From d73fc0c007d4f0abca6e6a44e1e9fbb5cb47674c Mon Sep 17 00:00:00 2001
From: Haim Cohen
Date: Thu, 12 Jun 2025 10:21:57 +0300
Subject: [PATCH] add security-devsecops-ssdls-appsec.mdc. is a practical template for a Cursor rule that integrates DevSecOps, Secure Software Development Lifecycle (SSDLC), and Application Security (AppSec) best practices. This rule is intended for use in a .cursor/rules/security-devsecops-ssdls-appsec.mdc file and can be adapted to your project's needs.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 rules/security-devsecops-ssdls-appsec.mdc | 48 +++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 rules/security-devsecops-ssdls-appsec.mdc

diff --git a/rules/security-devsecops-ssdls-appsec.mdc b/rules/security-devsecops-ssdls-appsec.mdc
new file mode 100644
index 00000000..420458c3
--- /dev/null
+++ b/rules/security-devsecops-ssdls-appsec.mdc
@@ -0,0 +1,48 @@ +--- +description: Enforce DevSecOps, SSDLC, and AppSec best practices for all code generated in this project. +globs: ["**/*.py", "**/*.js", "**/*.ts", "**/*.go", "**/*.java", "**/*.rb", "**/*.php", "**/*.cs", "**/*.sh"] +alwaysApply: true +write by Haim Cohen [https://www.linkedin.com/in/haimc/] +--- + +# DevSecOps + SSDLC + AppSec Cursor Rule + +## General Security Principles +- Never hardcode secrets, credentials, or API keys. Use environment variables or secure vaults for sensitive data. +- Prohibit the inclusion of `.env`, secret config files, or unknown tokens in source control. +- Never log sensitive data, secrets, or session tokens in application logs. +- Validate and sanitize all user input. Escape output in HTML, JS, and SQL contexts. +- Avoid unsafe functions such as `exec`, `eval`, or similar dynamic code execution. + +## Database Security +- Use parameterized queries or ORM for all database access. Do not use string concatenation for query building. +- Ensure database users have the least privilege required for their tasks. +- Regularly review and update database access policies. + +## Dependency Management +- Only use packages from verified sources. +- Do not add new dependencies without explicit approval and security review. +- Regularly update dependencies and scan for known vulnerabilities (SCA). + +## Authentication & Authorization +- Use secure authentication frameworks; never implement custom authentication. +- Store passwords using strong, salted hashes (e.g., Argon2, bcrypt). +- Implement Role-Based Access Control (RBAC) for sensitive operations. +- Enforce the principle of least privilege for APIs and UI actions. + +## Secure SDLC Practices +- Integrate Static Application Security Testing (SAST) and Software Composition Analysis (SCA) into the CI pipeline. +- Scan all code for secrets before merging (Secret Scanning). +- Use Infrastructure as Code (IaC) scanning for all infrastructure code. 
+- Integrate Dynamic Application Security Testing (DAST) in the CD pipeline for deployed applications. +- Enforce Policy as Code (PaC) for automated, version-controlled security policies. + +## Monitoring & Feedback +- Enable continuous vulnerability monitoring and alerting. +- Integrate Runtime Application Self-Protection (RASP) and Web Application Firewall (WAF) as appropriate. +- Encourage regular vulnerability assessments and penetration testing. +- Maintain a feedback loop to update rules and prompts based on recurring vulnerabilities. + +## Compliance & Documentation +- Align with industry standards (e.g., OWASP Top 10, NIST, ISO 27001). +- Document all security controls and decisions for auditability.
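Review bot: The frontmatter line `write by Haim Cohen [https://www.linkedin.com/in/haimc/]` is not a YAML `key: value` pair, so the `---` block at the top of the new `.mdc` file will fail to parse and Cursor may drop the `description`, `globs` and `alwaysApply` settings along with it; move the attribution into the Markdown body below the frontmatter (or use a proper key such as `author:`), and fix "write by" to "written by". Two smaller points in the same block: `alwaysApply: true` makes the `globs` list moot (the rule is attached regardless of file type), so either drop `globs` or set `alwaysApply: false` if the intent is auto-attachment by extension; and the globs cover only application source files, while the rule body mandates IaC scanning, so Terraform, YAML, Dockerfile and similar files would not be matched. In the body, "Escape output in HTML, JS, and SQL contexts" contradicts the later "Use parameterized queries or ORM for all database access" (escaping is not the SQL injection defense the rule wants); remove SQL from the escape list. Finally, the filename and commit subject spell the acronym `ssdls` while the description and heading say SSDLC; consider renaming the file to `security-devsecops-ssdlc-appsec.mdc` before it is referenced elsewhere.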