
Security Guidelines

These security guidelines set out the security expectations for apps built for AppNest, SurveySparrow, ThriveSparrow, and third-party integrations, how broadly they apply, and the responsibility that app developers share for meeting them. The sections that follow give the best practices and recommendations to apply throughout app development.

Authentication and authorization

If the app integrates with a third-party application over OAuth, it must follow the security requirements that application imposes; an app that violates them will not be approved for public listing. The app's code does not need to contain API keys or other sensitive values, because the SSDK CLI lets you use placeholders in place of those variables.

Secure Development Guidelines

Following these guidelines gives you a repeatable, secure development process and reduces the risk of vulnerabilities reaching your software.

Secure code review

  • Adopt and enforce a secure coding standard (e.g., OWASP Top Ten, CERT Secure Coding Standards).
  • Implement input validation, output encoding, and parameterized queries to mitigate common risks.
  • Use secure frameworks and libraries known for their security features.
  • Regularly perform source code reviews with a focus on identifying security issues.
  • Use checklists to ensure consistency and completeness in the review process.
  • Encourage a culture where feedback is professionally given and received.
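The three code-level controls in the list above (input validation, output encoding, parameterized queries) applied to one hypothetical "look up a survey by id" path. This is an added example, not AppNest or SurveySparrow code; the table, column and `{ text, values }` query shape are assumptions (the shape matches Postgres-style clients) and the attacker input is constructed.

```javascript
// Added example (not AppNest/SurveySparrow code). Assumed: a Postgres-style
// database client that accepts { text, values } parameterized queries.

const SURVEY_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Input validation: allow-list the shape of the identifier rather than
// trying to strip "bad" characters out of arbitrary input.
function validateSurveyId(input) {
  if (typeof input !== 'string' || !SURVEY_ID_PATTERN.test(input)) {
    throw new TypeError('invalid survey id');
  }
  return input;
}

// Output encoding: escape for an HTML text context before user-controlled
// data is interpolated into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parameterized query: the SQL text is a constant and the value travels
// separately, so the database never parses user input as SQL.
function buildSurveyQuery(surveyId) {
  return {
    text: 'SELECT id, title FROM surveys WHERE id = $1',
    values: [validateSurveyId(surveyId)],
  };
}

// The pattern to avoid, kept only to contrast with buildSurveyQuery:
// string concatenation puts the input inside the SQL text.
function unsafeSurveyQuery(surveyId) {
  return { text: `SELECT id, title FROM surveys WHERE id = '${surveyId}'`, values: [] };
}

// Renders a survey title into an HTML fragment with encoding applied.
function renderTitle(title) {
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Demo with a constructed injection payload.
const demoAttacker = "x' OR '1'='1";
console.log('unsafe:', unsafeSurveyQuery(demoAttacker).text);
try {
  buildSurveyQuery(demoAttacker);
} catch (e) {
  console.log('rejected by validation:', e.message);
}
console.log('safe:', buildSurveyQuery('srv_42'));
console.log('encoded:', renderTitle('<img src=x onerror=alert(1)>'));
```

Validation and parameterization are independent layers: even if the allow-list were loosened, the value would still reach the database as a bound parameter rather than as SQL text.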

Static and Dynamic Code Analysis

  • Implement Static Application Security Testing (SAST) to identify potential vulnerabilities in the codebase.
  • Use Dynamic Application Security Testing (DAST) to find runtime vulnerabilities.
  • Integrate security analysis tools into the development environment for continuous feedback.
  • Use tools like Burp Suite or OWASP Zed Attack Proxy (ZAP) to identify any OWASP top 10 vulnerabilities.

Dependency Management

  • Keep all software dependencies, such as libraries and frameworks, up to date with the latest security patches.
  • Automate updates where possible, or establish a regular schedule for manual updates and reviews.
  • Monitor for vulnerabilities in third-party dependencies using tools like OWASP Dependency-Check, SourceClear, or Snyk.

Threat Modeling

  • Conduct regular threat modeling exercises to identify and mitigate potential security threats during the design phase.

Vulnerability Assessment and Penetration Testing (VAPT)

  • Conduct periodic vulnerability assessment and penetration testing (VAPT) of each feature to identify and address security weaknesses.

Security-focused QA testing

  • Develop and execute test cases based on the identified security risks.
  • Use automated tools and manual testing to uncover security defects.
  • Include penetration testing by security experts every year.

Data storage

  • Don’t store sensitive information such as API keys in the AppNest database, and don’t embed it in the application’s code either.
  • Any other sensitive data must be encrypted before it is stored in the AppNest database; use a strong algorithm such as AES-256, in an authenticated mode such as GCM so that tampering with stored records is detected.
  • Protect data in transit with a secure communication protocol such as TLS.
  • Choose storage solutions with strong security features and a good track record.

Information leakage

  • Remove or redact log statements that expose API keys or other sensitive data.
  • Configuration data such as the client ID or client secret must never appear in console logs or alert messages.
  • Do not surface the raw API error message in alert messages; show a generic message to the user and keep the detail in server-side logs.

Conclusion

These Security Guidelines for AppNest reinforce the importance of security in app development and the responsibility that developers share for it. They are meant to give developers a clear purpose and a proactive stance towards cybersecurity.