object must be checked for authority at the time of access to prevent unauthorized actions.

  • Open design:

    • The design and code should not be secret. The secrecy should be in the data, like passwords or cryptographic keys, to ensure transparency and trust.

  • Separation of privilege:

    • Require multiple conditions to grant access, ensuring it’s safer if two parties need to agree on a decision rather than one alone.

  • Least privilege:

    • Operate with the minimal set of powers necessary to complete a task, reducing potential damage from exploits.

  • Least common mechanism:

    • Minimize the subsystems shared between or relied upon by mutually distrusting users to reduce security risks.

  • Psychological acceptability:

    • Design security systems to be user-friendly to ensure they are used correctly and consistently.

  • Work factor:

    • Compare the cost of circumventing the security mechanism with the resources of a potential attacker to ensure security measures are effective and efficient.

  • Compromise recording:

    • Record that a compromise of information has occurred to detect breaches and respond appropriately.

Securing Workflow:

Principles:

  • Least Privilege: Grant only necessary permissions to users and processes.

  • Defense in Depth: Employ multiple layers of security controls.

  • Background Checks: Verify personnel handling sensitive data.

  • Physical Security: Secure hardware and physical access to systems.

Building Securely:

General Principles:

  • Build engineering as part of software development.

  • Builds are iterative; the first build often fails.

  • Projects should align with established build processes.

Security Tools:

  • SAST (Static Application Security Testing): Analyze source code for vulnerabilities.

  • DAST (Dynamic Application Security Testing): Analyze running applications for vulnerabilities.

  • SCA (Software Composition Analysis): Analyze open-source components for security and license compliance.

Secret Management:

  • Avoid storing secrets in version control.

  • Ensure secure handling of secrets in build logs.

  • Use OAuth, Personal Access Tokens, or Certificates for third-party tool authentication.

  • SSO (Single Sign-On): Uses SAML for secure, attribute-based authentication.

Dependency Security:

  • Regularly scan and update dependencies to mitigate vulnerabilities.

Secure Deployment:

  • Immutable Server: Servers that cannot be changed post-deployment.

  • Containerization:

    • Use containers for isolated, consistent environments.

    • Containers share the host OS kernel; hybrid modes (e.g., Hyper-V Isolation) add security layers.

  • Deployment Tools:

    • Octopus Deploy: Automates and secures deployment processes.

Making Security Observable:

  • Insecurity through Obscurity: Avoid hiding security issues; face and fix them.

  • Logging and Monitoring: Use tools like ELK (Elastic Search, LogStash, Kibana) or Splunk for comprehensive logging and analysis.

Common Insecure Coding Practices:

  • Copy-Paste Code: Avoid reusing insecure code.

  • Hardcoding Credentials: Avoid storing sensitive information like passwords, API keys, database connection strings directly in code.

  • Trusting User Input: Failing to validate or sanitize user input can lead to injection attacks.

  • Inadequate Authentication and Authorization: Weak implementation of auth mechanisms.

  • Insecure Use of Cryptographic Functions: Using outdated or weak cryptographic algorithms or improperly implementing cryptographic functions

  • Insecure Error Handling: Revealing sensitive information in error messages or logs.

  • Insecure Session Management: Using predictable session tokens, not invalidating sessions on logout, or not implementing session timeout mechanisms.

  • Misconfiguration of Security Headers

  • Insecure Deserialization

  • Failing to Apply Patches and Updates

  • Trusting Insecure SSL Certificates: Verify domain match, validity, and trustworthiness of certificates.

PreviousThreat ModelingNextCode Review Examples

Last updated 9 months ago