Merge branch 'develop' into daostar/dao-governance-controls
eth-limo authored Oct 15, 2024
2 parents 4f2a40d + 0f119f3 commit 036e055
Showing 24 changed files with 332 additions and 72 deletions.
49 changes: 33 additions & 16 deletions README.md
@@ -1,4 +1,5 @@
# Security Frameworks content repository

Official repository to the Security Frameworks by SEAL. This repository contains the entire
structure and contents of the frameworks. Feel free to suggest from new categories to grammar
corrections. Collaboration is open to everyone. **This is a work in progress.**
@@ -11,39 +12,55 @@ Production will be at [frameworks.securityalliance.org](https://frameworks.secur
but not yet available.

## Quick installation and local setup

1. `gh repo clone security-alliance/frameworks`
2. `git checkout develop`
3. `cargo install mdbook mdbook-admonish mdbook-catppuccin`
4. `./serve.sh`

## Collaboration
There are currently two ways to collaborate. The first one is by logging from your vercel account

There are currently two ways to collaborate. The first one is by logging from your Vercel account
and commenting directly on the deployed version of the book, and the second one is by forking the
repository and creating a pull request.

### Comments

To comment on the live version of the book under development, you will need to log in to your Vercel account. Please visit [this link](https://frameworks-git-develop-seal-frameworks.vercel.app/?_vercel_share=zOI0Q3riUfDv1Lq1IylFz2hXQzYPcmLp), which includes a read access token. A floating window will appear at the bottom, and you'll be ready to go.

### Pull requests
1. Fork the repository by clicking on the "Fork" button at the top-right corner of the page.
2. Clone the forked repository to your local machine. Open your terminal or command prompt and run: `git clone https://github.com/your-username/frameworks.git`
3. Make sure you're in the develop branch: `git checkout develop`
4. Create a feature branch from develop: `git checkout -b develop-{feature}`

1. Fork the repository. Click on the "Fork" button at the top right corner of the page.
2. Clone the forked repository to your local machine. Open your terminal or command prompt.
`git clone https://github.com/your-username/frameworks.git`
3. Make sure you're in the develop branch first.
`git checkout develop`
4. Inside the folder create a new branch based on `develop`.
`git checkout -b develop`
5. Make your changes.
6. Make sure your changes don't break anything by testing it locally ([see above](#quick-installation-and-local-setup)): `./serve.sh`.
7. Commit the changes with a descriptive message: `git commit -am "Fixing typos and improving readability on XXX section"`
8. Push the changes to your forked repository: `git push origin develop-{feature}`
9. Create a pull request. Go to your forked repository on GitHub. Click on the "Compare & pull request" button in the top-right. Provide a descriptive title and description for your pull request.
10. Click on the "Create pull request" button.
11. Wait for review. Once your pull request is approved, and no more changes are needed, we will merge it into the main repository.
12. Congratulations! Your changes are now part of the Security Frameworks!

# Editor area
6. Make sure your changes don't break anything by testing it in the local setup (see above).
`./serve.sh`.
7. Commit your changes.
`git add .`
8. Commit the changes with a descriptive message:
`git commit -m "Fixing typos and improving readability on XXX section"`
9. Push the changes to your forked repository.
`git push origin develop`
10. Create a pull request. Go to your forked repository on GitHub. You should see a "Compare & pull
request" button. Click on it. Provide a descriptive title and description for your pull request.
11. Click on the "Create pull request" button.
12. Wait for review. Once your pull request is approved, and no more changes are needed, we will
merge it into the main repository.
13. Congratulations! Your changes are now part of the security frameworks!

## Editor area

Editors merge PRs and push suggestions to the main branch which will be reflected on the live book.

1. `git checkout main`
2. `git fetch origin develop`
3. `git merge origin/develop`
4. Manually merge files, solve conflicts and add a description.

## caveats
- Using the `serve.sh` script instead of mdBook `serve` command is needed to be able to see properly the local deployment.
- Using the `serve.sh` script instead of mdBook `serve` command is needed to be able to see properly
the local deployment.
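Review bot: the copy of the pull-request steps that wraps at about 100 columns regresses the branch commands: step 4 says to create a new branch based on `develop` but runs `git checkout -b develop`, which fails right after step 3's `git checkout develop` because that branch already exists, and step 9's `git push origin develop` then pushes the shared branch from the fork; keep the `git checkout -b develop-{feature}` / `git push origin develop-{feature}` form used in the other copy. Step 7 is titled "Commit your changes" but its command is `git add .`, which only stages, so fold it into step 8 or retitle it "Stage your changes". Both copies of the steps should not survive the merge, and the `## caveats` heading should be capitalized like the other headings.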
3 changes: 1 addition & 2 deletions src/awareness/security-training.md
@@ -4,7 +4,6 @@ tag: [Security Specialist, Operations & Strategy, HR]

All team members should receive some type of security training, however how in-depth this training is depends on their specific needs and what type of access they have. It is important to not do this only once, but to keep it as a recurring activity, however a training session does not need to mean sitting down for 60 minutes to look at a power point presentation but rather could be tiny nuggets of relevant information that doesn't take more than a minute to consume each time.


## Security Training Session

As an introductory and overarching training session, this could be done:
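Review bot: the opening paragraph kept as context here is a single run-on sentence; splitting it before "It is important" and before "however a training session" would help, and "tiny nuggets of relevant information that doesn't take more than a minute" needs "don't" to agree with "nuggets".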
@@ -22,7 +21,7 @@ As an introductory and overarching training session, this could be done:
### 3. Two-Factor Authentication (2FA)

- **Enabling 2FA**: Explain why it's important to enable 2FA.
- **Types of 2FA**: Explain the different types of 2FA, including SMS, authenticator apps, and hardware tokens. Each of these have their strenghts and weaknesses which should be explained (and especially why nobody should be using SMS for 2FA).
- **Types of 2FA**: Explain the different types of 2FA, including SMS, authenticator apps, and hardware tokens. Each of these have their strengths and weaknesses which should be explained (and especially why nobody should be using SMS for 2FA).

### 4. Secure Communication

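Review bot: with "strenghts" corrected, "Each of these have their strengths" still needs "has its" since the subject is "each"; worth fixing on the same line while it is being touched.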
2 changes: 1 addition & 1 deletion src/awareness/staying-up-to-date.md
@@ -15,4 +15,4 @@ It is often very valuable to have information on the latest security threats and

## 3. Follow Security Blogs and Podcasts

- **Social Feeds**: Follow blogs and listen to podcasts such as the Daily Stormcast from FIRST.org or darknet diaries to gain deeper insights into emerging threats and solutions.
- **Social Feeds**: Follow blogs and listen to podcasts such as the Daily Stormcast from FIRST.org or Darknet Diaries to gain deeper insights into emerging threats and solutions.
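Review bot: the capitalization fix is fine, but the attribution of the Daily Stormcast to FIRST.org is worth checking against the podcast's own publisher before this line ships, and the bullet is labelled "Social Feeds" while it lists blogs and podcasts; "Blogs and Podcasts" would match the section heading.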
67 changes: 52 additions & 15 deletions src/community-management/discord.md
@@ -6,190 +6,227 @@ Discord has a large set of security settings to take into consideration, as well
Below, you can find some hardening suggestions when setting up a Discord server.

## Discord Server Hardening
### Server Settings:

### Server Settings

a) **Enable 2FA Requirement for Moderation**

- Go to Server Settings > Safety Setup > Moderation
- Toggle on "Require 2FA for moderation"
- This ensures all moderators have an extra layer of security
- Protects your server if a moderator's account is compromised

b) **Set Appropriate Verification Level**

- Go to Server Settings > Safety Setup > Verification Level
- Choose from: None, Low, Medium, High, Highest
- Recommended: "High" for public servers (requires verified email and server membership for 10 minutes before messaging)
- Higher levels protect against spammers and raids

c) **Enable Explicit Content Filter**

- Go to Server Settings > Safety Setup > Content Filter
- Set to "Scan messages from all members"
- This automatically blocks messages containing explicit images in non-age-restricted channels
- Age-restricted channels are exempt from this filter

### Roles and Permissions:
### Roles and Permissions

a) **Implement Role Hierarchy**

- Go to Server Settings > Roles
- Create roles like: Admin, Moderator, Trusted Member, Member, New Member
- Drag to reorder; higher roles override lower roles
- Restructure the role hierarchy by dragging roles higher or lower in the roles list

b) **Restrict Administrative Permissions**

- For each role, carefully review the 32 available permissions
- Key permissions to restrict: Administrator, Manage Server, Manage Roles, Manage Channels
- Never give Admin or Kick permissions to anyone you don't fully trust
- Good permissions for moderators: Manage Channels, Manage Roles, Manage Messages, Ban Members, Delete Messages
- Good permissions for members: View Channels, Create Invite, Send Messages, Read Message History, Connect, Speak & Use Voice Activity

c) **Use Channel-Specific Permissions**

- Right-click on a channel > Edit Channel > Permissions
- Set custom permissions for roles or members in specific channels

d) **Use the "View Server as Role" Feature**

- Go to Server Settings > Roles > Select a role > View Server as Role
- This allows you to see what members with a certain role can see and access

### Moderation:
### Moderation

a) **Set Up Auto-Moderation Rules**

- Go to Server Settings > AutoMod
- Set up rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words
- Configure custom keyword filters and exempted roles
- Customize the response to spam, like blocking the message, sending an alert, or timing out the member
- Allow certain roles to bypass the spam filter if needed

b) **Configure Timeout Durations**
b) **Configure Timeout Duration**

- Go to Server Settings > Safety Setup > Timeout
- Set default duration (e.g., 60 minutes)
- Educate moderators on using timeouts effectively

c) **Establish Clear Server Rules**

- Create a #rules channel
- Use Discord's built-in rules screening feature
- Include sections on: Behavior, Content, Moderation Actions, Appeals Process

### Bots:
### Bots

a) **Audit Bot Permissions**

- Go to Server Settings > Integrations
- Review each bot's permissions
- Remove unnecessary permissions

b) **Remove Unnecessary Bots**

- Uninstall any bots that aren't actively used or needed

c) **Implement Security/Moderation Bots**

- Consider bots like:
- MEE6 for auto-moderation and leveling
- Dyno for advanced moderation and logging
- Carl-bot for reaction roles and custom commands

### Channels:
### Channels

a) **Organize Channels Logically**

- Use categories to group related channels
- Suggested categories: Information, General, Voice Channels, Topic-Specific

b) **Set Slow Mode Where Needed**

- Channel Settings > Overview > Slow Mode
- Set appropriate cooldown (e.g., 5-30 seconds) for busy channels

c) **Use Age-Restricted Channels Appropriately**

- Channel Settings > Overview > Age-Restricted Channel
- Enable for channels with mature content

### Invites:
### Invites

a) **Disable Permanent Invites**

- Server Settings > Invites
- Uncheck "Allow anyone with administrative permissions to create invites"
- Un-check "Allow anyone with administrative permissions to create invites"

b) **Set Invite Expiration and Usage Limits**

- When creating an invite: Set "Expire After" and "Max Number of Uses"
- Recommended: 24 hours expiration, 50-100 uses

c) **Regularly Audit Active Invites**

- Server Settings > Invites
- Review and delete unnecessary or old invites

### Member Screening:
### Member Screening

a) **Enable Membership Screening**

- Server Settings > Safety Setup > Membership Screening
- Toggle on "Enable Membership Screening"

b) **Set Up Screening Questionnaire**

- Add questions about server rules, age verification, etc.
- Require members to agree to rules before joining

c) **Set Up Membership Requirements**

- Require users to react to a message or post an introduction
- This helps filter out bots and spam accounts from joining

### Logging:
### Logging

a) **Enable Audit Logs**

- Ensure admin/mod roles have "View Audit Log" permission

b) **Set Up a Private Logging Channel**

- Create a private channel visible only to admins/mods
- Use a logging bot like Logger or Dyno to send detailed logs

### Regular Reviews:
### Regular Reviews

a) **Conduct Periodic Permission Audits**

- Monthly: Review all role permissions
- Use a spreadsheet to track changes and justifications

b) **Review and Update Server Rules**

- Quarterly: Assess if rules need updating
- Announce any changes in a dedicated announcements channel

c) **Check for Unused Channels/Roles**

- Bi-annually: Delete or archive inactive channels
- Remove roles that are no longer needed

### Cold Admin Accounts:
### Cold Admin Accounts

a) **Set Up a "Cold" Admin Account**

- Create a new account on a separate device never used for chatting or clicking links
- This account is highly resistant to phishing and provides an extra layer of security for the server owner

b) **Secure the Cold Account**

- Create a new email account for the cold account
- Factory reset the device used for this account

c) **Use the Cold Account for Critical Actions**

- Manage bots, modify server settings, and respond to compromises
- Never use this account for regular server activities

### Additional Security Measures:
### Additional Security Measures

a) **Verification Systems**

- Implement a verification bot like Wick or Captcha.bot
- Require users to complete a captcha or react to a message before accessing the server

b) **Raid Protection**

- Use anti-raid bots like Wick or Dyno
- Configure automatic lockdown settings for suspicious activity
- Configure automatic lock-down settings for suspicious activity

c) **Privacy Settings**

- Server Settings > Privacy Settings
- Disable "Allow direct messages from server members"

d) **Integration Whitelisting**

- Server Settings > Integrations > Allow new integrations to be added by:
- Set to "Only Administrators" to prevent unauthorized bot additions

e) **Server Insights**

- Enable Server Insights for detailed analytics
- Use this data to inform moderation strategies and server improvements

f) **Backup Systems**

- Use a bot like ServerBackup to regularly backup your server configuration
- Store backups securely off-platform


## Additional Resources

- [Securing Your Server - Discord](https://discord.com/community/securing-your-server)
- [Four Steps for a Super Safe Server - Discord](https://discord.com/safety/360043653152-four-steps-to-a-super-safe-server)
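Review bot: under "Invites", the step in a) does not do what its heading says: "Disable Permanent Invites" is addressed by the "Expire After" setting in b), whereas un-checking "Allow anyone with administrative permissions to create invites" only limits who may create invites; retitle a) to "Restrict Who Can Create Invites" or move that bullet under b). The two hyphenation changes ("Un-check", "lock-down") replace the standard spellings "Uncheck" and "lockdown" and should be reverted, and "regularly backup your server" under f) needs the verb form "back up". The permissions guidance is also internally inconsistent: "Key permissions to restrict" lists Manage Roles and Manage Channels and the next bullet warns never to hand out Kick, yet the "Good permissions for moderators" line grants Manage Roles, Manage Channels and Ban Members, which are at least as powerful; either tighten the moderator set or drop Kick from the warning. The double blank line before "## Additional Resources" can be collapsed.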
4 changes: 2 additions & 2 deletions src/community-management/telegram.md
@@ -1,7 +1,7 @@
# Telegram Security
tag: [Community & Marketing]

Telegram, in its default mode, is actually not providing end-to-end encryption between users. If it's important to have end-to-end encryption, using a messenger suc has [Signal](https://signal.org/) should be used instead. With that said, Telegram is popular in the crypto ecosystem, and as such you can find some best practices below when it comes to securing Telegram.
Telegram, in its default mode, is actually not providing end-to-end encryption between users. If it's important to have end-to-end encryption, using a messenger such has [Signal](https://signal.org/) should be used instead. With that said, Telegram is popular in the crypto ecosystem, and as such you can find some best practices below when it comes to securing Telegram.

## Standard Security

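Review bot: the typo fix lands on the wrong word: "suc has" becomes "such has", but the phrase should read "such as [Signal]". While this line is open, "is actually not providing end-to-end encryption" reads better as "does not provide end-to-end encryption by default", and "using a messenger such as Signal should be used instead" doubles the verb; "a messenger such as Signal should be used instead" is enough.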
@@ -11,7 +11,7 @@ Telegram might require you to sign up using a phone number, but you can also set

![*Logging in with 2FA enabled*](https://prod-files-secure.s3.us-west-2.amazonaws.com/b1d29658-a003-4e92-93b6-241efdd083f6/c9d574e8-1ad9-4aad-a93f-e33bce31581b/Screen_Shot_2023-11-29_at_23.17.33.png)

*Logging in with 2FA enabled*
**Logging in with 2FA enabled**

1. Go to Settings > Privacy and Security > Two-Step Verification
2. Select a password and recovery email (and save it in your password manager)
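Review bot: the caption changes from italic to bold while the image's alt text on the line above still carries the italic markers (`*Logging in with 2FA enabled*`), so the two now disagree; drop the asterisks from the alt text or keep the caption in italics. The screenshot is also served from a prod-files-secure S3 bucket (a Notion export URL) that the project does not control, so committing the image under `src/` would keep the page from breaking if that link stops resolving.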
6 changes: 3 additions & 3 deletions src/contribute/contributing.md
@@ -38,7 +38,7 @@ The audience of this wiki is technical and the content should reflect that. Ther
- Avoid unnecessary simplifications, describe the technical reality
- Avoid using too long and complex sentences or paragraphs
- Use concise and clear statements
- Break down your text using blockquotes, bullet points or images
- Break down your text using block-quotes, bullet points or images
- Always link your resources and verify them
- Use bullet points or tables for topics which require enumerating
- Highlight keywords to support scanning and skimming through the article
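Review bot: "blockquote" is the established one-word spelling (and the name of the HTML element), so changing it to "block-quotes" here is a regression rather than a fix; the same replacement appears in the two later hunks of this file and should be reverted in all three.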
@@ -60,7 +60,7 @@ The wiki uses American English over British spelling. Terminology, capitalizatio

Usage of images and visualizations is encouraged. If you are using an image created by a third party, make sure its license allows it and provide link to the original. For creating your own visualizations, we suggest [excalidraw.com](https://github.com/excalidraw/excalidraw).

Feel free to use [emojis](https://docsify.js.org/#/emoji?id=emoji) or [icons](https://icongr.am/fontawesome) where it fits, for example in blockquotes.
Feel free to use [emojis](https://docsify.js.org/#/emoji?id=emoji) or [icons](https://icongr.am/fontawesome) where it fits, for example in block-quotes.

### Linking resources

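Review bot: the "block-quotes" hyphenation aside, the emoji link on this line points to docsify documentation while the README in this same commit builds the book with mdBook (`cargo install mdbook ...`), so the link should point at mdBook's or the project's own emoji guidance, or be dropped.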
@@ -76,7 +76,7 @@ For other important links, add a section on the bottom of the page with list of

### In-page notices

We use blockquote notices at the top of the page to provide readers with appropriate context regarding the content of the page.
We use block-quote notices at the top of the page to provide readers with appropriate context regarding the content of the page.

#### Incomplete pages

2 changes: 1 addition & 1 deletion src/devsecops/security-testing.md
@@ -5,5 +5,5 @@ Security testing is a crucial part of the DevSecOps process, as it helps identif

1. Integrate SAST tools into the CI/CD pipeline to analyze source code for vulnerabilities.
2. Use DAST tools to test running applications for security issues.
3. ombine SAST and DAST approaches with IAST tools for comprehensive security testing.
3. Combine SAST and DAST approaches with IAST tools for comprehensive security testing.
4. Implement fuzz testing to discover security vulnerabilities by inputting random data.
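Review bot: with "ombine" fixed, step 4's "inputting random data" undersells fuzz testing; "feeding malformed or unexpected inputs and watching for crashes, hangs and sanitizer reports" says what the tools do and what a finding looks like, which the current wording does not.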