• Terms

  • Common Vulnerability Scoring System (CVSS)

  • Forum of Incident Response and Security Teams (FIRST)

  • OWASP

  • OSSTMM

  • Single Sign On (SSO)

  • ISO 27001

  • ISO/IEC 27001:2013 or ISO/IEC 27001:2022 certification

  • Service Organization Control 2 (SOC 2) Type II reports such as SSAE 16 Type II or ISAE 3402 Type II or NIST Cybersecurity Framework

  • Cloud Security Alliance (CSA) Official CCM or CAIQ Security Self-Assessment

  • NIST Artificial Intelligence Risk Management Framework

• OWASP Top Ten

• The Trail of Bits Blog
  • https://github.com/trailofbits/publications

• The Hacker News - Find current threats

• Authz

• SQL Injections

• 2FA

  • https://2fa.directory/us/

• Ockam

  • https://docs.ockam.io/

  • https://github.com/build-trust/ockam

• Create a secure volume

  • Myron → Local → Keys Image - 1pwd

  • ~/Downloads/Personal/sec1.dmg

• https://delve.co/ - compliance standards

• https://www.doppler.com/

• Password Policy

• Classification Policy

• Security Testing Workflow

• https://dexidp.io/ — like keycloak

• https://www.zaproxy.org/

• Articles

  • Scalable Access Control

  • 11 ways to not get hacked

  • Build an intrusion detector

  • pen testing
    • with Metasploit

• Commercial Products

  • Fortify
    • Fortify is a Static Application Security Testing (SAST) tool

  • SonarQube

  • Snyk Code Check

  • DNS cloudflare or Quad9

• https://github.com/goauthentik/authentik

  • https://goauthentik.io/

• Stop deploying WAF

• Password Gen

  openssl rand -base64 2048 > password.file
  # to gen lower-case uuid
  uuidgen |tr '[A-Z]' '[a-z]' |pbcopy

• Secrets Management

  • https://www.doppler.com/

• File encryption

  • https://github.com/mozilla/sops - parts of file

  • https://github.com/FiloSottile/age - file

• Check the email blacklist on the Internet

• Review the apache logs...

  • https://about.censys.io/

  • https://github.com/bi-zone/masscan-ng

  • /.env

  • phpmyadmin

• Security Review

  • burp suite

  • metasploit

  • fail to ban?

• Automated setup

  • https://github.com/notthebee - https://github.com/notthebee/nix-config

• 1password

  • Support

  • hot-keys

• Browser

  • Disable google local network check
    • chrome://flags/ - Local Network Access Checks

• Fail2ban

  • https://github.com/fail2ban/fail2ban/wiki

Documents

• Public Key Infrastructure (PKI)

• AWS Cyber Security Matrix

• PHP_Configuration_Cheat_Sheet

Libraries

• User Auth in Node with Passport

• https://github.com/github/codeql - code scanning

• DeepSource - automated code reviewers

• https://github.com/SonarSource/sonarqube - continuous inspection

• https://github.com/semgrep/semgrep - find bugs

• https://github.com/Bearer/bearer - scanning tool

• Image Scanners

  • https://geekflare.com/container-security-scanners/

• BurpSuite

  • https://portswigger.net/burp/documentation/desktop/penetration-testing

• metasploit

• PKI - Public Key Infrastructure

• arch: Security Form

  • Need to post critical update policy

  • spf and dmark tool

  • monitor admin activity AWS, Google, other

• Commit Hooks to prevent secrets in GIT

  • https://github.com/Yelp/detect-secrets

• Links

  • OWASP

    • OWASP Cheat Sheet Series

    • OWASP

  • DHS

    • https://us-cert.cisa.gov/

    • Reporting

  • FBI Cyber

    • https://www.ic3.gov/

  • NIST

    • Publications

  • FPDI

    • https://www.dhs.gov/publication/st-fpdi-fact-sheet

    • https://foodprotection.umn.edu/

• Contacts

  • https://www.huntress.com/

  • https://www.crowdstrike.com/

  • https://www.trustwave.com/en-us/

  • https://www.fireeye.com/mandiant.html

• Interesting

  • https://blog.assetnote.io/2020/09/15/hacking-on-bug-bounties-for-four-years/

• KeyCloak

  • https://www.keycloak.org/

• SOPS config encryption tool

  • https://github.com/mozilla/sops

  • https://github.com/signageos/vscode-sops

  • https://github.com/ibotta/sopstool

  • Create KMS keys in all accounts and east/west

  • Use release page to install on linux

  • https://github.com/mozilla/sops

  • https://github.com/ibotta/sopstool

• Age Encryption

  • https://github.com/FiloSottile/age

  • Use release page to install on linux

  • https://words.filippo.io/dispatches/age-authentication/

• Open Policy Agent

  • The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack

  • https://github.com/open-policy-agent/opa

• OpenID

  • OpenID Connect

• Oauth

  # gen new key?
  php bin/console --env=dev key:generate:okp --use=sig --alg=EdDSA Ed25519

JWT