Add CISA Secure by Design Cheat Sheet

cheatsheets/ASVS/ASVS_Index.md

@@ -0,0 +1,144 @@
+---
+layout: col-sidebar
+title: ASVS Cheat Sheet Index
+tags: ASVS, OWASP, Application Security, Verification Standard
+level: 2
+type: cheatsheet
+pitch: Index of OWASP Application Security Verification Standard (ASVS) related cheat sheets
+---
+
+## Introduction
+
+This index provides quick access to OWASP Cheat Sheets that align with the [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/). The ASVS provides a basis for testing web application technical security controls and provides developers with a list of requirements for secure development.
+
+## ASVS Version 4.0.3 Mapping
+
+### V1: Architecture, Design and Threat Modeling
+
+**Related Cheat Sheets**:
+
+- [Threat Modeling Cheat Sheet](../Threat_Modeling_Cheat_Sheet.md)
+- [Secure Architecture Cheat Sheet](../Secure_Architecture_Cheat_Sheet.md)
+- [Secure Product Design Cheat Sheet](../Secure_Product_Design_Cheat_Sheet.md)
+- [CISA Secure by Design Cheat Sheet](../CISA_Secure_By_Design_Cheat_Sheet.md)
+
+### V2: Authentication Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Authentication Cheat Sheet](../Authentication_Cheat_Sheet.md)
+- [Credential Stuffing Prevention Cheat Sheet](../Credential_Stuffing_Prevention_Cheat_Sheet.md)
+- [Multifactor Authentication Cheat Sheet](../Multifactor_Authentication_Cheat_Sheet.md)
+- [Forgot Password Cheat Sheet](../Forgot_Password_Cheat_Sheet.md)
+
+### V3: Session Management Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Session Management Cheat Sheet](../Session_Management_Cheat_Sheet.md)
+- [JSON Web Tokens Cheat Sheet](../JSON_Web_Tokens_Cheat_Sheet.md)
+
+### V4: Access Control Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Authorization Cheat Sheet](../Authorization_Cheat_Sheet.md)
+- [Access Control Cheat Sheet](../Access_Control_Cheat_Sheet.md)
+- [Least Privilege Cheat Sheet](../Least_Privilege_Cheat_Sheet.md)
+
+### V5: Validation, Sanitization and Encoding Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Input Validation Cheat Sheet](../Input_Validation_Cheat_Sheet.md)
+- [Output Encoding Cheat Sheet../Output_Encoding_Cheat_Sheet.md)
+- [XSS Prevention Cheat Sheet](../XSS_Prevention_Cheat_Sheet.md)
+- [SQL Injection Prevention Cheat Sheet](../SQL_Injection_Prevention_Cheat_Sheet.md)
+
+### V6: Stored Cryptography Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Cryptographic Storage Cheat Sheet](../Cryptographic_Storage_Cheat_Sheet.md)
+- [Password Storage Cheat Sheet](../Password_Storage_Cheat_Sheet.md)
+
+### V7: Error Handling and Logging Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Error Handling Cheat Sheet](../Error_Handling_Cheat_Sheet.md)
+- [Logging Cheat Sheet](../Logging_Cheat_Sheet.md)
+
+### V8: Data Protection Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Data Protection Cheat Sheet](../Data_Protection_Cheat_Sheet.md)
+- [Privacy Cheat Sheet](../Privacy_Cheat_Sheet.md)
+
+### V9: Communications Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Transport Layer Protection Cheat Sheet](../Transport_Layer_Protection_Cheat_Sheet.md)
+- [SSL/TLS Cheat Sheet](../SSL_TLS_Cheat_Sheet.md)
+
+### V10: Malicious Code Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Third Party Javascript Management Cheat Sheet](../Third_Party_Javascript_Management_Cheat_Sheet.md)
+- [Dependency Management Cheat Sheet](../Dependency_Management_Cheat_Sheet.md)
+
+### V11: Business Logic Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Business Logic Security Cheat Sheet](../Business_Logic_Security_Cheat_Sheet.md)
+- [API Security Cheat Sheet](../API_Security_Cheat_Sheet.md)
+
+### V12: File and Resources Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [File Upload Cheat Sheet](../File_Upload_Cheat_Sheet.md)
+- [File Integrity Monitoring Cheat Sheet](../File_Integrity_Monitoring_Cheat_Sheet.md)
+
+### V13: API and Web Service Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [API Security Cheat Sheet](../API_Security_Cheat_Sheet.md)
+- [REST Security Cheat Sheet](../REST_Security_Cheat_Sheet.md)
+- [GraphQL Cheat Sheet](../GraphQL_Cheat_Sheet.md)
+
+### V14: Configuration Verification Requirements
+
+**Related Cheat Sheets**:
+
+- [Security Configuration Cheat Sheet](../Security_Configuration_Cheat_Sheet.md)
+- [HTTP Headers Cheat Sheet](../HTTP_Headers_Cheat_Sheet.md)
+
+## How to Use This Index
+
+1. **Identify ASVS Requirements**: Determine which ASVS requirements apply to your application
+2. **Find Related Cheat Sheets**: Use this index to locate relevant OWASP Cheat Sheets
+3. **Implement Controls**: Follow the practical guidance in the cheat sheets
+4. **Verify Compliance**: Use the cheat sheets to help verify ASVS compliance
+
+## Additional Resources
+
+- [OWASP ASVS Official Documentation](https://github.com/OWASP/ASVS)
+- [ASVS Excel Spreadsheet](https://owasp.org/www-project-application-security-verification-standard/)
+- [ASVS Testing Guide](https://owasp.org/www-project-application-security-verification-standard/)
+
+## Contributors
+
+- Prasad-JB
+- OWASP Cheat Sheets Team
+- ASVS Working Group
+
+## References
+
+1. [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/)
+2. [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)

