documentation/bookmark/security.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

# ID

0. []()
0. [Code Smell 120 - Sequential IDs](https://maximilianocontieri.com/code-smell-120-sequential-ids)

# Anti-Debugging

0. []()
0. [JavaScript AntiDebugging Tricks](https://x-c3ll.github.io/posts/javascript-antidebugging/)

# Supply chain

0. []()
0. [chainguard](https://chainguard.dev/)

# Restraint | Sand-boxing

0. []()
0. [JavaScript Restrictor](https://polcak.github.io/jsrestrictor/)

# Memory

0. []()
0. [Provably Safe Pointers for a Parallel World](https://www.youtube.com/watch?v=ugf58HNd7Rg)

# User/human-level

0. []()
0. [Securing your development environment](https://stsewd.dev/posts/securing-your-dev-environment/)
0. [Security Checklist: Tools and resources designed to improve your online privacy, safety, and security.](https://brianlovin.com/security)

# Secrets | Confidentiality

0. []()
0. [ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-level Code](https://www.microsoft.com/en-us/research/publication/an-instrumenting-compiler-for-enforcing-confidentiality-in-low-level-code/)
0. [How to Handle Secrets on the Command Line](https://smallstep.com/blog/command-line-secrets/)

# Capability

0. []()
0. [A Comparison of the Capability Systems of Encore, Pony and Rust](https://uu.diva-portal.org/smash/get/diva2:1363822/FULLTEXT01.pdf)

# Homomorphic encryption

0. []()
0. https://github.com/Microsoft/SEAL

# Privacy

0. []()
0. [Programming Differential Privacy](https://uvm-plaid.github.io/programming-dp/intro.html)
0. https://privacypatterns.org/

# Inspiration

0. []()
0. [Kasm: Desktop and Browser Isolation Platform](https://www.kasmweb.com/)
0. https://www.mailvelope.com

# Finger-printing

0. []()
0. [How Browser Fingerprinting Works](https://kevq.uk/how-browser-fingerprinting-works/)
0. https://github.com/Valve/fingerprintjs2

# Access Control List

0. []()
0. [Capirca: Multi-platform ACL generation system](https://github.com/google/capirca)

# Return-oriented programming

0. []()
0. https://github.com/immunant/selfrando

# Static analysis

0. []()
0. [Cam Tenny - Beyond the Paper - End-to-End Program Analysis](https://www.youtube.com/watch?v=hmDz0Rv6hKI)
0. https://www.curry-on.org/2019/sessions/beyond-the-paper-end-to-end-program-analysis.html

# Programming language

0. []()
0. [Secure Compilation](https://blog.sigplan.org/2019/07/01/secure-compilation/)

# Cautionary tale

0. []()
0. [Thou Shalt Not Depend on Me: A look at JavaScript libraries in the wild](https://queue.acm.org/detail.cfm?id=3205288)
0. https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d

# Surface area

0. []()
0. [Towards Automated Application-Specific Software Stacks](https://arxiv.org/pdf/1907.01933.pdf)

# Vulnerability

0. []()
0. [Big List of Naughty Strings](https://github.com/minimaxir/big-list-of-naughty-strings)
0. [SAML is insecure by design](https://joonas.fi/2021/08/saml-is-insecure-by-design/)
0. [Against Cipher Agility in Cryptography Protocols](https://paragonie.com/blog/2019/10/against-agility-in-cryptography-protocols)
0. [Padding the struct: How a compiler optimization can disclose stack memory](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/october/padding-the-struct-how-a-compiler-optimization-can-disclose-stack-memory/)
0. [PCG generators are easily “crackable”](https://news.ycombinator.com/item?id=21475210)
0. [Safely Creating And Using Temporary Files](https://www.netmeister.org/blog/mktemp.html)
0. [CSS Injection Primitives](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)
0. https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6
0. [ACLs don’t](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.406.4684&rep=rep1&type=pdf)
0. https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
0. https://pwnedkeys.com/
0. [What Spectre Means for Lanugage Implementers - Ben Titzer - PLISS 2019](https://www.youtube.com/watch?v=FGX-KD5Nh2g)
0. https://rambleed.com/
0. https://browserleaks.com/

# Reference

0. [The immutable laws of security](https://learn.microsoft.com/en-us/security/compass/ten-laws-of-security)
0. [Suricata: the leading independent open source threat detection engine](https://suricata.io/)
0. [CS 253 Web Security](https://web.stanford.edu/class/cs253/)
0. [Secure By Design](https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357)
0. [Intro to Just-In-Time Access](https://compliance.dev/2021/04/29/introduction-to-just-in-time-access/)
0. https://www.nomoreransom.org/en/index.html
0. [Open Source Security Foundation (OpenSSF)](https://openssf.org/)
0. [Don't get pwned: practicing the principle of least privilege](https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege)
0. [Good Practices for Capability URLs](https://www.w3.org/TR/capability-urls/)
0. [Secure Socket API](https://securesocketapi.org/)
0. [Mind your Language(s): A discussion about languages and security](https://www.ssi.gouv.fr/uploads/IMG/pdf/Mind_Your_Languages_-_version_longue.pdf)
0. https://www.microsoft.com/en-us/research/blog/scaling-the-everest-of-software-security-with-dr-jonathan-protzenko/
0. https://www.owasp.org/index.php/Main_Page
0. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
0. https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices
0. https://www.archive.ece.cmu.edu/~grey/
0. http://www.cs.umd.edu/projects/PL/selinks/
0. http://www.cis.upenn.edu/~stevez/sol/related.html
0. https://www.bsimm.com/
0. https://www.microsoft.com/en-us/securityengineering/sdl/
0. https://www.engineeringtrustworthysystems.com/
0. http://www.ats-lang.org/
0. http://www.cis.upenn.edu/~stevez/papers/publications.html
0. http://collingreene.com/6_buckets_of_prodsec.html
0. [On Post-Compromise Security](https://eprint.iacr.org/2016/221.pdf)
0. https://messaginglayersecurity.rocks/
0. https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/
0. [RustBelt](https://plv.mpi-sws.org/rustbelt/popl18/)
0. https://github.com/dckc/awesome-ocap
0. https://projects.csail.mit.edu/jeeves/
0. https://www.sans.org/top25-software-errors/
0. https://www.owasp.org/index.php/Top_10_2013-Top_10
0. https://nvd.nist.gov/cwe.cfm
0. https://en.wikipedia.org/wiki/Software_Development_Security
0. http://gigi.nullneuron.net/gigilabs/the-sorry-state-of-the-web-in-2016/
0. http://www.ranum.com/security/computer_security/editorials/dumb/index.html
0. [Information Technology — Programming languages — Guidance	to avoiding vulnerabilities in programming languages](http://www.open-std.org/jtc1/sc22/wg23/docs/ISO-IECJTC1-SC22-WG23_N0751-tr24772-1-after-pre-meeting-51-webex-20171016.pdf)

# Control-flow integrity

0. []()
0. [On the Effectiveness of Type-based Control Flow Integrity](https://sajjadium.github.io/files/acsac2018typecfi_paper.pdf)