From 73b3d8c88816250f9634deddec5d4058c3a64c23 Mon Sep 17 00:00:00 2001 From: <> Date: Tue, 30 Jul 2024 08:17:51 +0000 Subject: [PATCH] Deployed 88118dc with MkDocs version: 1.6.0 --- guidelines/postman/index.html | 8 +-- search/search_index.json | 2 +- sitemap.xml | 108 +++++++++++++++++----------------- sitemap.xml.gz | Bin 758 -> 758 bytes 4 files changed, 57 insertions(+), 61 deletions(-) diff --git a/guidelines/postman/index.html b/guidelines/postman/index.html index 077618b..86fd672 100644 --- a/guidelines/postman/index.html +++ b/guidelines/postman/index.html @@ -2725,11 +2725,6 @@

Benefits of being logg -Information disclosure -The API being tested has sensitive data in the responses - could be restricted, confidential or personal data - which would automatically be uploaded to the cloud -Understand the data classification of the information in requests and responses, and if unsure, avoid using Postman. When conducting automated testing, ensure that tests are executed against a "synthetic" test environment - - Account takeover / session hijacking The account is breached and malicious actors can log in to Postman using your account Only use your Enterprise Account and SSO, as there are protective and preventive measures in place to avoid/detect malicious actors logging in @@ -2756,6 +2751,7 @@

Benefits of being logg +

Previously we also had an entry regarding Information disclosure, where we highlighted "The API being tested has sensitive data in the responses - could be restricted, confidential or personal data - which could automatically be uploaded to the cloud or being exposed in pipelines" and the recommendation "Understand the data classification of the information in requests and responses, and if unsure, avoid using Postman for these requests. When conducting automated testing, ensure that tests are executed against a "synthetic" test environment". As stated by Postman themselves, currently the responses are NOT synchronized. However, be aware where the requests are being run from and assert that the responses are handled according to their data classification.

Best practices

The automatic synchronization to the cloud imposes both security and regulationary concerns. Following the best practices will mitigate some of those concerns.

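Review bot: The added paragraph in this hunk asserts that "currently the responses are NOT synchronized" "as stated by Postman themselves", but unlike the other Postman behaviour claims on the page it carries no link to the Postman statement and no date or client version; since sync behaviour is exactly what changed in 2023, cite the source so the claim can be re-checked when it changes again. The "synthetic test environment" mitigation that left with the removed Information disclosure rows now survives only as a quoted past recommendation inside one long sentence; keep it as an active best practice (automated tests against synthetic data) rather than as history, and drop the nested double quotes around "synthetic" inside the quoted sentence. While here, "regulationary" in the unchanged paragraph below should read "regulatory".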
@@ -2865,7 +2861,7 @@

Resources to read more on Postman - June 20, 2024 + July 30, 2024 diff --git a/search/search_index.json b/search/search_index.json index a59f9fb..d5e6ac9 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Home","text":"

Welcome to the Equinor AppSec information pages. This site is primarily written by and for the people building and maintaining applications in Equinor, but it can also serve as a resource for others on the topic of application security.

## Guidelines

AppSec related guidelines.

## Security Champion

Information about the Security Champion programme in Equinor. This site will contain guidelines and information for Security Champions.

## Snyk Guidelines

The guidelines contain information related to how to set up Snyk for security scanning of repos, and also other guidelines related to licenses and other topics.

## Threat Modeling

With Threat Modeling being such an important practice in application security, and a focus area for us, this topic got its own tab. Here you can find some information about the subject, as well as information about how to get started and what resources the AppSec team can provide.

## Resources

Some useful resources involving application security.

# Objectives and activities (about/)

## Background - (Why)

Always safe is one of the three pillars in the Equinor strategy. Safety in the digital world includes cyber security. Equinor has many software development teams (internal and partner teams) and we expect the number of DevOps teams to grow. Modern software development adopts all aspects of cloud capabilities, and with that comes increased information security and privacy risk.

The purpose of the AppSec team is to reduce cyber security risk in Equinor's SDLC - Software Development Life Cycle (DevOps teams).

The primary target audience for the team is Equinor's software development community - aka. DevOps teams.

## Main objectives - (How)

## Activities - (What)

# Privacy Policy (about/privacy/)

This site utilizes Application Insights to log information regarding site and page usage. The purpose of the data collection is to assess the impact and reach of the content we create. By using this site, we assume your implicit consent to our privacy policy.

## Information We Collect

## Technical

You can analyze the data collected by using your browser's "developer tools" and examining POST requests to https://northeurope-2.in.applicationinsights.azure.com/v2/track.

For any concerns, please read our security.md.

# AppSec guidelines (guidelines/)

## Equinor AppSec guidelines

This section contains guidelines relevant to anyone writing code in Equinor.

# Authentication and Authorization (guidelines/authn-authz/)

Authentication and Authorization are complex topics. Things are often very context specific. Answers are often not straightforward; there is usually more than one option. In the sections below we give advice on protocols, tools and principles we find helpful.

The scope of this guideline is web applications and APIs.

## Best current practices and guidelines

## Equinor "quirks"

## Training

We have a 2-day workshop on AuthN & AuthZ; it is open source and available at https://github.com/equinor/appsec-fundamentals-authn-authz-cs

# GitHub Actions and Self-Hosted Runners (guidelines/gh-actions-runners/)

The scope of this guideline is to provide generic security advice for GitHub Actions and specific security advice for using self-hosted runners.

(To have a holistic view on security and threats in a system, we recommend that teams have a Threat Model for their Software Development Lifecycle. More information on threat modeling can be found here.)

## GitHub Actions in General

When using GitHub Actions, it is good practice to:

## Using Self-Hosted Runners

When using GitHub Actions with self-hosted runners, it is good practice to:

## The Future, The GH Roadmap

## External 3rd Party Resources

# Git and Github (guidelines/git-github/)

This guideline contains some basic information on the configuration of Git and of user profiles on github.com. Our perspective is security and privacy. The guideline is by no means exhaustive; it is more an introduction to basic configuration and to the relationship between Git and github.com.

Git vs Github.com

Git is a distributed version control system for tracking changes in source code, while GitHub is a platform that hosts Git repositories online. GitHub builds upon Git, offering a centralized place for developers to share and work on code together.

The SCM Policy

The Equinor Developer Portal contains our Source Code Management System Policy. Please make sure you are familiar with the content.

## TLDR;

## Git

For this guideline we use Git from the command line. Be aware that many tools hide the internal mechanics of Git; for those tools most settings are defined within the tool itself.

We assume that git and ssh are installed on your system. We do not cover the installation process, beyond noting that git and ssh, like any other piece of software, must be kept up to date.

The official Git documentation is a good source for authoritative answers and deep dives.

## How Git manages config

Git is dependent on proper configuration to work. Configuration can be read from the command line (using the -c option), environment variables or files. The official guide provides the details.

We usually store Git config in files. Git will read config from multiple locations depending on their availability. The files are read in the order shown below, the last value read will take precedence over values read earlier.

  1. System config (usually /etc/gitconfig)
  2. Config file in home directory (usually $HOME/.gitconfig)
  3. Repository config files ($GITDIR/config)

The config files can be updated manually with a text editor or by using Git.

Git configuration from the command line follows this structure:

    git config [options] section.key value

For the examples below no "scope" is provided, so Git will expect that you are in a Git directory and will work with the repository config file. An error message is given if this is not the case. Use the parameter --system, --global or --local to specify the scope.

Example: setting the user name:

    git config user.name "Peter Pan"

Reading the config looks like this:

    git config --get user.name
    Peter Pan

Removing config looks like this:

    git config --unset user.name

Setting your user name for a global scope would look like this:

    git config --global user.name "Peter Pan"

Tip

Using the command git config --list --show-origin will expand all git config across the different levels.
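As an added example that is not part of the guideline, the following Python resolves the three file levels described above in Git's read order and reports which file supplied the winning value, the way `git config --list --show-origin` does. The gitconfig parser is deliberately minimal (sections, subsections, key = value lines, bare boolean keys and whole-line comments; Git's escape rules and include directives are out of scope), and the file contents and paths are constructed for the illustration, not read from disk.

```python
"""Resolve Git configuration precedence across the system, global and local levels.

Added example, not part of the Equinor guideline: a minimal parser for the
gitconfig file format that reads the levels in Git's order and reports which
file supplied the value that wins. File contents and paths are constructed.
"""
import re

SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_gitconfig(text):
    """Yield (section.key, value) pairs in file order.

    Handles [section] and [section "subsection"] headers, key = value lines,
    bare keys (which Git treats as boolean true) and whole-line comments.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            value = m.group(2)
            value = "true" if value is None else value.strip().strip('"')
            yield f"{section}.{m.group(1).lower()}", value


def resolve(levels):
    """Merge config levels given as (origin_path, text) in Git's read order.

    Returns {key: (value, origin)}; a key seen in a later level overrides the
    earlier one, which is the precedence rule described in the guideline.
    """
    merged = {}
    for origin, text in levels:
        for key, value in parse_gitconfig(text):
            merged[key] = (value, origin)
    return merged


def show_origin(levels):
    """Render the merged config in --show-origin style: file:<path><TAB><key>=<value>."""
    return [f"file:{origin}\t{key}={value}"
            for key, (value, origin) in sorted(resolve(levels).items())]


# Constructed sample files (paths are illustrative; no real files are read).
SYSTEM = """[core]
    autocrlf = false
"""
GLOBAL = """[user]
    name = Peter Pan
    email = peter.pan@example.com
[core]
    autocrlf = true
"""
LOCAL = """# repository-level override for a work identity
[user]
    email = peter.pan@work.example.com
[remote "origin"]
    url = git@github.com:equinor/appsec.git
"""
LEVELS = [("/etc/gitconfig", SYSTEM),
          ("/home/peter/.gitconfig", GLOBAL),
          (".git/config", LOCAL)]

if __name__ == "__main__":
    for line in show_origin(LEVELS):
        print(line)
```

Running the script lists every effective key with the file it came from; `user.email` resolves to the repository value because `.git/config` is read last, while `user.name` still comes from the global file.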

## Recommended generic basic config

This section contains the recommended basic generic configuration for Git.

    git config --global user.name "value"
    git config --global user.email "value"

Additional email privacy

We also recommend that you enable "Keep my email address private" and even "Block command line pushes that expose my email" in the Emails section of your profile on github.com.

## Using SSH with git

Git uses HTTPS or SSH to communicate with github.com. Both alternatives are viable and provide a good level of security. HTTPS assumes the use of a personal access token (PAT) rather than the account password. A short threat model of the two options:

| Threat | SSH (with passphrase-protected keys) | HTTPS (with PATs) |
|---|---|---|
| Interception | Encrypted; MITM attack needed. Passphrases protect keys on disk, but not in transit, since keys aren't transmitted. | Encrypted; susceptible to MITM, but TLS and certificate validation mitigate risks. PATs are used instead of passwords. |
| Impersonation | Theft of private key and passphrase required for impersonation. | Relies on secure storage of PATs. Impersonation possible if a PAT is exposed. |
| Eavesdropping | Encrypted traffic; passphrase adds security at rest, not in transit. | Encrypted traffic; PATs should be securely stored to prevent unauthorized access. |
| Authentication | Strong, with the added layer of passphrase protection for key files. | PATs can be set to expire, limiting the lifespan of access credentials. |
| Configuration | Requires management of key pairs and passphrases; slightly more complex. | Requires management of PATs, including regular rotation and setting appropriate expiration dates. |
| Availability | Direct; less prone to web attacks, but firewalls might block SSH. | High, through standard web ports; PATs can be revoked or expire, requiring renewal for continued access. |
| Key/Token Expiry | SSH keys do not expire by default; requires manual rotation. | PATs can be configured to expire, forcing regular renewal and review of access permissions. |
| Theft of Credentials | Risk mitigated by passphrase encryption of the private key. Physical access or malware required to steal. | Risk of PAT exposure, especially if stored insecurely or transmitted over insecure channels. |
| Least privilege | SSH keys inherit all permissions of the user. No granularity. | PATs can be configured with fine-grained permissions, giving access to all or only specific repos. This can strengthen security, but token management adds complexity. |

Use SSH with Git

We recommend using SSH when Git authenticates and communicates with github.com. Private keys should be passphrase protected.

## Configuring Git to use SSH

The page Connecting to GitHub with SSH in the official GitHub documentation is a good source for detailed information.

The following sections of the guideline contain the usual steps to get started with SSH.

## Generate a new SSH key

Example: creating an SSH key for the Github user larskaare

    ssh-keygen -t ed25519 -f ~/.ssh/github_larskaare_1 -C "Github SSH auth key for machine 1"

You will be asked "Enter passphrase (empty for no passphrase)"; we strongly recommend using a passphrase! Two files are created, one named github_larskaare_1 and one named github_larskaare_1.pub. The file with the .pub extension contains the public part of the key. The file github_larskaare_1 contains the private part of the key, which must be protected and never shared.

Re-using keys?

We advise creating separate SSH keys for separate machines and devices rather than re-using the same key on all of them. This is good security practice in case of compromise: don't have one key to the whole kingdom. A more fine-grained approach also helps when keys are to be revoked or updated. You could also consider using different keys for professional versus personal usage.

Passphrases

Store passphrases in a password manager.

## Configure SSH and adding the key to the key-agent

Adding the generated SSH key to the ssh-agent lets the agent hold the decrypted private key in memory for your session. Adding keys to the agent eliminates the need to repeatedly enter the passphrase.

Follow the official documentation and add the SSH key to the ssh-agent. Be aware of the operating system selector at the top of the page; it gives you instructions for Mac, Windows and Linux. The sections below cover a minimal set-up of how to add the SSH key to the agent. The official version has more details; you can follow either.

## Adding SSH config

SSH uses a config file for its configuration (this file is not used by Git). The user-specific file is usually stored in ~/.ssh/config and should be updated prior to using the SSH key and the ssh-agent. Consult the documentation of your SSH client for details. (Many use OpenSSH, which has good manual pages: OpenSSH Manual Pages.)

An SSH config file with a minimal set-up usually looks like this:

    Host github.com
        AddKeysToAgent yes
        IdentitiesOnly yes
        IdentityFile ~/.ssh/github_larskaare_1

## Adding the private SSH key to the SSH agent

We assume that the ssh-agent is available and running.

The following command will add the private part of the SSH key we generated to the ssh-agent

    ssh-add ~/.ssh/github_larskaare_1

On macOS we would typically add the passphrase to the keychain as well:

    ssh-add --apple-use-keychain ~/.ssh/github_larskaare_1

## Configure github.com to use our SSH key

We now have an SSH key that we can use when communicating with github.com. To be able to use this key with Github we need to upload the public part of the key to github.com:

    cat ~/.ssh/github_larskaare_1.pub

(When testing the connection to github.com, ssh will ask whether the fingerprint of the host key presented by github.com is OK and whether you would like to continue. If you are connecting to github.com, answer "yes". Understanding this trust chain is outside the scope of this guide, but if you want to validate the suggested fingerprint you can compare it with GitHub's published SSH key fingerprints. The known hosts file that is mentioned is ~/.ssh/known_hosts.)

    ssh -T git@github.com

The command should output a message similar to this to indicate success:

    Hi larskaare! You've successfully authenticated, but GitHub does not provide shell access.

## Using Git and SSH with github

At this stage we have SSH configured on both ends. However, how do we tell git to use SSH? You typically do this when cloning a repo or configuring the remote.

    git remote -v

should output the remote name and a URI containing git@github.com:

    origin  git@github.com:equinor/appsec.git (fetch)
    origin  git@github.com:equinor/appsec.git (push)

## Configure the SSH key for usage with Equinor's SSO protected resources

The Equinor organization on github.com is protected behind SSO login. In order for your SSH key to be used with resources in the Github "Equinor" or "Equinor-Playground" organizations you need to authorize the key for SSO in those organizations. The Github documentation gives you all the details.

## Rotating SSH keys

Rotate your SSH keys

Your SSH keys, and passphrases, should be rotated at least yearly. Put a recurring appointment in your calendar for this. The process could be automated, but doing it manually once in a while helps you remember how things work.
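The three hygiene rules in this guideline (passphrase-protect the private key, keep track of when a key was created so it can be rotated yearly, and know its fingerprint) can be checked from the key files themselves. The Python below is an added example, not part of the guideline and not OpenSSH code: it reads the OpenSSH private-key container header to tell whether the key is encrypted, computes the SHA256 fingerprint that `ssh-keygen -lf` prints for the matching .pub line, and parses a "Created on YYYY-MM-DD" marker from the key comment (the comment convention used in the signed-commits guideline). All key material in the block is constructed and is not a usable key.

```python
"""Audit SSH key files for passphrase protection, age and fingerprint.

Added example, not from the Equinor guideline or from OpenSSH. Sample key
material is constructed: the private "key" is only the container header and
the public key is a dummy 32-byte value.
"""
import base64
import hashlib
import re
import struct
from datetime import date

OPENSSH_MAGIC = b"openssh-key-v1\x00"
CREATED_RE = re.compile(r"Created on (\d{4}-\d{2}-\d{2})")
SAMPLE_TODAY = date(2024, 7, 30)   # fixed "today" so the sample run is reproducible


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def private_key_is_encrypted(key_file_text: str) -> bool:
    """True when an OpenSSH-format private key is passphrase protected.

    The container starts with the magic string, then ciphername and kdfname;
    an unprotected key has ciphername "none". Legacy PEM keys are rejected.
    """
    body = "".join(l for l in key_file_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an OpenSSH-format private key")
    cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
    return cipher != b"none"


def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint of a .pub line, in the form `ssh-keygen -lf` shows."""
    _keytype, b64 = pub_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def created_on(pub_line: str):
    """Creation date parsed from the key comment, or None if not recorded."""
    parts = pub_line.split(maxsplit=2)
    m = CREATED_RE.search(parts[2]) if len(parts) == 3 else None
    return date.fromisoformat(m.group(1)) if m else None


def audit_key(name, pub_line, private_key_text, today, max_age_days=365):
    """Return the key's fingerprint plus a list of hygiene findings."""
    findings = []
    if not private_key_is_encrypted(private_key_text):
        findings.append("private key is not passphrase protected")
    created = created_on(pub_line)
    if created is None:
        findings.append("no 'Created on' date in comment; rotation age unknown")
    elif (today - created).days > max_age_days:
        findings.append(f"key is {(today - created).days} days old; rotate it")
    return {"name": name, "fingerprint": fingerprint(pub_line), "findings": findings}


# --- constructed sample material (not real keys) -----------------------------
def make_private_key_file(cipher="none", kdf="none") -> str:
    """Only the container header (magic, ciphername, kdfname), enough for the
    parser above; the remainder of a real key file is omitted."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def make_pub_line(seed: int, comment: str) -> str:
    """An ssh-ed25519 .pub line with a dummy 32-byte public key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for result in (
        audit_key("github_larskaare_1",
                  make_pub_line(1, "Created on 2024-03-01, for larskaare on github.com"),
                  make_private_key_file("aes256-ctr", "bcrypt"), SAMPLE_TODAY),
        audit_key("old_laptop_key",
                  make_pub_line(2, "Created on 2023-01-15, laptop"),
                  make_private_key_file(), SAMPLE_TODAY),
    ):
        print(result)
```

Pointing `audit_key` at real files in ~/.ssh (read the .pub line and the private key text) gives the same report; the fingerprint it prints is the one to compare against the key list in your github.com profile.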

## Github.com

## Basic config for your account

You will find your Github settings at https://github.com/settings/profile.

We recommend the following settings:

## Public profile

## Emails

## Password and authentication

## Codespaces

## Code security and analysis

## Applications

## Security log

## Developer settings

Fine-grained tokens are in beta (March 2024). Don't use beta features for anything production.

## What's next

If you have reached this far - the next natural steps would be to continue the journey with getting your git commits signed

## External resources

# Signed commits (guidelines/git-signed-commits/)

The code from our software configuration management system (SCM) is the starting point for a lot of secure coding practices. Signed Git commits are an essential security practice which provides a layer of verification that helps mitigate several threats. Some of these threats are:

## TLDR;

## Signing methods

The official GitHub documentation on signature verification shows that commits can be signed using GPG, SSH or S/MIME. The three methods have their pros and cons.

| Feature/Aspect | SSH Signing | GPG Signing | S/MIME Signing |
|---|---|---|---|
| Basic Mechanism | Uses SSH keys for both authentication and signing. | Utilizes a public-private key pair specifically for signing. | Uses certificates issued by a Certificate Authority (CA). |
| Identity Verification | SSH public keys are used to verify the signature. | Verification is based on a web of trust or direct key sharing. | Relies on certificates verified and issued by trusted CAs. |
| Infrastructure | Requires SSH key setup; already needed for repository access. | Requires GPG software and management of key pairs. | Requires obtaining and managing a certificate from a CA. Potentially complex PKI. |
| Ease of Setup | Simple for users already using SSH keys for Git operations. | Can be complex due to key generation, management, and sharing. | Varies; obtaining a certificate can be straightforward or complex depending on the provider. |
| Cross-platform Support | Broad support across various platforms and Git tools. | Well-supported, with widespread integration in Git tools. | Support varies; some tools may not support S/MIME directly. |
| Pros | Simplifies workflow by using the same keys for authentication and signing†; integrated into SSH, which is commonly used for secure Git operations. | Decentralized and flexible, with a variety of algorithms and key sizes; well-established in the open-source community. | Trust model is straightforward, based on established CAs; may align with existing certificate-based security practices (e.g., email). |
| Cons | Primarily verifies the commit was pushed by an authenticated user, not necessarily the commit's author; SSH key management is crucial, and compromised keys pose a risk. | Key management and the web of trust model can be complex; requires active key maintenance (revocation, expiration). | Dependent on third-party CAs for issuance and trust; certificates have expiration dates and may incur costs. |

† While reusing the SSH key is a recognized advantage of SSH signing, we recommend against this practice; see below.

Note

We recommend using plain SSH keys (not CA-issued certificates) for signing your git commits. In the future we may switch to a certificate-based approach.

## Configure your local development environment

For this guideline our reference is using Git from the command line.

We assume that Git and SSH are installed on your system.

We assume that you are using SSH to authenticate Git with github.com. Consult our guideline for more information on this topic.

The GitHub documentation on SSH commit signature verification is a good source for detailed information.

## Adding an SSH key for signing

Note

We recommend using different SSH keys for authentication and signing. This adds some complexity, but it gives a more robust set-up with looser coupling between key components of the SDLC.

To create a new SSH key for signing you can use the following command (alter the date manually):

    ssh-keygen -t ed25519 -f ~/.ssh/git_ssh_signing_key_1 -C "Created on <date>, for larskaare on github.com"

This will create an SSH signing key and add a comment on date and purpose. Add a passphrase to the key. Successful key generation outputs the key fingerprint and a randomart image (randomart is a visualisation meant to make it easier to validate keys and spot changes). You can also find more info on SSH keys in our git guideline.

Add the new key to the ssh-agent

    ssh-add ~/.ssh/git_ssh_signing_key_1

## Configure Git to use the SSH key

We will configure the git global settings to use the new SSH key for signing commits locally. Examples assume you created the key as defined above.

    git config --global gpg.format ssh
    git config --global user.signingkey ~/.ssh/git_ssh_signing_key_1.pub
    git config --global commit.gpgsign true

These lines tell git to use SSH for signing commits, where to find the key that should be used, and to always sign commits. If you omit the last line you will have to add the -S parameter to each commit you want to sign.

## Examining the git log

To verify that commits are signed locally you can use the following command:

    git log --show-signature

When you run this command on a newly configured system you may get an error message like error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification. This error will easily be overlooked in the wall of text from the log. In order for git to verify signatures locally you need to add the public keys that are used to sign to a file that Git will use.

We will create the allowed_signers file. Each line has the format "principals key-type key-body", where the principal is typically the signer's email. The key in question is the public key of the SSH key we use to sign our commits.

    git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
    echo $(git config --get user.email) \
         $(cat ~/.ssh/git_ssh_signing_key_1.pub) \
         | awk '{print $1,$2,$3}' >> ~/.ssh/allowed_signers

When this is done you can view the git log and verify the signature.

    git log --show-signature

The git verify-commit command is also available. To verify the commit at HEAD you can use the following command:

    git verify-commit HEAD

Use the verbose parameter to get more information:

    git verify-commit -v HEAD

Tip

You may have noticed that your local git only will show a good signature for your own signed commits. For your local git to show a good signature for other contributing team members you will have to add their public key to your local allowed_signers file. The status on github.com will be correct as it hopefully knows the public keys for the signers.

Tip

We have shown how to sign git commits. You can also sign git tags!
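The allowed_signers entry built with `awk '{print $1,$2,$3}'` above, and the tip about adding team members' keys, both come down to managing that file correctly. The Python below is an added example (not the guideline's and not part of Git or OpenSSH) that builds entries from .pub lines and looks up which principal a key is allowed to sign as. It follows the file format ssh-keygen(1) documents under ALLOWED SIGNERS: `principals [options] keytype base64-key`, options comma-separated. Because Git verifies with the committer email as principal and the namespace "git", each generated entry carries `namespaces="git"`, and an optional `valid-before="YYYYMMDD"` option makes a key stop verifying after its planned rotation date. The keys and email addresses are constructed.

```python
"""Build and query a Git allowed_signers file.

Added example, not from the Equinor guideline. Keys and addresses below are
constructed; the public keys are dummy 32-byte values.
"""
import base64
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def allowed_signers_entry(email, pub_line, valid_before=None):
    """One allowed_signers line from a .pub line.

    The .pub comment is dropped on purpose (the guideline's awk command does
    the same): anything after the key body would otherwise be read as part
    of the entry. valid_before is a YYYYMMDD string.
    """
    keytype, b64 = pub_line.split()[:2]
    options = ['namespaces="git"']
    if valid_before:
        options.append(f'valid-before="{valid_before}"')
    return f"{email} {','.join(options)} {keytype} {b64}"


def parse_allowed_signers(text):
    """Map (keytype, base64-key) -> list of (principals, options).

    Assumes option values contain no whitespace, which holds for the options
    written here.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        principals = fields[0].split(",")
        if fields[1].startswith(KEY_TYPE_PREFIXES):   # entry without options
            options, keytype, b64 = "", fields[1], fields[2]
        else:
            options, keytype, b64 = fields[1], fields[2], fields[3]
        table.setdefault((keytype, b64), []).append((principals, options))
    return table


def principals_for(text, pub_line):
    """Which principals (emails) a given public key is allowed to sign as."""
    keytype, b64 = pub_line.split()[:2]
    return [p for principals, _ in parse_allowed_signers(text).get((keytype, b64), [])
            for p in principals]


def build_team_file(members):
    """members: iterable of (email, pub_line, valid_before_or_None)."""
    return "".join(allowed_signers_entry(e, p, vb) + "\n" for e, p, vb in members)


# --- constructed sample keys ------------------------------------------------
def make_pub_line(seed, comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


ALICE_PUB = make_pub_line(1, "Created on 2024-03-01, for alice on github.com")
BOB_PUB = make_pub_line(2, "Created on 2024-05-10, for bob on github.com")
TEAM = [("alice@example.com", ALICE_PUB, "20250301"),
        ("bob@example.com", BOB_PUB, None)]

if __name__ == "__main__":
    print(build_team_file(TEAM), end="")
```

Writing the output of `build_team_file` to the path configured in `gpg.ssh.allowedSignersFile` is enough for `git log --show-signature` to show "Good signature" for every listed colleague; a key missing from the file, or past its valid-before date, shows as unverifiable locally even though github.com may still mark it Verified.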

## Configure Github

At this stage in the guideline we are able to sign and verify the signature of locally committed changes. If you push your changes to github.com they will get the Unverified status. This indicates that Github has found a signature in the commit but is not able to verify it. You can find more detailed information in the Github docs on About commit signature verification.

This makes sense. Github can not verify our signature, it does not have our public key. Telling Github about the public key we used to sign our commit is the next step.

## Adding public keys

We will add the public part of our SSH key to github.com.

    cat ~/.ssh/git_ssh_signing_key_1.pub

If you now go back and look at the commits on github.com, those that were signed with the new key should have status Verified

If you select the Verified badge you will get information on the signer and the fingerprint of the public key that was used. You can find the fingerprint by looking at the key on your Github profile or by running ssh-keygen with the fingerprint option locally:

    ssh-keygen -lf ~/.ssh/git_ssh_signing_key_1

Tip

Explore Github's Vigilant Mode. It raises the trust level of signed commits yet another notch.

## Branch protection

We recommend that you protect important branches with branch protection rules. This is a feature of Github that requires a Github Team or Github Enterprise account.

The official documentation can be found in Managing protected branches

We recommend the following minimum protection for important branches:

## External resources

# Postman (guidelines/postman/)

Info

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster 🔗.

## TL;DR

¹ For simple usage one can use the Lightweight API Client without any account.

## Changes in 2023

During 2023, Postman announced a change 🔗 in how the solution works, making it mainly "cloud only": they expect every user of the solution to have an account and to be logged in. When using Postman it is crucial to note that being logged in automatically syncs data to the cloud. As a result, users must exercise caution regarding the nature of the data being transmitted. Pay particular attention to the data classification of both the requests and the responses.

## Benefits of being logged in with a user account

Logging in with a user account enables most of the features within Postman, including:

However, the automatic synchronization to the cloud raises both security and regulatory concerns. Here are the results of a simple Threat Model exercise:

| Threat | Description | Mitigation |
|---|---|---|
| Information disclosure | The API being tested has sensitive data in the responses (could be restricted, confidential or personal data) which would automatically be uploaded to the cloud. | Understand the data classification of the information in requests and responses, and if unsure, avoid using Postman. When conducting automated testing, ensure that tests are executed against a "synthetic" test environment. |
| Account takeover / session hijacking | The account is breached and malicious actors can log in to Postman using your account. | Only use your Enterprise Account and SSO, as there are protective and preventive measures in place to avoid/detect malicious actors logging in. |
| Data breach at Postman servers | A malicious actor has obtained data residing on the Postman servers. | Refrain from storing sensitive data that is synchronized with Postman servers, and implement additional controls such as logging and auditing for API logins and secret rotation. |
| Credentials stored unencrypted | Credentials stored in (masked) plain-text fields or in local plain-text files can easily be extracted. | Use proper solutions when handling credentials, like Postman Vault. |
| Sensitive data being exported | Anyone with access to the Workspace (collections) can export/extract it, including any variables and environments within. | Avoid storing sensitive data in collections or environments. |
| Sensitive data exposed | Anyone with access to the Workspace can read environment variables, including masked secrets. | Avoid storing sensitive data in environments and be aware of who can access the Workspace. Export your collections and see what data is exposed. |

## Best practices

The automatic synchronization to the cloud raises both security and regulatory concerns. Following the best practices will mitigate some of those concerns.

"},{"location":"guidelines/postman/#sso","title":"SSO","text":"

Never use a private or non-Equinor account in an Equinor context.

If needing the full feature set of Postman, request access through AccessIT and use SSO for login. Log in either directly in the Desktop Client or through the browser \ud83d\udd17.

This ensures

"},{"location":"guidelines/postman/#avoid-storing-sensitive-data-in-an-insecure-way","title":"Avoid storing sensitive data (in an insecure way)","text":"

If needing to store credentials or other sensitive data, use Postman Vault \ud83d\udd17. Note, data in the Vault is not being synchronized with Postman and anything in it remains local.

If there is no other way than storing sensitive data in the environment, the least one should do is set the type of the variable to \"secret\". This will mask the input.

Be careful

Even though one uses the \"secret\" type in an Environment, the secret is readable in plain-text by anyone who has access to it. If the access of the Workspace is set to Team, anyone in Equinor with a Postman account will be able to read the secret.

Tip

Storing variable values only in the Current value field will ensure that the data is never shared with Postman. For a more comprehensive explanation of the difference between Initial value and Current value, see the Postman documentation \ud83d\udd17.

"},{"location":"guidelines/postman/#postman-vault","title":"Postman Vault","text":"

Postman Vault \ud83d\udd17 is a way of handling sensitive data in Postman without it leaving your local environment. Use the link for a deeper dive into the Postman Vault capabilities. Note that Postman Vault is only available when using the Desktop Client and will not function when using the Web Client (using Postman through the browser). If unsure how to set up and open a Vault, use the link above.

The syntax to use a vault variable is quite similar to how other variables are referenced, but with a prefix of \"vault:\". For example to reference a value called \"MY_SECRET\" stored in the Vault, one would reference it by {{vault:MY_SECRET}}.

Important

Note that you can't set or access vault secrets in scripts \ud83d\udd17.

"},{"location":"guidelines/postman/#do-not-share-collections-uncritically","title":"Do not share collections (uncritically)","text":"

If needing to share collections within the team, ensure proper processes are in place to give and revoke access. Note that collaborators might get access and see any sensitive information in the collections, including any sensitive information either in the Workspace variables or the configured environments.

"},{"location":"guidelines/postman/#set-right-access-on-workspace","title":"Set right access on Workspace","text":"

The default access is \"Everyone from team Equinor\", which makes it visible to everyone in Equinor who has a Postman account. This thus gives everyone access to the entire workspace, including the environments and the secrets within, which might not be desirable.

To change the access of a workspace, go to the workspace \"root page\" and click on the \"Workspace Settings\" button. Under the new page set the \"Who can access this workspace?\" to \"Only invited team members\".

Info

Changing to \"Only invited team members\" imposes additional administrative work, as the administrator of the Workspace needs to onboard and offboard Workspace members manually. Users who are being added to a Workspace would first need an Enterprise Account, which must be requested in AccessIT.

"},{"location":"guidelines/postman/#cicd","title":"CI/CD","text":"

It is possible to run Postman collections automatically in a CI/CD pipeline. One way of achieving this is using the Newman CLI \ud83d\udd17, a CLI tool by Postman.

Assuming

a GitHub Action workflow could look something like:

name: Running API tests\nrun-name: ${{ github.actor }} is testing the API\non: [pull_request]\njobs:\n    api_tests:\n        runs-on: ubuntu-latest\n        steps:\n            - name: Set up Node\n              uses: actions/setup-node@v4\n            - name: Install Newman\n              run: npm install -g newman \n            - name: Run API tests\n              run: newman run \"https://api.getpostman.com/collections/${{collectionID}}?apikey=${{ secrets.POSTMANAPIKEY }}\" --environment \"https://api.getpostman.com/environments/${{ environmentID }}?apikey=${{ secrets.POSTMANAPIKEY }}\"\n\n

Some considerations on this workflow:

"},{"location":"guidelines/postman/#lightweight-api-client","title":"Lightweight API Client","text":"

It is possible to run Postman without logging in or needing an account (without applying for it in AccessIT), which Postman has coined \"Lightweight API Client\".

The previous lightweight API client, based on \"Scratch Pad\", has been discontinued and there is only a single official API Client that can be downloaded from Postman. After downloading and executing the file, there is a choice of Or continue with the lightweight API client. (as of April 2024, this appears as a small text below the login button when starting the application). Running the application in this mode will ensure that everything stays local - nothing is being synchronized to the cloud. However, it will not be possible to use the full set of features Postman provides, and the usage in this mode will be limited to simple manual API testing.

Info

Using the Lightweight client is free and one does not need to apply for access in AccessIT. In many cases this will be sufficient.

"},{"location":"guidelines/postman/#resources-to-read-more-on-postman","title":"Resources to read more on Postman","text":""},{"location":"guidelines/secret-scanning/","title":"Secret Scanning","text":"

As developers, we know that secrets like passwords, API keys, and access tokens are critical to our work. But what happens when these secrets accidentally end up in our code, logs or error messages?

This guideline aims to present relevant tools, some good practices for managing this risk, and what to do when we have messed up. The AppSec team provides a 3 hour hands-on workshop on getting started with secret scanning - https://github.com/equinor/appsec-fundamentals-secret-scanning.

"},{"location":"guidelines/secret-scanning/#recommended-tools","title":"Recommended tools","text":"

Please note that:

(Check out the appsec tools section for more tooling)

"},{"location":"guidelines/secret-scanning/#github-advanced-security-secret-scanning","title":"GitHub Advanced Security: Secret Scanning","text":"

GitHub Advanced Security is integrated into GitHub, providing features like the secret scanning module free for public repositories. This module supports these secret types so far.

"},{"location":"guidelines/secret-scanning/#how-to-turn-it-on-for-your-repository","title":"How to turn it on for your repository","text":""},{"location":"guidelines/secret-scanning/#global-push-protection","title":"Global push protection","text":"

GitHub provides a beta feature that will prevent pushes from you that contain supported secrets across all public repositories.

"},{"location":"guidelines/secret-scanning/#where-to-scan-for-secrets-in-our-sdlc","title":"Where to scan for secrets in our SDLC","text":"

The general idea is to catch secrets in code (and other places) as early as possible. Our recommendation for most teams is:

While you are developing, in your development environment

In your CI pipeline

Other places:

"},{"location":"guidelines/secret-scanning/#what-to-do-when-we-have-messed-up","title":"\ud83e\udd2f What to do when we have messed up \ud83e\udd2f","text":"

We will mess up sooner or later. So be prepared, both as an individual developer and as teams!

"},{"location":"guidelines/secret-scanning/#steps-to-mitigate-a-leak","title":"Steps to mitigate a leak","text":""},{"location":"guidelines/secret-scanning/#cleaning-the-git-history","title":"Cleaning the git history","text":"

This part can be anything from very easy to super hard; it all depends on what, where and when.

"},{"location":"guidelines/secret-scanning/#you-are-working-locally-the-secret-is-in-the-last-commit-not-pushed","title":"You are working locally, the secret is in the last commit, not pushed","text":""},{"location":"guidelines/secret-scanning/#you-are-working-locally-the-secret-is-beyond-the-last-commit","title":"You are working locally, the secret is beyond the last commit","text":"

Then things could get complicated. Git is distributed, so you are not on your own. Rewriting the history could lead to all sorts of issues.

Explore:

You'll also find some guidelines in the github.com docs

Be aware of:

"},{"location":"guidelines/secret-scanning/#how-do-we-manage-secrets-in-our-dev-environments","title":"How do we manage secrets in our dev environments?","text":"

Context matters, a lot. There are many different ways of handling secrets in development environments. The opportunities will depend on the context. We will always have to find a good balance between security and convenience.

"},{"location":"guidelines/secret-scanning/#a-few-known-ways-of-managing-secrets-is","title":"A few known ways of managing secrets are","text":""},{"location":"guidelines/secret-scanning/#a-few-known-controls-could-be","title":"A few known controls could be","text":""},{"location":"guidelines/secret-scanning/#what-we-should-not-do","title":"What we should NOT do","text":""},{"location":"guidelines/FAQ/pre-commit-faq/","title":"Pre-commit","text":"

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. In short it allows for a self-maintained list of checks to be performed before any commit.

"},{"location":"guidelines/FAQ/pre-commit-faq/#how-do-i-install-pre-commit","title":"How do I install pre-commit?","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#prerequisites","title":"Prerequisites","text":"

Pre-commit can be installed in two ways, using Python pip or Homebrew.

"},{"location":"guidelines/FAQ/pre-commit-faq/#python","title":"Python","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#homebrew-maclinux","title":"Homebrew (Mac/Linux)","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#installing-pre-commit","title":"Installing pre-commit","text":"Python: pip install pre-commit. Homebrew: brew install pre-commit.

Once pre-commit is installed you need to set up the git hook scripts by running pre-commit install. Now pre-commit will automatically run on git commit!

"},{"location":"guidelines/FAQ/pre-commit-faq/#note-if-pre-commit-is-not-available-after-install-it-might-be-needed-to-manually-add-it-to-path","title":"NOTE: If pre-commit is not available after install, it might be needed to manually add it to PATH.","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#how-do-i-add-pre-commit-to-my-repository","title":"How do I add pre-commit to my repository?","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#do-i-need-to-setup-pre-commit-for-each-repository","title":"Do I need to setup pre-commit for each repository?","text":"

Yes.

Each repository that uses pre-commit needs to have the .pre-commit-config.yaml file.

"},{"location":"resources/","title":"Resources","text":"

To-Do

We encourage readers of this page to add or edit content.

"},{"location":"resources/#equinor-resources","title":"Equinor Resources","text":""},{"location":"resources/learning-material/","title":"Learning Material","text":""},{"location":"resources/learning-material/#1-portswigger-web-security-academy","title":"1. Portswigger Web Security Academy","text":""},{"location":"resources/security_requirements/","title":"Security Requirements","text":""},{"location":"resources/security_requirements/#why","title":"Why","text":"

Defining your security requirements will help you out when performing various security-related activities. When thinking of what can go wrong and trying to secure your system, having defined what is important to you just makes sense. In addition, it helps in prioritizing security work, e.g. patching vulnerabilities found in Snyk, prioritizing threats as part of Threat Modelling, or when doing Security Testing.

"},{"location":"resources/security_requirements/#what","title":"What","text":"

OWASP Proactive Controls

A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied. Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities. Security requirements define new features or additions to existing features to solve a specific security problem or eliminate a potential vulnerability.

"},{"location":"resources/security_requirements/#how","title":"How","text":"

The first step would be to have a look at the business objectives and the functional requirements. From here you can derive security requirements by asking \"what CAN'T go wrong\" in order to meet these requirements.

A good place to define these requirements would be in the Requirements Document (having everything in one place and all that), and then gradually work towards having automated test cases for them.

Tip

TL;DR

Define Security Requirements

What are some of the things I care about?

(* Take into account confidentiality, integrity and availability.)

Define Compliance Requirements

Are there any special requirements that must be met (Compliance, and/or legal)?

Input:

Output:

"},{"location":"resources/security_testing/","title":"Security Testing","text":""},{"location":"resources/security_testing/#automated","title":"Automated","text":""},{"location":"resources/security_testing/#sast","title":"SAST \u2b1c","text":"

Stands for \"Static Application Security Testing\" (tests that are run against applications that are not running, i.e. code). That means that this activity can take place very early in the SDLC, as it does not require a working application.

SAST is considered a form of White Box Testing.

A SAST tool will report on known vulnerabilities and security misconfigurations in your code. Catching these issues early dramatically decreases the cost of fixing them.

There are different ways of implementing SAST tools in your SDLC: doing periodic full scans of your codebase, and having a linter present in your dev environment (IDE) to catch issues as you code. You should do both.

An example of how to get started:

Scanner: 1. Sign up to Snyk (if you have not already) 2. Import your project, and make sure that \"Snyk Code\" is enabled 3. Review and prioritize the findings

Linter: 1. Download Snyk's IDE plugin for your IDE (usually done from the marketplace) 2. Sign in 3. Review and prioritize the findings as you code

"},{"location":"resources/security_testing/#dast","title":"DAST \u2b1b","text":"

Stands for \"Dynamic Application Security Testing\". Emulating a malicious user by attacking and probing, a DAST-tool will test a running web application to detect vulnerabilities.

DAST is considered a form of Black Box Testing.

As with SAST, there are a lot of tools out there that perform this type of testing.

One noteworthy tool that I can recommend is OWASP ZAP.

An example of how to get started:

Download OWASP ZAP and get familiar with the tool.

Browse your application through the ZAP proxy, run the passive and active crawlers, and see if it finds any vulnerabilities.

Next steps would be to explore the scripting functionality, and look at ZAP Community Scripts repo.

OWASP ZAP is quite versatile, and is well suited for integration with your CI/CD.

"},{"location":"resources/security_testing/#iast","title":"IAST","text":"

Stands for \"Interactive Application Security Testing\". IAST is dynamic and gets its feedback from sensor modules that are included with \u2013 and run in context with the application that is subject to the test.

IAST is considered a form of Grey Box Testing.

As the application is being externally triggered through automated or manual events, the internal instrumentation or sensor modules evaluate the application and report in real-time \u2013 making this an interactive process.

IAST is performed in production or a production-like environment, and in contrast to SAST it will be able to identify vulnerabilities based on the system's behaviour and not only its static codebase. This results in a more holistic approach to evaluating the system. It balances some of the false positives given by other, more static approaches, and evaluates the system in a context determined by configuration, control and data flow, and other characteristics given by the environment where the application is running.

Proper utilization of IAST, e.g. by including it in the CI/CD pipeline, will then be able to \"shift left\" the types of tests that bring information about possible observable runtime vulnerabilities into the development stage.

"},{"location":"resources/security_testing/#rasp","title":"RASP","text":"

Stands for \"Runtime Application Self-Protection\". RASP-enabled systems have the capability to identify and monitor, as well as to actively stop, an attack.

As opposed to simply protecting the application from an external perspective by securing its interfaces (e.g. firewall protection), RASP protects the system by also taking the internal state of the application into evaluation. By establishing protection mechanisms at the application/server layer, RASP-protected systems are less dependent on perimeter-based protection.

As with IAST, the mechanism is enabled by instrumentation embedded in the system. However, while IAST identifies vulnerabilities as part of the testing phase, RASP protects the application from direct attacks at runtime.

"},{"location":"resources/security_testing/#manual","title":"Manual","text":"

Have a look at WSTG

"},{"location":"resources/tools/","title":"Security Tools","text":"

This site is intended for AppSec-related tools for developers. Most tools here should be possible to use by developers and Security Champions with little or no training. We will however include a few expert-level tools for those who want to dive deeper into the topic of security tools.

If you have any tools you would like to include on this list, don't hesitate to add it yourself with a PR, or reach out to us!

"},{"location":"resources/tools/#fundamentals","title":"Fundamentals","text":""},{"location":"resources/tools/#snyk","title":"Snyk","text":"

Snyk is a developer-centric tool for scanning source code and dependencies for known vulnerabilities. Equinor has a Snyk license for all developers, so it's highly recommended for all teams to use.

Check out our Snyk guidelines for how to get started.

"},{"location":"resources/tools/#browser-developer-tools","title":"Browser developer tools","text":"

All major browsers today come with built-in developer tools, which can be opened by pressing CTRL+SHIFT+I or F12.

These built-in tools are quite extensive, and you can get very far in inspecting a web application and peeking into the security in place just by using the tools in your browser. Check Chrome and Firefox for documentation on how to use these tools.

"},{"location":"resources/tools/#intermediate","title":"Intermediate","text":""},{"location":"resources/tools/#owasp-zap","title":"OWASP ZAP","text":"

OWASP ZAP is an open-source web application security scanner. For automation of web scanning, ZAP is a powerful tool for finding vulnerabilities. ZAP is free to use, but Equinor has no support for its usage as of now.

"},{"location":"resources/tools/#burp-suite-community-edition","title":"Burp Suite Community Edition","text":"

Burp Suite is a graphical platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

"},{"location":"resources/tools/#pre-commit-framework","title":"Pre-commit framework","text":"

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Check out our FAQ to get started using pre-commit!

"},{"location":"resources/tools/#expert","title":"Expert","text":""},{"location":"resources/tools/#kali-linux","title":"Kali Linux","text":"

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.

Kali Linux has around 600 penetration-testing tools and is a good starting point for people interested in developing their skills in penetration testing.

Warning

Kali Linux is not officially supported by Equinor, and should not be installed on Equinor-managed PCs. It should only be installed on self-managed devices, and never be connected to the corporate network.

"},{"location":"resources/tools/#links","title":"Links","text":"

A good list of open source tools

"},{"location":"resources/stories/meet_the_appsec_team/","title":"Meet the appsec team","text":""},{"location":"resources/stories/meet_the_appsec_team/#meet-the-equinor-appsec-team","title":"Meet the Equinor AppSec Team","text":""},{"location":"resources/stories/meet_the_appsec_team/#championing-application-security","title":"Championing application security","text":"

How do we build a stronger culture around application security? And how can your team take part in making us more secure? Meet the AppSec team and find out!

Once upon a time, the almighty firewall served as our castle moat. It protected us from any possible threat to our castle walls, or systems and applications if you will, but those days are behind us. Now, we\u2019re headed away from castles and moats and into the cloud.

This means the way we think about security has evolved and requires us to respond.

\u201cAs we move into the cloud and onto the internet, we become much more exposed, and more of the responsibility to keep us secure falls on our developers. Coupled with increasingly complex technologies and a heavy cognitive load, we need to build a culture around security to give our teams the tools and mindset they need.\u201d - Lars K\u00e5re Skj\u00f8restad

Lars K\u00e5re is part of the Application Security (AppSec) team. He explains that while the goal is to have our development teams be cross-functional and long-lived, we\u2019re still not quite there yet. Now, most of our developer teams are smaller units with a few members. It falls to these very members to handle all aspects of development from frontend to backend \u2013 and everything else. As a result, the mindset of \u201csomeone else will probably handle security\u201d can take hold.

To avoid just that and make sure our teams have the help they need, the AppSec team was assembled in 2022.

\u201cFor us, it\u2019s all about enabling our teams to write more secure code and help them build competence in application security. This means we must understand the context of our teams,\u201d Lars K\u00e5re explains.

Currently, the AppSec team totals 6 people split between Bergen and Stavanger.

And for Equinor, the context is an important part to understand. We don\u2019t have thousands of developers working on a couple of applications, we have thousands of developers working on hundreds of applications.

\u201cA one-size solution is just not feasible for a context like ours. To make sure that we\u2019re able to maintain secure applications, we need to understand what our teams need and want. We\u2019re here to serve our community of developers and help them develop more secure applications,\u201d Lars K\u00e5re says.

\u201cBut ultimately, our goal is that our team won\u2019t be around at all in a couple of years \u2013 because security has become such an ingrained part of all our work that we\u2019re no longer needed,\u201d he adds.

So, how do you go about building this culture and making yourself obsolete? Some of the first steps along the way are recruiting security champions, focusing on open source vulnerability management and threat modeling. Let\u2019s find out more!

"},{"location":"resources/stories/meet_the_appsec_team/#benefit-from-a-collective-of-knowledge","title":"Benefit from a collective of knowledge","text":"

With so many developers spread across all these teams, you need a direct line to each and every one of them for a culture to truly spread. One way of doing that is by building a network of security champions \u2013 people with a keen interest in learning more and championing security in their team.

\u201cBeing a security champion doesn\u2019t mean you\u2019re \u2018Head of Security\u2019 for your team. It means you\u2019re interested in, want to learn more about security and be someone who champions that work in your team.\u201d - Kristian Reed

Just a month into the network\u2019s lifespan they already have more than 140 members, with numbers growing each week. The network officially kicked off with an in-person gathering in Stavanger, where we hosted a Capture the Flag (CTF) competition and community building.

The network also hosts a variety of events; from weekly virtual coffees to monthly seminars on relevant topics. But the heart of everything the network and the AppSec team do is the Slack channel.

\u201cWe wanted to create a place where our champions can benefit from the collective knowledge of the entire network and somewhere people could ask for help when they had any questions. Slack was the natural choice to do so,\u201d Kristian says.

In September 2022, the Security Champion Network kicked off. More than 40 Security Champions gathered in Stavanger for the kickoff.

Security champion networks are no brand-new concept. NAV, the Norwegian Labor and Welfare Administration, NRK, Telenor, Finn.no and the Norwegian Police all have their own security champions network. There\u2019s also a Norwegian security champions network Slack-community, with participants from a variety of companies, available for anyone who speaks Norwegian.

And all the information on the AppSec GitHub is available to the world \u2013 inspired by NAV\u2019s own approach.

\u201cSharing our knowledge and competence with the world outside of Equinor is just as important as sharing it with our colleagues. If we can help build a community focused around security, we\u2019ll benefit from that in the end,\u201d Kristian says.

The Equinor Security Champion Network"},{"location":"resources/stories/meet_the_appsec_team/#understanding-how-to-help","title":"Understanding how to help","text":"

Together with Kristian, Ipsita Mishra also runs the security champion network. Her experience was that people were rarely all that interested in security. Many considered it \u2018someone else\u2019s responsibility\u2019, but it was the other way around in Equinor:

\u201cAfter we got our first couple of members, the response was overwhelming. We didn\u2019t expect that so many people would be interested in security, nor that they would be so knowledgeable from the start. I think Equinor\u2019s emphasis on safety might have something to do with that.\u201d - Ipsita Mishra

\u201cWhat we\u2019ve started with is getting teams to interact, talk about issues, and do it in a constructive way. This hopefully means we can have progress come out of the conversation and put that into action later,\u201d Ipsita explains.

Getting people to come together is no simple task, but it\u2019s one they\u2019ve already made great progress on with the network. The next step is to find out what direction to take it further in - and create a platform where people can learn and get value from together with the rest of the community.

\u201cWe\u2019re still a young team, so we\u2019re focusing on trying to understand how we can help people improve their processes and help teams be in a better place. Either through talking to teams and advising them when needed or through introducing people to the tools and software we use,\" Ipsita explains.

"},{"location":"resources/stories/meet_the_appsec_team/#automate-scanning-your-code","title":"Automate scanning your code","text":"

In recent years there has been a solid increase in malicious attacks through third-party dependencies. Just about all of Equinor\u2019s software development projects contain open source components, and manually keeping up to date on potential security breaches in all of them would be an impossible task. Luckily, Snyk now automates that job.

\u201cSnyk lets us scan all the dependencies in a project for vulnerabilities or malware. Thanks to this, we have an overview of all the possible vulnerabilities in our projects,\u201d Petter Moe Kvalvaag says.

How each team uses the tool in their daily work is up to them to decide, but the most common approach is to tell the tool where your code and GitHub repo are.

\u201cSnyk will automatically and continuously scan your code and give you an overview of your status; how many vulnerabilities you have, what they are and what you need to do. Snyk can make a developer's life much easier and can even create pull requests automatically for you.\u201d - Petter Moe Kvalvaag

Together with Ipsita, Petter has been running onboarding sessions and workshops to help spread the word of Snyk to the developer community. They\u2019ve also spent time working on a backend solution for Snyk that will help give us even better reporting capabilities.

\u201cSince Snyk itself has limited reporting capabilities, we\u2019ve had to make our own way around it. We\u2019ve used their API, imported vulnerability data into our own database and created visualizations based on this,\u201d Petter explains.

Petter works with vulnerability management as part of the AppSec-team. Benjamin focuses on threat modelling.

But why bother with a workaround to visualize data, you might ask? To be able to take an analytical approach and see a bigger picture \u2013 of course!

\u201cThis could let us see that many different teams are facing the same problem, for example vulnerabilities with Docker Images. We could then help the teams find each other to discuss their problems, but we could also target this issue specifically and provide workshops or training to help solve it. This means we can help the community as a whole,\u201d Petter says.

\u201cGetting to work with taking an analytical and data-driven approach to the work is really interesting \u2013 and very motivating. Not only are we able to find potential problems, but we can also use the data to see if what we did helped or not.\u201d - Petter Moe Kvalvaag

\u201cOnce we have identified an issue and launched an initiative to mitigate it, we're able to see in retrospect how effective our initiative was. This helps us find the most effective way to reach out and assist the teams in the future,\u201d Ipsita explains.

"},{"location":"resources/stories/meet_the_appsec_team/#why-you-should-prepare-for-an-attack","title":"Why you should prepare for an attack","text":"

Knowing what weaknesses you have is one thing, but you should also plan for someone to exploit them right from the start. Welcome to the world of threat modeling. Simply put, it means identifying and discussing the possible threats and weaknesses to your system.

\u201cThere are many different methods to do threat modeling, but what they all have in common is that you draw up a diagram of your system. Then, you use this to think of ways that someone could attack your system \u2013 and how to prevent or deal with it. You need to think like an attacker to identify your weaknesses. It\u2019s a big clich\u00e9 but it\u2019s incredibly efficient.\u201d - Benjamin L\u00f8kling Randeberg

The team even hosted a threat modeling workshop at EDC 2022, which acts as the foundation for future workshops for threat modeling. So far, they\u2019ve introduced several teams to the concept and are hoping to add even more in the future.

\u201cWe\u2019re hosting an in-person workshop, but we\u2019re also following up on the teams in the months after their introduction. This makes sure we can help them with any questions, build upon anything they find and help them become even more secure \u2013 based on their team\u2019s context. We really hope threat modeling is something people will adapt, because it\u2019s such a great tool to have,\u201d Benjamin explains.

What kind of team would the AppSec team be without their own merch? What else is there to do when a colleague has a question than to bust out the good old whiteboard?"},{"location":"resources/stories/meet_the_appsec_team/#learn-and-consider-how-things-work","title":"Learn and consider how things work","text":"

We\u2019ve heard about what the team does, but what is it like to work in the AppSec team? Being part of an enabler team, whose aim is to enable others to be better, can feel quite different from a regular development team.

\u201cBeing part of a team that also aims to build a wider culture in the community is new to me, and even though we\u2019re still new it\u2019s really inspiring to see the effect of the work we\u2019re doing,\u201d Petter explains.

Working with security is just like working with technology in general \u2013 to keep up you need an eagerness to learn and keep up with what\u2019s new. You also get to understand and explore the bigger picture:

\u201cWorking in security means not only do you get to learn how everything works, but you also get to think about how someone could exploit things. Together, you get an all-round view of what you can do with different things. It\u2019s not just software either, it\u2019s hardware or gadgets too. This combination is what makes it so incredibly interesting. You get to do new things every day and learn new things every day.\u201d - Ipsita Mishra

You\u2019ll get to learn a lot, but you\u2019ll also get to be a teacher in order to spread the good word of application security \u2013 for example at internal conferences and workshops. But the gospel of AppSec stretches outside of Equinor as well: Lars K\u00e5re even held a presentation at Defcon in Las Vegas of 2022.

\u201cBeing part of a team with people who are all so dedicated to and interested in the world of AppSec is really exciting. I get to do what I\u2019m interested in, I get to learn \u2013 both on my own and through the team \u2013 and the purpose is to make all our teams\u2019 security better,\u201d Benjamin smiles.

As a newly started team, they\u2019re still charting the course for the future.

\u201cWe have a lot of freedom to shape the future ourselves and decide the tasks we want to take on. That played a big part in my motivation to join, and still does,\u201d Kristian says.

\u201cAnd we\u2019re always open to suggestions and are looking to expand the team, so keep an eye out in the future if you would like to join us. Or get in touch directly,\u201d Kristian smiles.

Only time will show if the AppSec team are successful in building a culture around security in our developer community. We\u2019ll be sure to get back to them in a while to get an update on they\u2019re doing.

"},{"location":"resources/stories/meet_the_appsec_team/#people","title":"People","text":"Lars K\u00e5re Skj\u00f8restad Kristian Reed Benjamin L\u00f8kling Randeberg Ipsita Mishra Petter Moe Kvalvaag Andrea Brambilla

Story, text and photographs: Torstein Lund Eik. Published January 2023

"},{"location":"security-champion/","title":"What is a Security Champion","text":"

You are probably wondering what a Security Champion is in Equinor context and what you can expect if you join? Well then you are on the right track.

A Security Champion in our context is a person who has a interest in security and want to expand on this interest. The Security Champions Network (SCN) is a network where people and security is in the center.

Info

You do not need to have any security knowledge to join, but the eagerness to learn and share

"},{"location":"security-champion/#what-do-we-expect-from-you","title":"What do we expect from you?","text":"

Info

A Security Champion is the voice of security, and security is a team effort.

You as a champion are the heart of this network. We know time might be tight, but we greatly appreciate all participation.

"},{"location":"security-champion/#what-can-you-expect","title":"What can you expect?","text":""},{"location":"security-champion/#how-to-become-a-security-champion","title":"How to become a Security Champion?","text":"

Becoming a Security Champion is as easy as filling out this form.

"},{"location":"security-champion/#questions","title":"Questions?","text":"

Try checking out our FAQ.

"},{"location":"security-champion/1-new_security_champion/","title":"I've joined, now what?","text":""},{"location":"security-champion/1-new_security_champion/#welcome-young-padawan","title":"Welcome young padawan","text":"

This is where the fun begins.

Here's a puzzle for you :

Get your gift by decoding this challenge - https://forms.microsoft.com/r/cLRPzRtPGQ

"},{"location":"security-champion/1-new_security_champion/#add-security-champion-events-to-your-calendar","title":"Add Security Champion events to your calendar","text":"

To check all events, and add them to your own calendar, go to your outlook calendar and select the Security Champion Calendar from group calendars:

Note: This option might not be available on Mac, if that is your case, another option is to use outlook through connectit to add the events.

You can also find a calendar of events on SharePoint

"},{"location":"security-champion/1-new_security_champion/#relevant-slack-channels","title":"Relevant Slack channels","text":"

Info

#AppSec Most general information should be posted here so everyone in Equinor has access to it and can participate! Dropping a @appsecteam in this channel will get our attention immediately.

"},{"location":"security-champion/1-new_security_champion/#relevant-events","title":"Relevant events","text":""},{"location":"security-champion/2-security_champion_activities/","title":"Security Champion Activities \ud83e\uddb8\u200d\u2640\ufe0f","text":""},{"location":"security-champion/2-security_champion_activities/#introduce-yourself","title":"Introduce yourself","text":"

Say hello in the Security Champion channel \ud83d\udc4b Always fun to meet new champions.

"},{"location":"security-champion/2-security_champion_activities/#ensure-that-all-your-code-is-being-scanned-by-sast","title":"Ensure that all your code is being scanned by SAST","text":"

Ensure all your projects code is scanned by Snyk, and that you have Snyk Code enabled for your projects. Using a linter is always good when you develop!

"},{"location":"security-champion/2-security_champion_activities/#define-security-requirements","title":"Define security requirements","text":"

Have a look at our security requirements page and define some for your project.

"},{"location":"security-champion/2-security_champion_activities/#check-out-our-guidelines","title":"Check out our guidelines","text":"

We have created a few guidelines. Please check them out and consider implementing them in your projects where it makes sense.

Info

Feedback is good, so if you have any, feel free to contact us, or even create a PR on our github repo!

"},{"location":"security-champion/2-security_champion_activities/#threat-modelling-activities","title":"Threat Modelling activities","text":"

We can organize introductory sessions to threat modelling, simply reach out to the @appsecteam on our Slack channel #appsec.

"},{"location":"security-champion/2-security_champion_activities/#contribute-to-this-site","title":"Contribute to this site","text":"

As of now, a lot of the content on this site is written by the AppSec-team. This site is meant to be a resource for the Security Champion community, and thus contribution from the community is crucial for making this site useful.

If you have anything to share that you think will be useful for others, don't hesitate. Same goes for editing the content that already exists.

Just go to our github-repo and make a PR. Pro tip: You can use Visual Studio Code directly from your browser by pressing \".\" when you are on a page. Contributing has never been easier!

"},{"location":"security-champion/2-security_champion_activities/#have-the-team-work-through-the-owasp-juice-shop","title":"Have the team work through the OWASP Juice Shop","text":"

OWASP JuiceShop is a great resource for security training and getting familiar with OWASP Top Ten. There are many ways to utilize this project for training, with some of them being:

"},{"location":"security-champion/2-security_champion_activities/#check-out-the-owasp-asvs","title":"Check out the OWASP ASVS","text":"

OWASP ASVS is a collection of web application technical security controls and requirements. Have a look and see if this makes sense to use for your project :)

"},{"location":"security-champion/2-security_champion_activities/#manually-security-test-your-application","title":"Manually security test your application","text":"

Have a look at WSTG.

"},{"location":"security-champion/3-faq/","title":"Frequently Asked Questions \u2753","text":""},{"location":"security-champion/3-faq/#do-i-have-to-be-a-security-expert-to-be-a-security-champion","title":"Do I have to be a security expert to be a Security Champion?","text":"

Absolutely not! This is a initiative for people to learn more about security and generate a network for people to share experiences and competence.

"},{"location":"security-champion/3-faq/#who-can-become-a-security-champion","title":"Who can become a Security Champion?","text":"

Everyone who considers themselves part of a development team can become a Security Champion. If you are a developer, ux-designer, tester, citizen developer or anything in-between, you are welcome to join. There is no requirement to be an Equinor employee to join, we invite consultants as well!

"},{"location":"security-champion/3-faq/#does-being-a-security-champion-result-in-a-lot-of-extra-work","title":"Does being a Security Champion result in a lot of extra work?","text":"

It depends on what you want to do. It can be everything from just informing the team about security related issues/questions you hear about in the network, to facilitating regular threat modelling sessions, or implementing Snyk in your pipelines, and a ton of other activities one can do. There are events organized by the network one can attend; e.g. weekly \"morning coffee\" and monthly seminars (both can be joined digitally).

"},{"location":"security-champion/3-faq/#am-i-required-to-contributehave-talks-in-the-network","title":"Am I required to contribute/have talks in the network?","text":"

No, but we highly recommend everyone on sharing. It might also be that you hear about a problem or solution from a team member or co-worker that can be shared. Asking questions is also contributing!

"},{"location":"security-champion/3-faq/#i-dont-know-anything-thats-worth-sharing","title":"I don't know anything that's worth sharing","text":"

Are you sure? Everyone knows something, and how you apply certain tools or how you've implemented security testing could be very interesting! The Impostor syndrome is real, and we need to combat it.

"},{"location":"security-champion/3-faq/#i-have-a-story-i-want-to-share","title":"I have a story I want to share","text":"

Awesome! We want to hear about what you did. Reach out to the AppSec team on Slack after reading the stories page. Maybe we will award this with unique merch as well?

Even if it was something \"bad\" you discovered in your project, why not share? It's important to highlight the issues we have as well as the good, as everything can be used to learn from.

"},{"location":"security-champion/3-faq/#so-i-joined-what-now","title":"So I joined, what now?","text":"

Check out what you can do in the activities section.

"},{"location":"security-champion/3-faq/#i-want-to-attend-one-of-the-security-champion-events-meetups-do-you-provide-a-wbs-for-hours-and-travel-expenses","title":"I want to attend one of the Security Champion events / meetups. Do you provide a WBS for hours and travel expenses?","text":"

The Security Champion initiative is a network we invite IT professionals to join and share experiences. Members need to ask their project managers or line leaders for approval to travel and spend time on the network.

"},{"location":"security-champion/3-faq/#i-dont-have-enough-time-to-spend-on-security-related-work","title":"I don't have enough time to spend on security related work","text":"

If you feel like the team do not get the needed time to work on security, please reach out to the AppSec team on Slack. We can help convey the importance and help highlight risk in your team.

"},{"location":"security-champion/3-faq/#can-we-have-more-security-champions-in-our-team","title":"Can we have more Security Champions in our team?","text":"

Ideally, each development team should have one or more team-members who takes on the role of Security Champion. If you are unsure if you have too many, don't hesitate in reaching out to ask.

Remember that it is the entire team that is responsible for the security of applications in the team's portfolio. The Security champions will support the team, but not bear any extended responsibility.

"},{"location":"security-champion/3-faq/#how-can-sign-up-to-become-a-security-champion","title":"How can sign up to become a Security Champion?","text":"

Use this form to sign up!

"},{"location":"security-champion/3-faq/#any-more-questions","title":"Any more questions?","text":"

Please reach out to us on Slack, #appsec / #security-champion or email at appsec[at]equinor.com.

"},{"location":"security-champion/4-learning-platform/","title":"Secure Code Learning platform","text":"

We are testing out a secure coding learning platform. You as a champion are a perfect match, and that is why you get special merch by learning!

"},{"location":"security-champion/4-learning-platform/#what-can-you-expect","title":"What can you expect?","text":"

Info

You can gain unique merch based on your belt level!

There is a wide arrangement of subjects, and you can do them all if you wish! So there are tracks for:

Use this form to sign up for it! Happy learning!

"},{"location":"security-champion/4-learning-platform/#belt-system","title":"Belt system","text":"

We are launching a new belt system with this learning platform. There are 5 belts you can achieve, where White, Yellow, and Green belt are achievable from only learning through the platform. More on the merch you can get from the different belts here. The brown and black belts are something special. They require you to complete activities that give back to the Security Champion network.

The brown and black belts are special and require you to complete activities normally in the Security Champion network.

You report this by using the \"Champion passport\", add your activity, select 1 in hour slot, and comment on what you did, and when you did it. We will then go through and double-check the activity, and if everything is A-OK, you get the activity successfully registered!

"},{"location":"security-champion/4-learning-platform/#activities","title":"Activities","text":"

Please help contribute with useful activities that make sense in Equinor context for Equinor Security Champions. The list below might change based on your feedback.

Note

The list of activities might change based on your feedback.

"},{"location":"security-champion/5-merch/","title":"Merchandise","text":"

Merch is an important tool in building a security culture. We need to be visible, both the AppSec team and our champions to raise awareness to security. We also want to make being a Security Champion something to be proud of, and we are leveraging merch as one of the tools in order to manage this.

As SCN age, we will have different merch come and go. Below we have a record of some of the selections we have given out. Some of them are out of stock, some are in stock, you never know! Should we get keep inventory? Probably...

"},{"location":"security-champion/5-merch/#how-to-get-merch","title":"How to get merch","text":""},{"location":"security-champion/5-merch/#merch-for-belts","title":"Merch for belts","text":"

Since we are launching a new belt system connected to the secure coding platform, we need fresh merch! Below is a list of what you can get at the different belt systems. The items will be shipped via mail unless you can pick it up in the building (Forus \u00d8st).

Note

Merch will \"build up\" and be shipped in bulk, normally every 2/3 belt levels in order to avoid too much shipping work.

"},{"location":"security-champion/6-offboarding/","title":"Offboarding for Security Champions","text":""},{"location":"security-champion/6-offboarding/#sad-to-see-you-go","title":"Sad to see you go","text":"

We are all busy people in a busy time. If you feel the need to leave the Security Champion Network, then it's all good. Circumstances change, and you are free to use this offboarding form to automagically leave.

If you have someone that is interested in taking over the role for you, please point them to the champions onboarding section.

Though you may leave the network, we hope the learnings from the network stay with you forever. You are always welcome back at a later time!

"},{"location":"security-champion/7-about/","title":"About the network","text":"

The Security Champion Network is intended to be a community for Security Champions in Equinor. Software development over the last years has rapidly evolved from big development teams consisting of dozens of developers to smaller autonomous teams where we are today. With greater responsibility of the whole lifecycle of applications, modern DevOps teams are also expected to handle security.

This network was born to facilitate security awareness and competence building in DevOps teams. These are necessary ingredients for successfully shifting security left. It is a place where teams can safely exchange experiences - both good and bad, and hopefully learn from each others. The end goal is for the Security Champion Network to become Equinor's powerhouse for application security.

"},{"location":"security-champion/7-about/#desired-outcome","title":"Desired outcome","text":"

Create a lively community for people working with Application Security in Equinor. Knowledge is shared across teams, and we are then able to scale security in a more impactful way.

"},{"location":"security-champion/7-about/#activities","title":"Activities","text":"

Please check our event site for info about upcoming and past Security Champion network events.

The main communication channel for the community is Slack. This is where people can post questions exchange experiences when it comes to different tools and technologies etc.

"},{"location":"security-champion/7-about/#role-of-the-appsec-team","title":"Role of the AppSec team","text":"

The Security Champions Network is run by the AppSec team, but we aim to empower our champions to contribute in any way they can.

Do you have a guideline you want to create? Do you want to hold a seminar talk? Would you want to organize an event? Whatever the idea is, let's have a chat! \ud83e\udd1f

Reach out to us on Slack or e-mail at appsec[at]equinor.com

"},{"location":"security-champion/7-about/#contact-us","title":"Contact us","text":"

If you are reading this from across the web and want to reach out about the program and how we do things, please do so by sending an e-mail to appsec[at]equinor.com or reach us through the Security Champions Norge Slack.

"},{"location":"security-champion/8-useful-links/","title":"Useful links","text":"

These are some relevant resources for security champions

"},{"location":"security-champion/events/","title":"Events \ud83d\udce3","text":""},{"location":"security-champion/events/#morning-coffee","title":"Morning coffee","text":"

Informal chat around application security topics, it's a great place to ask questions and start discussions. It happens every Wednesday from 10:00 to 10:30. You can also propose topics in advace in the #security-champion channel on Slack.

"},{"location":"security-champion/events/#security-champion-seminar","title":"Security Champion Seminar","text":"

On the last Thursday of every month, from 12.00 to 13.00, we host the Security Champion Seminar. The seminar typically includes talks from members of the Security Champion network and/or the Application Security team. The agenda of all the past seminars can be found on the internal Security Champion page.

"},{"location":"security-champion/events/#presenting-at-the-seminar","title":"Presenting at the seminar","text":"

Do you have any topics you are interested in sharing? Great!\ud83d\ude0d Please submit your interest using this form, or get in touch with the @appsecteam on Slack. If you do, not only will you be rewarded with positive feedback, but you will get unique merch!

"},{"location":"security-champion/events/#add-security-champion-events-to-your-calendar","title":"Add Security Champion events to your calendar","text":"

To check all events, and add them to your own calendar, go to your outlook calendar and select the Security Champion Calendar from group calendars:

Note: This option might not be available on Mac, if that is your case, another option is to use outlook through connectit to add the events.

You can also find a calendar of events on SharePoint.

"},{"location":"security-champion/events/2022/1-sc-info-meeting/","title":"Security Champion info meeting","text":"

We are excited to announce that we will launch a Security Champion network among the broader developer community in Equinor! Everyone who considers themselves part of a development team can become a Security Champion. If you are a developer, UX-designer, tester, citizen developer or anything in-between, you are welcome to join \ud83e\udd73

Signup Information

Use this form for signing up to the security champion's network.

"},{"location":"security-champion/events/2022/1-sc-info-meeting/#puzzle","title":"Puzzle","text":"

Puzzle

Try the puzzle HERE

Among everyone that manages to solve all 3 challenges, we will draw a winner that will receive a price that is yet to be announced!

"},{"location":"security-champion/events/2022/sc-kickoff-agenda/","title":"Security Champions Kickoff \ud83d\ude80","text":""},{"location":"security-champion/events/2022/sc-kickoff-agenda/#welcome-champions","title":"Welcome Champions","text":"

To initiate the security champions network, we invite you to the kickoff!

The Security Champions network is a crucial part to create a strong security culture at Equinor. So get ready to join a bunch of security minded people in a journey to develop a unique perspective, engage in some cool security activities, learn niche new things and have a great time together.

Like it is often said, security champions make everything better!

"},{"location":"security-champion/events/2022/sc-kickoff-agenda/#agenda","title":"Agenda","text":"When What 08.30 - 09:00 Morning Coffee 09:00 - 09:30 Safety moment and introduction 09:30 - 11:00 Capture the Flag 11:00 - 12:00 Lunch 12:00 - 12:45 Building a security culture by Niall Merrigan 12:45 - 13:00 Break 13:00 - 13:30 About the network 13:30 - 14:00 ISC introduction 14:00 - 14:15 Break 14:15 - 16:00 Workshop 16:00 - 18:00 Tapas & Mingling"},{"location":"security-champion/events/2023/1-sc-meetup-2/","title":"Security Champions Meetup #2","text":"

We are excited to invite you to our upcoming network meetup on all things security! This is where we all come together to share our experiences, learn from each other, and discuss the latest on security.

The meetup will be held on 7th June 2023. So, mark your calendars and join us for a day of insightful discussions and valuable connections. More details in the invite.

We look forward to seeing you there!

"},{"location":"security-champion/events/2023/1-sc-meetup-2/#agenda","title":"Agenda","text":""},{"location":"security-champion/events/2023/1-sc-meetup-2/#6th-june-2023","title":"6th June 2023","text":"When What 18.00 - 20:00 CTF teams solving challenges together !"},{"location":"security-champion/events/2023/1-sc-meetup-2/#7th-june-2023","title":"7th June 2023","text":"When What 08.00 - 08:30 Morning Coffee 08.30 - 08:45 Safety Moment 08.45 - 09:00 Introduction and Agenda 09:00 - 11:00 CTF time! 11:00 - 12:00 Winner announcement followed by Lunch 12:00 - 12:30 Snyk Statistics after a Year of Operation 12:30 - 12:45 Quiz time! 12:45 - 13:15 Learning from the Community 13:15 - 13:25 Break 13:25 - 14:10 Threat Modelling PechaKucha 14:10 - 14:55 OT Hacking Demonstration 14:55 - 15:00 Break 15:00 - 15:45 World's Largest Cyber Defense Exercise 15:45 - 16:00 Conclusion"},{"location":"security-champion/events/2024/1-sc-meetup-3/","title":"Security Champions Meetup 3","text":"

We are excited to announce our upcoming security champion's meetup!

This will be our network's third meetup and we have put together a fantastic agenda filled with social acitivities, presentations and challenges.

We will have cool merch and prizes to hand out. You will not want to miss it.

"},{"location":"security-champion/events/2024/1-sc-meetup-3/#agenda","title":"Agenda","text":""},{"location":"security-champion/events/2024/1-sc-meetup-3/#7th-march-2024","title":"7th March 2024","text":"When What 8:00 - 8:30 Morning Coffee & Mingling 8:30 - 9:00 Safety Moment, Introduction & Team Building 9:00 - 9:45 LLM Hacking 9:45 - 10:00 Break 10:00 - 11:00 GitHub Copilot introduction 11:00 - 12:00 Lunch 12:00 - 12:20 How to set up your home office securely 12:20 - 12:30 Ctrl+Alt+Deceit: The Game Jam Scam 12:30 - 13:00 How to communicate security to your team 13:00 - 13:15 Break 13:15 - 13:45 Lifting the lid on last summer's QR code phishing attacks 13:45 - 14:15 Mad Rabbit & Hacking Workshop 14:15 - 14:35 Break 14:35 - 15:05 Hacking Workshop Cont. 15:05 - 15:50 Red & Blue teams threat modeling 15:50 - 16:00 Conclusion 16:00 - 18:00 Pizza After Party"},{"location":"security-champion/stories/","title":"Stories \ud83c\udfc6","text":"

We want to highlight stories from our teams, to promote both learning and sharing culture, in the context of security.

"},{"location":"security-champion/stories/#what-is-a-story","title":"What is a story?","text":"

A few examples:

If you have something in mind, consider writing a story. It's even an activity to reach the brown/black belt!

Info

Please use the below template and send it to the AppSec team on Slack or e-mail at appsec[at]equinor.com

"},{"location":"security-champion/stories/#how-to-get-started","title":"How to get started","text":"

Feel free to include pictures to illustrate, and provide sources where applicable.

Tips

Try to add technical and quantifiable information to the story to better showcase the value.

"},{"location":"snyk/","title":"Getting started","text":"

Snyk is available to all teams who code in Equinor.

After your first time sign in, you will be able to list organizations available at the Equinor Group overview (top level). If you see a relevant org to join, request one of the listed org admins to add you to the org.

"},{"location":"snyk/#crash-course-common-snyk-situations","title":"Crash Course: Common Snyk Situations","text":"

We have built a short curriculum, to help you learn the basics of Snyk. Take a look here.

The curriculum is tailored to using Snyk in Equinor.

"},{"location":"snyk/#privacy","title":"Privacy","text":"

Concerns about which data snyk collects are addressed on Snyk's privacy policy page

"},{"location":"snyk/2-about-snyk/","title":"About Snyk","text":""},{"location":"snyk/2-about-snyk/#what-is-it","title":"What is it","text":"

Snyk is a bundle of tools which helps managing vulnerabilities throughout the software development lifecycle. Currently Equinor has licenses for Snyk Open Source and Snyk Container which helps manage vulnerabilities related to third party software either as dependencies or as part of the base docker images your app depends on.

"},{"location":"snyk/2-about-snyk/#third-party-dependencies","title":"Third party dependencies","text":"

All modern IT projects today pull in volumes of code from open source projects. It is not possible to read and understand this code, and as such this becomes a legitimate application security risk. An example is the recent supply chain attack through colors.js, where the maintainer simply added an infinite loop in the code resulting in a Denial of Service to any Node.js server using it.

This is a strong argument for pinning packages to exact versions as provisioned in e.g. npm lock files, but the counter side of that is that you need to explicitly upgrade to get the latest security patches. Given the complexity of this landscape, using automated tools quickly becomes a requirement to keep software patched and secure.

So what can we do to mitigate this risk? The current strategy in Equinor is to automatically scan the projects using tools like Snyk. These tools can scan code repositories continuously and on every pull request. They will find your Dockerfiles, npm package-locks, pip requirements and many other packaging formats and check if you are currently installing a dependency with an associated known vulnerability. They will also assist you in assessing the severity and suggesting mitigating actions.

To learn more, check out how to get started

"},{"location":"snyk/3-snyk_support/","title":"Getting Snyk Support","text":"

This short guideline give some advice on how and where to get Snyk support. The AppSec team will provide help, but most of the Snyk support in Equinor should be community driven. We have a direct connection to Snyk's Customer Success staff which also will help out (the Slack channel #snyk-equinor-bridge)

Consult the documentation part. If you cannot find your solution, considering raising a Snyk Support Ticket.

"},{"location":"snyk/3-snyk_support/#documentation-and-relevant-community-resources","title":"Documentation and relevant community resources","text":""},{"location":"snyk/3-snyk_support/#raising-a-support-ticket-with-snyk","title":"Raising a Support Ticket With Snyk","text":"

We encourage raising Support tickets with Snyk. To enable some follow-up and transparency into the Equinor Community on questions/challenges, please use the following procedure:

"},{"location":"snyk/3-snyk_support/#external-resources","title":"External resources","text":""},{"location":"snyk/4-vulnerabilities/","title":"Vulnerabilities","text":"

When Snyk has identified vulnerabilities in source code, it's time to decide what to do with them. This section will provide some expectations for how to resolve vulnerabilities in Equinor.

"},{"location":"snyk/4-vulnerabilities/#remediation","title":"Remediation","text":"

Ultimately it is up to each devOps team to decide how to remediate their vulnerabilities. However, for Equinor to have a total overview of the total security posture of the entire portfolio, we have expectations to how vulnerabilities should be evaluated once they are identified.

Snyk uses four severity levels: low, medium, high and critical to evaluate the risk of a particular vulnerability. The expected action depends on the severity of a given vulnerability.

Level Description Critical This may allow attackers to access sensitive data and run code on your application High This may allow attackers to access sensitive data in your application Medium Under some conditions, this may allow attackers to access sensitive data on your application Low Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application"},{"location":"snyk/4-vulnerabilities/#critical","title":"Critical","text":"

Vulnerabilities should be evaluated and remediated as soon as possible. If a vulnerability is critical, there should be a plan for either fixing or removing the vulnerability within 24 hours.

"},{"location":"snyk/4-vulnerabilities/#high","title":"High","text":"

High vulnerabilities should be evaluated and remediated as soon as possible. If a vulnerability is high, there should be a plan for either fixing or removing the vulnerability within 7 days.

"},{"location":"snyk/4-vulnerabilities/#medium","title":"Medium","text":"

Medium vulnerabilities should be evaluated and remediated. If a vulnerability is medium, there should be a plan for either fixing or removing the vulnerability within 30 days.

"},{"location":"snyk/4-vulnerabilities/#low","title":"Low","text":"

If a vulnerability is low, it should be evaluated to see if a fix is available.

"},{"location":"snyk/4-vulnerabilities/#priority-score","title":"Priority score","text":"

Snyk also provides a priority score from 0-1000 for each vulnerability. This score is based on the CVSS severity score, rechability of the vulnerability and the maturity of the exploit. The priority score is used to prioritize the work of the devOps teams. Note that the priority score may vary from project to project based on wether a fix is available or not.

"},{"location":"snyk/4-vulnerabilities/#ignoring-vulnerabilities","title":"Ignoring vulnerabilities","text":"

If the detected vulnerability is not applicable to your project, it can be ignored with a comment explaining why it should be ignored.

If the vulnerability is in a project not in production it can be tagged with the lifecycle tag \"sandbox\" to exclude it from the aggregated dashboard.

"},{"location":"snyk/4-vulnerabilities/#who-to-contact","title":"Who to contact","text":"

Please reach out to the AppSec team on Slack or email at appsec[at]equinor.com if you have any questions regarding evaluating vulnerabilities.

"},{"location":"snyk/4-vulnerabilities/#further-resources","title":"Further resources","text":""},{"location":"snyk/curriculum/","title":"Curriculum","text":"
  1. Products
  2. Integrations
  3. Projects
  4. Scan Results
  5. Advanced Resources
  6. Frequently Asked Questions
"},{"location":"snyk/curriculum/1-snyk_products/","title":"Products","text":"

When you sign up for Snyk, you get access to the following products:

.. and a ton of integrations!

"},{"location":"snyk/curriculum/2-integrations/","title":"Integrations","text":"

Integrations are merely ways to connect and interact with Snyk. You can find all the supported integrations here.

"},{"location":"snyk/curriculum/2-integrations/#recommended-integrations","title":"Recommended Integrations","text":""},{"location":"snyk/curriculum/2-integrations/#1-github-integration","title":"1. Github Integration","text":"

We recommend starting with adding your github repositories. The easiest way to do this is by adding the Github integration. Doing this will create one snyk project for each source file it understands, e.g. requirements.txt or package-lock.json.

Configuration settings for this integration can be found here.

Please ensure the following:

"},{"location":"snyk/curriculum/2-integrations/#2-ide-integration","title":"2. IDE Integration","text":"

It is recommended to use Snyk IDE plugins while developing applications. This is in addition to the Github integration.

The results of a vulnerability scan show issues with context, impact, and fix guidance in your IDE, where the fix for the vulnerability can be done right in the IDE itself.

Read more here.

"},{"location":"snyk/curriculum/3-projects/","title":"Projects","text":""},{"location":"snyk/curriculum/3-projects/#import-a-project","title":"Import a Project","text":"

Snyk Projects are items that Snyk scans for issues, for example, a manifest file listing your open-source dependencies. When you import a Project, Snyk scans that imported Project, and displays the results for you to review.

Check how to import a project here.

"},{"location":"snyk/curriculum/3-projects/#tagging-snyk-projects-in-equinor","title":"Tagging Snyk Projects in Equinor","text":"

We use tagging of Snyk projects to assist us in getting useful metrics. Please make sure that your projects are tagged correctly!

"},{"location":"snyk/curriculum/3-projects/#tldr","title":"TL;DR","text":""},{"location":"snyk/curriculum/3-projects/#filtering-noise-from-scanning-results","title":"Filtering \"noise\" from scanning results","text":"

Extracts from Snyk projects are imported into an external dashboard. We use information from this Dashboard to help us increase the security posture of our code products and projects. Quite often teams will scan/import projects that should not be part of the official results. This could be scenarios such as testing Snyk, scanning the same code base from multiple angles (CLI, SCM, Container, ++). For each code-base there should be one \"official scanning\". For most teams this will quite often be the SCM (Github integration).

The default is that \"all\" projects will be included in the aggregated Dashboard. To omit a project from the aggregated Dashboard change the \"Life Cycle\" tag for your project as follow:

The role Org Admin is required to make a change to the \"Life cycle\" tag.

"},{"location":"snyk/curriculum/3-projects/#toggling-the-rule-set-for-equinors-opensource-distributed-projects","title":"Toggling the rule-set for Equinor's OpenSource distributed projects","text":"

We have configured Snyk to no longer by default alert of potential license issues for projects. If your project is distributed (ex. exposed on the internet, source-code is OpenSource), you should use the tag \"Distributed\" in the Environment section. This will enable the correct rule-set for your project.

If you cant see 'Distributed' in the list, try searching for it!

"},{"location":"snyk/curriculum/4-scan_results/","title":"Scan Results","text":""},{"location":"snyk/curriculum/4-scan_results/#view-snyk-scan-results","title":"View Snyk Scan Results","text":"

Once you have imported a project, it will be scanned. Learn how to view the scan results here.

"},{"location":"snyk/curriculum/4-scan_results/#interpreting-and-prioritizing-snyk-findings","title":"Interpreting and Prioritizing Snyk Findings","text":"

The Snyk Priority Score is a good reference when prioritizing Snyk findings, and should be taken into consideration. Be mindful that Snyk reports on potential vulnerabilities, so you will still need to investigate if the reported issue is a true positive or not.

For issues with a fix available, you can trigger Snyk to create a pull-request which addresses the issue. The fix usually involves upgrading the dependency to a vulnerability free version or with a patch. This upgrade might break the code and Snyk will indicate this in the pull-request created. The reviewer is responsible to ensure that the changes in the PR won't cause issues with the project.

In most languages, a minor (1.1.x \u2192 1.2.x) or patch (1.1.1 \u2192 1.1.2) release is considered \u201cnon-breaking\u201d. Whilst a major version (1.x.x \u2192 2.x.x) contains breaking changes.

For issues with no fix available it is up to the developers to evaluate how to handle this - whether it be explicitly ignoring the issue until a fix is available, replacing the dependency, or removing the dependency all together as you discover it is not really needed.

On a side-note: It is a good practice to define Security Requirements for your applications. In the context of adopting Snyk, it makes a lot of sense to add a requirement covering the how long exposure window is tolerated for your application.

Ex.

The remediation time of newly discovered vulnerabilities for our application will take no longer than: Critical: < 7 days High: < 30 days Medium-Low: Resolve based on availability

For more information, see Snyk's documentation

"},{"location":"snyk/curriculum/4-scan_results/#interpreting-issues-regarding-licenses","title":"Interpreting Issues regarding Licenses","text":""},{"location":"snyk/curriculum/4-scan_results/#intro","title":"Intro","text":"

Disabled by default

To enable the rule-set that alerts on potential issues, add the \"Distributed\" environment-tag in your projects. If you cant see 'Distributed' in the list, try searching for it

Open source software you use in your projects (eg. libraries) are licensed by the author(s) to ensure that it is used the way the author attended. There are many different licenses out there. Some of them are created to ensure the freedom of use without asking anything in return. Others may require that projects using the licensed software adopt the same license and make their software open and free.

Information on why/how Snyk reports on License-issues

The subject of license-issues is most relevant for Equinor's Open Source Software projects, as obligations to comply is usually triggered by distribution.

From the OSLC-handbook:

Distribution is defined as: providing software to another entity, i.e., an individual or organization outside your company or organization.

Determining the requirements that need to be met to comply with open source licenses involves the following:

  1. You must know what open source software you are using;
  2. You must know what license applies to that open source software and the relevant legal interpretation of the license; and
  3. You must know how you using that open source software.
"},{"location":"snyk/curriculum/4-scan_results/#what-to-do","title":"What to do","text":"

We recommend that all teams, regardless of whether they are distributing their solutions or not, acquire a working knowledge of the subject of Open Source Licenses.

You should act when Snyk report on license issues. This will involve investigating the terms of the license in question, and to do the necessary steps to comply.

Sometimes in order to stay compliant, one might have to adopt a new license for your software, replace the open source software, or in some cases ignore it because you find out you are not under obligation to comply.

Example

This Equinor team maintains an application used by Equinor employees. The source-code is not made available, and the application is only reachable from the internal network.

Snyk report the following issue:

Investigating the AGPL-3.0 license, looking into the resources linked to at the bottom of this guide, the investigator finds the following useful information:

As any distribution of software that is linked to or incorporates AGPL components triggers copyleft, either the entire product must be made available under the AGPL or the product must only be used strictly internally.

Since this is the case for their application, they do not trigger the copyleft clause, and this issue can be resolved without further action.

What they do next is described bellow.

"},{"location":"snyk/curriculum/4-scan_results/#what-to-do-after-an-issue-is-resolved","title":"What to do after an issue is resolved","text":"

After a license-issue is resolved, a good practice would be to document it in Snyk via the 'ignore' button.

If you do need assistance, don't be afraid to reach out on Slack

"},{"location":"snyk/curriculum/4-scan_results/#more-information","title":"More information","text":"

Some useful resources are listed bellow:

Some examples of compliance failures:

"},{"location":"snyk/curriculum/5-advanced/","title":"Advanced Resources","text":""},{"location":"snyk/curriculum/6-faq/","title":"Frequently Asked Questions","text":""},{"location":"snyk/curriculum/6-faq/#1-where-can-i-get-support-for-snyk","title":"1. Where can I get support for Snyk ?","text":"

To get support on Snyk:

Detailed information available here.

"},{"location":"snyk/curriculum/6-faq/#2-why-is-snyk-unable-to-process-supported-files","title":"2. Why is Snyk unable to process supported files ?","text":"

Here are some discussions around it:

"},{"location":"snyk/curriculum/6-faq/#3-confused-about-how-to-solve-specific-issues-detected-in-snyk","title":"3. Confused about how to solve specific issues detected in Snyk?","text":"

Check below some interesting conversations:

"},{"location":"snyk/curriculum/6-faq/#4-how-would-i-address-vulnerabilities","title":"4. How would I address vulnerabilities ?","text":"

Read more about dealing with vulnerabilities here.

"},{"location":"snyk/curriculum/6-faq/#5-where-can-i-check-the-status-of-snyk-services","title":"5. Where can I check the status of Snyk services ?","text":"

The status of snyk services can be checked at https://status.snyk.io.

"},{"location":"threat-modeling/","title":"Threat Modeling","text":"

Threat modeling is often cited as the practice with greatest impact on strengthening teams security posture. In this section of our AppSec pages we present relevant info related to Threat Modeling.

If you are thinking of getting started with threat modeling (good call!\ud83d\ude4c) you are welcome to join our workshops ! We are offering physical and virtual workshops on the topic to Equinor DevOps teams and will provide you with the tools needed to get started.

Github Repo: https://github.com/equinor/appsec-fundamentals-threatmodeling-101-workshop Slides: https://equinor.github.io/appsec-fundamentals-threatmodeling-101-workshop/#/

"},{"location":"threat-modeling/resources/threat_modelling/","title":"Getting Started","text":"

If you are thinking of getting started with threat modeling (good call!\ud83d\ude4c) you are welcome to join our workshops ! We are offering physical and virtual workshops on the topic and will provide you with the tools needed to get started.

Pay attention to the #appsec slack-channel, this is where we announce the dates.

Don't hesitate to contact us directly if you have further questions.

"},{"location":"threat-modeling/resources/zgamified/","title":"Gamified Threat Modeling","text":"

This gamified method of doing threat modeling might not be for everyone, but it has its pros and is worth testing out.

"},{"location":"threat-modeling/resources/zgamified/#eop-game-play","title":"EOP Game-play","text":"

Here are the pros:

+ Depending on your level of geek: Fun! + Predefined cards with suggested threats - no need to wreck your brain + Encourages collaboration + You end up with a JSON that can follow your code + Remote!

..and the cons:

- Leads to many false positives - Time-consuming (~2+ h) - Not everyone might find the game-aspect of it as intriguing - Requires a lot more effort than for example doing Agile Threat Modeling - Everyone needs a laptop - Requires 3-6 players

"},{"location":"threat-modeling/resources/zgamified/#pre-reqs","title":"Pre-reqs","text":"

Warning

Regardless of how you deploy, be weary of what you information you are exposing through the diagram (IP-addresses, \"Equinor\", stuff like that

"},{"location":"threat-modeling/resources/zgamified/#how-to","title":"How-to:","text":"
  1. Spin up an instance of Elevation of Privilege, reachable to all participants
  2. Download (or deploy) an instance of OWASP Threat Dragon
  3. Using OWASP Threat Dragon: Create a diagram of the system in scope
  4. Upload the diagram to your EoP-instance, configure a session, distribute the links to participants

Depending on the system in scope, you can choose a suitable card-deck (general vs. a web application)

Game-rules are described here

Afterwards, you can download the model with the added threats and keep it in your code repository.

"},{"location":"threat-modeling/resources/zgamified/#additional-resources","title":"Additional resources:","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/","title":"Index","text":"

The AppSec Team is providing a Equinor internal Threat Modeling 101 workshop. We provide instructor lead physical and virtual versions of the workshop to our AppSec/Developer community.

Monitor the #appsec channel on Slack for upcoming courses.

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/","title":"About","text":"

A full day threat modeling 101 workshop from the Equinor AppSec team

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#purpose","title":"Purpose","text":"

Help teams to build and operate more secure systems by incorporating threat modeling into their daily work.

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#audience","title":"Audience","text":"

Software Development Teams. We prefer to run the 101 workshop for teams, preferably the whole team. We may combine several teams in a workshop. A good size for a workshop is > 10 and < 20.

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#schedule","title":"Schedule \u23f1","text":"

Full day (8 hours, 9 - 16)

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#context","title":"Context","text":"

Threat modeling is often cited as the practice with greatest impact on strengthening teams security posture. Very few teams practice structured threat modelling. In this workshop you will get a basic introduction to threat modeling for a software development project. We do this by working on a sample web project and explore both the software development lifecycle as well as the solution we build. Parts of the content and exercises are experimental. By participating you will be an important part of forming the workshop for our community. Context matters. All models are wrong. Some models are useful. The most important threat modelling is the one you do now! Get started. Just do it :)

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#workshop-outline","title":"Workshop Outline","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/","title":"Next steps","text":"

After being introduced to threat modeling, we in the AppSec team would very much like to assist you making this a regular effort in the work you do.

We offer to partner up for a couple of months, building the muscle-memory and finding out where threat modeling fits into your SDLC.

"},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/#expectations-to-participating-teams-2-months-perspective","title":"Expectations to participating teams (2 months perspective)","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/#expectation-to-appsec","title":"Expectation to AppSec","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/#a-crude-draft-of-the-two-month-engagement","title":"A CRUDE draft of the two month engagement","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/3-cheat-sheet/","title":"Cheat Sheet","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/","title":"Extension: Elevation of Privilege game","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#about","title":"About","text":"

The Elevation of Privilege (EoP) card game is designed to introduce developers who are not information security practitioners or experts to the craft of threat modeling.

The game consists of 74 playing cards which contain cyber security anti-patterns which supports players as they attempt to find validated security flaws in a system. The cards are in six suits based on the STRIDE mnemonic. The EoP card game was invented by Adam Shostack during his tenure at Microsoft. The game was released in 2010. It is a gorgeously produced design at the centre of a gamification of a security checklist, modelled after the game called Spades.

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#how-to-play","title":"How to Play","text":"
  1. Explain the rules

The rules

Points: 1 for linking a threat, 1 for winning the round

  1. Draw a diagram of the system you want to threat model before you deal the cards
  2. Deal the deck to 3-6 players.
  3. Play until you have depleted the card-deck, or until a player has reached X-number of points
"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#variations","title":"Variations","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#resources","title":"Resources","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/","title":"Extention: Explore","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#agile-threat-modeling","title":"Agile Threat Modeling","text":"

There are numerous described methods out there for doing threat modeling. One approach that synergizes well with an agile approach to doing development, is Agile Threat Modeling. If you integrate this well, this process won't require any extra effort from your normal dev-cycle, but will add great value.

An example of how to get started:

  1. Someone from the team reads and get familiar with Agile Threat Modeling
  2. Choose a scope beforehand (ex. some upcoming functionality, current functionality, your CI/CD pipeline etc.)
  3. This person facilitates a threat modeling session with the whole team and other interested parties
  4. Find a way to integrate with your current dev-cycle
    • as part of existing ceremonies
    • as part of detailing a new task

Of course, no shoe fits all. Whichever method you choose, the most important aspect is that it's sustainable and you will be able to continue to do it regularly - and that it gives valuable output.

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#alternative-forms-for-doing-threat-modeling","title":"Alternative forms for doing Threat Modeling","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#abuser-stories","title":"Abuser stories","text":"

When detailing your tasks for upcoming functionality with use cases, consider also writing misuse cases.

ref. OWASP Web Security Testing Guide

Similar to use cases, misuse or abuse cases describe unintended and malicious use scenarios of the application. These misuse cases provide a way to describe scenarios of how an attacker could misuse and abuse the application. By going through the individual steps in a use scenario and thinking about how it can be maliciously exploited, potential flaws or aspects of the application that are not well defined can be discovered. The key is to describe all possible or, at least, the most critical use and misuse scenarios

Example

For more information, read this

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#other-resources","title":"Other resources:","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-privacy/","title":"Extension: Privacy","text":"

Under consideration, and extension of STRIDE and EoP to include Privacy.

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-remote-tm/","title":"Extension: Remote Threat Modeling for Dispersed Teams","text":"

We provide the workshop as a virutal experience. This will be a full day workshop, all on Teams using Miro. Monitor the #appsec channel for upcoming workshops - or reach out to the AppSec team for questions.

"}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Home","text":"

Welcome to Equinor AppSec information pages. This site is primarily written by and for the people working with building/maintaining applications in Equinor, but could also function as a resource for others on the topic of application security.

"},{"location":"#guidelines","title":"Guidelines","text":"

AppSec releated guidelines.

"},{"location":"#security-champion","title":"Security Champion","text":"

Information about the Security Champion programme in Equinor. This site will contain guidelines and information for Security Champions

"},{"location":"#snyk-guidelines","title":"Snyk Guidelines","text":"

The guidelines contain information related to how to set up Snyk for security scanning of repos, and also other guidelines related to licenses and other topics.

"},{"location":"#threat-modeling","title":"Threat Modeling","text":"

With Threat Modeling being such an important practice in application security, and being a focus area for us, this topic got it's own tab. Here you can find some information about the subject, as well as information about how to get started and what resources the AppSec-team can provide.

"},{"location":"#resources","title":"Resources","text":"

Some useful resources involving application security.

"},{"location":"about/","title":"Objectives and activities","text":""},{"location":"about/#background-why","title":"Background - (Why)","text":"

Always safe is one of three pillar in the Equinor strategy. Safety in the digital world includes cyber security. Equinor has many software development teams (internals and partners) and we expect a growth in DevOps teams in the future. Modern software development adopts all aspects of cloud capabilities and thus there is also an increased information security and privacy risk.

The purpose of the AppSec team is to reduce cyber security risk in Equinor's SDLC - Software Development Life Cycle (DevOps teams).

The primary target audience for the team is Equinor's software development community - aka. DevOps teams.

"},{"location":"about/#main-objectives-how","title":"Main objectives - (How)","text":""},{"location":"about/#activities-what","title":"Activities - (What)","text":""},{"location":"about/privacy/","title":"Privacy Policy","text":"

This site utilizes Application Insights to log information regarding site and page usage. The purpose of the data collection is to assess the impact and reach of the content we create. By using this site, we assume your implicit consent to our privacy policy.

"},{"location":"about/privacy/#information-we-collect","title":"Information We Collect","text":""},{"location":"about/privacy/#technical","title":"Technical","text":"

You can analyze the data collected by using your browser's \"developer tools\" and examining POST requests to https://northeurope-2.in.applicationinsights.azure.com/v2/track.

For any concerns, please read our security.md.

"},{"location":"guidelines/","title":"AppSec guidelines","text":""},{"location":"guidelines/#equinor-appsec-guidelines","title":"Equinor AppSec guidelines","text":"

This section contains guidelines relevant anyone writing code in Equinor.

"},{"location":"guidelines/authn-authz/","title":"Authentication and Authorization","text":"

Authentication and Authorization are complex topics. Things are often very context specific. Answers are often not straight forward, we often have more than one option. In the sections below we will give advice on protocols, tools and principle we find helpful.

The scope for this guideline is web application and api's.

"},{"location":"guidelines/authn-authz/#best-current-practices-and-guidelines","title":"Best current practices and guidelines","text":" "},{"location":"guidelines/authn-authz/#equinor-quirks","title":"Equinor \"quirks\"","text":""},{"location":"guidelines/authn-authz/#training","title":"Training","text":"

We have a 2 day workshop in Authn & AuthZ, it's open source and available at https://github.com/equinor/appsec-fundamentals-authn-authz-cs

"},{"location":"guidelines/gh-actions-runners/","title":"GitHub Actions and Self-Hosted Runners","text":"

The scope of this guideline is to provide generic security advice for GitHub Actions and specific security advice for using self-hosted runners.

(To have a holistic view on security and threats in a system, we recommend that teams have a Threat Model for their Software Development Lifecycle. More informaton on threat modeling can be found here)

"},{"location":"guidelines/gh-actions-runners/#github-actions-in-general","title":"GitHub Actions in General","text":"

When using GitHub Actions, it is good practice to:

"},{"location":"guidelines/gh-actions-runners/#using-self-hosted-runners","title":"Using Self-Hosted Runners","text":"

When using GitHub Actions with self-hosted runners, it is good practice to:

"},{"location":"guidelines/gh-actions-runners/#the-future-the-gh-roadmap","title":"The Future, The GH Roadmap","text":""},{"location":"guidelines/gh-actions-runners/#external-3rd-party-resources","title":"External 3rd Party Resources","text":""},{"location":"guidelines/git-github/","title":"Git and Github","text":"

This guideline contains some basic information on configuration of Git and user profiles on github.com. Our perspective would be security and privacy. The guideline is by no means exhaustive, it's more an introduction to basic config and the correlation between Git and github.com

Git vs Github.com

Git is a distributed version control system for tracking changes in source code, while GitHub is a platform that hosts Git repositories online. GitHub builds upon Git, offering a centralized place for developers to share and work on code together.

The SCM Policy

The Equinor Developer Portal contains our Source Code Management System Policy. Please make sure you are familiar with the content.

"},{"location":"guidelines/git-github/#tldr","title":"TLDR;","text":""},{"location":"guidelines/git-github/#git","title":"Git","text":"

For this guideline we use Git from the command line. Be aware, there are many tools that hide the internal mechanics of Git within the tool. For these tools most settings are defined within the tool itself.

We assume that git and ssh are installed on your system. We do not cover the installation process besides mentioning the fact that git and ssh like any other piece of software must be kept up-to-date.

The official Git documentation is a good source for authoritative answers and deep dives.

"},{"location":"guidelines/git-github/#how-git-manages-config","title":"How Git manages config","text":"

Git is dependent on proper configuration to work. Configuration can be read from the command line (using the -c option), environment variables or files. The official guide provides the details.

We usually store Git config in files. Git will read config from multiple locations depending on their availability. The files are read in the order shown below, the last value read will take precedence over values read earlier.

  1. System config (usually /etc/gitconfig)
  2. Config file in home directory (usually $HOME/.gitconfig)
  3. Repository config files ($GITDIR/config)

The config files can be updated manually with a text editor or by using Git

Git configuration from the command line follow the following structure:

git config options section.key value\n

For the examples below no \"scope\" is provided so Git will expect that you are in a Git directory and then work with a repo config file. A error message will be given if this is not the case. Use the parameter --system, --global or --local to specify scope.

Example; setting the user name:

git config user.name \"Peter Pan\"\n

Reading the config looks like this:

git config --get user.name\nPeter Pan\n

Removing config looks like this:

git config --unset user.name\n

Setting your user name for a global scope would look like this:

git config --global user.name \"Peter Pan\"\n

Tip

Using the command git config --list --show-origin will expand all git config across the different levels.

"},{"location":"guidelines/git-github/#recommended-generic-basic-config","title":"Recommended generic basic config","text":"

This section contains the recommended basic generic configuration for Git.

git config --global user.name \"value\"\ngit config --global user.email \"value\"\n

Additional email privacy

We also recommend that you check the \"Keep my email address private\" and even \"Block command line pushes that expose my email\" in email section of your profile on github.com

"},{"location":"guidelines/git-github/#using-ssh-with-git","title":"Using SSH with git","text":"

Git uses HTTPS or SSH to communicate with github.com. Both alternatives are viable and provide a good level of security. HTTPS assumes the use of Personal Access Tokens (PATs) rather than account passwords. A short threat model of the two options:

Comparison of SSH (with password-protected keys) and HTTPS (with PATs), per threat:

  - Interception. SSH: encrypted; an MITM attack would be needed. Passphrases protect keys on disk, but not in transit, since keys aren't transmitted. HTTPS: encrypted; susceptible to MITM, but TLS and certificate validation mitigate the risk. PATs are used instead of passwords.
  - Impersonation. SSH: theft of both the private key and the passphrase is required for impersonation. HTTPS: relies on secure storage of PATs; impersonation is possible if a PAT is exposed.
  - Eavesdropping. SSH: encrypted traffic; the passphrase adds security at rest, not in transit. HTTPS: encrypted traffic; PATs should be securely stored to prevent unauthorized access.
  - Authentication. SSH: strong, with the added layer of passphrase protection for key files. HTTPS: PATs can be set to expire, enhancing security by limiting the lifespan of access credentials.
  - Configuration. SSH: requires management of key pairs and passphrases, slightly more complex. HTTPS: requires management of PATs, including regular rotation and setting appropriate expiration dates.
  - Availability. SSH: direct; less prone to web attacks, but firewalls might block SSH. HTTPS: high, through standard web ports; PATs can be revoked or expire, requiring renewal for continued access.
  - Key/Token Expiry. SSH: keys do not expire by default; manual rotation is required for security. HTTPS: PATs can be configured to expire, forcing regular renewal and review of access permissions.
  - Theft of Credentials. SSH: risk mitigated by passphrase encryption of the private key; physical access or malware is required to steal it. HTTPS: risk of PAT exposure, especially if stored insecurely or transmitted over insecure channels.
  - Least privilege. SSH: keys inherit all permissions of the user; no granularity. HTTPS: PATs can be configured with fine-grained permissions, giving access to all or only specific repos. This can strengthen security, but token management adds extra complexity.

Use SSH with Git

We recommend using SSH when Git authenticates and communicates with github.com. Private keys should be passphrase protected.

"},{"location":"guidelines/git-github/#configuring-git-to-use-ssh","title":"Configuring Git to use SSH","text":"

The Connecting to GitHub with SSH guide in the official GitHub documentation is a good source for detailed information.

The following sections of the guideline contain the usual steps to get started with SSH.

"},{"location":"guidelines/git-github/#generate-a-new-ssh-key","title":"Generate a new SSH key","text":"

Example: creating an SSH key for the GitHub user larskaare

ssh-keygen -t ed25519 -f ~/.ssh/github_larskaare_1 -C \"Github SSH auth key for machine 1\"\n

You will be asked \"Enter passphrase (empty for no passphrase)\"; we strongly recommend using a passphrase. Two files are created, one named github_larskaare_1 and one named github_larskaare_1.pub. The file with the .pub extension contains the public part of the key. The file github_larskaare_1 contains the private part of the key, which should be protected and never shared.

Re-using keys?

We advise creating separate SSH keys for separate machines and devices, and not re-using the same key on them all. This is good security practice in case of compromise - don't have one key to the whole kingdom. A more fine-grained approach also helps when keys are to be revoked or updated. You could also consider using different keys for professional versus personal usage.

Passphrases

Store passphrases in a password manager.

"},{"location":"guidelines/git-github/#configure-ssh-and-adding-the-key-to-the-key-agent","title":"Configure SSH and adding the key to the key-agent","text":"

Adding the generated SSH key to the ssh-agent lets the agent hold the unlocked private key for you, which eliminates the need to repeatedly enter the passphrase.

Follow the official documentation and add the SSH key to the ssh-agent. Be aware of the operating system selector at the top of the page - it will give you instructions for Mac, Windows and Linux. The sections below cover a minimal set-up of how to add the SSH key to the agent. The official version has more details - you can follow either.

"},{"location":"guidelines/git-github/#adding-ssh-config","title":"Adding SSH config","text":"

SSH uses a config file for its configuration (this file is not used by Git). The user-specific file is usually stored in ~/.ssh/config and should be updated prior to using the SSH key and the ssh-agent. Consult the documentation of your SSH client for details. Many use OpenSSH, which has good manual pages (OpenSSH Manual Pages).

An SSH config file with a minimal set-up usually looks like this:

Host github.com\n    AddKeysToAgent yes\n    IdentitiesOnly yes\n    IdentityFile ~/.ssh/github_larskaare_1\n
"},{"location":"guidelines/git-github/#adding-the-private-ssh-key-to-the-ssh-agent","title":"Adding the private SSH key to the SSH agent","text":"

We assume that the ssh-agent is available and running.

The following command will add the private part of the SSH key we generated to the ssh-agent:

ssh-add ~/.ssh/github_larskaare_1\n

For macOS we would typically add the passphrase to the keychain as well:

ssh-add --apple-use-keychain ~/.ssh/github_larskaare_1\n
"},{"location":"guidelines/git-github/#configure-githubcom-to-use-our-ssh-key","title":"Configure github.com to use our SSH key","text":"

We now have an SSH key that we can use when communicating with github.com. To be able to use this key with GitHub we need to upload the public part of the key to github.com. Print the public part with:

cat ~/.ssh/github_larskaare_1.pub\n

When testing the connection to github.com, ssh will ask whether the fingerprint of the host key presented by github.com is OK and whether you would like to continue. If you are connecting to github.com, answer \"yes\". Explaining this trust chain is out of scope for this guide, but if you want to validate the suggested fingerprint you can compare it with GitHub's official SSH key fingerprints. The known hosts file that is mentioned is ~/.ssh/known_hosts.

ssh -T git@github.com\n

The command should output a message similar to this to indicate success:

Hi larskaare! You've successfully authenticated, but GitHub does not provide shell access.\n
"},{"location":"guidelines/git-github/#using-git-and-ssh-with-github","title":"Using Git and SSH with github","text":"

At this stage we have SSH configured on both ends. However, how do we tell Git to use SSH? You typically do this when cloning a repo or configuring the remote. Running

git remote -v\n

should output the remote name and a URI starting with git@github.com:

origin  git@github.com:equinor/appsec.git (fetch)\norigin  git@github.com:equinor/appsec.git (push)\n
"},{"location":"guidelines/git-github/#configure-the-ssh-key-for-usage-with-equinors-sso-protected-resources","title":"Configure the SSH key for usage with Equinor's SSO protected resources","text":"

The Equinor organization on github.com is protected behind SSO login. In order for your SSH key to be used with resources in the GitHub \"Equinor\" or \"Equinor-Playground\" organizations, you need to authorize the key for these organizations on your behalf. The GitHub documentation gives you all the details.

"},{"location":"guidelines/git-github/#rotating-ssh-keys","title":"Rotating SSH keys","text":"

Rotate your SSH keys

Your SSH keys, and passphrases, should be rotated at least on a yearly basis. Put a recurring appointment in your calendar for this. This process could be automated, but doing it once in a while in manual mode may help you not to forget how things work.

"},{"location":"guidelines/git-github/#githubcom","title":"Github.com","text":""},{"location":"guidelines/git-github/#basic-config-for-your-account","title":"Basic config for your account","text":"

You will find your Github settings at https://github.com/settings/profile.

We recommend the following settings:

"},{"location":"guidelines/git-github/#public-profile","title":"Public profile","text":""},{"location":"guidelines/git-github/#emails","title":"Emails","text":""},{"location":"guidelines/git-github/#password-and-authentication","title":"Password and authentication","text":""},{"location":"guidelines/git-github/#codespaces","title":"Codespaces","text":""},{"location":"guidelines/git-github/#code-security-an-analysis","title":"Code security an analysis","text":""},{"location":"guidelines/git-github/#applications","title":"Applications","text":""},{"location":"guidelines/git-github/#security-log","title":"Security log","text":""},{"location":"guidelines/git-github/#developer-settings","title":"Developer settings","text":"

Fine-grained tokens are in beta (March 2024). Don't use beta features for anything production.

"},{"location":"guidelines/git-github/#whats-next","title":"What's next","text":"

If you have reached this far, the natural next step is to continue the journey by getting your Git commits signed.

"},{"location":"guidelines/git-github/#external-resources","title":"External resources","text":""},{"location":"guidelines/git-signed-commits/","title":"Signed commits","text":"

The code from our software configuration management system (SCM) is the starting point for a lot of secure coding practices. Signed Git commits are an essential security practice which provides a layer of verification that helps mitigate several threats. Some of these threats are:

"},{"location":"guidelines/git-signed-commits/#tldr","title":"TLDR;","text":""},{"location":"guidelines/git-signed-commits/#signing-methods","title":"Signing methods","text":"

The official GitHub documentation on signature verification shows that commits can be signed using GPG, SSH or S/MIME. The three methods each have their pros and cons.

Comparison of the three signing methods, per feature/aspect:

  - Basic mechanism. SSH signing: uses SSH keys for both authentication and signing. GPG signing: uses a public-private key pair specifically for signing. S/MIME signing: uses certificates issued by a Certificate Authority (CA).
  - Identity verification. SSH: SSH public keys are used to verify the signature. GPG: verification is based on a web of trust or direct key sharing. S/MIME: relies on certificates verified and issued by trusted CAs.
  - Infrastructure. SSH: requires SSH key setup, which is already needed for repository access. GPG: requires GPG software and management of key pairs. S/MIME: requires obtaining and managing a certificate from a CA; potentially a complex PKI.
  - Ease of setup. SSH: simple for users already using SSH keys for Git operations. GPG: can be complex due to key generation, management and sharing. S/MIME: varies; obtaining a certificate can be straightforward or complex depending on the provider.
  - Cross-platform support. SSH: broad support across various platforms and Git tools. GPG: well supported, with widespread integration in Git tools. S/MIME: support varies; some tools may not support S/MIME directly.
  - Pros. SSH: simplifies the workflow by using the same keys for authentication and signing\u2020; integrated into SSH, which is commonly used for secure Git operations. GPG: decentralized and flexible, with a variety of algorithms and key sizes; well established in the open-source community. S/MIME: the trust model is straightforward, based on established CAs; may align with existing certificate-based security practices (e.g. email).
  - Cons. SSH: primarily verifies that the commit was pushed by an authenticated user, not necessarily the commit's author; SSH key management is crucial, and compromised keys pose a risk. GPG: key management and the web-of-trust model can be complex; requires active key maintenance (revocation, expiration). S/MIME: dependent on third-party CAs for issuance and trust; certificates have expiration dates and may incur costs.

\u2020 While reusing the SSH key is a recognized advantage of SSH signing, we recommend against this practice; see below.

Note

We recommend using self-signed SSH keys for signing your Git commits. (In the future we may switch to a certificate-based approach.)

"},{"location":"guidelines/git-signed-commits/#configure-your-local-development-environment","title":"Configure your local development environment","text":"

This guideline uses Git from the command line as its reference.

We assume that Git and SSH are installed on your system.

We assume that you are using SSH to authenticate Git with github.com. Consult our guideline for more information on this topic.

The GitHub documentation on SSH commit signature verification is a good source for detailed information.

"},{"location":"guidelines/git-signed-commits/#adding-a-ssh-key-for-signing","title":"Adding a SSH key for signing","text":"

Note

We recommend using different SSH keys for authentication and signing. This adds some extra complexity, but it provides a more robust set-up with looser coupling between key components of the SDLC.

To create a new SSH key for signing you can use the following command (alter the date manually):

ssh-keygen -t ed25519 -f ~/.ssh/git_ssh_signing_key_1 -C \"Created on <date>, for larskaare on github.com\"\n

This will create an SSH signing key and add a comment on date and purpose. Add a passphrase to the key. Successful key generation will output the key fingerprint and a randomart image (randomart is a visualisation intended to make it easier to validate keys and spot changes). You can also find more info on SSH keys in our Git guideline.

Add the new key to the ssh-agent:

ssh-add ~/.ssh/git_ssh_signing_key_1\n
"},{"location":"guidelines/git-signed-commits/#configure-git-to-use-the-ssh-key","title":"Configure Git to use the SSH key","text":"

We will configure the Git global settings to use the new SSH key for signing commits locally. The examples assume you created the key as described above.

git config --global gpg.format ssh\ngit config --global user.signingkey ~/.ssh/git_ssh_signing_key_1.pub\ngit config --global commit.gpgsign true\n

These lines tell Git to use SSH for signing commits, where to find the key that should be used, and to always sign commits. If you do not add the last line, you will have to add the -S parameter to each commit you want to sign.

"},{"location":"guidelines/git-signed-commits/#examining-the-git-log","title":"Examining the git log","text":"

To verify that commits are signed locally you can use the following command:

git log --show-signature\n

When you run this command on a newly configured system you may get an error message like error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification. This error is easily overlooked in the wall of text from the log. For Git to verify signatures locally, you need to add the public keys used for signing to a file that Git will consult.

We will create the allowed_signers file. Each line has the format \"signer email\" \"key-type\" \"key-body\". The key in question is the public key of the SSH key we use to sign our commits.

git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers\necho $(git config --get user.email) \\\n     $(cat ~/.ssh/git_ssh_signing_key_1.pub) \\\n     | awk '{print $1,$2,$3}' >> ~/.ssh/allowed_signers\n

When this is done you can view the git log and verify the signature.

git log --show-signature\n

The git verify-commit command is also available. To verify the commit at HEAD you can use the following command:

git verify-commit HEAD\n

Use the verbose parameter to get more information:

git verify-commit -v HEAD\n

Tip

You may have noticed that your local Git will only show a good signature for your own signed commits. For your local Git to show a good signature for other contributing team members, you will have to add their public keys to your local allowed_signers file. The status on github.com will be correct, as it hopefully knows the public keys of the signers.

Tip

We have shown how to sign git commits. You can also sign git tags!

"},{"location":"guidelines/git-signed-commits/#configure-github","title":"Configure Github","text":"

At this stage in the guideline we are able to sign and verify the signature of locally committed changes. If you push your changes to github.com they will get the Unverified status. This indicates that GitHub has found a signature in the commit but is not able to verify it. You can find more detailed information in the GitHub docs on About commit signature verification.

This makes sense: GitHub cannot verify our signature because it does not have our public key. Telling GitHub about the public key we used to sign our commit is the next step.

"},{"location":"guidelines/git-signed-commits/#adding-public-keys","title":"Adding public keys","text":"

We will add the public part of our SSH key to github.com.

cat ~/.ssh/git_ssh_signing_key_1.pub\n

If you now go back and look at the commits on github.com, those that were signed with the new key should have status Verified.

If you select the Verified badge you will get information on the signer and the fingerprint of the public key that was used. You can find the fingerprint by looking at the key on your GitHub profile or by running ssh-keygen with the option to print the fingerprint locally:

ssh-keygen -lf ~/.ssh/git_ssh_signing_key_1\n

Tip

Explore GitHub's Vigilant Mode. It should increase the trust level of signed commits yet another level.

"},{"location":"guidelines/git-signed-commits/#branch-protection","title":"Branch protection","text":"

We recommend that you protect important branches with branch protection rules. This is a feature of GitHub that requires a GitHub Team or GitHub Enterprise account.

The official documentation can be found in Managing protected branches.

We recommend the following minimum protection for important branches:

"},{"location":"guidelines/git-signed-commits/#external-resources","title":"External resources","text":""},{"location":"guidelines/postman/","title":"Postman","text":"

Info

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs\u2014faster \ud83d\udd17.

"},{"location":"guidelines/postman/#tldr","title":"TL;DR","text":"

\u00b9 For simple usage one can use the Lightweight API Client without any account.

"},{"location":"guidelines/postman/#changes-in-2023","title":"Changes in 2023","text":"

During 2023, Postman announced a change \ud83d\udd17 in how the solution works by making it mainly \"cloud only\", meaning they expect any users of the solution to always have an account and be logged in. When utilizing Postman, it's crucial to note that being logged in will automatically sync data to the cloud. As a result, users must exercise caution regarding the nature of the data being transmitted. It's especially important to pay attention to the data classification, both within the requests and in the responses.

"},{"location":"guidelines/postman/#benefits-of-being-logged-in-with-an-user-account","title":"Benefits of being logged in with an user account","text":"

Logging in with a user account enables most of the features within Postman, including:

However, the automatic synchronization to the cloud raises both security and regulatory concerns. Here are the results of a simple Threat Model exercise:

  - Account takeover / session hijacking. Description: the account is breached and malicious actors can log in to Postman using your account. Mitigation: only use your Enterprise Account and SSO, as there are protective and preventive measures in place to avoid/detect malicious actors logging in.
  - Data breach at Postman servers. Description: a malicious actor has obtained data residing on the Postman servers. Mitigation: refrain from storing sensitive data that is synchronized with Postman servers, and implement additional controls such as logging and auditing for API logins and secret rotation.
  - Credentials stored unencrypted. Description: credentials stored in (masked) plain-text fields or in local plain-text files can easily be extracted. Mitigation: use proper solutions when handling credentials, like Postman Vault.
  - Sensitive data being exported. Description: anyone with access to the Workspace (collections) can export/extract it, including any variables and environments within. Mitigation: avoid storing sensitive data in collections or environments.
  - Sensitive data exposed. Description: anyone with access to the Workspace can read environment variables, including masked secrets. Mitigation: avoid storing sensitive data in environments and be aware of who can access the Workspace. Export your collections and see what data is exposed.

Previously we also had an entry regarding Information disclosure, where we highlighted \"The API being tested has sensitive data in the responses - could be restricted, confidential or personal data - which could automatically be uploaded to the cloud or being exposed in pipelines\" and the recommendation \"Understand the data classification of the information in requests and responses, and if unsure, avoid using Postman for these requests. When conducting automated testing, ensure that tests are executed against a \"synthetic\" test environment\". As stated by Postman themselves, currently the responses are NOT synchronized. However, be aware of where the requests are being run from and ensure that the responses are handled according to their data classification.

"},{"location":"guidelines/postman/#best-practices","title":"Best practices","text":"

The automatic synchronization to the cloud raises both security and regulatory concerns. Following the best practices will mitigate some of those concerns.

"},{"location":"guidelines/postman/#sso","title":"SSO","text":"

Never use a private or non-Equinor account in an Equinor context.

If you need the full feature set of Postman, request access through AccessIT and use SSO for login. Log in either directly in the Desktop Client or through the browser \ud83d\udd17.

This ensures

"},{"location":"guidelines/postman/#avoid-storing-sensitive-data-in-an-insecure-way","title":"Avoid storing sensitive data (in an insecure way)","text":"

If you need to store credentials or other sensitive data, use Postman Vault \ud83d\udd17. Note that data in the Vault is not synchronized with Postman; anything in it remains local.

If there is no other way than storing sensitive data in the environment, the least you should do is set the type of the variable to \"secret\". This will mask the input.

Be careful

Even though one uses the \"secret\" type in an Environment, the secret is readable in plain-text by anyone who has access to it. If the access of the Workspace is set to Team, anyone in Equinor with a Postman account will be able to read the secret.

Tip

Storing variable values only in the Current value field will ensure that the data is never shared with Postman. For a more comprehensive explanation of the difference between Initial value and Current value, see the Postman documentation \ud83d\udd17.

"},{"location":"guidelines/postman/#postman-vault","title":"Postman Vault","text":"

Postman Vault \ud83d\udd17 is a way of handling sensitive data in Postman without it leaving your local environment. Use the link for a deeper dive into the Postman Vault capabilities. Note that Postman Vault is only available when using the Desktop Client and will not function when using the Web Client (using Postman through the browser). If you are unsure how to set up and open a Vault, use the link above.

The syntax to use a vault variable is quite similar to how other variables are referenced, but with a prefix of \"vault:\". For example to reference a value called \"MY_SECRET\" stored in the Vault, one would reference it by {{vault:MY_SECRET}}.

Important

Note that you can't set or access vault secrets in scripts \ud83d\udd17.

"},{"location":"guidelines/postman/#do-not-share-collections-uncritically","title":"Do not share collections (uncritically)","text":"

If you need to share collections within the team, ensure proper processes are in place to grant and revoke access. Note that collaborators might get access to and see any sensitive information in the collections, including any sensitive information in the Workspace variables or the configured environments.

"},{"location":"guidelines/postman/#set-right-access-on-workspace","title":"Set right access on Workspace","text":"

The default access is \"Everyone from team Equinor\", which makes it visible to everyone in Equinor who has a Postman account. This thus gives everyone access to the entire workspace, including the environments and the secrets within, which might not be desirable.

To change the access of a workspace, go to the workspace \"root page\" and click on the \"Workspace Settings\" button. Under the new page set the \"Who can access this workspace?\" to \"Only invited team members\".

Info

Changing to \"Only invited team members\" imposes additional administrative work, as the administrator of the Workspace needs to onboard and offboard Workspace members manually. Users who are being added to a Workspace would first need an Enterprise Account, which must be requested for in AccessIt.

"},{"location":"guidelines/postman/#cicd","title":"CI/CD","text":"

It is possible to run Postman collections automatically in a CI/CD pipeline. One way of achieving this is using the Newman CLI \ud83d\udd17, a CLI tool by Postman.

Assuming

a GitHub Action workflow could look something like:

name: Running API tests\nrun-name: ${{ github.actor }} is testing the API\non: [pull_request]\njobs:\n    api_tests:\n        runs-on: ubuntu-latest\n        steps:\n            - name: Set up Node\n              uses: actions/setup-node@v4\n            - name: Install Newman\n              run: npm install -g newman \n            - name: Run API tests\n              run: newman run \"https://api.getpostman.com/collections/${{collectionID}}?apikey=${{ secrets.POSTMANAPIKEY }}\" --environment \"https://api.getpostman.com/environments/${{ environmentID }}?apikey=${{ secrets.POSTMANAPIKEY }}\"\n\n

Some considerations on this workflow:

"},{"location":"guidelines/postman/#lightweight-api-client","title":"Lightweight API Client","text":"

It is possible to run Postman without logging in or needing an account (without applying for it in AccessIT), which Postman has coined \"Lightweight API Client\".

The previous lightweight API client, based on \"Scratch Pad\", has been discontinued and there is only a single official API Client that can be downloaded from Postman. After downloading and executing the file, there is a choice of \"Or continue with the lightweight API client\" (as of April 2024, this is presented as a small text below the login button when starting the application). Running the application in this mode will ensure that everything stays local - nothing is synchronized to the cloud. However, it will not be possible to use the full set of features Postman provides, and usage in this mode will be limited to simple manual API testing.

Info

Using the Lightweight client is free and one does not need to apply for access in AccessIT. In many cases this will be sufficient.

"},{"location":"guidelines/postman/#resources-to-read-more-on-postman","title":"Resources to read more on Postman","text":""},{"location":"guidelines/secret-scanning/","title":"Secret Scanning","text":"

As developers, we know that secrets like passwords, API keys, and access tokens are critical to our work. But what happens when these secrets accidentally end up in our code, logs or error messages?

This guideline aims to present relevant tools, some good practices for managing this risk, and what to do when we have messed up. The AppSec team provides a 3 hour hands-on workshop on getting started with secret scanning - https://github.com/equinor/appsec-fundamentals-secret-scanning.

"},{"location":"guidelines/secret-scanning/#recommended-tools","title":"Recommended tools","text":"

Please note that:

(Check out the appsec tools section for more tooling)

"},{"location":"guidelines/secret-scanning/#github-advanced-security-secret-scanning","title":"GitHub Advanced Security: Secret Scanning","text":"

GitHub Advanced Security is integrated into GitHub, providing features like the secret scanning module free for public repositories. This module supports these secret types so far.

"},{"location":"guidelines/secret-scanning/#how-to-turn-it-on-for-your-repository","title":"How to turn it on for your repository","text":""},{"location":"guidelines/secret-scanning/#global-push-protection","title":"Global push protection","text":"

GitHub provides a beta feature that will prevent pushes from you that contain supported secrets across all public repositories.

"},{"location":"guidelines/secret-scanning/#where-to-scan-for-secrets-in-our-sdlc","title":"Where to scan for secrets in our SDLC","text":"

The general idea is to catch secrets in code (and other places) as early as possible. Our recommendation for most teams is:

While you are developing, in your development environment

In your CI pipeline

Other places:

"},{"location":"guidelines/secret-scanning/#what-to-do-when-we-have-messed-up","title":"\ud83e\udd2f What to do when we have messed up \ud83e\udd2f","text":"

We will mess up sooner or later. So be prepared, both as an individual developer and as teams!

"},{"location":"guidelines/secret-scanning/#steps-to-mitigate-a-leak","title":"Steps to mitigate a leak","text":""},{"location":"guidelines/secret-scanning/#cleaning-the-git-history","title":"Cleaning the git history","text":"

This part can range from very easy to very hard; it all depends on what, where and when.

"},{"location":"guidelines/secret-scanning/#you-are-working-locally-the-secret-is-in-the-last-commit-not-pushed","title":"You are working locally, the secret is in the last commit, not pushed","text":""},{"location":"guidelines/secret-scanning/#you-are-working-locally-the-secret-is-beyond-the-last-commit","title":"You are working locally, the secret is beyond the last commit","text":"

Then things could get complicated. Git is distributed, so you are not on your own. Rewriting the history could lead to all sorts of issues.

Explore:

You'll also find some guidelines in the github.com docs.

Be aware of:

"},{"location":"guidelines/secret-scanning/#how-do-we-manage-secrets-in-our-dev-environments","title":"How do we manage secrets in our dev environments?","text":"

Context matters, a lot. There are many different ways of handling secrets in development environments. The opportunities will depend on the context. We will always have to find a good balance between security and convenience.

"},{"location":"guidelines/secret-scanning/#a-few-known-ways-of-managing-secrets-is","title":"A few known ways of managing secrets is","text":""},{"location":"guidelines/secret-scanning/#a-few-known-controls-could-be","title":"A few known controls could be","text":""},{"location":"guidelines/secret-scanning/#what-we-should-not-do","title":"What we should NOT do","text":""},{"location":"guidelines/FAQ/pre-commit-faq/","title":"Pre-commit","text":"

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. In short it allows for a self-maintained list of checks to be performed before any commit.

"},{"location":"guidelines/FAQ/pre-commit-faq/#how-do-i-install-pre-commit","title":"How do I install pre-commit?","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#prerequisites","title":"Prerequisites","text":"

Pre-commit can be installed in two ways, using Python pip or Homebrew.

"},{"location":"guidelines/FAQ/pre-commit-faq/#python","title":"Python","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#homebrew-maclinux","title":"Homebrew (Mac/Linux)","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#installing-pre-commit","title":"Installing pre-commit","text":"

  - Python: pip install pre-commit
  - Homebrew: brew install pre-commit

Once pre-commit is installed you need to set up the git hook scripts by running pre-commit install. Now pre-commit wil automatically run on git commit!

"},{"location":"guidelines/FAQ/pre-commit-faq/#note-if-pre-commit-is-not-available-after-install-it-might-be-needed-to-manually-add-it-to-path","title":"NOTE: If pre-commit is not available after install, it might be needed to manually add it to PATH.","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#how-do-i-add-pre-commit-to-my-repository","title":"How do I add pre-commit to my repository?","text":""},{"location":"guidelines/FAQ/pre-commit-faq/#do-i-need-to-setup-pre-commit-for-each-repository","title":"Do I need to setup pre-commit for each repository?","text":"

Yes.

Each repository that uses pre-commit needs to have the .pre-commit-config.yaml file.

"},{"location":"resources/","title":"Resources","text":"

To-Do

We encourage readers of this page to add or edit content.

"},{"location":"resources/#equinor-resources","title":"Equinor Resources","text":""},{"location":"resources/learning-material/","title":"Learning Material","text":""},{"location":"resources/learning-material/#1-portswigger-web-security-academy","title":"1. Portswigger Web Security Academy","text":""},{"location":"resources/security_requirements/","title":"Security Requirements","text":""},{"location":"resources/security_requirements/#why","title":"Why","text":"

Defining your security requirements will help you out when performing various security related activities. When thinking of what can go wrong and trying to secure your system, having defined what is important to you just makes sense In addition, it helps prioritizing security-work, ex. patching vulnerabilities found in Snyk, prioritizing threats as part of Threat Modelling, or when doing Security Testing.

"},{"location":"resources/security_requirements/#what","title":"What","text":"

OWASP Proactive Controls

A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied. Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities. Security requirements define new features or additions to existing features to solve a specific security problem or eliminate a potential vulnerability.

"},{"location":"resources/security_requirements/#how","title":"How","text":"

The first step would be to have a look at the business objectives and the functional requirements. From here you can derive security requirements by asking \"what CAN'T go wrong\" in order to meet these requirements.

A good place to define these requirements would be in the Requirements Document (having everything in one place and all that ), and gradually work towards having automated test-cases for them.

Tip

TL;DR

Define Security Requirements

What are some of the things I care about?

( * Take into account Confidentiality, integrity, availability.)

Define Compliance Requirements

Are there any special requirements that must be met (Compliance, and/or legal)?

Input:

Output:

"},{"location":"resources/security_testing/","title":"Security Testing","text":""},{"location":"resources/security_testing/#automated","title":"Automated","text":""},{"location":"resources/security_testing/#sast","title":"SAST \u2b1c","text":"

Stands for \"Static Application Security Testing\" (tests that are ran towards applications currently not running, i.e code). That means that this activity can take place very early in the SDLC, as it does not require a working application.

SAST is considered a form of White Box Testing

A SAST-tool will report on known vulnerabilities and security misconfigurations in your code. Catching these things early, dramatically decrease the cost of fixing these issues.

There are different ways of implementing SAST-tools into your SDLC: doing periodically full scans of your codebase, and having a linter present in your dev-environment (IDE) to catch issues as you code. You should do both

An example of how to get started:

Scanner: 1. Sign up to Snyk (if you have not already) 2. Import your project, and make sure that \"Snyk Code\" is enabled 3. Review and prioritize the findings

Linter: 1. Download Snyk's IDE plugin for your IDE (usually done from the marketplace) 2. Sign in 3. Review and prioritize the findings as you code

"},{"location":"resources/security_testing/#dast","title":"DAST \u2b1b","text":"

Stands for \"Dynamic Application Security Testing\". Emulating a malicious user by attacking and probing, a DAST-tool will test a running web application to detect vulnerabilities.

DAST is considered a form of Black Box Testing

As with SAST, there are a lot of tools out there that perform this type of testing.

One noteworthy that I can recommend is OWASP ZAP.

An example of how to get started:

Download OWASP ZAP and get familiar with the tool.

Browse through your application through the ZAP proxy, run the passive and active crawlers, and see if it finds any vulnerabilities.

Next steps would be to explore the scripting functionality, and look at ZAP Community Scripts repo.

OWASP ZAP is quite versatile, and is well suited for integration with your CI/CD.

"},{"location":"resources/security_testing/#iast","title":"IAST","text":"

Stands for \"Interactive Application Security Testing\". IAST is dynamic and gets its feedback from sensor modules that are included with \u2013 and run in context with the application that is subject to the test.

IAST is considered a form of Grey Box Testing

As the application is being externally triggered through automated or manual events, the internal instrumentation or sensor modules evaluate the application and report in real-time \u2013 making this an interactive process.

IAST is performed in production or a production-like environment, and in contrast to SAST will be able to identify vulnerabilities based on the systems behaviour and not only its static codebase. This results in a more holistic approach to evaluating the system. It balances some of the false positives given by other more static approaches, and evaluates the system in a context determined by configuration, control and dataflow and other characteristics given by the environment where the application is running.

Proper utilization of IAST, as being included in the CI/CD pipeline will then be able to \"shift left\" the types of tests that bring information about posible observable runtime vulnerabilities into the development stage.

"},{"location":"resources/security_testing/#rasp","title":"RASP","text":"

Stands for \"Runtime application self-protection\". RASP enabled systems have both the capability to identify and monitor, as well as actively stopping an attack.

As opposed to simply protecting the application from an external perspective by securing its interfaces (e.g firewall protection), RASP protects the system by also taking the internal state of the application into evaluation. By establishing protection mechanisms at the application/server layer, RASP-protected systems are less dependent on perimeter based protection.

As for IAST the mechanicm is enabled by instrumentation embedded in the system. However while IAST identifies vulnerabilities as part of the testing phase, RASP protects the application for direct attacks at runtime.

"},{"location":"resources/security_testing/#manual","title":"Manual","text":"

Have a look at WSTG

"},{"location":"resources/tools/","title":"Security Tools","text":"

This site is intended for AppSec related tools for developers. Most tools here should be possible to use by developers and Security Champions with little or no training. We will however include a few expert level tools for those what want to dive deeper into the topics of security tools.

If you have any tools you would like to include on this list, don't hesitate to add it yourself with a PR, or reach out to us!

"},{"location":"resources/tools/#fundamentals","title":"Fundamentals","text":""},{"location":"resources/tools/#snyk","title":"Snyk","text":"

Snyk is a developer centric tool for scanning source code and dependencies for known vulnerabilities. Equinor has license for Snyk for all developers, so it's highly recommended for all teams to use.

Check out our Snyk guidelines for how to get started.

"},{"location":"resources/tools/#browser-developer-tools","title":"Browser developer tools","text":"

All major browser today comes with a built in developer tools which can be opened with pressing CTRL+SHIFT+I or F12.

These built in tools are quite extensive, and you can get very far in inspecting a web application and peeking into the security in place just by using the tools in your browser. Check Chrome and Firefox for documentation of how to use these tools.

"},{"location":"resources/tools/#intermediate","title":"Intermediate","text":""},{"location":"resources/tools/#owasp-zap","title":"OWASP ZAP","text":"

OWASP ZAP is an open-source web application security scanner. For automation of web scanning ZAP is a powerful tool for finding vulnerabilities. ZAP is free to use, but Equinor has no support on it's usage as of now.

"},{"location":"resources/tools/#burp-suite-community-edition","title":"Burp Suite Community Edition","text":"

Burp Suite is a graphical platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

"},{"location":"resources/tools/#pre-commit-framework","title":"Pre-commit framework","text":"

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Check out our FAQ to get started using pre-commit!

"},{"location":"resources/tools/#expert","title":"Expert","text":""},{"location":"resources/tools/#kali-linux","title":"Kali Linux","text":"

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.

Kali Linux has around 600 penetration-testing tools and is a good starting point for people interested in developing their skills in penetration testing.

Warning

Kali Linux is not officially supported by Equinor, and should not be installed Equinor managed PC's. It should only be installed on self managed devices, and never be connected to the corporate network.

"},{"location":"resources/tools/#links","title":"Links","text":"

A good list of open source tools

"},{"location":"resources/stories/meet_the_appsec_team/","title":"Meet the appsec team","text":""},{"location":"resources/stories/meet_the_appsec_team/#meet-the-equinor-appsec-team","title":"Meet the Equinor AppSec Team","text":""},{"location":"resources/stories/meet_the_appsec_team/#championing-application-security","title":"Championing application security","text":"

How do we build a stronger culture around application security? And how can your team take part in making us more secure? Meet the AppSec team and find out!

Once upon a time, the almighty firewall served as our castle moat. It protected us from any possible threat to our castle walls, or systems and applications if you will, but those days are behind us. Now, we\u2019re headed away from castles and moats and into the cloud.

This means the way we think about security has evolved and requires us to respond.

\u201cAs we move into the cloud and onto the internet, we become much more exposed, and more of the responsibility to keep us secure falls on our developers. Coupled with >increasingly complex technologies and a heavy cognitive load, we need to build a culture around security to give our teams the tools and mindset they need.\u201d - Lars K\u00e5re Skj\u00f8restad

Lars K\u00e5re is part of the Application Security (AppSec) team. He explains that while the goal is to have our development teams be cross-functional and long-lived, we\u2019re still not quite there yet. Now, most of our developer teams are smaller units with a few members. It falls to these very members to handle all aspects of development from frontend to backend \u2013 and everything else. As a result, the mindset of \u201csomeone else will probably handle security\u201d can take hold.

To avoid just that and make sure our teams have the help they need, the AppSec team was assembled in 2022.

\u201cFor us, it\u2019s all about enabling our teams to write more secure code and help them build competence in application security. This means we must understand the context of our teams,\u201d Lars K\u00e5re explains.

Currently, the AppSec team totals 6 people split between Bergen and Stavanger.

And for Equinor, the context is an important part to understand. We don\u2019t have thousands of developers working on a couple of applications, we have thousands of developers working on hundreds of applications.

\u201cA one-size solution is just not feasible for a context like ours. To make sure that we\u2019re able to maintain secure applications, we need to understand what our teams need and want. We\u2019re here to serve our community of developers and help them develop more secure applications,\u201d Lars K\u00e5re says.

\u201cBut ultimately, our goal is that our team won\u2019t be around at all in a couple of years \u2013 because security has become such an ingrained part of all our work that we\u2019re no longer needed,\u201d he adds.

So, how do you go about building this culture and making yourself obsolete? Some of the first steps along the way are recruiting security champions, focusing on open source vulnerability management and threat modeling. Let\u2019s find out more!

"},{"location":"resources/stories/meet_the_appsec_team/#benefit-from-a-collective-of-knowledge","title":"Benefit from a collective of knowledge","text":"

With so many developers spread across all these teams, you need a direct line to each and every one of them for a culture to truly spread. One way of doing that is by building a network of security champions \u2013 people with a keen interest in learning more and championing security in their team.

\u201cBeing a security champion doesn\u2019t mean you\u2019re \u2018Head of Security\u2019 for your team. It means you\u2019re interested in, want to learn more about security and be someone who champions that work in your team.\u201d - Kristian Reed

Just a month into the network\u2019s lifespan they already have more than 140 members, with numbers growing each week. The network officially kicked off with an in-person gathering in Stavanger, where we hosted a Capture the Flag (CTF) competition and community building.

The network also hosts a variety of events; from weekly virtual coffees to monthly seminars on relevant topics. But the heart of everything the network and the AppSec team do is the Slack channel.

\u201cWe wanted to create a place where our champions can benefit from the collective knowledge of the entire network and somewhere people could ask for help when they had any questions. Slack was the natural choice to do so,\u201d Kristian says.

In September 2022, the Security Champion Network kicked off More than 40 Security Champions gathered in Stavanger for the kickoff.

Security champion networks are no brand-new concept. NAV, the Norwegian Labor and Welfare Administration, NRK, Telenor, Finn.no and the Norwegian Police all have their own security champions network. There\u2019s also a Norwegian security champions network Slack-community, with participants from a variety of companies, available for anyone who speaks Norwegian.

And all the information on the AppSec GitHub is available to the world \u2013 inspired by NAV\u2019s own approach.

\u201cSharing our knowledge and competence with the world outside of Equinor is just as important as sharing it with our colleagues. If we can help build a community focused around security, we\u2019ll benefit from that in the end,\u201d Kristian says.

The Equinor Security Champion Network Read more"},{"location":"resources/stories/meet_the_appsec_team/#understanding-how-to-help","title":"Understanding how to help","text":"

Together with Kristian, Ipsita Mishra also runs the security champion network. Her experience was that people were rarely all that interested in security. Many considered it \u2018someone else\u2019s responsibility\u2019, but it was the other way around in Equinor:

\u201cA\u201cAfter we got our first couple of members, the response was overwhelming. We didn\u2019t expect that so many people would be interested in security, nor that they would be so knowledgeable from the start. I think Equinor\u2019s emphasis on safety might have something to do with that.\u201d - Ipsita Mishra

\u201cWhat we\u2019ve started with is getting teams to interact, talk about issues, and do it in a constructive way. This hopefully means we can have progress come out of the conversation and put that into action later,\u201d Ipsita explains.

Getting people to come together is no simple task, but it\u2019s one they\u2019ve already made great progress on with the network. The next step is to find out what direction to take it further in - and create a platform where people can learn and get value from together with the rest of the community.

\u201cWe\u2019re still a young team, so we\u2019re focusing on trying to understand how we can help people improve their processes and help teams be in a better place. Either through talking to teams and advising them when needed or through introducing people to the tools and software we use,\" Ipsita explains.

"},{"location":"resources/stories/meet_the_appsec_team/#automate-scanning-your-code","title":"Automate scanning your code","text":"

The last years, there\u2019s been a solid increase in malicious attacks through third-party dependencies. Just about all Equinor\u2019s software development projects contain open source components and manually keeping up to date on potential security breaches in all of them would be an impossible task. Luckily, Snyk now automates that job.

\u201cSnyk lets us scan all the dependencies in a project for vulnerabilities or malware. Thanks to this, we have an overview of all the possible vulnerabilities in our projects,\u201d Petter Moe Kvalvaag says.

How each team uses the tool in their daily work is up to them to decide, but the most common approach is to tell the tool where your code and GitHub repo is.

\u201cSnyk will automatically and continuously scan your code and give you a overview of your status; how many vulnerabilities you have, what they are and what you need to do. Snyk can make a developer's life much easier and can even create pull requests automatically for you.\u201d - Petter Moe Kvalvaag

Together with Ipsita, Petter has been running onboarding sessions and workshops to help spread the word of Snyk to the developer community. They\u2019 also spent time working on a backend solution to Snyk that will help give us even better reporting capabilities.

\u201cSince Snyk itself has limited reporting capabilities, we\u2019ve had to make our own way around it. We\u2019ve used their API, imported vulnerability data into our own database and created visualizations based on this,\u201d Petter explains.

Petter works with vulnerability management as part of the AppSec-team. Benjamin focuses on threat modelling.

But why bother with a workaround to visualize data, you might ask? To be able to take an analytical approach and see a bigger picture \u2013 of course!

\u201cThis could let us see that many different teams are facing the same problem, for example vulnerabilities with Docker Images. We could then help the teams find each other to discuss their problems, but we could also target this issue specifically and provide workshops or training to help solve it. This means we can help the community as a whole,\u201d Petter says.

\u201cGetting to work with taking an analytical and data-driven approach to the work is really interesting \u2013 and very motivating. Not only are we able to find potential problems, but we can also use the data to see if what we did helped or not.\u201d - Petter Moe Kvalvaag

\u201cOnce we have identified an issue and launched an initiative to mitigate it, we're able to see in retrospect how effective our initiative was. This helps us find the most effective way to reach out and assist the teams in the future,\u201d Ipsita explains.

"},{"location":"resources/stories/meet_the_appsec_team/#why-you-should-prepare-for-an-attack","title":"Why you should prepare for an attack","text":"

Knowing what weaknesses you have is one thing, but you should also plan for someone to exploit them right from the start. Welcome to the world of threat modeling. Simply put, it means identifying and discussing the possible threats and weaknesses to your system.

\u201cThere are many different methods to do threat modeling, but what they all have in common is that you draw up a diagram of your system. Then, you use this to think of ways that someone could attack your system \u2013 and how to prevent or deal with it. You need to think like an attacker to identify your weaknesses. It\u2019s a big clich\u00e9 but it\u2019s incredibly efficient.\u201d - Benjamin L\u00f8kling Randeberg

The team even hosted a threat modeling workshop at EDC 2022, which acts as the foundation for future workshops for threat modeling. So far, they\u2019ve introduced several teams to the concept and are hoping to add even more in the future.

\u201cWe\u2019re hosting an in-person workshop, but we\u2019re also following up on the teams in the months after their introduction. This makes sure we can help them with any questions, build upon anything they find and help them become even more secure \u2013 based on their team\u2019s context. We really hope threat modeling is something people will adapt, because it\u2019s such a great tool to have,\u201d Benjamin explains.

What kind of team would the AppSec team be without their own merch? What else is there to do when a colleague has a question than to bust out the good old whiteboard?"},{"location":"resources/stories/meet_the_appsec_team/#learn-and-consider-how-things-work","title":"Learn and consider how things work","text":"

We\u2019ve heard about what the team does, but what is it like to work in the AppSec team? Being part of an enabler team, whose aim is to enable others to be better, can feel quite different from a regular development team.

\u201cBeing part of a team that also aims to build a wider culture in the community is new to me, and even though we\u2019re still new it\u2019s really inspiring to see the effect of the work we\u2019re doing,\u201d Petter explains.

Working with security is just like working with technology in general \u2013 to keep up you need an eagerness to learn and keep up with what\u2019s new. You also get to understand and explore the bigger picture:

\u201cWorking in security means not only do you get to learn how everything works, but you also get to think about how someone could exploit things. Together, you get an all-round view of what you can do with different things. It\u2019s not just software either, it\u2019s hardware or gadgets too. This combination is what makes it so incredibly interesting. You get to do new things every day and learn new things every day.\u201d - Ipsita Mishra

You\u2019ll get to learn a lot, but you\u2019ll also get to be a teacher in order to spread the good word of application security \u2013 for example at internal conferences and workshops. But the gospel of AppSec stretches outside of Equinor as well: Lars K\u00e5re even held a presentation at Defcon in Las Vegas of 2022.

\u201cBeing part of a team with people who are all so dedicated to and interested in the world of AppSec is really exciting. I get to do what I\u2019m interested in, I get to learn \u2013 both on my own and through the team \u2013 and the purpose is to make all our teams\u2019 security better,\u201d Benjamin smiles.

As a newly started team, they\u2019re still charting the course for the future.

\u201cWe have a lot of freedom to shape the future ourselves and decide the tasks we want to take on. That played a big part in my motivation to join, and still does,\u201d Kristian says.

\u201cAnd we\u2019re always open to suggestions and are looking to expand the team, so keep an eye out in the future if you would like to join us. Or get in touch directly,\u201d Kristian smiles.

Only time will show if the AppSec team are successful in building a culture around security in our developer community. We\u2019ll be sure to get back to them in a while to get an update on they\u2019re doing.

"},{"location":"resources/stories/meet_the_appsec_team/#people","title":"People","text":"Lars K\u00e5re Skj\u00f8restad Kristian Reed Benjamin L\u00f8kling Randeberg Ipsita Mishra Petter Moe Kvalvaag Andrea Brambilla

Story, text and photographs: Torstein Lund Eik. Published January 2023

"},{"location":"security-champion/","title":"What is a Security Champion","text":"

You are probably wondering what a Security Champion is in Equinor context and what you can expect if you join? Well then you are on the right track.

A Security Champion in our context is a person who has a interest in security and want to expand on this interest. The Security Champions Network (SCN) is a network where people and security is in the center.

Info

You do not need to have any security knowledge to join, but the eagerness to learn and share

"},{"location":"security-champion/#what-do-we-expect-from-you","title":"What do we expect from you?","text":"

Info

A Security Champion is the voice of security, and security is a team effort.

You as a champion are the heart of this network. We know time might be tight, but we greatly appreciate all participation.

"},{"location":"security-champion/#what-can-you-expect","title":"What can you expect?","text":""},{"location":"security-champion/#how-to-become-a-security-champion","title":"How to become a Security Champion?","text":"

Becoming a Security Champion is as easy as filling out this form.

"},{"location":"security-champion/#questions","title":"Questions?","text":"

Try checking out our FAQ.

"},{"location":"security-champion/1-new_security_champion/","title":"I've joined, now what?","text":""},{"location":"security-champion/1-new_security_champion/#welcome-young-padawan","title":"Welcome young padawan","text":"

This is where the fun begins.

Here's a puzzle for you :

Get your gift by decoding this challenge - https://forms.microsoft.com/r/cLRPzRtPGQ

"},{"location":"security-champion/1-new_security_champion/#add-security-champion-events-to-your-calendar","title":"Add Security Champion events to your calendar","text":"

To check all events, and add them to your own calendar, go to your outlook calendar and select the Security Champion Calendar from group calendars:

Note: This option might not be available on Mac, if that is your case, another option is to use outlook through connectit to add the events.

You can also find a calendar of events on SharePoint

"},{"location":"security-champion/1-new_security_champion/#relevant-slack-channels","title":"Relevant Slack channels","text":"

Info

#AppSec Most general information should be posted here so everyone in Equinor has access to it and can participate! Dropping a @appsecteam in this channel will get our attention immediately.

"},{"location":"security-champion/1-new_security_champion/#relevant-events","title":"Relevant events","text":""},{"location":"security-champion/2-security_champion_activities/","title":"Security Champion Activities \ud83e\uddb8\u200d\u2640\ufe0f","text":""},{"location":"security-champion/2-security_champion_activities/#introduce-yourself","title":"Introduce yourself","text":"

Say hello in the Security Champion channel \ud83d\udc4b Always fun to meet new champions.

"},{"location":"security-champion/2-security_champion_activities/#ensure-that-all-your-code-is-being-scanned-by-sast","title":"Ensure that all your code is being scanned by SAST","text":"

Ensure all your projects code is scanned by Snyk, and that you have Snyk Code enabled for your projects. Using a linter is always good when you develop!

"},{"location":"security-champion/2-security_champion_activities/#define-security-requirements","title":"Define security requirements","text":"

Have a look at our security requirements page and define some for your project.

"},{"location":"security-champion/2-security_champion_activities/#check-out-our-guidelines","title":"Check out our guidelines","text":"

We have created a few guidelines. Please check them out and consider implementing them in your projects where it makes sense.

Info

Feedback is good, so if you have any, feel free to contact us, or even create a PR on our github repo!

"},{"location":"security-champion/2-security_champion_activities/#threat-modelling-activities","title":"Threat Modelling activities","text":"

We can organize introductory sessions to threat modelling, simply reach out to the @appsecteam on our Slack channel #appsec.

"},{"location":"security-champion/2-security_champion_activities/#contribute-to-this-site","title":"Contribute to this site","text":"

As of now, a lot of the content on this site is written by the AppSec-team. This site is meant to be a resource for the Security Champion community, and thus contribution from the community is crucial for making this site useful.

If you have anything to share that you think will be useful for others, don't hesitate. Same goes for editing the content that already exists.

Just go to our github-repo and make a PR. Pro tip: You can use Visual Studio Code directly from your browser by pressing \".\" when you are on a page. Contributing has never been easier!

"},{"location":"security-champion/2-security_champion_activities/#have-the-team-work-through-the-owasp-juice-shop","title":"Have the team work through the OWASP Juice Shop","text":"

OWASP JuiceShop is a great resource for security training and getting familiar with OWASP Top Ten. There are many ways to utilize this project for training, with some of them being:

"},{"location":"security-champion/2-security_champion_activities/#check-out-the-owasp-asvs","title":"Check out the OWASP ASVS","text":"

OWASP ASVS is a collection of web application technical security controls and requirements. Have a look and see if this makes sense to use for your project :)

"},{"location":"security-champion/2-security_champion_activities/#manually-security-test-your-application","title":"Manually security test your application","text":"

Have a look at WSTG.

"},{"location":"security-champion/3-faq/","title":"Frequently Asked Questions \u2753","text":""},{"location":"security-champion/3-faq/#do-i-have-to-be-a-security-expert-to-be-a-security-champion","title":"Do I have to be a security expert to be a Security Champion?","text":"

Absolutely not! This is a initiative for people to learn more about security and generate a network for people to share experiences and competence.

"},{"location":"security-champion/3-faq/#who-can-become-a-security-champion","title":"Who can become a Security Champion?","text":"

Everyone who considers themselves part of a development team can become a Security Champion. If you are a developer, ux-designer, tester, citizen developer or anything in-between, you are welcome to join. There is no requirement to be an Equinor employee to join, we invite consultants as well!

"},{"location":"security-champion/3-faq/#does-being-a-security-champion-result-in-a-lot-of-extra-work","title":"Does being a Security Champion result in a lot of extra work?","text":"

It depends on what you want to do. It can be everything from just informing the team about security related issues/questions you hear about in the network, to facilitating regular threat modelling sessions, or implementing Snyk in your pipelines, and a ton of other activities one can do. There are events organized by the network one can attend; e.g. weekly \"morning coffee\" and monthly seminars (both can be joined digitally).

"},{"location":"security-champion/3-faq/#am-i-required-to-contributehave-talks-in-the-network","title":"Am I required to contribute/have talks in the network?","text":"

No, but we highly recommend everyone on sharing. It might also be that you hear about a problem or solution from a team member or co-worker that can be shared. Asking questions is also contributing!

"},{"location":"security-champion/3-faq/#i-dont-know-anything-thats-worth-sharing","title":"I don't know anything that's worth sharing","text":"

Are you sure? Everyone knows something, and how you apply certain tools or how you've implemented security testing could be very interesting! The Impostor syndrome is real, and we need to combat it.

"},{"location":"security-champion/3-faq/#i-have-a-story-i-want-to-share","title":"I have a story I want to share","text":"

Awesome! We want to hear about what you did. Reach out to the AppSec team on Slack after reading the stories page. Maybe we will award this with unique merch as well?

Even if it was something \"bad\" you discovered in your project, why not share? It's important to highlight the issues we have as well as the good, as everything can be used to learn from.

"},{"location":"security-champion/3-faq/#so-i-joined-what-now","title":"So I joined, what now?","text":"

Check out what you can do in the activities section.

"},{"location":"security-champion/3-faq/#i-want-to-attend-one-of-the-security-champion-events-meetups-do-you-provide-a-wbs-for-hours-and-travel-expenses","title":"I want to attend one of the Security Champion events / meetups. Do you provide a WBS for hours and travel expenses?","text":"

The Security Champion initiative is a network we invite IT professionals to join and share experiences. Members need to ask their project managers or line leaders for approval to travel and spend time on the network.

"},{"location":"security-champion/3-faq/#i-dont-have-enough-time-to-spend-on-security-related-work","title":"I don't have enough time to spend on security related work","text":"

If you feel like the team do not get the needed time to work on security, please reach out to the AppSec team on Slack. We can help convey the importance and help highlight risk in your team.

"},{"location":"security-champion/3-faq/#can-we-have-more-security-champions-in-our-team","title":"Can we have more Security Champions in our team?","text":"

Ideally, each development team should have one or more team-members who takes on the role of Security Champion. If you are unsure if you have too many, don't hesitate in reaching out to ask.

Remember that it is the entire team that is responsible for the security of applications in the team's portfolio. The Security champions will support the team, but not bear any extended responsibility.

"},{"location":"security-champion/3-faq/#how-can-sign-up-to-become-a-security-champion","title":"How can sign up to become a Security Champion?","text":"

Use this form to sign up!

"},{"location":"security-champion/3-faq/#any-more-questions","title":"Any more questions?","text":"

Please reach out to us on Slack, #appsec / #security-champion or email at appsec[at]equinor.com.

"},{"location":"security-champion/4-learning-platform/","title":"Secure Code Learning platform","text":"

We are testing out a secure coding learning platform. You as a champion are a perfect match, and that is why you get special merch by learning!

"},{"location":"security-champion/4-learning-platform/#what-can-you-expect","title":"What can you expect?","text":"

Info

You can gain unique merch based on your belt level!

There is a wide arrangement of subjects, and you can do them all if you wish! So there are tracks for:

Use this form to sign up for it! Happy learning!

"},{"location":"security-champion/4-learning-platform/#belt-system","title":"Belt system","text":"

We are launching a new belt system with this learning platform. There are 5 belts you can achieve, where White, Yellow, and Green belt are achievable from only learning through the platform. More on the merch you can get from the different belts here. The brown and black belts are something special. They require you to complete activities that give back to the Security Champion network.

The brown and black belts are special and require you to complete activities normally in the Security Champion network.

You report this by using the \"Champion passport\", add your activity, select 1 in hour slot, and comment on what you did, and when you did it. We will then go through and double-check the activity, and if everything is A-OK, you get the activity successfully registered!

"},{"location":"security-champion/4-learning-platform/#activities","title":"Activities","text":"

Please help contribute with useful activities that make sense in Equinor context for Equinor Security Champions. The list below might change based on your feedback.

Note

The list of activities might change based on your feedback.

"},{"location":"security-champion/5-merch/","title":"Merchandise","text":"

Merch is an important tool in building a security culture. We need to be visible, both the AppSec team and our champions to raise awareness to security. We also want to make being a Security Champion something to be proud of, and we are leveraging merch as one of the tools in order to manage this.

As SCN age, we will have different merch come and go. Below we have a record of some of the selections we have given out. Some of them are out of stock, some are in stock, you never know! Should we get keep inventory? Probably...

"},{"location":"security-champion/5-merch/#how-to-get-merch","title":"How to get merch","text":""},{"location":"security-champion/5-merch/#merch-for-belts","title":"Merch for belts","text":"

Since we are launching a new belt system connected to the secure coding platform, we need fresh merch! Below is a list of what you can get at the different belt systems. The items will be shipped via mail unless you can pick it up in the building (Forus \u00d8st).

Note

Merch will \"build up\" and be shipped in bulk, normally every 2/3 belt levels in order to avoid too much shipping work.

"},{"location":"security-champion/6-offboarding/","title":"Offboarding for Security Champions","text":""},{"location":"security-champion/6-offboarding/#sad-to-see-you-go","title":"Sad to see you go","text":"

We are all busy people in a busy time. If you feel the need to leave the Security Champion Network, then it's all good. Circumstances change, and you are free to use this offboarding form to automagically leave.

If you have someone that is interested in taking over the role for you, please point them to the champions onboarding section.

Though you may leave the network, we hope the learnings from the network stay with you forever. You are always welcome back at a later time!

"},{"location":"security-champion/7-about/","title":"About the network","text":"

The Security Champion Network is intended to be a community for Security Champions in Equinor. Software development over the last years has rapidly evolved from big development teams consisting of dozens of developers to smaller autonomous teams where we are today. With greater responsibility of the whole lifecycle of applications, modern DevOps teams are also expected to handle security.

This network was born to facilitate security awareness and competence building in DevOps teams. These are necessary ingredients for successfully shifting security left. It is a place where teams can safely exchange experiences - both good and bad, and hopefully learn from each others. The end goal is for the Security Champion Network to become Equinor's powerhouse for application security.

"},{"location":"security-champion/7-about/#desired-outcome","title":"Desired outcome","text":"

Create a lively community for people working with Application Security in Equinor. Knowledge is shared across teams, and we are then able to scale security in a more impactful way.

"},{"location":"security-champion/7-about/#activities","title":"Activities","text":"

Please check our event site for info about upcoming and past Security Champion network events.

The main communication channel for the community is Slack. This is where people can post questions exchange experiences when it comes to different tools and technologies etc.

"},{"location":"security-champion/7-about/#role-of-the-appsec-team","title":"Role of the AppSec team","text":"

The Security Champions Network is run by the AppSec team, but we aim to empower our champions to contribute in any way they can.

Do you have a guideline you want to create? Do you want to hold a seminar talk? Would you want to organize an event? Whatever the idea is, let's have a chat! \ud83e\udd1f

Reach out to us on Slack or e-mail at appsec[at]equinor.com

"},{"location":"security-champion/7-about/#contact-us","title":"Contact us","text":"

If you are reading this from across the web and want to reach out about the program and how we do things, please do so by sending an e-mail to appsec[at]equinor.com or reach us through the Security Champions Norge Slack.

"},{"location":"security-champion/8-useful-links/","title":"Useful links","text":"

These are some relevant resources for security champions

"},{"location":"security-champion/events/","title":"Events \ud83d\udce3","text":""},{"location":"security-champion/events/#morning-coffee","title":"Morning coffee","text":"

Informal chat around application security topics, it's a great place to ask questions and start discussions. It happens every Wednesday from 10:00 to 10:30. You can also propose topics in advace in the #security-champion channel on Slack.

"},{"location":"security-champion/events/#security-champion-seminar","title":"Security Champion Seminar","text":"

On the last Thursday of every month, from 12.00 to 13.00, we host the Security Champion Seminar. The seminar typically includes talks from members of the Security Champion network and/or the Application Security team. The agenda of all the past seminars can be found on the internal Security Champion page.

"},{"location":"security-champion/events/#presenting-at-the-seminar","title":"Presenting at the seminar","text":"

Do you have any topics you are interested in sharing? Great!\ud83d\ude0d Please submit your interest using this form, or get in touch with the @appsecteam on Slack. If you do, not only will you be rewarded with positive feedback, but you will get unique merch!

"},{"location":"security-champion/events/#add-security-champion-events-to-your-calendar","title":"Add Security Champion events to your calendar","text":"

To check all events, and add them to your own calendar, go to your outlook calendar and select the Security Champion Calendar from group calendars:

Note: This option might not be available on Mac, if that is your case, another option is to use outlook through connectit to add the events.

You can also find a calendar of events on SharePoint.

"},{"location":"security-champion/events/2022/1-sc-info-meeting/","title":"Security Champion info meeting","text":"

We are excited to announce that we will launch a Security Champion network among the broader developer community in Equinor! Everyone who considers themselves part of a development team can become a Security Champion. If you are a developer, UX-designer, tester, citizen developer or anything in-between, you are welcome to join \ud83e\udd73

Signup Information

Use this form for signing up to the security champion's network.

"},{"location":"security-champion/events/2022/1-sc-info-meeting/#puzzle","title":"Puzzle","text":"

Puzzle

Try the puzzle HERE

Among everyone that manages to solve all 3 challenges, we will draw a winner that will receive a price that is yet to be announced!

"},{"location":"security-champion/events/2022/sc-kickoff-agenda/","title":"Security Champions Kickoff \ud83d\ude80","text":""},{"location":"security-champion/events/2022/sc-kickoff-agenda/#welcome-champions","title":"Welcome Champions","text":"

To initiate the security champions network, we invite you to the kickoff!

The Security Champions network is a crucial part to create a strong security culture at Equinor. So get ready to join a bunch of security minded people in a journey to develop a unique perspective, engage in some cool security activities, learn niche new things and have a great time together.

Like it is often said, security champions make everything better!

"},{"location":"security-champion/events/2022/sc-kickoff-agenda/#agenda","title":"Agenda","text":"When What 08.30 - 09:00 Morning Coffee 09:00 - 09:30 Safety moment and introduction 09:30 - 11:00 Capture the Flag 11:00 - 12:00 Lunch 12:00 - 12:45 Building a security culture by Niall Merrigan 12:45 - 13:00 Break 13:00 - 13:30 About the network 13:30 - 14:00 ISC introduction 14:00 - 14:15 Break 14:15 - 16:00 Workshop 16:00 - 18:00 Tapas & Mingling"},{"location":"security-champion/events/2023/1-sc-meetup-2/","title":"Security Champions Meetup #2","text":"

We are excited to invite you to our upcoming network meetup on all things security! This is where we all come together to share our experiences, learn from each other, and discuss the latest on security.

The meetup will be held on 7th June 2023. So, mark your calendars and join us for a day of insightful discussions and valuable connections. More details in the invite.

We look forward to seeing you there!

"},{"location":"security-champion/events/2023/1-sc-meetup-2/#agenda","title":"Agenda","text":""},{"location":"security-champion/events/2023/1-sc-meetup-2/#6th-june-2023","title":"6th June 2023","text":"When What 18.00 - 20:00 CTF teams solving challenges together !"},{"location":"security-champion/events/2023/1-sc-meetup-2/#7th-june-2023","title":"7th June 2023","text":"When What 08.00 - 08:30 Morning Coffee 08.30 - 08:45 Safety Moment 08.45 - 09:00 Introduction and Agenda 09:00 - 11:00 CTF time! 11:00 - 12:00 Winner announcement followed by Lunch 12:00 - 12:30 Snyk Statistics after a Year of Operation 12:30 - 12:45 Quiz time! 12:45 - 13:15 Learning from the Community 13:15 - 13:25 Break 13:25 - 14:10 Threat Modelling PechaKucha 14:10 - 14:55 OT Hacking Demonstration 14:55 - 15:00 Break 15:00 - 15:45 World's Largest Cyber Defense Exercise 15:45 - 16:00 Conclusion"},{"location":"security-champion/events/2024/1-sc-meetup-3/","title":"Security Champions Meetup 3","text":"

We are excited to announce our upcoming security champion's meetup!

This will be our network's third meetup and we have put together a fantastic agenda filled with social acitivities, presentations and challenges.

We will have cool merch and prizes to hand out. You will not want to miss it.

"},{"location":"security-champion/events/2024/1-sc-meetup-3/#agenda","title":"Agenda","text":""},{"location":"security-champion/events/2024/1-sc-meetup-3/#7th-march-2024","title":"7th March 2024","text":"When What 8:00 - 8:30 Morning Coffee & Mingling 8:30 - 9:00 Safety Moment, Introduction & Team Building 9:00 - 9:45 LLM Hacking 9:45 - 10:00 Break 10:00 - 11:00 GitHub Copilot introduction 11:00 - 12:00 Lunch 12:00 - 12:20 How to set up your home office securely 12:20 - 12:30 Ctrl+Alt+Deceit: The Game Jam Scam 12:30 - 13:00 How to communicate security to your team 13:00 - 13:15 Break 13:15 - 13:45 Lifting the lid on last summer's QR code phishing attacks 13:45 - 14:15 Mad Rabbit & Hacking Workshop 14:15 - 14:35 Break 14:35 - 15:05 Hacking Workshop Cont. 15:05 - 15:50 Red & Blue teams threat modeling 15:50 - 16:00 Conclusion 16:00 - 18:00 Pizza After Party"},{"location":"security-champion/stories/","title":"Stories \ud83c\udfc6","text":"

We want to highlight stories from our teams, to promote both learning and sharing culture, in the context of security.

"},{"location":"security-champion/stories/#what-is-a-story","title":"What is a story?","text":"

A few examples:

If you have something in mind, consider writing a story. It's even an activity to reach the brown/black belt!

Info

Please use the below template and send it to the AppSec team on Slack or e-mail at appsec[at]equinor.com

"},{"location":"security-champion/stories/#how-to-get-started","title":"How to get started","text":"

Feel free to include pictures to illustrate, and provide sources where applicable.

Tips

Try to add technical and quantifiable information to the story to better showcase the value.

"},{"location":"snyk/","title":"Getting started","text":"

Snyk is available to all teams who code in Equinor.

After your first time sign in, you will be able to list organizations available at the Equinor Group overview (top level). If you see a relevant org to join, request one of the listed org admins to add you to the org.

"},{"location":"snyk/#crash-course-common-snyk-situations","title":"Crash Course: Common Snyk Situations","text":"

We have built a short curriculum, to help you learn the basics of Snyk. Take a look here.

The curriculum is tailored to using Snyk in Equinor.

"},{"location":"snyk/#privacy","title":"Privacy","text":"

Concerns about which data snyk collects are addressed on Snyk's privacy policy page

"},{"location":"snyk/2-about-snyk/","title":"About Snyk","text":""},{"location":"snyk/2-about-snyk/#what-is-it","title":"What is it","text":"

Snyk is a bundle of tools which helps managing vulnerabilities throughout the software development lifecycle. Currently Equinor has licenses for Snyk Open Source and Snyk Container which helps manage vulnerabilities related to third party software either as dependencies or as part of the base docker images your app depends on.

"},{"location":"snyk/2-about-snyk/#third-party-dependencies","title":"Third party dependencies","text":"

All modern IT projects today pull in volumes of code from open source projects. It is not possible to read and understand this code, and as such this becomes a legitimate application security risk. An example is the recent supply chain attack through colors.js, where the maintainer simply added an infinite loop in the code resulting in a Denial of Service to any Node.js server using it.

This is a strong argument for pinning packages to exact versions as provisioned in e.g. npm lock files, but the counter side of that is that you need to explicitly upgrade to get the latest security patches. Given the complexity of this landscape, using automated tools quickly becomes a requirement to keep software patched and secure.

So what can we do to mitigate this risk? The current strategy in Equinor is to automatically scan the projects using tools like Snyk. These tools can scan code repositories continuously and on every pull request. They will find your Dockerfiles, npm package-locks, pip requirements and many other packaging formats and check if you are currently installing a dependency with an associated known vulnerability. They will also assist you in assessing the severity and suggesting mitigating actions.

To learn more, check out how to get started

"},{"location":"snyk/3-snyk_support/","title":"Getting Snyk Support","text":"

This short guideline give some advice on how and where to get Snyk support. The AppSec team will provide help, but most of the Snyk support in Equinor should be community driven. We have a direct connection to Snyk's Customer Success staff which also will help out (the Slack channel #snyk-equinor-bridge)

Consult the documentation part. If you cannot find your solution, considering raising a Snyk Support Ticket.

"},{"location":"snyk/3-snyk_support/#documentation-and-relevant-community-resources","title":"Documentation and relevant community resources","text":""},{"location":"snyk/3-snyk_support/#raising-a-support-ticket-with-snyk","title":"Raising a Support Ticket With Snyk","text":"

We encourage raising Support tickets with Snyk. To enable some follow-up and transparency into the Equinor Community on questions/challenges, please use the following procedure:

"},{"location":"snyk/3-snyk_support/#external-resources","title":"External resources","text":""},{"location":"snyk/4-vulnerabilities/","title":"Vulnerabilities","text":"

When Snyk has identified vulnerabilities in source code, it's time to decide what to do with them. This section will provide some expectations for how to resolve vulnerabilities in Equinor.

"},{"location":"snyk/4-vulnerabilities/#remediation","title":"Remediation","text":"

Ultimately it is up to each devOps team to decide how to remediate their vulnerabilities. However, for Equinor to have a total overview of the total security posture of the entire portfolio, we have expectations to how vulnerabilities should be evaluated once they are identified.

Snyk uses four severity levels: low, medium, high and critical to evaluate the risk of a particular vulnerability. The expected action depends on the severity of a given vulnerability.

Level Description Critical This may allow attackers to access sensitive data and run code on your application High This may allow attackers to access sensitive data in your application Medium Under some conditions, this may allow attackers to access sensitive data on your application Low Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application"},{"location":"snyk/4-vulnerabilities/#critical","title":"Critical","text":"

Vulnerabilities should be evaluated and remediated as soon as possible. If a vulnerability is critical, there should be a plan for either fixing or removing the vulnerability within 24 hours.

"},{"location":"snyk/4-vulnerabilities/#high","title":"High","text":"

High vulnerabilities should be evaluated and remediated as soon as possible. If a vulnerability is high, there should be a plan for either fixing or removing the vulnerability within 7 days.

"},{"location":"snyk/4-vulnerabilities/#medium","title":"Medium","text":"

Medium vulnerabilities should be evaluated and remediated. If a vulnerability is medium, there should be a plan for either fixing or removing the vulnerability within 30 days.

"},{"location":"snyk/4-vulnerabilities/#low","title":"Low","text":"

If a vulnerability is low, it should be evaluated to see if a fix is available.

"},{"location":"snyk/4-vulnerabilities/#priority-score","title":"Priority score","text":"

Snyk also provides a priority score from 0-1000 for each vulnerability. This score is based on the CVSS severity score, rechability of the vulnerability and the maturity of the exploit. The priority score is used to prioritize the work of the devOps teams. Note that the priority score may vary from project to project based on wether a fix is available or not.

"},{"location":"snyk/4-vulnerabilities/#ignoring-vulnerabilities","title":"Ignoring vulnerabilities","text":"

If the detected vulnerability is not applicable to your project, it can be ignored with a comment explaining why it should be ignored.

If the vulnerability is in a project not in production it can be tagged with the lifecycle tag \"sandbox\" to exclude it from the aggregated dashboard.

"},{"location":"snyk/4-vulnerabilities/#who-to-contact","title":"Who to contact","text":"

Please reach out to the AppSec team on Slack or email at appsec[at]equinor.com if you have any questions regarding evaluating vulnerabilities.

"},{"location":"snyk/4-vulnerabilities/#further-resources","title":"Further resources","text":""},{"location":"snyk/curriculum/","title":"Curriculum","text":"
  1. Products
  2. Integrations
  3. Projects
  4. Scan Results
  5. Advanced Resources
  6. Frequently Asked Questions
"},{"location":"snyk/curriculum/1-snyk_products/","title":"Products","text":"

When you sign up for Snyk, you get access to the following products:

.. and a ton of integrations!

"},{"location":"snyk/curriculum/2-integrations/","title":"Integrations","text":"

Integrations are merely ways to connect and interact with Snyk. You can find all the supported integrations here.

"},{"location":"snyk/curriculum/2-integrations/#recommended-integrations","title":"Recommended Integrations","text":""},{"location":"snyk/curriculum/2-integrations/#1-github-integration","title":"1. Github Integration","text":"

We recommend starting with adding your github repositories. The easiest way to do this is by adding the Github integration. Doing this will create one snyk project for each source file it understands, e.g. requirements.txt or package-lock.json.

Configuration settings for this integration can be found here.

Please ensure the following:

"},{"location":"snyk/curriculum/2-integrations/#2-ide-integration","title":"2. IDE Integration","text":"

It is recommended to use Snyk IDE plugins while developing applications. This is in addition to the Github integration.

The results of a vulnerability scan show issues with context, impact, and fix guidance in your IDE, where the fix for the vulnerability can be done right in the IDE itself.

Read more here.

"},{"location":"snyk/curriculum/3-projects/","title":"Projects","text":""},{"location":"snyk/curriculum/3-projects/#import-a-project","title":"Import a Project","text":"

Snyk Projects are items that Snyk scans for issues, for example, a manifest file listing your open-source dependencies. When you import a Project, Snyk scans that imported Project, and displays the results for you to review.

Check how to import a project here.

"},{"location":"snyk/curriculum/3-projects/#tagging-snyk-projects-in-equinor","title":"Tagging Snyk Projects in Equinor","text":"

We use tagging of Snyk projects to assist us in getting useful metrics. Please make sure that your projects are tagged correctly!

"},{"location":"snyk/curriculum/3-projects/#tldr","title":"TL;DR","text":""},{"location":"snyk/curriculum/3-projects/#filtering-noise-from-scanning-results","title":"Filtering \"noise\" from scanning results","text":"

Extracts from Snyk projects are imported into an external dashboard. We use information from this Dashboard to help us increase the security posture of our code products and projects. Quite often teams will scan/import projects that should not be part of the official results. This could be scenarios such as testing Snyk, scanning the same code base from multiple angles (CLI, SCM, Container, ++). For each code-base there should be one \"official scanning\". For most teams this will quite often be the SCM (Github integration).

The default is that \"all\" projects will be included in the aggregated Dashboard. To omit a project from the aggregated Dashboard change the \"Life Cycle\" tag for your project as follow:

The role Org Admin is required to make a change to the \"Life cycle\" tag.

"},{"location":"snyk/curriculum/3-projects/#toggling-the-rule-set-for-equinors-opensource-distributed-projects","title":"Toggling the rule-set for Equinor's OpenSource distributed projects","text":"

We have configured Snyk to no longer by default alert of potential license issues for projects. If your project is distributed (ex. exposed on the internet, source-code is OpenSource), you should use the tag \"Distributed\" in the Environment section. This will enable the correct rule-set for your project.

If you cant see 'Distributed' in the list, try searching for it!

"},{"location":"snyk/curriculum/4-scan_results/","title":"Scan Results","text":""},{"location":"snyk/curriculum/4-scan_results/#view-snyk-scan-results","title":"View Snyk Scan Results","text":"

Once you have imported a project, it will be scanned. Learn how to view the scan results here.

"},{"location":"snyk/curriculum/4-scan_results/#interpreting-and-prioritizing-snyk-findings","title":"Interpreting and Prioritizing Snyk Findings","text":"

The Snyk Priority Score is a good reference when prioritizing Snyk findings, and should be taken into consideration. Be mindful that Snyk reports on potential vulnerabilities, so you will still need to investigate if the reported issue is a true positive or not.

For issues with a fix available, you can trigger Snyk to create a pull-request which addresses the issue. The fix usually involves upgrading the dependency to a vulnerability free version or with a patch. This upgrade might break the code and Snyk will indicate this in the pull-request created. The reviewer is responsible to ensure that the changes in the PR won't cause issues with the project.

In most languages, a minor (1.1.x \u2192 1.2.x) or patch (1.1.1 \u2192 1.1.2) release is considered \u201cnon-breaking\u201d. Whilst a major version (1.x.x \u2192 2.x.x) contains breaking changes.

For issues with no fix available it is up to the developers to evaluate how to handle this - whether it be explicitly ignoring the issue until a fix is available, replacing the dependency, or removing the dependency all together as you discover it is not really needed.

On a side-note: It is a good practice to define Security Requirements for your applications. In the context of adopting Snyk, it makes a lot of sense to add a requirement covering the how long exposure window is tolerated for your application.

Ex.

The remediation time of newly discovered vulnerabilities for our application will take no longer than: Critical: < 7 days High: < 30 days Medium-Low: Resolve based on availability

For more information, see Snyk's documentation

"},{"location":"snyk/curriculum/4-scan_results/#interpreting-issues-regarding-licenses","title":"Interpreting Issues regarding Licenses","text":""},{"location":"snyk/curriculum/4-scan_results/#intro","title":"Intro","text":"

Disabled by default

To enable the rule-set that alerts on potential issues, add the \"Distributed\" environment-tag in your projects. If you cant see 'Distributed' in the list, try searching for it

Open source software you use in your projects (eg. libraries) are licensed by the author(s) to ensure that it is used the way the author attended. There are many different licenses out there. Some of them are created to ensure the freedom of use without asking anything in return. Others may require that projects using the licensed software adopt the same license and make their software open and free.

Information on why/how Snyk reports on License-issues

The subject of license-issues is most relevant for Equinor's Open Source Software projects, as obligations to comply is usually triggered by distribution.

From the OSLC-handbook:

Distribution is defined as: providing software to another entity, i.e., an individual or organization outside your company or organization.

Determining the requirements that need to be met to comply with open source licenses involves the following:

  1. You must know what open source software you are using;
  2. You must know what license applies to that open source software and the relevant legal interpretation of the license; and
  3. You must know how you using that open source software.
"},{"location":"snyk/curriculum/4-scan_results/#what-to-do","title":"What to do","text":"

We recommend that all teams, regardless of whether they are distributing their solutions or not, acquire a working knowledge of the subject of Open Source Licenses.

You should act when Snyk report on license issues. This will involve investigating the terms of the license in question, and to do the necessary steps to comply.

Sometimes in order to stay compliant, one might have to adopt a new license for your software, replace the open source software, or in some cases ignore it because you find out you are not under obligation to comply.

Example

This Equinor team maintains an application used by Equinor employees. The source-code is not made available, and the application is only reachable from the internal network.

Snyk report the following issue:

Investigating the AGPL-3.0 license, looking into the resources linked to at the bottom of this guide, the investigator finds the following useful information:

As any distribution of software that is linked to or incorporates AGPL components triggers copyleft, either the entire product must be made available under the AGPL or the product must only be used strictly internally.

Since this is the case for their application, they do not trigger the copyleft clause, and this issue can be resolved without further action.

What they do next is described bellow.

"},{"location":"snyk/curriculum/4-scan_results/#what-to-do-after-an-issue-is-resolved","title":"What to do after an issue is resolved","text":"

After a license-issue is resolved, a good practice would be to document it in Snyk via the 'ignore' button.

If you do need assistance, don't be afraid to reach out on Slack

"},{"location":"snyk/curriculum/4-scan_results/#more-information","title":"More information","text":"

Some useful resources are listed bellow:

Some examples of compliance failures:

"},{"location":"snyk/curriculum/5-advanced/","title":"Advanced Resources","text":""},{"location":"snyk/curriculum/6-faq/","title":"Frequently Asked Questions","text":""},{"location":"snyk/curriculum/6-faq/#1-where-can-i-get-support-for-snyk","title":"1. Where can I get support for Snyk ?","text":"

To get support on Snyk:

Detailed information available here.

"},{"location":"snyk/curriculum/6-faq/#2-why-is-snyk-unable-to-process-supported-files","title":"2. Why is Snyk unable to process supported files ?","text":"

Here are some discussions around it:

"},{"location":"snyk/curriculum/6-faq/#3-confused-about-how-to-solve-specific-issues-detected-in-snyk","title":"3. Confused about how to solve specific issues detected in Snyk?","text":"

Check below some interesting conversations:

"},{"location":"snyk/curriculum/6-faq/#4-how-would-i-address-vulnerabilities","title":"4. How would I address vulnerabilities ?","text":"

Read more about dealing with vulnerabilities here.

"},{"location":"snyk/curriculum/6-faq/#5-where-can-i-check-the-status-of-snyk-services","title":"5. Where can I check the status of Snyk services ?","text":"

The status of snyk services can be checked at https://status.snyk.io.

"},{"location":"threat-modeling/","title":"Threat Modeling","text":"

Threat modeling is often cited as the practice with greatest impact on strengthening teams security posture. In this section of our AppSec pages we present relevant info related to Threat Modeling.

If you are thinking of getting started with threat modeling (good call!\ud83d\ude4c) you are welcome to join our workshops ! We are offering physical and virtual workshops on the topic to Equinor DevOps teams and will provide you with the tools needed to get started.

Github Repo: https://github.com/equinor/appsec-fundamentals-threatmodeling-101-workshop Slides: https://equinor.github.io/appsec-fundamentals-threatmodeling-101-workshop/#/

"},{"location":"threat-modeling/resources/threat_modelling/","title":"Getting Started","text":"

If you are thinking of getting started with threat modeling (good call!\ud83d\ude4c) you are welcome to join our workshops ! We are offering physical and virtual workshops on the topic and will provide you with the tools needed to get started.

Pay attention to the #appsec slack-channel, this is where we announce the dates.

Don't hesitate to contact us directly if you have further questions.

"},{"location":"threat-modeling/resources/zgamified/","title":"Gamified Threat Modeling","text":"

This gamified method of doing threat modeling might not be for everyone, but it has its pros and is worth testing out.

"},{"location":"threat-modeling/resources/zgamified/#eop-game-play","title":"EOP Game-play","text":"

Here are the pros:

+ Depending on your level of geek: Fun! + Predefined cards with suggested threats - no need to wreck your brain + Encourages collaboration + You end up with a JSON that can follow your code + Remote!

..and the cons:

- Leads to many false positives - Time-consuming (~2+ h) - Not everyone might find the game-aspect of it as intriguing - Requires a lot more effort than for example doing Agile Threat Modeling - Everyone needs a laptop - Requires 3-6 players

"},{"location":"threat-modeling/resources/zgamified/#pre-reqs","title":"Pre-reqs","text":"

Warning

Regardless of how you deploy, be weary of what you information you are exposing through the diagram (IP-addresses, \"Equinor\", stuff like that

"},{"location":"threat-modeling/resources/zgamified/#how-to","title":"How-to:","text":"
  1. Spin up an instance of Elevation of Privilege, reachable to all participants
  2. Download (or deploy) an instance of OWASP Threat Dragon
  3. Using OWASP Threat Dragon: Create a diagram of the system in scope
  4. Upload the diagram to your EoP-instance, configure a session, distribute the links to participants

Depending on the system in scope, you can choose a suitable card-deck (general vs. a web application)

Game-rules are described here

Afterwards, you can download the model with the added threats and keep it in your code repository.

"},{"location":"threat-modeling/resources/zgamified/#additional-resources","title":"Additional resources:","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/","title":"Index","text":"

The AppSec Team is providing a Equinor internal Threat Modeling 101 workshop. We provide instructor lead physical and virtual versions of the workshop to our AppSec/Developer community.

Monitor the #appsec channel on Slack for upcoming courses.

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/","title":"About","text":"

A full day threat modeling 101 workshop from the Equinor AppSec team

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#purpose","title":"Purpose","text":"

Help teams to build and operate more secure systems by incorporating threat modeling into their daily work.

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#audience","title":"Audience","text":"

Software Development Teams. We prefer to run the 101 workshop for teams, preferably the whole team. We may combine several teams in a workshop. A good size for a workshop is > 10 and < 20.

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#schedule","title":"Schedule \u23f1","text":"

Full day (8 hours, 9 - 16)

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#context","title":"Context","text":"

Threat modeling is often cited as the practice with greatest impact on strengthening teams security posture. Very few teams practice structured threat modelling. In this workshop you will get a basic introduction to threat modeling for a software development project. We do this by working on a sample web project and explore both the software development lifecycle as well as the solution we build. Parts of the content and exercises are experimental. By participating you will be an important part of forming the workshop for our community. Context matters. All models are wrong. Some models are useful. The most important threat modelling is the one you do now! Get started. Just do it :)

"},{"location":"threat-modeling/threat-modeling-101-workshop/1-about/#workshop-outline","title":"Workshop Outline","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/","title":"Next steps","text":"

After being introduced to threat modeling, we in the AppSec team would very much like to assist you making this a regular effort in the work you do.

We offer to partner up for a couple of months, building the muscle-memory and finding out where threat modeling fits into your SDLC.

"},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/#expectations-to-participating-teams-2-months-perspective","title":"Expectations to participating teams (2 months perspective)","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/#expectation-to-appsec","title":"Expectation to AppSec","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/2-next-steps/#a-crude-draft-of-the-two-month-engagement","title":"A CRUDE draft of the two month engagement","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/3-cheat-sheet/","title":"Cheat Sheet","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/","title":"Extension: Elevation of Privilege game","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#about","title":"About","text":"

The Elevation of Privilege (EoP) card game is designed to introduce developers who are not information security practitioners or experts to the craft of threat modeling.

The game consists of 74 playing cards which contain cyber security anti-patterns which supports players as they attempt to find validated security flaws in a system. The cards are in six suits based on the STRIDE mnemonic. The EoP card game was invented by Adam Shostack during his tenure at Microsoft. The game was released in 2010. It is a gorgeously produced design at the centre of a gamification of a security checklist, modelled after the game called Spades.

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#how-to-play","title":"How to Play","text":"
  1. Explain the rules

The rules

Points: 1 for linking a threat, 1 for winning the round

  1. Draw a diagram of the system you want to threat model before you deal the cards
  2. Deal the deck to 3-6 players.
  3. Play until you have depleted the card-deck, or until a player has reached X-number of points
"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#variations","title":"Variations","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/#resources","title":"Resources","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/","title":"Extention: Explore","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#agile-threat-modeling","title":"Agile Threat Modeling","text":"

There are numerous described methods out there for doing threat modeling. One approach that synergizes well with an agile approach to doing development, is Agile Threat Modeling. If you integrate this well, this process won't require any extra effort from your normal dev-cycle, but will add great value.

An example of how to get started:

  1. Someone from the team reads and get familiar with Agile Threat Modeling
  2. Choose a scope beforehand (ex. some upcoming functionality, current functionality, your CI/CD pipeline etc.)
  3. This person facilitates a threat modeling session with the whole team and other interested parties
  4. Find a way to integrate with your current dev-cycle
    • as part of existing ceremonies
    • as part of detailing a new task

Of course, no shoe fits all. Whichever method you choose, the most important aspect is that it's sustainable and you will be able to continue to do it regularly - and that it gives valuable output.

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#alternative-forms-for-doing-threat-modeling","title":"Alternative forms for doing Threat Modeling","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#abuser-stories","title":"Abuser stories","text":"

When detailing your tasks for upcoming functionality with use cases, consider also writing misuse cases.

ref. OWASP Web Security Testing Guide

Similar to use cases, misuse or abuse cases describe unintended and malicious use scenarios of the application. These misuse cases provide a way to describe scenarios of how an attacker could misuse and abuse the application. By going through the individual steps in a use scenario and thinking about how it can be maliciously exploited, potential flaws or aspects of the application that are not well defined can be discovered. The key is to describe all possible or, at least, the most critical use and misuse scenarios

Example

For more information, read this

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-explore/#other-resources","title":"Other resources:","text":""},{"location":"threat-modeling/threat-modeling-101-workshop/extention-privacy/","title":"Extension: Privacy","text":"

Under consideration, and extension of STRIDE and EoP to include Privacy.

"},{"location":"threat-modeling/threat-modeling-101-workshop/extention-remote-tm/","title":"Extension: Remote Threat Modeling for Dispersed Teams","text":"

We provide the workshop as a virutal experience. This will be a full day workshop, all on Teams using Miro. Monitor the #appsec channel for upcoming workshops - or reach out to the AppSec team for questions.

"}]} \ No newline at end of file diff --git a/sitemap.xml b/sitemap.xml index 054f41f..d7c5ff6 100644 --- a/sitemap.xml +++ b/sitemap.xml 
@@ -2,272 +2,272 @@ https://equinor.github.io/appsec/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/about/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/about/privacy/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/authn-authz/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/gh-actions-runners/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/git-github/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/git-signed-commits/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/postman/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/secret-scanning/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/guidelines/FAQ/pre-commit-faq/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/resources/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/resources/learning-material/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/resources/security_requirements/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/resources/security_testing/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/resources/tools/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/resources/stories/meet_the_appsec_team/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/1-new_security_champion/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/2-security_champion_activities/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/3-faq/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/4-learning-platform/ - 2024-07-24 + 
2024-07-30 daily https://equinor.github.io/appsec/security-champion/5-merch/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/6-offboarding/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/7-about/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/8-useful-links/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/events/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/events/2022/1-sc-info-meeting/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/events/2022/sc-kickoff-agenda/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/events/2023/1-sc-meetup-2/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/events/2024/1-sc-meetup-3/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/security-champion/stories/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/2-about-snyk/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/3-snyk_support/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/4-vulnerabilities/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/1-snyk_products/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/2-integrations/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/3-projects/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/4-scan_results/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/5-advanced/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/snyk/curriculum/6-faq/ - 2024-07-24 + 
2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/resources/threat_modelling/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/resources/zgamified/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/1-about/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/2-next-steps/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/3-cheat-sheet/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/extention-EOP-cardgame/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/extention-explore/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/extention-privacy/ - 2024-07-24 + 2024-07-30 daily https://equinor.github.io/appsec/threat-modeling/threat-modeling-101-workshop/extention-remote-tm/ - 2024-07-24 + 2024-07-30 daily \ No newline at end of file 
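Review bot: every entry in this hunk moves its lastmod from 2024-07-24 to 2024-07-30 in lockstep, so lastmod records the build date rather than when each page's content last changed; combined with changefreq daily, crawlers that honour lastmod will treat the entire site as modified on every deploy. If that is not intended, derive lastmod from the source file's last commit date or drop the element and keep only changefreq, so the sitemap diff only touches pages that actually changed.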
diff --git a/sitemap.xml.gz b/sitemap.xml.gz index 20a17e560b3ae58b2745a2a5233bd9389e31182c..a269fef2d15481595531c1a8ec7fd2b906b65158 100644 GIT binary patch delta 742 zcmVX@$zEC*D%20+x}W;E0=%6D4vJG z`=E?F-!O}4@`SUbF5Rzm6B zB0H)%;AAg6?;;Z`8z_3d-l>g{yNEfPpeoeLpicu*1ZoWopO0w(H!TQBJhwf#U<}Xm zM7R~fp*lUqP7?jz=Q z=xuN^>gD*AQKN8!BS0qzof0|;YAyw*Xji(Sv%?Mz`LxIhJ;gl%U!loborrnKI>q-6 zkxFW@JoI2|i!NdT&t3sMaMyFHkre9;3~tL8&rVW94k!HOko9d8si=RK@>3~A(ZL6m(Zb;ZBoovVC#Big{$I@LZ{@{5c|==Df0&i9_yfi6WVoJ%L#5G zPp4q1Sx;87JJIlhrYLtVyB(MCTN3Btdx#E{~myOf;lCF4qZZ|vx86c z&Q?KEN;b|ppc6Ju>`&zr0xy8A{R`8w_I!U@TsrhYCk1{9qS^=}u}TQ~D)QYswGIUV zKX*8sZxSLsI?vp3%sMLag5Q?-iPx!=;iDZ^|!gROOI-`ZCGTx86mKc4s}IXM`7 z;3Su@_vfOi;H}Wm>RaBuor@@bOT0Jbgb2QT{RUFFiWdkxKXv%fYwONXSp0uAdZ#dl Yoh1bN51XU?%_A*;1Fs4o{*@;H0PcTn`Tzg` delta 742 zcmVTXbF-eKVd-rsEN6X-cK*oAJ*dckp3+ySi8g*LtK8 zch>%9+z{DMS+?8lCSDPC!upAEb>?Nm1)n`tX4A>X@#js1*p4%Q=(341E$OGgl z@d94LkZlE3#-%k`FQG#xo1~bpz*N=R2v^1(g-*$@A@-w#Q|1p4JXWCvPG~o2Eho5* zJh}QSGLz*ToV*03D+7H_keaU_D`6cQB{w{6LDZ;Ak*JdS;hpraBUs22Rk8R(#XKn$ z&slQB%zD3x9WOt`AxM9Lbv{rQK3HoU#ZJ3`ZD=(*u~u#L`F9V@6U-?Y+R!CLIy?A; zb*2oGQnGQ*0iCdRVmOsg2z(A~?O&LdwHL!_apBO1HYxB+5am{AiDg32SCQ}Dsc|R> z___Vze4P;K(Rt?3QVcE0ig>I=rz#b-bHAm3Q-;}e20P<6zA;wzTx86mKc4s}IXP&2 z;3SvO`g74V=dDoR>Kop@or@@bOT0Jbgb2QT{RUFFk{1X(KXv$ETjS19Sp0uAdZ#dl YogoDJ51XUm=8;yv0aVCJe3d5v02>}^IsgCw