cheatsheets/CISA_Secure_By_Design_Cheat_Sheet.md

@@ -0,0 +1,123 @@
+---
+layout: col-sidebar
+title: CISA Secure by Design Cheat Sheet
+tags: CISA, Secure-by-Design, Development, Principles
+level: 2
+type: cheatsheet
+pitch: Practical guidance for implementing CISA's Secure by Design principles in software development.
+---
+
+## Introduction
+
+This cheat sheet provides practical guidance for implementing the [CISA Secure by Design](https://www.cisa.gov/securebydesign) principles in software development. These principles encourage software manufacturers to prioritize security throughout the product lifecycle rather than treating it as an add-on or customer responsibility.
+
+## Core Principles
+
+### 1. Take Ownership of Customer Security Outcomes
+
+**Principle**: Software manufacturers should take ownership of security outcomes for their customers, rather than treating security as an optional feature or the customer's responsibility.
+
+**Implementation Guidance**:
+
+- **Security as Default**: Enable security features by default, don't make customers configure them
+- **Transparent Security**: Clearly document security features and their status
+- **Accountability**: Take responsibility when security issues occur in your products
+- **Customer Education**: Provide clear guidance on secure deployment and configuration
+
+### 2. Embrace Radical Transparency and Accountability
+
+**Principle**: Be transparent about security practices, vulnerabilities, and incidents. Hold the organization accountable for security outcomes.
+
+**Implementation Guidance**:
+
+- **Vulnerability Disclosure**: Establish clear processes for vulnerability reporting and disclosure
+- **Incident Transparency**: Communicate security incidents openly with customers
+- **Metrics Publishing**: Share security metrics and improvement progress
+- **Third-party Audits**: Welcome and publish results of independent security assessments
+
+### 3. Build Organizational Structure and Leadership
+
+**Principle**: Establish organizational structures and leadership that prioritize security throughout the product lifecycle.
+
+**Implementation Guidance**:
+
+- **Security Champions**: Appoint security champions in development teams
+- **Executive Ownership**: Ensure C-level executives own security outcomes
+- **Cross-functional Teams**: Create teams with both development and security expertise
+- **Security Training**: Provide ongoing security education for all developers
+
+### 4. Secure the Software Development Lifecycle (SDLC)
+
+**Principle**: Integrate security practices throughout the entire software development process.
+
+**Implementation Guidance**:
+
+- **Threat Modeling**: Conduct threat modeling during design phase
+- **Secure Coding Standards**: Establish and enforce secure coding guidelines
+- **Automated Security Testing**: Integrate SAST, DAST, and SCA tools into CI/CD
+- **Security Reviews**: Mandate security reviews for all major changes
+
+### 5. Only Ship Products that are Secure by Default
+
+**Principle**: Ensure products are secure in their default configuration without requiring customer intervention.
+
+**Implementation Guidance**:
+
+- **Default-Deny**: Implement principle of least privilege by default
+- **Automatic Updates**: Enable automatic security updates by default
+- **No Default Credentials**: Eliminate default passwords and credentials
+- **Secure Configurations**: Pre-configure products with security-maximizing settings
+
+### 6. Invest in Security Maintenance
+
+**Principle**: Dedicate appropriate resources to maintaining product security throughout its lifecycle.
+
+**Implementation Guidance**:
+
+- **Patch Management**: Establish robust patch development and distribution processes
+- **Vulnerability Management**: Maintain systems for tracking and addressing vulnerabilities
+- **Long-term Support**: Provide security support for products throughout their lifecycle
+- **Deprecation Planning**: Create clear plans for secure product end-of-life
+
+### 7. Use Memory Safe Languages Where Possible
+
+**Principle**: Prioritize memory-safe programming languages to eliminate entire classes of vulnerabilities.
+
+**Implementation Guidance**:
+
+- **Language Selection**: Choose memory-safe languages (Rust, Go, Java, C#, Python) for new projects
+- **Legacy Code Mitigation**: Use security tools and practices for memory-unsafe languages
+- **Training Investment**: Provide training on memory-safe language alternatives
+- **Gradual Migration**: Plan migration paths for critical components to memory-safe languages
+
+## Implementation Checklist
+
+- [ ] Security features enabled by default
+- [ ] Automatic security updates enabled
+- [ ] No default credentials in shipped products
+- [ ] Threat modeling integrated into design process
+- [ ] Automated security testing in CI/CD pipeline
+- [ ] Clear vulnerability disclosure process
+- [ ] Executive ownership of security outcomes
+- [ ] Memory-safe languages prioritized for new development
+- [ ] Long-term security support commitment
+- [ ] Transparent security communication practices
+
+## Tools and Resources
+
+- **CISA Secure by Design Alert**: [AA23-074A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a)
+- **CISA Secure by Design Principles**: [Full PDF Guide](https://www.cisa.gov/sites/default/files/2023-04/secure_by_design_alert_4.19.23.pdf)
+- **OWASP Secure Product Design Cheat Sheet**: [Link to related cheat sheet]
+- **Memory Safety**: [CISA Memory Safety Roadmap](https://www.cisa.gov/resources-tools/resources/memory-safety-roadmap)
+
+## References
+
+1. [CISA Secure by Design](https://www.cisa.gov/securebydesign)
+2. [CISA Secure by Design Alert AA23-074A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a)
+3. [CISA Memory Safety Recommendations](https://www.cisa.gov/resources-tools/resources/memory-safety-roadmap)
+
+## Contributors
+
+- Prasad-JB
+- OWASP Cheat Sheets Team
+- CISA Cybersecurity Division