practices/security.md: 3 additions & 3 deletions
@@ -52,7 +52,7 @@ The remainder of this page gives more detailed and specific recommendations to b
### Application level security
- Cover the **basics**
-
- Ensure the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project) is well understood and considered during software delivery, other risks outside of the Top Ten should not be discounted however
+
- Ensure the [OWASP Top Ten](https://owasp.org/www-project-top-ten/) is well understood and considered during software delivery, other risks outside of the Top Ten should not be discounted however
- Static code analysis tools can catch some of these issues early, for example [SonarQube](https://www.sonarqube.org/features/security/owasp/)
- Beware of over-reliance on automated tools: they can help to catch some issues, but they cannot be relied on to catch everything
- Encode/validate all user input. Code against (and test for) XSS and injection attacks such as SQL/XML/JSON/CRLF
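Review bot: the replacement URL on the `+` line drops the edition that the old link pinned (`Category:OWASP_Top_Ten_2017_Project`), so the bullet now tracks whichever edition `owasp.org/www-project-top-ten/` currently serves; if the rest of this guidance was written against the 2017 list, state the edition in the bullet text or link the edition-specific page, otherwise the unversioned link is fine. While the line is being touched, the trailing clause is a comma splice; suggest `...considered during software delivery; however, risks outside the Top Ten should not be discounted.`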
@@ -72,8 +72,8 @@ The remainder of this page gives more detailed and specific recommendations to b
- Code must be automatically scanned for secrets or other sensitive data. We have a [secret scanning guide](../tools/nhsd-git-secrets/README.md) that describes how to best achieve this using our preferred tooling, and also includes examples to get you started.
- Be wary of any 3rd party JavaScript included on the page, e.g. for A/B testing, analytics
- Pin dependencies at known versions to avoid unexpected updates
-
- Scan dependencies for vulnerabilities, e.g. using [OWASP Dependency Check](https://www.owasp.org/index.php/OWASP_Dependency_Check) or [Snyk](https://snyk.io/)
-
- Scan running software, e.g. using [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
+
- Scan dependencies for vulnerabilities, e.g. using [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) or [Snyk](https://snyk.io/)
+
- Scan running software, e.g. using [OWASP ZAP](https://owasp.org/www-project-zap/)
-**Automate** security testing — on every build if practical
- Generate test data in a way that avoids including personally identifiable information
- When granting roles to CI/CD tools, use different roles for the different stages in the deployment pipeline — for example so that a deployment meant for a development account cannot be performed against a production account
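Review bot: the two `+` lines move the Dependency Check and ZAP references from the old `www.owasp.org/index.php/...` wiki URLs to the `owasp.org/www-project-*/` pages, but nothing in the file prevents the same link rot from recurring unnoticed; suggest adding a markdown link check over `practices/*.md` to CI so dead references fail a build, which fits the `**Automate** security testing` bullet in this same hunk. Minor: the context line `-**Automate** security testing` has no space after the hyphen, so if the source really reads that way it will not render as a list item like its neighbours and is worth fixing in a follow-up.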