• Security architecture design: essential reading and reference material


    Secure Coding

    https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards

    http://cwe.mitre.org/top25/

    http://cwe.mitre.org/data/published/cwe_v2.9.pdf

    https://www.jssec.org/dl/android_securecoding_en.pdf

    Secure Configuration

    https://benchmarks.cisecurity.org/downloads/

    Security Benchmarks are distributed free of charge in PDF format to propagate their worldwide use and adoption as user-originated, de facto standards. The CIS Security Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.

    NIST Security

    http://csrc.nist.gov/publications/PubsSPs.html


    ETSI

    http://www.etsi.org/technologies-clusters/technologies/security

    http://www.etsi.org/images/files/ETSIWhitePapers/etsi_wp1_security-201506.pdf


    CSA Cloud Security alliance

    https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

    https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf


    OWASP

    https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series

    https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf

    https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf

    https://www.owasp.org/images/8/82/Esapi-design-patterns.pdf


    Deutsche Telekom

    https://www.telekom.com/en/corporate-responsibility/data-protection—data-security/security

    https://www.telekom.com/resource/blob/327540/d284622cddd1d6fb7ff784e1a46f9587/dl-security-requirements-data.zip


    AWS Security

    https://aws.amazon.com/whitepapers/#security

    • Introduction to AWS Security (July 2015)    PDF | Kindle
      • Introduction to AWS’ approach to security and foundational tools available to customers.
    • Overview of Security Processes (October 2016)    PDF | Kindle
      • Physical and operational security processes for network and infrastructure under AWS’ management.
    • AWS Security Best Practices (August 2016)    PDF | Kindle
      • Authoritative guidance for security when using AWS services.
    • Introduction to AWS Security Processes (June 2016)    PDF
      • Physical and operational security processes for network and infrastructure under AWS’ management.
    • Overview of AWS Security – Analytics, Mobile, and Applications Services (June 2016)    PDF
      • Security aspects of Amazon EMR, Amazon Kinesis, AWS Data Pipeline, AWS IAM, Amazon CloudWatch, AWS CloudHSM, and more.
    • Overview of AWS Security – Application Services (June 2016)    PDF
      • Security aspects of Amazon CloudSearch, Amazon SES, Amazon SNS, Amazon SQS, Amazon SWF, and more.
    • Overview of AWS Security – Compute Services (June 2016)    PDF
      • Security aspects of the hypervisor usage, instance isolation, and auto scaling.
    • Overview of AWS Security – Database Services (June 2016)    PDF
      • Security aspects of Amazon DynamoDB, Amazon RDS, encryption, and network isolation.
    • Overview of AWS Security – Network Security (August 2016)    PDF
      • Security aspects of the network architecture, access points, transmission protection, and fault-tolerant design.
    • Overview of AWS Security – Storage Services (June 2016)    PDF
      • Security aspects of storage, including data access, data transfer, durability, and access logs.
    • Security at Scale: Governance in AWS (October 2015)    PDF
      • Using governance-enabling features to drive greater security.
    • Security at Scale: Logging in AWS (October 2015)    PDF
      • Overview of common compliance requirements related to logging.
    • Cross-Domain Solutions on AWS (December 2016)    PDF
      • Best practices for deploying a cross-domain solution using AWS services.
    • Whitepaper on EU Data Protection (December 2016)    PDF
      • Meeting EU compliance requirements when using AWS services.
    • Secure Content Delivery with Amazon Cloudfront (November 2016)    PDF
      • Maintaining security while using the Amazon CDN.
    • AWS Risk and Compliance (October 2016)    PDF | Kindle
      • Integrating AWS into your existing control framework.
    • Architecting for HIPAA Security and Compliance on AWS (October 2016)    PDF | Kindle
      • HIPAA-compliant solutions using AWS services.
    • AWS Key Management Service Cryptographic Details (August 2016)    PDF
      • Detailed description of cryptographic operations when using AWS Key Management Service.
    • AWS Best Practices for DDoS Resiliency (June 2016)    PDF | Kindle
      • Techniques to mitigate Distributed Denial of Service attacks.
    • Introduction to Auditing the Use of AWS (October 2015)    PDF
      • Shared security model, tools, and approaches for auditing security.
    • Family Educational Rights and Privacy Act (FERPA) Compliance on AWS (May 2015)    PDF
      • Considerations when using AWS services in FERPA compliance environments.
    • Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth (April 2015)    PDF
      • Integrating AWS IAM and LDAP for single sign-on solution.
    • Architecting for Genomic Data Security and Compliance in AWS (December 2014)    Executive Overview | PDF
      • Working with controlled-access datasets for genomic research repositories.
    • Encrypting Data at Rest (November 2014)    PDF | Kindle
      • Overview of options for encrypting data at rest.
    • Using Windows Active Directory Federation Services (ADFS) for Single Sign-On to EC2 (March 2010)    PDF
      • Single sign-on for hybrid environment.


  • 2016 Amazon re:Invent Security Sessions

    Security & Compliance track

    SAC201: Lessons from a Chief Security Officer: Achieving Continuous Compliance in Elastic Environments

    SAC303: Become an AWS IAM Policy Ninja in 60 Minutes or Less

    SAC304: Predictive Security: Using Big Data to Fortify Your Defenses

    SAC305: How AWS Automates Internal Compliance at Massive Scale using AWS Services

    SAC306: Encryption: It Was the Best of Controls, It Was the Worst of Controls

    SAC307: The Psychology of Security Automation

    SAC308: Hackproof Your Cloud: Responding to 2016 Threats

    SAC309: You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Validation from Adobe

    SAC310: Securing Serverless Architectures, and API Filtering at Layer 7

    SAC311: Evolving an Enterprise-Level Compliance Framework with Amazon CloudWatch Events and AWS Lambda

    SAC312: Architecting for End-to-End Security in the Enterprise

    SAC313: Enterprise Patterns for Payment Card Industry Data Security Standard (PCI DSS)

    SAC314: GxP Compliance in the Cloud

    SAC315: Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?

    SAC316: Security Automation: Spend Less Time Securing Your Applications

    SAC317: IAM Best Practices to Live By

    SAC318: Life Without SSH: Immutable Infrastructure in Production

    SAC319: Architecting Security and Governance Across a Multi-Account Strategy

    SAC320: Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy

    SAC321: Cyber Resiliency – Surviving the Breach

    SAC322: NEW LAUNCH: AWS Shield—A Managed DDoS Protection Service

    SAC323: NEW SERVICE: Manage Multiple AWS Accounts with AWS Organizations

    SAC326: How Harvard University Improves Scalable Cloud Network Security, Visibility, and Automation

    SAC327: No More Ransomware: How Europol, the Dutch Police, and AWS Are Helping Millions Deal with Cybercrime

    SAC401: 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules

    SAC402: The AWS Hero’s Journey to Achieving Autonomous, Self-Healing Security


    re:Source Mini Con for Security Services

    SEC301: Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks

    SEC303: Get the Most from AWS KMS: Architecting Applications for High Security

    SEC304: Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service

    SEC305: Scaling Security Resources for Your First 10 Million Customers

    SEC307: Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End Security Approach to Protect Microservice-Based Solutions at Scale
    SEC308: Securing Enterprise Big Data Workloads on AWS

    SEC309: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing

    SEC310: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases

    SEC311: How to Automate Policy Validation

    SEC312: re:Source Mini Con for Security Services State of the Union

    SEC313: Automating Security Event Response, from Idea to Code to Execution

    SEC314: Common Considerations for Data Integrity Controls in Healthcare

    SEC401: Automated Formal Reasoning About AWS Systems

  • Software Defined Security