The Rugged Manifesto

I am rugged and, more importantly, my code is rugged. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security. I recognize these things - and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. I am rugged because I assure my code will support its mission. I am rugged because my code can face these challenges and persist in spite of them. I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

• Fundamentals
• AWS
• Docker and Kubernetes
• MACs
• Notable Literature
• Programming

• predict prevent detect respond
  • https://www.nist.gov/cyberframework/online-learning/five-functions
  • https://www.gartner.com/doc/3286317/using-predict-prevent-detect-respond
• InfoSec
  • security principles
  • CIA triad
  • security classification
  • access control
• GDPR
• threat modeling
  • OWASP on application threat modeling
  • STRIDE
• Secure Software Development Life Cycle
  • Good Security Design Principles
  • OWASP Application Security Verification Standard
  • OWASP OpenSAMM
  • OWASP Comprehesive, Lightweight Application Security Process
  • The Building Security In Maturity Model
  • Microsoft Security Development Lifecycle Practices

• OWASP
• RFC
• CVE security vulnerability database
• National Vulnerability Database
• minimalistic security checklist for B2B software

• https://wiki.gentoo.org/wiki/Project:Auditing

• https://wiki.gentoo.org/wiki/Project:Integrity

• Security 101 for SaaS startups

• AWS Security Best Practices
• CIS Amazon Web Services Foundations
• Navigating GDPR Compliance on AWS
• Amazon S3 Block Public Access -- Another Layer of Protection for Your Accounts and Buckets
• tools:
  • prowler - AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool
  • ScoutSuite - multi-cloud security-auditing tool
  • aws_public_ips - tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account
  • PMapper - script and library for identifying risks in the configuration of IAM in an AWS account
  • awspx - graph-based tool for visualizing effective access and resource relationships within AWS
  • Cartography - consolidates infrastructure assets and the relationships between them in an intuitive graph view
  • aws-key-disabler - Lambda Function that disables AWS IAM User Access Keys after a set amount of time
  • Policy Sentry - IAM Least Privilege Policy Generator, auditor, and analysis database
  • LambdaGuard - AWS Lambda auditing tool
  • Repokid - remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account
  • CFRipper - Library and CLI tool for analysing CloudFormation templates and check them for security compliance
  • Cloud Custodian - rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
  • Cloud Inquisitor - resource ownership, domain hijacking
  • Asecure - web app for generating security-related configs
  • Terraform-aws-secure-baseline - Terraform module to set up your AWS account with the resonably secure configuration baseline
• (AWS re:Invent 2020) Ten easy and effective ways to secure your AWS environment:
  1. Amazon S3 Block Public Access
  2. Use federation - make all your IAM credentials temporary
  3. Collect AWS CloudTrail for your entire AWS organization
  4. Know how to query a CloudTrail
  5. Tag your subnets for scalable control over connectivity
  6. Centrally manage network security with AWS Firewall Manager
  7. Assert network origin in your AWS IAM policies
  8. Use the network to keep your data where you want
  9. Connect to your Amazon EC2 instances without SSH keys: do this aws ssm start-session --target i-01234567 instead of ssh user@host
  10. Monitor DNS from your VPC with Amazon Route 53 Resolver Query Logging

• OWASP Docker Security Cheat Sheet (they also mention Kubernetes)
• A journey to Kubernetes security
• Set up runtime container security monitoring with Falco and Kubernetes - Falco is a cloud-native runtime security system that works with both containers and raw Linux hosts. Falco works by looking at file changes, network activity, the process table, and other data for suspicious behavior and then sending alerts through a pluggable back end.
• Distroless Docker images

• SELinux
  • https://wiki.gentoo.org/wiki/Project:SELinux
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index
  • https://selinuxproject.org/page/Main_Page
• AppArmor
  • https://debian-handbook.info/browse/stable/sect.apparmor.html
  • https://gitlab.com/apparmor/apparmor/wikis/Documentation

• Secure Programming HOWTO
• The Tangled Web: A Guide to Securing Modern Web Applications
• Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks
• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition
• OWASP Application Security Verification Standard

• Secure Programming HOWTO - Creating Secure Software document includes specific guidance for a number of languages, including C, C++, Java, Perl, Python, and Ada95
• SEI CERT Coding Standards coding standards for commonly used programming languages such as C, C++, Java, and Perl, and the Android™ platform
• seccomp
  • https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
• Source Code Analysis Tools