├── .envrc
├── docs
└── pages
│ ├── contribute
│ ├── champions.mdx
│ ├── spotlight-zone.mdx
│ └── index.mdx
│ ├── opsec
│ ├── old
│ │ ├── incident-response
│ │ │ ├── playbooks.mdx
│ │ │ ├── containment-recovery.mdx
│ │ │ └── index.mdx
│ │ ├── monitoring
│ │ │ ├── log-management.mdx
│ │ │ ├── alert-thresholds.mdx
│ │ │ └── index.mdx
│ │ ├── lifecycle
│ │ │ ├── identify.mdx
│ │ │ ├── threat-modeling.mdx
│ │ │ ├── risk-prioritization.mdx
│ │ │ ├── vulnerability-assessment.mdx
│ │ │ ├── countermeasures.mdx
│ │ │ └── index.mdx
│ │ ├── risk-management
│ │ │ ├── trade-off-analysis.mdx
│ │ │ ├── risk-assessment-prioritization.mdx
│ │ │ └── index.mdx
│ │ ├── governance
│ │ │ ├── security-policies-roles.mdx
│ │ │ ├── third-party-vendor-governance.mdx
│ │ │ └── index.mdx
│ │ ├── digital-identity-access
│ │ │ ├── overview.mdx
│ │ │ └── index.mdx
│ │ ├── data-protection
│ │ │ └── index.mdx
│ │ ├── physical-security
│ │ │ └── index.mdx
│ │ ├── web3-specific-opsec
│ │ │ └── index.mdx
│ │ ├── cloud-third-party
│ │ │ └── index.mdx
│ │ ├── device-endpoint-security
│ │ │ └── index.mdx
│ │ ├── network-communication
│ │ │ └── index.mdx
│ │ ├── human-centered-security
│ │ │ └── index.mdx
│ │ └── index.mdx
│ ├── integration
│ │ ├── devsecops.mdx
│ │ ├── governance.mdx
│ │ ├── privacy.mdx
│ │ └── index.mdx
│ ├── improvement
│ │ ├── security-kpis.mdx
│ │ ├── post-mortem.mdx
│ │ └── index.mdx
│ ├── control-domains
│ │ ├── technical
│ │ │ ├── device-hardening.mdx
│ │ │ ├── encrypted-storage-backups.mdx
│ │ │ ├── cryptocurrency-controls.mdx
│ │ │ ├── network-communication-security.mdx
│ │ │ ├── two-factor-hardware-auth.mdx
│ │ │ └── index.mdx
│ │ ├── organizational
│ │ │ ├── supply-chain-security.mdx
│ │ │ ├── compliance-regulatory-alignment.mdx
│ │ │ └── index.mdx
│ │ ├── people
│ │ │ ├── insider-threat-mitigation.mdx
│ │ │ ├── security-training-culture.mdx
│ │ │ ├── social-engineering-defense.mdx
│ │ │ └── index.mdx
│ │ ├── physical-environmental
│ │ │ ├── tamper-evidence.mdx
│ │ │ ├── secure-workspace-travel.mdx
│ │ │ └── index.mdx
│ │ └── index.mdx
│ ├── mfa
│ │ ├── index.mdx
│ │ └── overview.mdx
│ ├── browser
│ │ ├── index.mdx
│ │ └── overview.mdx
│ ├── endpoint
│ │ ├── index.mdx
│ │ └── overview.mdx
│ ├── google
│ │ └── index.mdx
│ ├── passwords
│ │ ├── index.mdx
│ │ └── overview.mdx
│ ├── travel
│ │ ├── index.mdx
│ │ └── overview.mdx
│ ├── appendices
│ │ └── index.mdx
│ ├── core-concepts
│ │ └── index.mdx
│ ├── principles
│ │ └── index.mdx
│ └── index.mdx
│ ├── wallet-security
│ ├── signing-schemes.mdx
│ ├── hardware-wallets.mdx
│ ├── software-wallets.mdx
│ └── index.mdx
│ ├── user-team-security
│ ├── overview.mdx
│ ├── security-training.mdx
│ ├── security-aware-culture.mdx
│ ├── phishing-social-engineering.mdx
│ └── index.mdx
│ ├── index.mdx
│ ├── config
│ └── index.mdx
│ ├── monitoring
│ ├── index.mdx
│ ├── overview.mdx
│ ├── guidelines.mdx
│ └── thresholds.mdx
│ ├── iam
│ ├── index.mdx
│ ├── overview.mdx
│ ├── role-based-access-control.mdx
│ ├── access-management.mdx
│ └── secure-authentication.mdx
│ ├── supply-chain
│ ├── index.mdx
│ ├── overview.mdx
│ └── dependency-awareness.mdx
│ ├── threat-modeling
│ ├── index.mdx
│ └── overview.mdx
│ ├── community-management
│ └── index.mdx
│ ├── vulnerability-disclosure
│ ├── index.mdx
│ └── overview.mdx
│ ├── governance
│ ├── index.mdx
│ ├── overview.mdx
│ ├── risk-management.mdx
│ └── security-metrics-kpis.mdx
│ ├── intro
│ ├── index.mdx
│ ├── what-is-it.mdx
│ ├── what-it-isnt.mdx
│ ├── how-to-navigate-the-website.mdx
│ └── introduction.mdx
│ ├── external-security-reviews
│ ├── index.mdx
│ ├── smart-contracts
│ │ └── index.mdx
│ └── security-policies-procedures.mdx
│ ├── security-automation
│ ├── index.mdx
│ └── overview.mdx
│ ├── safe-harbor
│ ├── index.mdx
│ └── self-checklist.mdx
│ ├── ens
│ ├── index.mdx
│ ├── data-integrity-verification.mdx
│ ├── overview.mdx
│ └── smart-contract-integration.mdx
│ ├── infrastructure
│ ├── identity-and-access-management.mdx
│ ├── domain-and-dns-security
│ │ └── index.mdx
│ ├── index.mdx
│ ├── asset-inventory.mdx
│ ├── zero-trust-principles.mdx
│ ├── operating-system-security.mdx
│ ├── network-security.mdx
│ ├── overview.mdx
│ └── ddos-protection.mdx
│ ├── incident-management
│ ├── index.mdx
│ ├── playbooks
│ │ ├── index.mdx
│ │ ├── overview.mdx
│ │ └── hacked-drainer.mdx
│ ├── overview.mdx
│ ├── lessons-learned.mdx
│ ├── incident-detection-and-response.mdx
│ └── communication-strategies.mdx
│ ├── devsecops
│ ├── index.mdx
│ ├── security-testing.mdx
│ ├── code-signing.mdx
│ ├── integrated-development-environments.mdx
│ ├── continuous-integration-continuous-deployment.mdx
│ ├── overview.mdx
│ └── repository-hardening.mdx
│ ├── dprk-it-workers
│ └── index.mdx
│ ├── front-end-web-app
│ ├── index.mdx
│ ├── overview.mdx
│ ├── security-tools-resources.mdx
│ ├── mobile-application-security.mdx
│ ├── web-application-security.mdx
│ └── common-vulnerabilities.mdx
│ ├── encryption
│ ├── file-encryption.mdx
│ ├── index.mdx
│ ├── hardware-encryption.mdx
│ ├── encryption-in-transit.mdx
│ ├── full-disk-encryption.mdx
│ ├── database-encryption.mdx
│ ├── overview.mdx
│ └── communication-encryption.mdx
│ ├── security-testing
│ ├── index.mdx
│ └── integration-testing.mdx
│ ├── privacy
│ ├── overview.mdx
│ ├── index.mdx
│ ├── financial-privacy-services.mdx
│ ├── privacy-focused-operating-systems-tools.mdx
│ └── data-removal-services.mdx
│ ├── awareness
│ └── index.mdx
│ ├── certs
│ ├── certified-protocols.mdx
│ ├── index.mdx
│ ├── certified-partners.mdx
│ └── contributions.mdx
│ ├── secure-software-development
│ ├── index.mdx
│ ├── overview.mdx
│ ├── secure-code-repositories-version-control.mdx
│ ├── secure-coding-standards-guidelines.mdx
│ └── code-reviews-peer-audits.mdx
│ ├── multisig-for-protocols
│ ├── index.mdx
│ ├── offboarding.mdx
│ ├── communication-setup.mdx
│ ├── hardware-wallet-setup.mdx
│ └── joining-a-multisig.mdx
│ └── treasury-operations
│ └── overview.mdx
├── public
└── _redirects
├── shell.nix
├── vercel.json
├── .editorconfig
├── .github
├── workflows
│ └── md-lint.yaml
├── PULL_REQUEST_TEMPLATE.md
└── ISSUE_TEMPLATE
│ └── non-content-request.yml
├── components
├── cert
│ ├── types.ts
│ └── SectionProgress.tsx
├── tags
│ ├── TagList.tsx
│ ├── TagList.css
│ ├── TagContext.tsx
│ ├── withTagFiltering.tsx
│ └── withTagFiltering.css
├── index.ts
├── mermaid
│ └── MermaidRenderer.tsx
├── shared
│ └── constants.ts
├── footer
│ └── ContributeFooter.tsx
├── certified-protocols
│ └── CertifiedProtocols.tsx
└── benchmark
│ └── Benchmark.css
├── tsconfig.json
├── justfile
├── cspell.json
├── .gitignore
├── .markdownlint.json
├── .devcontainer
├── Dockerfile
└── devcontainer.json
└── package.json

--------------------------------------------------------------------------------
/.envrc:
--------------------------------------------------------------------------------
use nix

--------------------------------------------------------------------------------
/docs/pages/contribute/champions.mdx:
--------------------------------------------------------------------------------
# Champions

--------------------------------------------------------------------------------
/docs/pages/opsec/old/incident-response/playbooks.mdx:
--------------------------------------------------------------------------------
# Playbooks

--------------------------------------------------------------------------------
/docs/pages/wallet-security/signing-schemes.mdx:
--------------------------------------------------------------------------------
# Signing Schemes

--------------------------------------------------------------------------------
/docs/pages/opsec/integration/devsecops.mdx:
--------------------------------------------------------------------------------
# DevSecOps Integration

--------------------------------------------------------------------------------
/docs/pages/opsec/integration/governance.mdx:
--------------------------------------------------------------------------------
# Governance Alignment
--------------------------------------------------------------------------------
/docs/pages/user-team-security/overview.mdx:
--------------------------------------------------------------------------------
# User and Team Security

--------------------------------------------------------------------------------
/docs/pages/wallet-security/hardware-wallets.mdx:
--------------------------------------------------------------------------------
# Hardware Wallets

--------------------------------------------------------------------------------
/docs/pages/wallet-security/software-wallets.mdx:
--------------------------------------------------------------------------------
# Software Wallets

--------------------------------------------------------------------------------
/docs/pages/opsec/improvement/security-kpis.mdx:
--------------------------------------------------------------------------------
# Security KPIs & Reporting

--------------------------------------------------------------------------------
/docs/pages/opsec/integration/privacy.mdx:
--------------------------------------------------------------------------------
# Privacy Framework Alignment

--------------------------------------------------------------------------------
/docs/pages/opsec/old/monitoring/log-management.mdx:
--------------------------------------------------------------------------------
# Log Management & SIEM

--------------------------------------------------------------------------------
/docs/pages/user-team-security/security-training.mdx:
--------------------------------------------------------------------------------
# Security Training

--------------------------------------------------------------------------------
/docs/pages/opsec/improvement/post-mortem.mdx:
--------------------------------------------------------------------------------
# Post-Mortem & Lessons Learned
--------------------------------------------------------------------------------
/docs/pages/opsec/old/lifecycle/identify.mdx:
--------------------------------------------------------------------------------
# Identify Information & Assets

--------------------------------------------------------------------------------
/docs/pages/opsec/old/lifecycle/threat-modeling.mdx:
--------------------------------------------------------------------------------
# Threat Modeling & Analysis

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/technical/device-hardening.mdx:
--------------------------------------------------------------------------------
# Device hardening

--------------------------------------------------------------------------------
/docs/pages/opsec/old/monitoring/alert-thresholds.mdx:
--------------------------------------------------------------------------------
# Alert Thresholds & Dashboards

--------------------------------------------------------------------------------
/docs/pages/opsec/old/risk-management/trade-off-analysis.mdx:
--------------------------------------------------------------------------------
# Trade-off analysis

--------------------------------------------------------------------------------
/docs/pages/user-team-security/security-aware-culture.mdx:
--------------------------------------------------------------------------------
# Security-Aware Culture

--------------------------------------------------------------------------------
/docs/pages/opsec/old/governance/security-policies-roles.mdx:
--------------------------------------------------------------------------------
# Security policies & roles

--------------------------------------------------------------------------------
/docs/pages/opsec/old/lifecycle/risk-prioritization.mdx:
--------------------------------------------------------------------------------
# Risk Assessment & Prioritization

--------------------------------------------------------------------------------
/docs/pages/opsec/old/lifecycle/vulnerability-assessment.mdx:
--------------------------------------------------------------------------------
# Vulnerability Assessment

--------------------------------------------------------------------------------
/docs/pages/opsec/old/lifecycle/countermeasures.mdx:
--------------------------------------------------------------------------------
# Countermeasure Selection & Implementation

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/organizational/supply-chain-security.mdx:
--------------------------------------------------------------------------------
# Supply-chain security

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/people/insider-threat-mitigation.mdx:
--------------------------------------------------------------------------------
# Insider-threat mitigation

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/people/security-training-culture.mdx:
--------------------------------------------------------------------------------
# Security training & culture

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/people/social-engineering-defense.mdx:
--------------------------------------------------------------------------------
# Social-engineering defense

--------------------------------------------------------------------------------
/docs/pages/opsec/old/digital-identity-access/overview.mdx:
--------------------------------------------------------------------------------
# Digital Identity and Access Management
--------------------------------------------------------------------------------
/docs/pages/opsec/old/governance/third-party-vendor-governance.mdx:
--------------------------------------------------------------------------------
# Third-party/vendor governance

--------------------------------------------------------------------------------
/docs/pages/user-team-security/phishing-social-engineering.mdx:
--------------------------------------------------------------------------------
# Phishing and Social Engineering

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/technical/encrypted-storage-backups.mdx:
--------------------------------------------------------------------------------
# Encrypted storage & backups

--------------------------------------------------------------------------------
/docs/pages/opsec/old/incident-response/containment-recovery.mdx:
--------------------------------------------------------------------------------
# Containment, Eradication & Recovery

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/physical-environmental/tamper-evidence.mdx:
--------------------------------------------------------------------------------
# Tamper-evidence & "evil-maid"

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/technical/cryptocurrency-controls.mdx:
--------------------------------------------------------------------------------
# Cryptocurrency-specific controls

--------------------------------------------------------------------------------
/docs/pages/opsec/old/risk-management/risk-assessment-prioritization.mdx:
--------------------------------------------------------------------------------
# Risk assessment & prioritization
--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/technical/network-communication-security.mdx:
--------------------------------------------------------------------------------
# Network & communication security

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/technical/two-factor-hardware-auth.mdx:
--------------------------------------------------------------------------------
# Two-factor & hardware authentication

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/organizational/compliance-regulatory-alignment.mdx:
--------------------------------------------------------------------------------
# Compliance & regulatory alignment

--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/physical-environmental/secure-workspace-travel.mdx:
--------------------------------------------------------------------------------
# Secure workspace & travel security

--------------------------------------------------------------------------------
/public/_redirects:
--------------------------------------------------------------------------------
# Cloudflare Pages Redirects Configuration

# Remove .html extension from all pages (301 permanent redirect)
/*.html /:splat 301

--------------------------------------------------------------------------------
/docs/pages/index.mdx:
--------------------------------------------------------------------------------
---
title: "Introduction"
---

--------------------------------------------------------------------------------
/shell.nix:
--------------------------------------------------------------------------------
{ pkgs ? import <nixpkgs> { } }:

pkgs.mkShell {
  packages = with pkgs; [
    pnpm
    nodejs_22
    python313
    python313Packages.pyyaml
    python313Packages.openai
  ];
}

--------------------------------------------------------------------------------
/vercel.json:
--------------------------------------------------------------------------------
{
  "buildCommand": "pnpm run docs:build && pnpm run postdocs:build",
  "outputDirectory": "docs/dist",
  "git": {
    "deploymentEnabled": {
      "main": false,
      "develop": false
    }
  }
}

--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
# EditorConfig is awesome: https://EditorConfig.org

# top-most EditorConfig file
root = true

[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true

--------------------------------------------------------------------------------
/docs/pages/opsec/mfa/index.mdx:
--------------------------------------------------------------------------------
---
title: "Mfa"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Mfa

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Multi-Factor Authentication](/opsec/mfa/overview)

--------------------------------------------------------------------------------
/docs/pages/opsec/browser/index.mdx:
--------------------------------------------------------------------------------
---
title: "Browser"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Browser

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Browser Security](/opsec/browser/overview)

--------------------------------------------------------------------------------
/.github/workflows/md-lint.yaml:
--------------------------------------------------------------------------------
name: Markdown linter

on:
  pull_request:
    branches:
      - main
      - develop
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: DavidAnson/markdownlint-cli2-action@v20
        continue-on-error: true
        with:
          globs: |
            src/**/*.md

--------------------------------------------------------------------------------
/docs/pages/opsec/endpoint/index.mdx:
--------------------------------------------------------------------------------
---
title: "Endpoint"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Endpoint

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Endpoint Security](/opsec/endpoint/overview)

--------------------------------------------------------------------------------
/docs/pages/opsec/google/index.mdx:
--------------------------------------------------------------------------------
---
title: "Google"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Google

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Google Workspace Security](/opsec/google/overview)

--------------------------------------------------------------------------------
/docs/pages/opsec/passwords/index.mdx:
--------------------------------------------------------------------------------
---
title: "Passwords"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Passwords

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Password Management](/opsec/passwords/overview)

--------------------------------------------------------------------------------
/docs/pages/config/index.mdx:
--------------------------------------------------------------------------------
---
title: "Config"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Config

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Template](/config/template)
- [Using Contributors](/config/using-contributors)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/data-protection/index.mdx:
--------------------------------------------------------------------------------
---
title: "Data Protection"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Data Protection

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Overview](/opsec/old/data-protection/overview)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/physical-security/index.mdx:
--------------------------------------------------------------------------------
---
title: "Physical Security"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Physical Security

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Overview](/opsec/old/physical-security/overview)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/web3-specific-opsec/index.mdx:
--------------------------------------------------------------------------------
---
title: "Web3 Specific Opsec"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Web3 Specific Opsec

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Overview](/opsec/old/web3-specific-opsec/overview)

--------------------------------------------------------------------------------
/docs/pages/contribute/spotlight-zone.mdx:
--------------------------------------------------------------------------------
---
title: "Spotlight Zone"
---
import { Contributors, ContributeFooter, TagFilter, TagProvider } from '../../../components'

# Spotlight Zone

This is the current list of individuals who have made substantial contributions to the project and deserve recognition.

---

--------------------------------------------------------------------------------
/docs/pages/opsec/improvement/index.mdx:
--------------------------------------------------------------------------------
---
title: "Improvement"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Improvement

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Post Mortem](/opsec/improvement/post-mortem)
- [Security Kpis](/opsec/improvement/security-kpis)

--------------------------------------------------------------------------------
/docs/pages/monitoring/index.mdx:
--------------------------------------------------------------------------------
---
title: "Monitoring"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Monitoring

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Guidelines](/monitoring/guidelines)
- [Monitoring](/monitoring/overview)
- [Thresholds](/monitoring/thresholds)

--------------------------------------------------------------------------------
/docs/pages/opsec/travel/index.mdx:
--------------------------------------------------------------------------------
---
title: "Travel"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Travel

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Guide](/opsec/travel/guide)
- [Operational Security while traveling](/opsec/travel/overview)
- [Tldr](/opsec/travel/tldr)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/monitoring/index.mdx:
--------------------------------------------------------------------------------
---
title: "Monitoring"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Monitoring

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Alert Thresholds](/opsec/old/monitoring/alert-thresholds)
- [Log Management](/opsec/old/monitoring/log-management)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/cloud-third-party/index.mdx:
--------------------------------------------------------------------------------
---
title: "Cloud Third Party"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Cloud Third Party

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [G Suite Security](/opsec/old/cloud-third-party/g-suite-security)
- [Overview](/opsec/old/cloud-third-party/overview)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/incident-response/index.mdx:
--------------------------------------------------------------------------------
---
title: "Incident Response"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Incident Response

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Containment Recovery](/opsec/old/incident-response/containment-recovery)
- [Playbooks](/opsec/old/incident-response/playbooks)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/governance/index.mdx:
--------------------------------------------------------------------------------
---
title: "Governance"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Governance

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Security Policies Roles](/opsec/old/governance/security-policies-roles)
- [Third Party Vendor Governance](/opsec/old/governance/third-party-vendor-governance)

--------------------------------------------------------------------------------
/docs/pages/contribute/index.mdx:
--------------------------------------------------------------------------------
---
title: "Contribute"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Contribute

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Champions](/contribute/champions)
- [Contribute](/contribute/contributing)
- [Spotlight Zone](/contribute/spotlight-zone)
- [Stewardship](/contribute/stewards)

--------------------------------------------------------------------------------
/docs/pages/opsec/appendices/index.mdx:
--------------------------------------------------------------------------------
---
title: "Appendices"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Appendices

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Appendices](/opsec/appendices/overview)
- [Case Studies](/opsec/appendices/case-studies)
- [Glossary](/opsec/appendices/glossary)
- [Policies](/opsec/appendices/policies)

--------------------------------------------------------------------------------
/docs/pages/opsec/browser/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Browser Security"
tags:
  - Security Specialist
  - Operations & Strategy
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'

# Browser Security

Placeholder for Browser Security content

--------------------------------------------------------------------------------
/docs/pages/opsec/integration/index.mdx:
--------------------------------------------------------------------------------
---
title: "Integration"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Integration

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
11 | 12 | ## Pages 13 | 14 | - [Devsecops](/opsec/integration/devsecops) 15 | - [Governance](/opsec/integration/governance) 16 | - [Integration](/opsec/integration/overview) 17 | - [Privacy](/opsec/integration/privacy) 18 | -------------------------------------------------------------------------------- /docs/pages/iam/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Iam" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Iam 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Access Management](/iam/access-management) 15 | - [Identity and Access Management](/iam/overview) 16 | - [Role Based Access Control](/iam/role-based-access-control) 17 | - [Secure Authentication](/iam/secure-authentication) 18 | -------------------------------------------------------------------------------- /docs/pages/opsec/endpoint/overview.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Endpoint Security" 3 | tags: 4 | - Security Specialist 5 | - Operations & Strategy 6 | --- 7 | 8 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' 9 | 10 | 11 | 12 | 13 | # Endpoint Security 14 | 15 | 16 | 17 | 18 | Placeholder for Endpoint Security content 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /docs/pages/opsec/passwords/overview.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Password Management" 3 | tags: 4 | - Security Specialist 5 | - Operations & Strategy 6 | --- 7 | 8 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' 9 | 10 | 11 | 12 | 13 | # Password 
Management 14 | 15 | 16 | 17 | 18 | Placeholder for Password Management content 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /docs/pages/opsec/old/device-endpoint-security/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Device Endpoint Security" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Device Endpoint Security 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Overview](/opsec/old/device-endpoint-security/overview) 15 | - [Standard Operating Environment](/opsec/old/device-endpoint-security/standard-operating-environment) 16 | -------------------------------------------------------------------------------- /docs/pages/supply-chain/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Supply Chain" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Supply Chain 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Dependency Awareness](/supply-chain/dependency-awareness) 15 | - [Supply Chain Levels Software Artifacts](/supply-chain/supply-chain-levels-software-artifacts) 16 | - [Supply Chain Security](/supply-chain/overview) 17 | -------------------------------------------------------------------------------- /docs/pages/opsec/mfa/overview.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Multi-Factor Authentication" 3 | tags: 4 | - Security Specialist 5 | - Operations & Strategy 6 | --- 7 | 8 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' 9 | 10 | 11 | 12 | 13 | # Multi-Factor Authentication 14 | 15 | 16 | 17 | 18 | Placeholder for Multi-Factor Authentication content 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /docs/pages/threat-modeling/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Threat Modeling" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Threat Modeling 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Create Maintain Threat Models](/threat-modeling/create-maintain-threat-models) 15 | - [Identity Mitigate Threats](/threat-modeling/identity-mitigate-threats) 16 | - [Threat Modeling](/threat-modeling/overview) 17 | -------------------------------------------------------------------------------- /docs/pages/opsec/control-domains/organizational/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Organizational" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Organizational 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Compliance Regulatory Alignment](/opsec/control-domains/organizational/compliance-regulatory-alignment) 15 | - [Supply Chain Security](/opsec/control-domains/organizational/supply-chain-security) 16 | -------------------------------------------------------------------------------- /docs/pages/opsec/core-concepts/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Core Concepts" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Core Concepts 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Implementation Process](/opsec/core-concepts/implementation-process) 15 | - [Security Fundamentals](/opsec/core-concepts/security-fundamentals) 16 | - [Web3 Considerations](/opsec/core-concepts/web3-considerations) 17 | -------------------------------------------------------------------------------- /docs/pages/opsec/principles/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Principles" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Principles 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Five Steps](/opsec/principles/five-steps) 15 | - [Principles](/opsec/principles/principles) 16 | - [Principles & Concepts Overview](/opsec/principles/overview) 17 | - [Web3 Considerations](/opsec/principles/web3-considerations) 18 | -------------------------------------------------------------------------------- /docs/pages/community-management/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Community Management" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Community Management 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Community Management](/community-management/overview) 15 | - [Discord Security](/community-management/discord) 16 | - [Telegram](/community-management/telegram) 17 | - [Twitter](/community-management/twitter) 18 | -------------------------------------------------------------------------------- /docs/pages/opsec/old/network-communication/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Network Communication" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Network Communication 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Overview](/opsec/old/network-communication/overview) 15 | - [Telegram](/opsec/old/network-communication/telegram) 16 | - [Wireless Security](/opsec/old/network-communication/wireless-security) 17 | -------------------------------------------------------------------------------- /docs/pages/vulnerability-disclosure/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerability Disclosure" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Vulnerability Disclosure 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Bug Bounties](/vulnerability-disclosure/bug-bounties) 15 | - [Security Contact](/vulnerability-disclosure/security-contact) 16 | - [Vulnerability Disclosure](/vulnerability-disclosure/overview) 17 | -------------------------------------------------------------------------------- /docs/pages/opsec/control-domains/physical-environmental/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Physical Environmental" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Physical Environmental 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Secure Workspace Travel](/opsec/control-domains/physical-environmental/secure-workspace-travel) 15 | - [Tamper Evidence](/opsec/control-domains/physical-environmental/tamper-evidence) 16 | -------------------------------------------------------------------------------- /docs/pages/governance/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Governance" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Governance 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Compliance Regulatory Requirements](/governance/compliance-regulatory-requirements) 15 | - [Governance](/governance/overview) 16 | - [Risk Management](/governance/risk-management) 17 | - [Security Metrics Kpis](/governance/security-metrics-kpis) 18 | -------------------------------------------------------------------------------- /docs/pages/intro/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Intro" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Intro 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [How to Navigate the Website](/intro/how-to-navigate-the-website) 15 | - [Introduction](/intro/introduction) 16 | - [Overview Of Each Framework](/intro/overview-of-each-framework) 17 | - [What it is](/intro/what-is-it) 18 | - [What it isn't](/intro/what-it-isnt) 19 | -------------------------------------------------------------------------------- /docs/pages/opsec/old/risk-management/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Risk Management" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Risk Management 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Risk Assessment Prioritization](/opsec/old/risk-management/risk-assessment-prioritization) 15 | - [Risk Management](/opsec/old/risk-management/overview) 16 | - [Trade Off Analysis](/opsec/old/risk-management/trade-off-analysis) 17 | -------------------------------------------------------------------------------- /docs/pages/external-security-reviews/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "External Security Reviews" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # External Security Reviews 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [External Security Reviews](/external-security-reviews/overview) 15 | - [Security Policies Procedures](/external-security-reviews/security-policies-procedures) 16 | - [Smart Contracts](/external-security-reviews/smart-contracts) 17 | -------------------------------------------------------------------------------- /components/cert/types.ts: -------------------------------------------------------------------------------- 1 | export interface Control { 2 | id: string; 3 | title: string; 4 | description: string; 5 | justification?: string; 6 | evidence?: string; 7 | } 8 | 9 | export type ControlState = "no" | "yes" | "na"; 10 | 11 | export interface ControlData { 12 | state: ControlState; 13 | justification: string; 14 | evidence: string; 15 | } 16 | 17 | export interface Section { 18 | id: string; 19 | title: string; 20 | description?: string; 21 | controls: Control[]; 22 | } 23 | 24 | export interface CertListProps { 25 | sections: Section[]; 26 | name: string; 27 | } 28 | -------------------------------------------------------------------------------- /docs/pages/opsec/old/digital-identity-access/index.mdx: 
-------------------------------------------------------------------------------- 1 | --- 2 | title: "Digital Identity Access" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Digital Identity Access 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Overview](/opsec/old/digital-identity-access/overview) 15 | - [Password Secrets Management](/opsec/old/digital-identity-access/password-secrets-management) 16 | - [Sim Swapping](/opsec/old/digital-identity-access/sim-swapping) 17 | -------------------------------------------------------------------------------- /docs/pages/opsec/control-domains/people/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "People" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # People 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Insider Threat Mitigation](/opsec/control-domains/people/insider-threat-mitigation) 15 | - [Security Training Culture](/opsec/control-domains/people/security-training-culture) 16 | - [Social Engineering Defense](/opsec/control-domains/people/social-engineering-defense) 17 | -------------------------------------------------------------------------------- /docs/pages/user-team-security/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "User Team Security" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # User Team Security 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Overview](/user-team-security/overview) 15 | - [Phishing Social Engineering](/user-team-security/phishing-social-engineering) 16 | - [Security Aware Culture](/user-team-security/security-aware-culture) 17 | - [Security Training](/user-team-security/security-training) 18 | -------------------------------------------------------------------------------- /docs/pages/security-automation/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Security Automation" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Security Automation 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Compliance Checks](/security-automation/compliance-checks) 15 | - [Infrastructure As Code](/security-automation/infrastructure-as-code) 16 | - [Security Automation](/security-automation/overview) 17 | - [Threat Detection Response](/security-automation/threat-detection-response) 18 | -------------------------------------------------------------------------------- /docs/pages/opsec/control-domains/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Control Domains" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Control Domains 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
11 | 12 | ## Pages 13 | 14 | - [Control Domains](/opsec/control-domains/overview) 15 | - [Organizational](/opsec/control-domains/organizational) 16 | - [People](/opsec/control-domains/people) 17 | - [Physical Environmental](/opsec/control-domains/physical-environmental) 18 | - [Technical](/opsec/control-domains/technical) 19 | -------------------------------------------------------------------------------- /docs/pages/safe-harbor/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Safe Harbor" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Safe Harbor 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [On Chain Adoption Guide](/safe-harbor/on-chain-adoption-guide) 15 | - [Scope Terms](/safe-harbor/scope-terms) 16 | - [SEAL Whitehat Safe Harbor](/safe-harbor/overview) 17 | - [Self Adoption Guide](/safe-harbor/self-adoption-guide) 18 | - [Self Checklist](/safe-harbor/self-checklist) 19 | - [Whitehat](/safe-harbor/whitehat) 20 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "ES2020", 4 | "useDefineForClassFields": true, 5 | "lib": ["ES2020", "DOM", "DOM.Iterable"], 6 | "module": "ESNext", 7 | "skipLibCheck": true, 8 | 9 | /* Bundler mode */ 10 | "moduleResolution": "bundler", 11 | "allowImportingTsExtensions": true, 12 | "resolveJsonModule": true, 13 | "isolatedModules": true, 14 | "noEmit": true, 15 | "jsx": "react-jsx", 16 | 17 | /* Linting */ 18 | "strict": true, 19 | "noUnusedLocals": true, 20 | "noUnusedParameters": true, 21 | "noFallthroughCasesInSwitch": true 22 | }, 23 | "include": ["**/*.ts", "**/*.tsx"] 24 | } 25 | 
-------------------------------------------------------------------------------- /docs/pages/ens/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Ens" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Ens 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Cross Chain Compatibility](/ens/cross-chain-compatibility) 15 | - [Data Integrity Verification](/ens/data-integrity-verification) 16 | - [ENS Best Practices](/ens/overview) 17 | - [Interface Compliance](/ens/interface-compliance) 18 | - [Name Handling Normalization](/ens/name-handling-normalization) 19 | - [Smart Contract Integration](/ens/smart-contract-integration) 20 | -------------------------------------------------------------------------------- /justfile: -------------------------------------------------------------------------------- 1 | # Default recipe to display help information 2 | default: 3 | @just --list 4 | 5 | # Install dependencies 6 | install: 7 | pnpm install 8 | 9 | # Serve the Vocs site locally with hot reload 10 | serve: 11 | pnpm run docs:dev 12 | 13 | # Build the static Vocs site 14 | build: install 15 | pnpm run docs:build 16 | 17 | # Preview the built site locally 18 | preview: install 19 | pnpm run docs:preview 20 | 21 | # Run all linting checks 22 | lint: 23 | @echo "Running spell check..." 24 | npx cspell ./docs/pages/**/*.mdx 25 | @echo "Spell check complete!" 26 | @echo "" 27 | @echo "Running markdownlint..." 
    markdownlint-cli2 ./docs/pages/**/*.mdx

--------------------------------------------------------------------------------
/docs/pages/infrastructure/identity-and-access-management.mdx:
--------------------------------------------------------------------------------
---
title: "Identity And Access Management"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Identity and Access Management

Right now, this subsection has an entire category of its own. Please refer to
[Identity and Access Management (IAM)](/iam/access-management).

---

--------------------------------------------------------------------------------
/docs/pages/incident-management/index.mdx:
--------------------------------------------------------------------------------
---
title: "Incident Management"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Incident Management

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Communication Strategies](/incident-management/communication-strategies)
- [Incident Detection And Response](/incident-management/incident-detection-and-response)
- [Incident Management](/incident-management/overview)
- [Lessons Learned](/incident-management/lessons-learned)
- [Playbooks](/incident-management/playbooks)

--------------------------------------------------------------------------------
/docs/pages/opsec/old/lifecycle/index.mdx:
--------------------------------------------------------------------------------
---
title: "Lifecycle"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Lifecycle

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Countermeasures](/opsec/old/lifecycle/countermeasures)
- [Identify](/opsec/old/lifecycle/identify)
- [Lifecycle](/opsec/old/lifecycle/overview)
- [Risk Prioritization](/opsec/old/lifecycle/risk-prioritization)
- [Threat Modeling](/opsec/old/lifecycle/threat-modeling)
- [Vulnerability Assessment](/opsec/old/lifecycle/vulnerability-assessment)

--------------------------------------------------------------------------------
/cspell.json:
--------------------------------------------------------------------------------
{
  "version": "0.2",
  "language": "en-US",
  "dictionaryDefinitions": [
    {
      "name": "project-specific-words",
      "path": "./wordlist.txt",
      "addWords": true
    }
  ],
  "dictionaries": [
    "project-specific-words"
  ],
  "allowCompoundWords": true,
  "ignorePaths": [
    "node_modules",
    "dist",
    ".git",
    ".next",
    "/docs/pages/config/contributors.json",
    "/docs/public",
    "./justfile"
  ],
  "ignoreRegExpList": [
    "users:\\s*\\[[^\\]]*\\]",
    "```[a-zA-Z0-9]*[\\s\\S]*?```"
  ]
}

--------------------------------------------------------------------------------
/docs/pages/threat-modeling/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Threat Modeling"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Threat Modeling

Threat modeling is a structured approach to identifying and mitigating security threats to a system. It involves
understanding potential threats, vulnerabilities, and attack vectors, and developing strategies to mitigate them.

---

--------------------------------------------------------------------------------
/components/tags/TagList.tsx:
--------------------------------------------------------------------------------
import { getTagColor, getTagId } from '../shared/constants'
import './TagList.css'

interface TagListProps {
  tags?: string[]
}

// Renders one coloured badge per tag; returns nothing when there are no tags.
export function TagList({ tags = [] }: TagListProps) {
  if (!tags || tags.length === 0) return null

  // The wrapper and badge elements were lost when this file was extracted;
  // the element names, class names and key expression below are assumptions
  // that keep the component valid TSX and use the imported helpers.
  return (
    <div className="tag-list">
      {tags.map((tag, index) => (
        <span
          key={`${getTagId(tag)}-${index}`}
          className="tag"
          style={{ backgroundColor: getTagColor(tag) }}
        >
          {tag}
        </span>
      ))}
    </div>
  )
}

--------------------------------------------------------------------------------
/docs/pages/devsecops/index.mdx:
--------------------------------------------------------------------------------
---
title: "Devsecops"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Devsecops

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Code Signing](/devsecops/code-signing)
- [Continuous Integration Continuous Deployment](/devsecops/continuous-integration-continuous-deployment)
- [DevSecOps](/devsecops/overview)
- [Integrated Development Environments](/devsecops/integrated-development-environments)
- [Repository Hardening](/devsecops/repository-hardening)
- [Security Testing](/devsecops/security-testing)

--------------------------------------------------------------------------------
/docs/pages/dprk-it-workers/index.mdx:
--------------------------------------------------------------------------------
---
title: "Dprk It Workers"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Dprk It Workers

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
11 | 12 | ## Pages 13 | 14 | - [Case Studies](/dprk-it-workers/case-studies) 15 | - [General Information](/dprk-it-workers/general-information) 16 | - [Insider Threats (DPRK)](/dprk-it-workers/overview) 17 | - [Mitigating DPRK IT Workers](/dprk-it-workers/mitigating-dprk-it-workers) 18 | - [Summary](/dprk-it-workers/summary) 19 | - [Techniques, Tactics, and Procedures](/dprk-it-workers/techniques-tactics-and-procedures) 20 | -------------------------------------------------------------------------------- /docs/pages/front-end-web-app/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Front End Web App" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Front End Web App 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Common Vulnerabilities](/front-end-web-app/common-vulnerabilities) 15 | - [Front-End Web Application Security Best Practices](/front-end-web-app/overview) 16 | - [Mobile Application Security](/front-end-web-app/mobile-application-security) 17 | - [Security Tools Resources](/front-end-web-app/security-tools-resources) 18 | - [Web Application Security](/front-end-web-app/web-application-security) 19 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/.DS_Store 2 | **/.DS_Store? 3 | **/.vscode 4 | **/.vscode? 5 | **/.obsidian 6 | **/.obsidian? 7 | **/.idea 8 | **/.idea? 
9 | book 10 | bin 11 | *.code-workspace 12 | # Rust build artifacts 13 | **/target/ 14 | **/*.rs.bk 15 | **/*.rmeta 16 | **/*.rlib 17 | Cargo.lock 18 | 19 | # Ignore contributors index file to prevent watch loops 20 | theme/contributors/contributorsindex.js 21 | theme/tags/tagsindex.js 22 | 23 | # Ignore claude-code installation 24 | claude-code 25 | @anthropic-ai/claude-code 26 | 27 | # Node.js dependencies 28 | node_modules/ 29 | package-lock.json 30 | .pnpm-store/ 31 | 32 | # pnpm artifacts 33 | pnpm-lock.yaml 34 | .pnpm-store/ 35 | 36 | # Claude Code configuration 37 | CLAUDE.md 38 | 39 | # Build folder 40 | **/dist/ 41 | 42 | .direnv -------------------------------------------------------------------------------- /docs/pages/encryption/file-encryption.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "File Encryption" 3 | tags: 4 | - Engineer/Developer 5 | - Security Specialist 6 | --- 7 | 8 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' 9 | 10 | 11 | 12 | 13 | # File Encryption 14 | 15 | 16 | 17 | 18 | File encryption protects sensitive information stored in files. 19 | 20 | Use strong encryption algorithms to encrypt sensitive files stored on local and network drives. 21 | There are multiple tools available for file encryption, use one that is regarded as trusted. 22 | 23 | --- 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /docs/pages/security-testing/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Security Testing" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Security Testing 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 
## Pages

- [Formal Verification](/security-testing/formal-verification)
- [Fuzz Testing](/security-testing/fuzz-testing)
- [Integration Testing](/security-testing/integration-testing)
- [Mutation Testing](/security-testing/mutation-testing)
- [Security Testing](/security-testing/overview)
- [Static Analysis](/security-testing/static-analysis)
- [Unit Testing](/security-testing/unit-testing)
--------------------------------------------------------------------------------
/docs/pages/external-security-reviews/smart-contracts/index.mdx:
--------------------------------------------------------------------------------
---
title: "Smart Contracts"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Smart Contracts

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Expectation](/external-security-reviews/smart-contracts/expectation)
- [Manual Review](/external-security-reviews/smart-contracts/manual-review)
- [Preparation](/external-security-reviews/smart-contracts/preparation)
- [Smart Contract Security Reviews](/external-security-reviews/smart-contracts/overview)
- [Vendor Selection](/external-security-reviews/smart-contracts/vendor-selection)
--------------------------------------------------------------------------------
/docs/pages/privacy/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Privacy"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Privacy

Privacy is a fundamental aspect of security. Protecting your personal and your team's information from unauthorized
access and exposure is crucial. This section provides guidelines and resources for maintaining privacy, managing your
digital footprint, and utilizing privacy-focused tools and services.

---

--------------------------------------------------------------------------------
/docs/pages/awareness/index.mdx:
--------------------------------------------------------------------------------
---
title: "Awareness"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Awareness

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Awareness Framework](/awareness/overview)
- [Core Awareness Principles](/awareness/core-awareness-principles)
- [Cultivating A Security Aware Mindset](/awareness/cultivating-a-security-aware-mindset)
- [Resources And Further Reading](/awareness/resources-and-further-reading)
- [Staying Informed And Continuous Learning](/awareness/staying-informed-and-continuous-learning)
- [Understanding Threat Vectors](/awareness/understanding-threat-vectors)
--------------------------------------------------------------------------------
/docs/pages/opsec/control-domains/technical/index.mdx:
--------------------------------------------------------------------------------
---
title: "Technical"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Technical

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Cryptocurrency Controls](/opsec/control-domains/technical/cryptocurrency-controls)
- [Device Hardening](/opsec/control-domains/technical/device-hardening)
- [Encrypted Storage Backups](/opsec/control-domains/technical/encrypted-storage-backups)
- [Network Communication Security](/opsec/control-domains/technical/network-communication-security)
- [Two Factor Hardware Auth](/opsec/control-domains/technical/two-factor-hardware-auth)
--------------------------------------------------------------------------------
/docs/pages/certs/certified-protocols.mdx:
--------------------------------------------------------------------------------
---
title: "Certified Protocols"
tags:
  - SEAL/Initiative
  - Certifications
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter, CertifiedProtocolsWrapper } from '../../../components'

# Certified Protocols

The following protocols have successfully completed SEAL certifications and received on-chain attestations via the Ethereum Attestation Service (EAS). For more details on each certification, click on the respective badges or view the relevant SFC document.

--------------------------------------------------------------------------------
/docs/pages/opsec/old/human-centered-security/index.mdx:
--------------------------------------------------------------------------------
---
title: "Human Centered Security"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Human Centered Security

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Detecting And Mitigating Insider Threats](/opsec/old/human-centered-security/detecting-and-mitigating-insider-threats)
- [Overview](/opsec/old/human-centered-security/overview)
- [Personal Opsec](/opsec/old/human-centered-security/personal-opsec)
- [Social Engineering Defense](/opsec/old/human-centered-security/social-engineering-defense)
- [Travel Security](/opsec/old/human-centered-security/travel-security)
--------------------------------------------------------------------------------
/docs/pages/privacy/index.mdx:
--------------------------------------------------------------------------------
---
title: "Privacy"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Privacy

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Data Removal Services](/privacy/data-removal-services)
- [Digital Footprint](/privacy/digital-footprint)
- [Encrypted Communication Tools](/privacy/encrypted-communication-tools)
- [Financial Privacy Services](/privacy/financial-privacy-services)
- [Privacy](/privacy/overview)
- [Privacy Focused Operating Systems Tools](/privacy/privacy-focused-operating-systems-tools)
- [Secure Browsing](/privacy/secure-browsing)
- [Vpn Services](/privacy/vpn-services)
--------------------------------------------------------------------------------
/docs/pages/certs/index.mdx:
--------------------------------------------------------------------------------
---
title: "Certs"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Certs

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Certification Guidelines](/certs/certification-guidelines)
- [Certified Auditors](/certs/certified-partners)
- [Certified Protocols](/certs/certified-protocols)
- [Contributions](/certs/contributions)
- [DNS Registrar](/certs/sfc-dns-registrar)
- [Incident Response](/certs/sfc-incident-response)
- [Multisig Operations](/certs/sfc-multisig-ops)
- [Overview](/certs/overview)
- [Treasury Operations](/certs/sfc-treasury-ops)
- [Workspace Security](/certs/sfc-workspace-security)
--------------------------------------------------------------------------------
/.markdownlint.json:
--------------------------------------------------------------------------------
{
  "default": true,
  "MD013": {
    "line_length": 120,
    "code_blocks": false,
    "tables": false
  },
  "MD024": {
    "siblings_only": true
  },
  "MD026": false,
  "MD025": false,
  "MD033": {
    "allowed_elements": [
      "details",
      "summary",
      "br",
      "img",
      "sup",
      "sub",
      "kbd",
      "div",
      "p",
      "em",
      "html",
      "head",
      "meta",
      "body",
      "strong",
      "video",
      "source",
      "TagList",
      "AttributionList",
      "TagProvider",
      "TagFilter",
      "ContributeFooter",
      "Contributors"
    ]
  },
  "MD037": false,
  "MD040": false,
  "MD041": false
}
--------------------------------------------------------------------------------
/.devcontainer/Dockerfile:
--------------------------------------------------------------------------------
# Base debian build with VSCode devcontainer base
FROM mcr.microsoft.com/vscode/devcontainers/base:debian

# Update packages and install only essential dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    pkg-config \
    libssl-dev \
    curl \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Install Node.js 22.x (LTS) from NodeSource
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
    && apt-get install -y nodejs

# Install pnpm and markdownlint-cli2 globally via npm (need root for global install)
USER root
RUN npm install -g pnpm@10.15.0 markdownlint-cli2

# Switch to the unprivileged vscode user for everything that follows
USER vscode

# Set working directory
WORKDIR /workspace
--------------------------------------------------------------------------------
/docs/pages/supply-chain/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Supply Chain Security"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Supply Chain Security

Supply chain security involves managing and securing all the components, dependencies, and processes involved in the
development, deployment, and maintenance of software. In the context of blockchain and web3 projects, this covers, for
example, parts of the web application stack and external libraries used by the smart contracts.

---

--------------------------------------------------------------------------------
/components/tags/TagList.css:
--------------------------------------------------------------------------------
.tag-container {
  display: flex;
  flex-wrap: wrap;
  gap: 8px;
  margin: 16px 0;
  padding: 0;
}

.tag-item {
  display: inline-flex;
  align-items: center;
  padding: 4px 8px;
  border-radius: 12px;
  font-size: 12px;
  font-weight: 500;
  color: white;
  text-decoration: none;
  border: 1px solid transparent;
  user-select: none;
  white-space: nowrap;
  text-shadow: 2px 2px 4px rgba(0, 0, 0, 0.5);
}

/* Dark mode adjustments */
@media (prefers-color-scheme: dark) {
  .tag-item {
    box-shadow: 0 2px 4px rgba(0, 0, 0, 0.3);
  }
}

/* Responsive design */
@media (max-width: 768px) {
  .tag-container {
    gap: 4px;
  }

  .tag-item {
    padding: 3px 6px;
    font-size: 11px;
  }
}
--------------------------------------------------------------------------------
/docs/pages/incident-management/playbooks/index.mdx:
--------------------------------------------------------------------------------
---
title: "Playbooks"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Playbooks

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Decentralized Ir](/incident-management/playbooks/decentralized-ir)
- [ELUSIVE COMET Attack](/incident-management/playbooks/hacked-elusive-comet)
- [Malware Infection](/incident-management/playbooks/malware)
- [North Korea (DPRK) Attack](/incident-management/playbooks/hacked-dprk)
- [Playbooks](/incident-management/playbooks/overview)
- [Seal 911 War Room Guidelines](/incident-management/playbooks/seal-911-war-room-guidelines)
- [Wallet Drainer Attack](/incident-management/playbooks/hacked-drainer)
--------------------------------------------------------------------------------
/docs/pages/secure-software-development/index.mdx:
--------------------------------------------------------------------------------
---
title: "Secure Software Development"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Secure Software Development

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Code Reviews Peer Audits](/secure-software-development/code-reviews-peer-audits)
- [Secure Code Repositories Version Control](/secure-software-development/secure-code-repositories-version-control)
- [Secure Coding Standards Guidelines](/secure-software-development/secure-coding-standards-guidelines)
- [Secure Software Development](/secure-software-development/overview)
- [Threat Modeling Secure Design Principles](/secure-software-development/threat-modeling-secure-design-principles)
--------------------------------------------------------------------------------
/docs/pages/infrastructure/domain-and-dns-security/index.mdx:
--------------------------------------------------------------------------------
---
title: "Domain And Dns Security"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Domain And Dns Security

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [DNS Basics & Common Attacks](/infrastructure/domain-and-dns-security/dns-basics-and-attacks)
- [DNSSEC, CAA, and Email Security](/infrastructure/domain-and-dns-security/dnssec-and-email)
- [Domain & DNS Security — Overview](/infrastructure/domain-and-dns-security/overview)
- [Monitoring, Alerts, and Incident Response](/infrastructure/domain-and-dns-security/monitoring-and-alerting)
- [Registrar Security & Registry Locks](/infrastructure/domain-and-dns-security/registrar-and-locks)
--------------------------------------------------------------------------------
/docs/pages/opsec/index.mdx:
--------------------------------------------------------------------------------
---
title: "Opsec"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Opsec

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Appendices](/opsec/appendices)
- [Browser](/opsec/browser)
- [Continuous Improvement Metrics](/opsec/continuous-improvement-metrics)
- [Control Domains](/opsec/control-domains)
- [Core Concepts](/opsec/core-concepts)
- [Endpoint](/opsec/endpoint)
- [Google](/opsec/google)
- [Improvement](/opsec/improvement)
- [Integration](/opsec/integration)
- [Mfa](/opsec/mfa)
- [Old](/opsec/old)
- [Operational Security](/opsec/overview)
- [Passwords](/opsec/passwords)
- [Principles](/opsec/principles)
- [Travel](/opsec/travel)
--------------------------------------------------------------------------------
/docs/pages/infrastructure/index.mdx:
--------------------------------------------------------------------------------
---
title: "Infrastructure"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Infrastructure

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.
## Pages

- [Asset Inventory](/infrastructure/asset-inventory)
- [Cloud Infrastructure](/infrastructure/cloud)
- [Ddos Protection](/infrastructure/ddos-protection)
- [Domain And Dns Security](/infrastructure/domain-and-dns-security)
- [Identity And Access Management](/infrastructure/identity-and-access-management)
- [Infrastructure](/infrastructure/overview)
- [Network Security](/infrastructure/network-security)
- [Operating System Security](/infrastructure/operating-system-security)
- [Zero Trust Principles](/infrastructure/zero-trust-principles)
--------------------------------------------------------------------------------
/docs/pages/monitoring/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Monitoring"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Monitoring

Monitoring is a crucial aspect of maintaining the security and integrity of a blockchain project. Effective monitoring
allows you to detect anomalies and potential security breaches in real time, enabling prompt response and mitigation.
This section focuses on monitoring the on-chain security of a project, including guidelines for setting up monitoring
systems, defining thresholds for alerts, and utilizing existing on-chain monitoring tools.

---

--------------------------------------------------------------------------------
/docs/pages/encryption/index.mdx:
--------------------------------------------------------------------------------
---
title: "Encryption"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Encryption

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Cloud Data Encryption](/encryption/cloud-data-encryption)
- [Communication Encryption](/encryption/communication-encryption)
- [Database Encryption](/encryption/database-encryption)
- [Email Encryption](/encryption/email-encryption)
- [Encryption](/encryption/overview)
- [Encryption In Transit](/encryption/encryption-in-transit)
- [File Encryption](/encryption/file-encryption)
- [Full Disk Encryption](/encryption/full-disk-encryption)
- [Hardware Encryption](/encryption/hardware-encryption)
- [Partition Encryption](/encryption/partition-encryption)
- [Volume Encryption](/encryption/volume-encryption)
--------------------------------------------------------------------------------
/docs/pages/intro/what-is-it.mdx:
--------------------------------------------------------------------------------
---
title: "What it is"
---
import { ContributeFooter, TagFilter, TagProvider } from '../../../components'

# What Is It

This resource is a collection of best practices written in an abstract or general fashion to be applicable regardless of
the specific technology. It serves as a comprehensive guide to help you secure various aspects of your Web3 projects
and build resilience against potential threats.

This guide aims to centralize existing information, so you might not see novel features but rather a well-organized
compilation of security-related topics, from simpler ones to more complex ones. The goal is to provide a comprehensive
resource that brings together diverse security insights and practices into one accessible place.

Our hope is that these resources will help expand your security skill set.

---

--------------------------------------------------------------------------------
/components/tags/TagContext.tsx:
--------------------------------------------------------------------------------
import { createContext, useContext, useState, ReactNode, Dispatch, SetStateAction } from 'react'

interface TagContextType {
  selectedTags: string[]
  setSelectedTags: Dispatch<SetStateAction<string[]>>
  isFilterActive: boolean
}

const TagContext = createContext<TagContextType | undefined>(undefined)

export function TagProvider({ children }: { children: ReactNode }) {
  const [selectedTags, setSelectedTags] = useState<string[]>([])

  return (
    <TagContext.Provider
      value={{
        selectedTags,
        setSelectedTags,
        // The filter counts as active as soon as at least one tag is selected
        isFilterActive: selectedTags.length > 0
      }}
    >
      {children}
    </TagContext.Provider>
  )
}

export function useTagFilter() {
  const context = useContext(TagContext)
  if (context === undefined) {
    throw new Error('useTagFilter must be used within a TagProvider')
  }
  return context
}
--------------------------------------------------------------------------------
/docs/pages/governance/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Governance"
tags:
  - Operations & Strategy
  - Legal & Compliance
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Governance

Good governance practices involve setting clear policies, establishing accountability, and continuously monitoring and
improving security measures. This section provides best practices and guidelines for how you could implement
governance in your project.

## Contents

1. [Compliance with Regulatory Requirements](/governance/compliance-regulatory-requirements)
2. [Risk Management](/governance/risk-management)
3. [Security Metrics and KPIs](/governance/security-metrics-kpis)

---

--------------------------------------------------------------------------------
/docs/pages/security-automation/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Security Automation"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
  - Cloud
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Security Automation

Security automation involves using technology to perform security tasks with minimal human intervention. By automating
repetitive and complex security processes, teams can improve efficiency, reduce the risk of human error, and respond to
threats more quickly. This section covers best practices and tools for automating various aspects of security, including
compliance checks, infrastructure as code, and threat detection and response.

---

--------------------------------------------------------------------------------
/docs/pages/secure-software-development/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Secure Software Development"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Secure Software Development

Secure software development is the practice of integrating security measures throughout the entire software development
lifecycle (SDLC). This approach ensures that software is designed, developed, and maintained with security in mind,
protecting against vulnerabilities and threats.
This section provides guidelines and best practices for secure software
development, including code reviews, secure coding standards, version control, and threat modeling.

---

--------------------------------------------------------------------------------
/docs/pages/encryption/hardware-encryption.mdx:
--------------------------------------------------------------------------------
---
title: "Hardware Encryption"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Hardware Encryption

Hardware encryption, such as an HSM, uses dedicated hardware to encrypt data and protect keys, providing robust security.
Using an HSM is fairly specialized, but consumer devices commonly ship with a TPM.

## Best Practices

1. Enable the TPM when available on your computer to enhance the security of hardware-based encryption.
2. Consider using self-encrypting drives (SEDs) for storage to ensure data is encrypted at the hardware level.
3. If relevant for your use case, use HSMs to securely generate, store, and manage encryption keys.

---

--------------------------------------------------------------------------------
/docs/pages/devsecops/security-testing.mdx:
--------------------------------------------------------------------------------
---
title: "Security Testing"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Security Testing

Security testing is a crucial part of the DevSecOps process, as it helps identify vulnerabilities early on so that they
can be remediated before they become an issue in production.

1. Integrate SAST tools into the CI/CD pipeline to analyze source code for vulnerabilities.
2. Use DAST tools to test running applications for security issues.
3. Combine SAST and DAST approaches with IAST tools for comprehensive security testing.
4. Implement fuzz testing to discover security vulnerabilities by feeding the program malformed or randomly generated inputs.

---

--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
## Frameworks PR Checklist

Thank you for contributing to the Security Frameworks!
Before you open a PR, make sure to read [information for contributors](https://frameworks.securityalliance.dev/contribute/contributing) and take a look at the following checklist:

- [ ] Describe your changes; replace this text with that information
- [ ] If you are touching an existing piece of content, tag current contributors from the attribution list
- [ ] If there is a steward for that framework, ask the steward to review it
- [ ] If you're modifying the general outline, make sure to update it in `vocs.config.ts`, adding the `dev: true` parameter
- [ ] If you need feedback for your content from the wider community, share the PR in our Discord
- [ ] Review changes to ensure there are no typos, see instructions below

--------------------------------------------------------------------------------
/docs/pages/iam/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Identity and Access Management"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Identity and Access Management (IAM)

Identity and Access Management (IAM) is the practice of managing who has access to your systems and data, and ensuring
that access is secure and appropriate. Effective IAM practices help prevent unauthorized access, reduce the risk of
insider threats, and ensure that users have the necessary access to perform their roles efficiently.

## Contents

1. [Role-Based Access Control (RBAC)](/iam/role-based-access-control)
2. [Secure Authentication](/iam/secure-authentication)
3. [Access Management Best Practices](/iam/access-management)

---

--------------------------------------------------------------------------------
/docs/pages/encryption/encryption-in-transit.mdx:
--------------------------------------------------------------------------------
---
title: "Encryption In Transit"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Encryption in Transit

Encryption in transit refers to encrypting data while it flows across networks. This matters because you do not want
anyone eavesdropping on your traffic; following best practices such as the ones below reduces that risk:

## Best Practices

1. Ensure that all data transmitted over the internet is encrypted using TLS/SSL.
2. Use secure VPNs to encrypt data transmitted over public networks such as public WiFi.
3. Use SSH for secure remote access to servers and other infrastructure.
4. Use encryption protocols such as S/MIME or PGP for email communications.

---

--------------------------------------------------------------------------------
/components/cert/SectionProgress.tsx:
--------------------------------------------------------------------------------
import { memo } from "react";

interface SectionProgressProps {
  completed: number;
  na: number;
  total: number;
}

export const SectionProgress = memo(function SectionProgress({
  completed,
  na,
  total
}: SectionProgressProps) {
  // Guard against division by zero for sections with no controls
  const completedPercentage = total > 0 ? (completed / total) * 100 : 0;
  const naPercentage = total > 0 ? (na / total) * 100 : 0;

  // The JSX markup of this return block was lost in extraction. The structure below
  // (a track holding a "completed" bar and an "N/A" bar, followed by the count label)
  // is reconstructed from the values computed above; the class names are placeholders,
  // not the project's original ones.
  return (
    <div className="section-progress">
      <div className="section-progress-track">
        <div
          className="section-progress-completed"
          style={{ width: `${completedPercentage}%` }}
        />
        <div
          className="section-progress-na"
          style={{ width: `${naPercentage}%` }}
        />
      </div>
      {completed + na}/{total}
    </div>
  );
});

SectionProgress.displayName = "SectionProgress";
--------------------------------------------------------------------------------
/docs/pages/vulnerability-disclosure/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Vulnerability Disclosure"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Vulnerability Disclosure

Vulnerability disclosure is the step taken after a vulnerability has been identified and fixed: making the
vulnerability known to the wider public. Often, a vulnerability disclosure will follow a
[bug bounty](/vulnerability-disclosure/bug-bounties) report that has been filed and corrected, or a team member
noticing a vulnerability that was then fixed. If responsible disclosure is not possible because the vulnerable code is
being actively exploited or will imminently be exploited, [Safe Harbor](/safe-harbor/overview) may be applicable.

---

--------------------------------------------------------------------------------
/components/index.ts:
--------------------------------------------------------------------------------
/**
 * Components index - provides easy access to all components
 *
 * Usage examples:
 *   import { TagFilter, useTagFilter } from './components'
 *   import { AttributionList } from './components'
 *   import { getTagColor } from './components'
 */

export { TagProvider, useTagFilter } from './tags/TagContext'
export { TagFilter } from './tags/TagFilter'
export { TagList } from './tags/TagList'
export { withTagFiltering, TagFilteringLayout } from './tags/withTagFiltering'
export { AttributionList } from './attribution/AttributionList'
export { ContributeFooter } from './footer/ContributeFooter'
export { Contributors } from './contributors/Contributors'
export { BenchmarkList } from './benchmark/Benchmark'
export { CertList } from './cert/CertList'
export type { Control, Section, CertListProps, ControlState, ControlData } from './cert/types'
export { default as MermaidRenderer } from './mermaid/MermaidRenderer'
export * from './shared/constants'
export { CertifiedProtocols } from './certified-protocols/CertifiedProtocols'
export { CertifiedProtocolsWrapper } from './certified-protocols/CertifiedProtocolsWrapper'
--------------------------------------------------------------------------------
/components/mermaid/MermaidRenderer.tsx:
--------------------------------------------------------------------------------
"use client";

import { useEffect, useRef } from "react";
import mermaid from "mermaid";

interface MermaidRendererProps {
  code: string;
  id: string;
}

const MermaidRenderer: React.FC<MermaidRendererProps> = ({ code, id }) => {
  const containerRef = useRef<HTMLDivElement>(null);
  useEffect(() => {
    if (!containerRef.current) return;

    const renderMermaid = async () => {
      try {
        mermaid.initialize({ startOnLoad: false });

        const cleanCode = code.trim();
        const { svg } = await mermaid.render(id, cleanCode);

        if (containerRef.current) {
          containerRef.current.innerHTML = svg;
        }
      } catch (err: unknown) {
        if (containerRef.current) {
          // Render the error message as text instead of interpolating it into
          // innerHTML, so a malformed diagram cannot inject markup into the page.
          // (The original wrapper element was lost in extraction; <pre> is a placeholder.)
          const message = err instanceof Error ? err.message : String(err);
          const errorBox = document.createElement("pre");
          errorBox.textContent = `Error rendering Mermaid diagram: ${message}`;
          containerRef.current.replaceChildren(errorBox);
        }
        console.error(err);
      }
    };

    renderMermaid();
  }, [code, id]);

  return <div ref={containerRef} />;
};

export default MermaidRenderer;
--------------------------------------------------------------------------------
/docs/pages/encryption/full-disk-encryption.mdx:
--------------------------------------------------------------------------------
---
title: "Full Disk Encryption"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Full Disk Encryption

Full disk encryption protects all data stored on a device in the event that it is stolen or lost. Today, all major
operating systems for workstations, servers and mobile phones have full disk encryption capabilities built in, sometimes
enabled by default. Check which full disk encryption is built into your operating system, and enable it if it is not
enabled by default.

## Best Practices

1. Ensure that full disk encryption uses strong industry-standard algorithms.
2. Enable full disk encryption by default on all devices, including laptops, desktops, and mobile devices.
3. Implement secure boot to ensure that only trusted software can be loaded during the boot process.

---

--------------------------------------------------------------------------------
/docs/pages/incident-management/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Incident Management"
tags:
  - Security Specialist
  - Operations & Strategy
  - Devops
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Incident Management

Incident management involves preparing for, detecting, responding to, and recovering from security incidents.
By 21 | thinking about incident management prior to actually experiencing an incident, you can help increase the likelihood of a 22 | timely recovery. 23 | 24 | ## Contents 25 | 26 | 1. [Communication Strategies](/incident-management/communication-strategies) 27 | 2. [Incident Detection and Response](/incident-management/incident-detection-and-response) 28 | 3. [Lessons Learned](/incident-management/lessons-learned) 29 | 4. [Playbooks](/incident-management/playbooks/overview) 30 | 5. [SEAL 911 War Room Guidelines](/incident-management/playbooks/seal-911-war-room-guidelines) 31 | 32 | --- 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /docs/pages/devsecops/code-signing.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Code Signing" 3 | tags: 4 | - Engineer/Developer 5 | - Security Specialist 6 | - Devops 7 | --- 8 | 9 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' 10 | 11 | 12 | 13 | 14 | # Code Signing 15 | 16 | 17 | 18 | 19 | Code signing ensures that the code has not been tampered with, and verifies the identity of the developer. Here are some 20 | best practices that could be followed: 21 | 22 | 1. Ensure all Pull Requests (PRs) are signed with the user’s GPG key. 23 | 2. Every PR must be reviewed by another core team member before being merged into the stable/main/master branch, with 24 | github settings set to reflect this. 25 | 3. Require Multi-Factor Authentication (MFA) for all users where applicable and available. Encourage the use of hardware 26 | MFA such as Yubikeys. 27 | 4. Rotate GPG keys regularly to mitigate the risk of key compromise. 28 | 5. Maintain clear documentation on the code signing procedures for your team members. 
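
One way to enforce point 1 in CI, as an added example that is not part of the original page or the project's own
tooling: list the commits between the pull request's base and head with their signature status and signing key,
and fail unless every one is a good signature (`%G?` = `G`) from a key on an allow-list. The trusted-keys file path,
the requirement that the runner has the team's public keys in its keyring, and the sample commits are all
assumptions for the illustration; the commit hashes and key IDs in the sample are fake.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or the Security Alliance repo:
# reject a pull request unless every commit in it carries a good signature from a
# trusted key. Intended CI usage:  ./check-commit-signatures.sh "$BASE_SHA" "$HEAD_SHA"
# Assumptions (not stated on the page): the CI runner has imported the team's public
# keys into its GPG keyring (otherwise git reports status E or U instead of G), and
# trusted key IDs are listed one per line in the file named by TRUSTED_KEYS.
set -eu

TRUSTED_KEYS="${TRUSTED_KEYS:-.github/trusted-signing-keys.txt}"   # assumed path
US="$(printf '\037')"   # ASCII unit separator: a field delimiter that never occurs in a subject line

# One record per commit: sha, signature status, signing key ID, subject.
# %G? is G (good), B (bad), U (good but key untrusted), X/Y (expired signature/key),
# R (revoked key), E (cannot check, e.g. public key missing) or N (unsigned).
commit_log() {
  git log --format='%H%x1f%G?%x1f%GK%x1f%s' "$1..$2"
}

# check_signatures <records> <trusted key IDs, one per line>
# Prints one REJECT line per offending commit; returns 0 only when there are none.
check_signatures() {
  bad=0
  while IFS="$US" read -r sha status key subject; do
    [ -n "$sha" ] || continue
    short="$(printf '%.12s' "$sha")"
    if [ "$status" != "G" ]; then
      printf 'REJECT %s: signature status %s (%s)\n' "$short" "$status" "$subject"
      bad=1
    elif ! printf '%s\n' "$2" | grep -qxF -- "$key"; then
      printf 'REJECT %s: signed by untrusted key %s (%s)\n' "$short" "$key" "$subject"
      bad=1
    fi
  done <<EOF
$1
EOF
  return "$bad"
}

# Constructed sample records (fake SHAs, fake key IDs) in the format commit_log emits:
# a good commit, an unsigned one, and one signed with a key that is not on the list.
sample_log() {
  printf '%s\037%s\037%s\037%s\n' \
    0123456789abcdef0123456789abcdef01234567 G A1B2C3D4E5F60718 'fix: clamp slippage' \
    89abcdef0123456789abcdef0123456789abcdef N ''               'chore: bump version' \
    fedcba9876543210fedcba9876543210fedcba98 G DEADBEEF00000000 'feat: add pause()'
}
sample_trusted() {
  printf '%s\n' A1B2C3D4E5F60718 0F1E2D3C4B5A6978
}

if [ "$#" -eq 2 ]; then
  # Real run: every commit between the PR base and head must pass, or the job fails.
  check_signatures "$(commit_log "$1" "$2")" "$(cat "$TRUSTED_KEYS")"
else
  # No range given: run against the constructed sample; two commits are rejected.
  check_signatures "$(sample_log)" "$(sample_trusted)" || echo "sample rejected, as expected"
fi
```

The check deliberately treats `U` (valid signature, key not trusted by the keyring) the same as an unsigned commit:
an allow-list of key IDs is what turns "someone signed this" into "one of us signed this". When a key is rotated,
the new ID is added to the list in a reviewed PR, which keeps the trust decision in version control.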

---



--------------------------------------------------------------------------------
/docs/pages/infrastructure/asset-inventory.mdx:
--------------------------------------------------------------------------------
---
title: "Asset Inventory"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Asset Inventory




An asset inventory is a record of everything your project depends on: smart contracts (with their deployed
addresses and any admin or upgrade keys), hardware, software, cloud accounts and providers, domains and DNS,
dependencies and network components. You cannot protect what you do not know you have, so the inventory is the
starting point for every other security measure.

At the very least, document as much as you can about your assets and update the inventory on a regular basis,
ideally whenever something is deployed or decommissioned. It is highly recommended to also assign an owner to each
asset, so that a named person is responsible for keeping it secure. Classifying assets by criticality and sensitivity
helps you prioritize security measures.

---



--------------------------------------------------------------------------------
/docs/pages/encryption/database-encryption.mdx:
--------------------------------------------------------------------------------
---
title: "Database Encryption"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Database Encryption




Often, databases contain information that should not be publicly available. To protect your database, consider
implementing the following best practices:

## Best Practices

1. Use strong encryption algorithms (for example AES-256) to encrypt database files and backups. Backups are a
   common weak point: they need the same encryption and key management as the live database.
2. Encrypt sensitive columns within the database, such as those containing personally identifiable information
   (PII) or credentials, at the application layer. Unlike whole-database encryption, this protects the data even
   from someone who can run queries against the database.
3. Use Transparent Data Encryption (TDE) to automatically encrypt and decrypt data stored on disk. Note the
   limitation: TDE protects against theft of disks and backup files, but the database decrypts data for any
   authorized query, so it offers no protection against SQL injection or a compromised database account.
4. Implement robust key management practices: keep keys separate from the data they protect, use an HSM or cloud
   KMS, and rotate keys regularly, with the schedule depending on your use case.
5. Enforce strict access controls to prevent unauthorized access to encrypted data.

---



--------------------------------------------------------------------------------
/docs/pages/front-end-web-app/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Front-End Web Application Security Best Practices"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Front-End Web Application Security Best Practices




Front-end security is often overlooked, but securing your web and mobile applications is crucial for protecting
your users. If the front-end is compromised, the consequences for users can be severe: a modified page or bundle
can, for example, prompt them to sign transactions against a malicious contract instead of your official one, while
the address bar still shows your domain.

## Contents

1. [Web Application Security](/front-end-web-app/web-application-security)
2. [Mobile Application Security](/front-end-web-app/mobile-application-security)
3. [Common Vulnerabilities](/front-end-web-app/common-vulnerabilities)
4. [Security Tools and Resources](/front-end-web-app/security-tools-resources)

---



--------------------------------------------------------------------------------
/docs/pages/encryption/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Encryption"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
  - Cloud
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Encryption




Encryption is a fundamental aspect of securing data, ensuring that sensitive information remains confidential and
protected from unauthorized access. This section covers the main places encryption applies and best practices for
implementing it effectively.

## Contents

1. [Cloud Data Encryption](/encryption/cloud-data-encryption)
2. [Communication Encryption](/encryption/communication-encryption)
3. [Encryption in Transit](/encryption/encryption-in-transit)
4. [Database Encryption](/encryption/database-encryption)
5. [Email Encryption](/encryption/email-encryption)
6. [File Encryption](/encryption/file-encryption)
7. [Full Disk Encryption](/encryption/full-disk-encryption)
8. [Hardware Encryption](/encryption/hardware-encryption)

---



--------------------------------------------------------------------------------
/docs/pages/intro/what-it-isnt.mdx:
--------------------------------------------------------------------------------
---
title: "What it isn't"
---
import { ContributeFooter, TagFilter, TagProvider } from '../../../components'




# What It Isn't

This resource isn't just a compilation of existing information.
While it may initially seem like a collection of curated 12 | content, its primary focus is on providing in-depth, practical guidance. 13 | 14 | Unlike other curations, compilations, or blog posts that often focus on the latest technologies, this guide delves into 15 | underlying concepts and technical aspects essential for securing Web3 projects. It’s not meant to be read like a "story" 16 | but rather used as a reference to enhance your understanding and application of security practices. 17 | 18 | The content may not always follow the latest state-of-the-art technologies, as its focus is on fundamental security 19 | principles that are broadly applicable. Our aim is to provide valuable insights and practical advice to help you secure 20 | your projects effectively. 21 | 22 | This guide is not intended to be offensive, though it might include strong examples to illustrate particular points. Our 23 | goal is to ensure clarity and effectiveness in conveying security best practices. 24 | 25 | --- 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /docs/pages/external-security-reviews/security-policies-procedures.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Security Policies Procedures" 3 | tags: 4 | - Security Specialist 5 | - Legal & Compliance 6 | - Operations & Strategy 7 | - HR 8 | contributors: 9 | - role: wrote 10 | users: [patrickalphac] 11 | --- 12 | 13 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' 14 | 15 | 16 | 17 | 18 | # Security Policies and Procedures 19 | 20 | 21 | 22 | 23 | As part of the external security review, it could be beneficial to also review the internal security policies and 24 | procedures as well. 25 | Some of the things that could be relevant to review are: 26 | 27 | 1. Ensure there is a developed and maintained plan for responding to security incidents. 28 | 2. 
Ensure there are defined roles and responsibilities, and enforce the principle of least privilege. 29 | 3. Ensure there are processes implemented for managing changes to the codebase and infrastructure. 30 | 4. Ensure there are regular training sessions conducted for all team members on security best practices. 31 | 5. Ensure adherence to any potentially relevant regulatory and industry standards for your project. 32 | 33 | --- 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /docs/pages/multisig-for-protocols/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Multisig For Protocols" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Multisig For Protocols 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 11 | 12 | ## Pages 13 | 14 | - [Backup Signing And Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure) 15 | - [Communication Setup](/multisig-for-protocols/communication-setup) 16 | - [Emergency Procedures](/multisig-for-protocols/emergency-procedures) 17 | - [Implementation Checklist](/multisig-for-protocols/implementation-checklist) 18 | - [Incident Reporting](/multisig-for-protocols/incident-reporting) 19 | - [Joining A Multisig](/multisig-for-protocols/joining-a-multisig) 20 | - [Offboarding](/multisig-for-protocols/offboarding) 21 | - [Overview](/multisig-for-protocols/overview) 22 | - [Personal Security Opsec](/multisig-for-protocols/personal-security-opsec) 23 | - [Planning And Classification](/multisig-for-protocols/planning-and-classification) 24 | - [Registration And Documentation](/multisig-for-protocols/registration-and-documentation) 25 | - [Setup And Configuration](/multisig-for-protocols/setup-and-configuration) 26 | - [Use Case Specific 
Requirements](/multisig-for-protocols/use-case-specific-requirements) 27 | -------------------------------------------------------------------------------- /docs/pages/incident-management/playbooks/overview.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Playbooks" 3 | tags: 4 | - Security Specialist 5 | - Operations & Strategy 6 | --- 7 | 8 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' 9 | 10 | 11 | 12 | 13 | # Playbooks 14 | 15 | 16 | 17 | 18 | Generally speaking, incident response playbooks aim to provide detailed, step-by-step procedures for handling specific 19 | types of security incidents. Obviously, it's not possible to have thought about every possible scenario ahead of time, 20 | but one could create documentation for the most likely or devastating scenarios. 21 | 22 | ## Best Practices 23 | 24 | 1. Define the type of incident the playbook addresses (e.g., stolen funds, data breach, DDoS attack). 25 | 2. Outline the steps for detecting and analyzing the incident, including key indicators of compromise (IOCs) and tools 26 | to use. 27 | 3. Describe immediate actions to contain the incident and prevent further damage. 28 | 4. Provide detailed steps for eradicating the root cause of the incident. 29 | 5. Outline procedures for restoring everything affected to normal operation. 30 | 6. Detail the steps for conducting a lessons learned review. 
31 | 32 | --- 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Security Frameworks DevContainer", 3 | "build": { 4 | "dockerfile": "Dockerfile" 5 | }, 6 | "features": { 7 | "ghcr.io/devcontainers/features/github-cli:1": { 8 | "installDirectlyFromGitHubRelease": true 9 | } 10 | }, 11 | "customizations": { 12 | "vscode": { 13 | "extensions": [ 14 | "yzhang.markdown-all-in-one", 15 | "bradlc.vscode-tailwindcss", 16 | "ms-vscode.vscode-typescript-next", 17 | "esbenp.prettier-vscode" 18 | ], 19 | "settings": { 20 | "terminal.integrated.defaultProfile.linux": "bash", 21 | "terminal.integrated.profiles.linux": { 22 | "bash": { 23 | "path": "/bin/bash" 24 | } 25 | } 26 | } 27 | } 28 | }, 29 | "forwardPorts": [ 30 | 5173 31 | ], 32 | "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", 33 | "workspaceFolder": "/workspace", 34 | "postCreateCommand": "pnpm install && pnpm rebuild just-install && echo 'DevContainer ready! Run \"pnpm run docs:dev\" to start the Vocs server.' 
&& ip=$(hostname -I | awk '{print $1}'); echo \"After running 'pnpm run docs:dev', access the site at http://$ip:5173\""
}
--------------------------------------------------------------------------------
/docs/pages/devsecops/integrated-development-environments.mdx:
--------------------------------------------------------------------------------
---
title: "Integrated Development Environments"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Integrated Development Environments (IDEs)




Integrated Development Environments (IDEs) are essential tools for developers, but they run with the developer's
privileges and sit next to source code, signing keys and cloud credentials, so they need to be secured too. Consider
implementing the following best practices:

1. Configure IDEs securely, installing plugins and extensions only from trusted sources. Many IDEs will run code from
   a project as soon as it is opened (tasks, debug configurations, language servers, workspace settings), so opening
   an untrusted repository is itself a risk. Use restricted mode or workspace trust for any project you don't fully
   trust.
2. Keep IDEs and their plugins/extensions up-to-date to protect against vulnerabilities.
3. Integrate static code analysis tools within the IDE to catch security issues early in the development process.
4. Configure IDEs to follow the principle of least privilege, limiting access to sensitive information and systems.
5. Ensure that development environments are isolated from production environments.
28 | 29 | --- 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /docs/pages/certs/certified-partners.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Certified Auditors" 3 | tags: 4 | - SEAL/Initiative 5 | - Certifications 6 | auditors: 7 | 8 | --- 9 | 10 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter, CertifiedProtocols } from '../../../components' 11 | 12 | 13 | 14 | 15 | # Certified Partners 16 | 17 | 18 | 19 | 20 | ## Current Status: Request for Qualifications (RFQ) 21 | 22 | SEAL Certifications is currently in the process of establishing our certified auditor partner program. We are actively seeking qualified auditing firms to become authorized certification issuers. 23 | 24 | ### Timeline 25 | 26 | - **Now - December 31st, 2025**: RFC Phase & Auditor RFQ Period 27 | - **Q1 2026**: Begin issuing formal certifications with certified auditor partners 28 | 29 | ## Becoming a Certified Auditor 30 | 31 | SEAL will work with a select group of third-party auditing firms to provide certification audits. SEAL-certified auditors will demonstrate expertise in blockchain security and operational security practices, and will be authorized to conduct audits against the SEAL Certification Framework and issue on-chain attestations. 32 | 33 | If your firm is interested, please fill [out this form](https://securityalliance.typeform.com/CertsAuditor) 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /docs/pages/opsec/old/index.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Old" 3 | --- 4 | 5 | {/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} 6 | 7 | # Old 8 | 9 | > _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of 10 | > navigating directory paths directly. 

## Pages

- [Cloud Third Party](/opsec/old/cloud-third-party)
- [Core Opsec Principles](/opsec/old/core-opsec-principles)
- [Data Protection](/opsec/old/data-protection)
- [Device Endpoint Security](/opsec/old/device-endpoint-security)
- [Digital Identity Access](/opsec/old/digital-identity-access)
- [Governance](/opsec/old/governance)
- [Governance Program Management](/opsec/old/governance-program-management)
- [Human Centered Security](/opsec/old/human-centered-security)
- [Incident Response](/opsec/old/incident-response)
- [Incident Response Recovery](/opsec/old/incident-response-recovery)
- [Lifecycle](/opsec/old/lifecycle)
- [Monitoring](/opsec/old/monitoring)
- [Monitoring Detection](/opsec/old/monitoring-detection)
- [Network Communication](/opsec/old/network-communication)
- [Overview](/opsec/old/overview)
- [Physical Security](/opsec/old/physical-security)
- [Risk Management](/opsec/old/risk-management)
- [Risk Management Overview](/opsec/old/risk-management-overview)
- [Threat Modeling Overview](/opsec/old/threat-modeling-overview)
- [Web3 Specific Opsec](/opsec/old/web3-specific-opsec)
--------------------------------------------------------------------------------
/components/shared/constants.ts:
--------------------------------------------------------------------------------
/**
 * Shared constants for the components
 */

// Tag color mapping for consistent styling across components
export const TAG_COLORS: Record<string, string> = {
  'Security Specialist': '#9F2026',
  'Operations & Strategy': '#9A055D',
  'Community & Marketing': '#5B2371',
  'HR': '#285AD2',
  'Engineer/Developer': '#B2439F',
  'Devops': '#5C234A',
  'SRE': '#2E51BA',
  'SEAL/Initiative': '#4339db',
  'Cloud': '#0873B5',
  'DAO': '#5112C1',
  'Legal & Compliance': '#0525B1',
  'Protocol': '#495EA9',
  'Whitehat': '#571A70',
  'Certifications': '#EA580C',
  'Multisig Security': '#2DD4BF',
  'SFC': '#9333EA',
  'DeFi': '#0ce66d',
  'Operations': '#a1fdaa',
  'Risk Management': '#933176',
  'Treasury Ops': '#f00120',
}

/**
 * Get the color for a specific tag
 * @param tag - The tag name
 * @returns The hex color code for the tag, or default gray if not found
 */
export function getTagColor(tag: string): string {
  return TAG_COLORS[tag] || '#6b7280' // default gray if tag not found
}

/**
 * Generate a DOM-safe ID from a tag name
 * @param tag - The tag name
 * @returns A lowercase, hyphenated string safe for use as an ID
 */
export function getTagId(tag: string): string {
  return tag.toLowerCase().replace(/[^a-z0-9]/g, '-')
}
--------------------------------------------------------------------------------
/docs/pages/certs/contributions.mdx:
--------------------------------------------------------------------------------
---
title: "Contributions"
tags:
  - SEAL/Initiative
  - Certifications
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Contributions




Like the rest of Frameworks, SEAL Certifications are open-source and accept contributions from the community. However, because a certification makes claims that others rely on, contributions are subject to a more stringent review and approval process managed by Isaac, the initiative lead, and the other Certifications maintainers.

- If you have suggestions for improving existing Certifications, or ideas for a new Certification, please open an issue in the frameworks repo with the `certifications` tag. We welcome feedback and ideas from the community!
21 | - If you're a protocol interested in having your project certified, you can reach out to us through our [protocol interest form](https://securityalliance.typeform.com/CertsWaitlist). 22 | - If you're a security firm interested in becoming a SEAL-approved auditor, please reach out through our [interest form](https://securityalliance.typeform.com/CertsAuditor). 23 | 24 | For more information on contributing to SEAL Certifications, or the rest of Frameworks, please see the [Contributing Guide](/contribute/contributing). 25 | 26 | -------------------------------------------------------------------------------- /components/tags/withTagFiltering.tsx: -------------------------------------------------------------------------------- 1 | import { ReactNode } from 'react' 2 | import { TagProvider } from './TagContext' 3 | import { TagFilter } from './TagFilter' 4 | import './withTagFiltering.css' 5 | 6 | // Higher-order component that wraps page content with tag filtering 7 | export function withTagFiltering(WrappedComponent: React.ComponentType) { 8 | return function TagFilteringWrapper(props: any) { 9 | return ( 10 | 11 |
12 | {/* Tag filter in header area */} 13 |
14 | 15 |
16 | 17 | {/* Main content - no custom sidebar, just existing content */} 18 |
19 | 20 |
21 |
22 |
23 | ) 24 | } 25 | } 26 | 27 | // Simple wrapper function for easier usage 28 | export function TagFilteringLayout({ children }: { children: ReactNode }) { 29 | return ( 30 | 31 |
32 | {/* Tag filter in header area */} 33 |
34 | 35 |
36 | 37 | {/* Main content - existing Vocs sidebar will be highlighted */} 38 |
39 | {children} 40 |
41 |
42 |
43 | ) 44 | } -------------------------------------------------------------------------------- /docs/pages/multisig-for-protocols/offboarding.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | tags: 3 | - Engineer/Developer 4 | - Security Specialist 5 | - Multisig Security 6 | contributors: 7 | - role: wrote 8 | users: [isaac, geoffrey, louis, pablo, dickson] 9 | - role: reviewed 10 | users: [pinalikefruit, engn33r] 11 | --- 12 | 13 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' 14 | 15 | 16 | 17 | 18 | # Offboarding 19 | 20 | 21 | 22 | 23 | When leaving a multisig, follow these steps: 24 | 25 | ## Signer removal 26 | 27 | 1. **Coordinate with team** - Notify other signers and schedule the removal transaction 28 | 2. **Execute removal** - Follow standard signer rotation procedures ([Signer Rotation](/wallet-security/secure-multisig-best-practices#signer-rotation)) 29 | 3. **Verify removal** - Confirm your address has been removed from the multisig 30 | 4. **Update documentation** - Ensure documentation reflects the change 31 | 32 | ## Clean up access 33 | 34 | - Leave all multisig communication channels (Signal, Telegram, etc.) 
35 | - Remove access to any sensitive shared documents or resources 36 | - Delete any locally stored sensitive multisig information 37 | 38 | ## Handover 39 | 40 | - Share any relevant context or pending items with remaining signers 41 | - Provide contact information if needed for transition questions 42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /docs/pages/incident-management/lessons-learned.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Lessons Learned" 3 | tags: 4 | - Security Specialist 5 | - Operations & Strategy 6 | - Devops 7 | - SRE 8 | --- 9 | 10 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' 11 | 12 | 13 | 14 | 15 | # Lessons Learned 16 | 17 | 18 | 19 | 20 | Conducting a post-incident review and identifying lessons learned will improve your project's incident response 21 | capabilities. By analyzing what went well and what could be improved, you can enhance your readiness for future 22 | incidents. 23 | 24 | ## Best Practices 25 | 26 | 1. Review the incident together with everybody involved in handling it shortly after the incident is resolved. 27 | 2. Record details about the incident, including the timeline, root cause, impact, and response efforts. 28 | 3. Assess the effectiveness of the incident response, highlighting areas where the team performed well and areas needing 29 | improvement. 30 | 4. Create action plans to address identified weaknesses and enhance strengths. Assign responsibilities and deadlines for 31 | implementing improvements. 32 | 5. Share the lessons learned with the ecosystem to promote awareness and improve overall security practices. 33 | 6. Revise incident response policies and procedures based on the lessons learned to ensure continuous improvement. 

---



--------------------------------------------------------------------------------
/docs/pages/governance/risk-management.mdx:
--------------------------------------------------------------------------------
---
title: "Risk Management"
tags:
  - Operations & Strategy
  - Legal & Compliance
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Risk Management




Effective risk management means systematically identifying, assessing, and mitigating threats to the project. It
lets you prioritize security efforts and see where resources are needed, and it gives you a repeatable way to develop
and implement mitigation strategies. It is continuous rather than one-off: monitor the security landscape for new
threats and vulnerabilities, reassess, and communicate the findings and mitigation plans to the people who have to
act on them.

## Best Practices for Risk Management

1. Use established frameworks such as NIST (for example SP 800-30 for risk assessment), ISO 27001, or COBIT to
   structure your risk management efforts rather than starting from scratch.
2. Focus on the most critical risks first, using a risk matrix to prioritize based on likelihood and impact.
3. Conduct regular risk assessments and reviews to keep up with the ever-evolving threat landscape, and re-run the
   assessment after major changes such as a new deployment, integration, or team change.
4. Use lessons learned from past incidents and risk assessments to continuously improve your risk management practices.

---



--------------------------------------------------------------------------------
/docs/pages/front-end-web-app/security-tools-resources.mdx:
--------------------------------------------------------------------------------
---
title: "Security Tools Resources"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'




# Security Tools and Resources




There are a great many security tools and resources available, and the choice can feel overwhelming.

For web and mobile applications there is a wide range of tools: OWASP ZAP or Burp Suite to scan your application for
vulnerabilities, Snyk to check your dependencies for known vulnerable versions, or MobSF for static and dynamic
analysis of Android/iOS applications. Keep in mind that scanners find known classes of issues; they do not replace a
manual review of the logic that is specific to your application.

For web3, there is also a wide range of tools.
Rather than listing specific tools, we are providing links to 25 | repositories listing many of these tools: 26 | 27 | - [https://github.com/safful/Web3-Security-Tools](https://github.com/safful/Web3-Security-Tools) 28 | - [https://github.com/OffcierCia/On-Chain-Investigations-Tools-List](https://github.com/OffcierCia/On-Chain-Investigations-Tools-List) 29 | - [https://github.com/shanzson/Smart-Contract-Auditor-Tools-and-Techniques](https://github.com/shanzson/Smart-Contract-Auditor-Tools-and-Techniques) 30 | - [https://github.com/Anugrahsr/Awesome-web3-Security](https://github.com/Anugrahsr/Awesome-web3-Security) 31 | 32 | --- 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /components/footer/ContributeFooter.tsx: -------------------------------------------------------------------------------- 1 | import { useEffect, useState } from 'react'; 2 | import './ContributeFooter.css' 3 | 4 | interface ContributeFooterProps { 5 | learnMoreUrl?: string; 6 | contributeUrl?: string; 7 | } 8 | 9 | export function ContributeFooter({ 10 | learnMoreUrl = "/contribute/contributing", 11 | contributeUrl = "https://github.com/security-alliance/frameworks/blob/develop/docs/pages/" 12 | }: ContributeFooterProps) { 13 | const [currentPath, setCurrentPath] = useState(""); 14 | 15 | useEffect(() => { 16 | const pathname = window.location.pathname; 17 | const filePath = `${pathname.slice(1)}.mdx`; 18 | 19 | setCurrentPath(filePath); 20 | }, []); 21 | 22 | return ( 23 |
24 |
25 |

Help us improve!

26 |

27 | Spotted an error or have ideas to enhance this content? 28 |

29 |

30 | Your contributions are valuable to us.{' '} 31 | 32 | Learn more 33 | 34 |

35 | 41 | ✏️ Contribute today! 42 | 43 |
44 |
45 | ); 46 | } 47 | 48 | -------------------------------------------------------------------------------- /docs/pages/devsecops/continuous-integration-continuous-deployment.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Continuous Integration Continuous Deployment" 3 | tags: 4 | - Engineer/Developer 5 | - Security Specialist 6 | - Devops 7 | - SRE 8 | --- 9 | 10 | import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' 11 | 12 | 13 | 14 | 15 | # Continuous Integration and Continuous Deployment (CI/CD) 16 | 17 | 18 | 19 | 20 | Continuous Integration and Continuous Deployment are there to ensure good code quality and create rapid and secure 21 | deployments. Some best practices are: 22 | 23 | 1. Ensure every PR undergoes CI testing (e.g., GitHub Actions) that must pass before merging. CI tests should at least 24 | include unit tests, integration tests, and checks for known vulnerabilities in dependencies. 25 | 2. The CI/CD pipeline should check for misconfigurations and leaked credentials. 26 | 3. Produce deterministic builds with a strict set of dependencies and/or a build container that can reliably produce the 27 | same results on different machines. 28 | 4. Integrate security scanning tools to detect vulnerabilities in code and dependencies during the CI process. 29 | 5. Use isolated environments for building and testing to prevent contamination between different stages of the pipeline. 30 | 6. Implement strict access controls for CI/CD pipelines to limit who can modify the pipeline configurations. 

---

--------------------------------------------------------------------------------
/docs/pages/intro/how-to-navigate-the-website.mdx:
--------------------------------------------------------------------------------
---
title: "How to Navigate the Website"
---
import { ContributeFooter, TagFilter, TagProvider } from '../../../components'

# How to Navigate the Website

Navigating the Security Frameworks by SEAL is intended, in time, to be intuitive and user-friendly. We currently allow users to filter contents by role, but we're not quite there yet. Any feedback on how to improve the usage of the frameworks in the future is appreciated.

## Categories

The content is organized into different categories, each focusing on a specific aspect of security. Currently, we are in the introduction section, but you can explore the broader category of "Frameworks" below. Each framework is categorized to help you find relevant information quickly.

## Filtering by Profile

This is currently being implemented, and we're looking for volunteers and collaborators for this specific task. The main objective is to allow users to filter the content by profile to focus on information relevant to their role within the organization. This feature allows them to bypass unnecessary reading and concentrate on what matters most.

Example roles:

- Developer
- Executive
- Security
- Finance
- Crypto
- Management
- Community
- Non-Technical

This targeted approach will ensure you get the most relevant information efficiently.

---

--------------------------------------------------------------------------------
/docs/pages/iam/role-based-access-control.mdx:
--------------------------------------------------------------------------------
---
title: "Role Based Access Control"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - HR
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a method of regulating access to systems and data based on the roles assigned to individual users within a project. RBAC ensures that users have the minimum access necessary to perform their job functions, reducing the risk of unauthorized access.

## Key Principles of RBAC

- **Role Definition**: Clearly define roles within the project based on the team member's job responsibility. Each role should have a specific set of permissions; for example, a community manager will usually not require administrative permissions to the project's GitHub repository.
- **Role Assignment**: Assign roles to team members based on their job responsibilities. Ensure that users only have access to the resources they need.
- **Permission Management**: Regularly review and update role permissions to ensure they are aligned with current team functions and security requirements.
- **Separation of Duties**: Implement separation of duties to prevent conflicts of interest and reduce risk.
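As an added example (not code from the frameworks), the TypeScript below applies the four principles above in a small role model: roles defined as permission sets, assignment of roles to people, a permission-review helper, and a separation-of-duties audit. Role and permission names are assumed for the illustration.

```typescript
// Added example (not from the frameworks): a minimal role model with
// least-privilege checks and a separation-of-duties rule.
// Role and permission names are assumed for the illustration.

type Permission =
  | "repo:read" | "repo:write" | "repo:admin"
  | "deploy:propose" | "deploy:approve"
  | "community:post";

// Role definition: each role carries only the permissions its job needs.
const ROLES: { [role: string]: Permission[] } = {
  "developer": ["repo:read", "repo:write", "deploy:propose"],
  "release-approver": ["repo:read", "deploy:approve"],
  "repo-admin": ["repo:read", "repo:write", "repo:admin"],
  "community-manager": ["community:post"],   // no repository admin rights
};

// Separation of duties: whoever proposes a deployment must not also approve it.
const SEPARATION_OF_DUTIES: Array<[Permission, Permission]> = [
  ["deploy:propose", "deploy:approve"],
];

type Assignments = { [user: string]: string[] };   // user -> roles

function effectivePermissions(roles: string[]): Set<Permission> {
  const perms = new Set<Permission>();
  for (const role of roles) {
    const granted = ROLES[role];
    if (!granted) throw new Error(`unknown role: ${role}`);   // fail closed on typos
    for (const p of granted) perms.add(p);
  }
  return perms;
}

// Authorization check: a user with no roles has no access.
function canPerform(assignments: Assignments, user: string, perm: Permission): boolean {
  return effectivePermissions(assignments[user] || []).has(perm);
}

// Permission review: who currently holds a given permission.
function holdersOf(assignments: Assignments, perm: Permission): string[] {
  return Object.keys(assignments).filter((u) => canPerform(assignments, u, perm)).sort();
}

// Separation-of-duties audit over the whole assignment table.
function separationOfDutiesViolations(assignments: Assignments): string[] {
  const violations: string[] = [];
  for (const user of Object.keys(assignments)) {
    const perms = effectivePermissions(assignments[user]);
    for (const [a, b] of SEPARATION_OF_DUTIES) {
      if (perms.has(a) && perms.has(b)) violations.push(`${user} holds both ${a} and ${b}`);
    }
  }
  return violations;
}

// Constructed sample team; carol's combination is the one the audit should flag.
const TEAM: Assignments = {
  alice: ["developer"],
  bob: ["release-approver"],
  carol: ["developer", "release-approver"],
  dave: ["community-manager"],
};
```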

---

--------------------------------------------------------------------------------
/docs/pages/front-end-web-app/mobile-application-security.mdx:
--------------------------------------------------------------------------------
---
title: "Mobile Application Security"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Mobile Application Security

Mobile applications are increasingly used as front-ends for web3 protocols. As more projects use mobile applications, they also become an increasingly attractive target for threat actors. Below, you can find some suggestions to help protect your mobile application:

## Best Practices

1. Follow secure coding practices to prevent common vulnerabilities such as:
   - Insecure Data Storage
   - Insufficient Transport Layer Protection
   - Insecure Authentication
   - Insecure Authorization
2. Use the trusted execution environment available in the device for secret management.
3. Ensure that APIs used by the mobile application are secure and follow best practices for authentication and authorization, and implement certificate pinning to help prevent man-in-the-middle attacks.
4. Encrypt sensitive data stored on the device and during transmission.
5. Keep the mobile application and its dependencies updated to protect against known vulnerabilities.
6. Leverage security libraries and frameworks designed for mobile application security, such as the OWASP Mobile Security Project.

---

--------------------------------------------------------------------------------
/docs/pages/devsecops/overview.mdx:
--------------------------------------------------------------------------------
---
title: "DevSecOps"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# DevSecOps

Traditionally, rapid development and deployment are often prioritized at the expense of security considerations. Generally speaking this is no different in web3, but it is important to take integrity, confidentiality, and availability into consideration too. To effectively address this without compromising on rapid development and deployment, it is essential to integrate security into the process, which is where DevSecOps comes into play. By implementing DevSecOps, projects can not only deploy faster, but also be more secure.

When operating with a DevSecOps mindset, projects prioritize automation and collaboration between the development, operations and security teams.

Some of the key areas to consider are:

1. Integrate security measures early in the development process, for example by utilizing security tools such as fuzzers and static and dynamic analysis tools in your CI/CD process, to identify and mitigate vulnerabilities before they turn into critical issues.
2. Implement automated security testing and monitoring.
3. Development, Operations and Security teams should be aligned and work closely together.

---

--------------------------------------------------------------------------------
/docs/pages/multisig-for-protocols/communication-setup.mdx:
--------------------------------------------------------------------------------
---
tags:
  - Engineer/Developer
  - Security Specialist
  - Multisig Security
contributors:
  - role: wrote
    users: [isaac, geoffrey, louis, pablo, dickson]
  - role: reviewed
    users: [pinalikefruit, engn33r]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Communication Setup

## Primary channel

Set up a dedicated communication channel for multisig operations:
- **Platform**: Signal recommended (end-to-end encryption)
- **Membership**: Multisig signers + authorized management only
- **Configuration**: Notifications enabled, disappearing messages for sensitive discussions
- **Naming**: Clear channel naming convention (e.g., "X-Treasury-Multisig")

## Backup channels

Configure backup communication on a different platform:
- **Platform**: Different from primary (if Signal is primary, use Telegram/Discord/Slack)
- **Same membership restrictions** as primary
- **Document access procedures** for all signers

## Paging system (Critical/Emergency Multisigs)

For multisigs requiring rapid response:
- Configure alerts that can reach signers 24/7
- Include essential info in the page: multisig name, urgency level, primary action needed
- Link to emergency runbooks in the notification message
- Test quarterly to ensure reliability

--------------------------------------------------------------------------------
/docs/pages/multisig-for-protocols/hardware-wallet-setup.mdx:
--------------------------------------------------------------------------------
---
tags:
  - Engineer/Developer
  - Security Specialist
  - Multisig Security
contributors:
  - role: wrote
    users: [isaac, geoffrey, louis, pablo, dickson]
  - role: reviewed
    users: [pinalikefruit, engn33r]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Hardware Wallet Setup

## Recommended devices

**Ledger:**
- Ledger Stax
- Ledger Nano S Plus

**Trezor:**
- Trezor Model One
- Trezor Safe 3

## Initial setup

### Purchase & Verification
- Purchase only from the manufacturer or authorized resellers
- Verify tamper-resistant packaging is untouched
- Check for authenticity indicators on packaging

### Device configuration
- Update firmware to the latest version before creating accounts
- Configure PIN: use a unique, strong PIN (different from other devices)
- Generate seed following device instructions
- Create accounts as needed

## Backup device

Every signer MUST maintain a backup device. If the first device fails, it is better to have a second one ready to go without having to access the seed phrase.
- Second hardware wallet with same seed phrase
- Test both devices can create valid signatures
- Store backup securely
- Monthly verification that backup device functions correctly

--------------------------------------------------------------------------------
/docs/pages/devsecops/repository-hardening.mdx:
--------------------------------------------------------------------------------
---
title: "Repository Hardening"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Repository Hardening

If a threat actor obtains access to your repository, it could have very severe consequences. In order to help avoid this, you could consider implementing the following best practices:

1. Require Multi-Factor Authentication (MFA) for all repository members.
2. Enable protected branches to prevent unauthorized changes to critical branches. [Learn more about protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches).
3. Follow the [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to avoid token stealing and other vulnerabilities.
4. Implement strict access controls to limit who can push to critical branches and repositories.
5. Conduct regular security audits of the repository to identify and mitigate potential vulnerabilities.
6. Require all commits to be signed to verify the identity of contributors and ensure the integrity of the code.
7. Regularly update dependencies and use tools to check for and manage vulnerabilities in dependencies.

---

--------------------------------------------------------------------------------
/docs/pages/infrastructure/zero-trust-principles.mdx:
--------------------------------------------------------------------------------
---
title: "Zero Trust Principles"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Zero-Trust Principles

The Zero-Trust security model assumes that threats can exist both inside and outside the network. It requires strict verification for every user and device attempting to access resources, regardless of their location.

## Key Principles

1. Always authenticate and authorize based on all available data points, including user identity, location, device health, and service or workload.
2. Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
3. Segment networks and use encryption to limit the potential impact of a breach.

## Implementation Strategies

1. Implement strong IAM practices, including multi-factor authentication (MFA) and conditional access policies.
2. Use micro-segmentation to create secure zones in data centers and cloud environments.
3. Ensure all endpoints (e.g., devices, servers) comply with security policies before granting access.
4. Implement continuous monitoring and analytics to detect and respond to anomalies in real-time.
5. Use automation to enforce security policies consistently across the network.

---

--------------------------------------------------------------------------------
/docs/pages/wallet-security/index.mdx:
--------------------------------------------------------------------------------
---
title: "Wallet Security"
---

{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */}

# Wallet Security

> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of
> navigating directory paths directly.

## Pages

- [Account Abstraction](/wallet-security/account-abstraction)
- [Cold Vs Hot Wallet](/wallet-security/cold-vs-hot-wallet)
- [Custodial Vs Non Custodial](/wallet-security/custodial-vs-non-custodial)
- [For Beginners & Small Balances](/wallet-security/for-beginners-&-small-balances)
- [Hardware Wallets](/wallet-security/hardware-wallets)
- [Intermediates & Medium Funds](/wallet-security/intermediates-&-medium-funds)
- [Safe Multisig: Step-by-Step Verification](/wallet-security/secure-multisig-safe-verification)
- [Secure Multisig Best Practices](/wallet-security/secure-multisig-best-practices)
- [Secure Multisig Signing Process](/wallet-security/secure-multisig-signing-process)
- [Seed Phrase Management](/wallet-security/seed-phrase-management)
- [Signing Schemes](/wallet-security/signing-schemes)
- [Signing Verification](/wallet-security/signing-verification)
- [Software Wallets](/wallet-security/software-wallets)
- [Squads Multisig: Step-by-Step Verification](/wallet-security/secure-multisig-squads-verification)
- [TEE-based Encumbered Wallets](/wallet-security/encumbered-wallets)
- [Tools & Resources](/wallet-security/tools-&-resources)
- [Verifying 7702](/wallet-security/verifying-7702)
- [Verifying Standard Transactions](/wallet-security/verifying-standard-transactions)
- [Wallet Security](/wallet-security/overview)

--------------------------------------------------------------------------------
/docs/pages/front-end-web-app/web-application-security.mdx:
--------------------------------------------------------------------------------
---
title: "Web Application Security"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Web Application Security

Providing a secure front-end (web application) for users to interact with your web3 protocol is often essential. Web application vulnerabilities have, however, been exploited in the past to steal user funds, so it is important to take web application security into consideration for your project.

## Best Practices

1. Utilize popular and well-maintained web application frameworks when developing your application.
2. Familiarize yourself with common web application vulnerabilities that may affect your decentralized application, such as Cross-Site Scripting (XSS). Refer to the [OWASP Top 10](https://owasp.org/www-project-top-ten/) for a comprehensive list.
3. Minimize the introduction of custom components in your framework. Ensure that any custom code undergoes thorough internal and external security testing.
4. Refer to the [Infrastructure/DDoS Protection](/infrastructure/ddos-protection) section for insights on ensuring high availability of your protocol’s front-end.
5. Lock down access to associated back-end services, such as S3 buckets, to prevent unauthorized access.
6. Consider deploying additional versions of your front-end on IPFS to ensure availability and resilience.

---

--------------------------------------------------------------------------------
/docs/pages/infrastructure/operating-system-security.mdx:
--------------------------------------------------------------------------------
---
title: "Operating System Security"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Operating System Security

This document outlines some general best practices one should follow with regard to operating system security; if you're interested in a much more comprehensive guide, you could look at [NIST 800-123](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf).

## Best Practices

1. Keep your operating systems updated with the latest security patches and updates.
2. Block the remote shell port from all but required IPs.
3. Block all ports except absolutely required ones from the public Internet.
4. Use tools such as fail2ban to protect against attacks.
5. Enforce per-person accounts and SSH key login.
6. Enable multi-factor authentication.
7. Implement strict access controls to limit administrative privileges and use role-based access control (RBAC).
8. Use antivirus and anti-malware software to detect and prevent malicious activities on systems where relevant.
9. Configure host-based firewalls to control incoming and outgoing network traffic.
10. Implement host-based intrusion detection and prevention systems (HIDS/HIPS).
11. Follow secure configuration guides, such as the NIST 800-123 guidelines, to harden your operating systems.

---

--------------------------------------------------------------------------------
/docs/pages/infrastructure/network-security.mdx:
--------------------------------------------------------------------------------
---
title: "Network Security"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - Cloud
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Network Security

Network security is a very wide subject, and the steps you take depend significantly on whether you're managing your own network, utilizing a cloud provider, or using a service provider. With that said, there are some general best practices to consider:

## Best Practices

1. Infrastructure should deny all incoming traffic by default. When opening ports, consideration should be made as to which ports and incoming IPs are needed. SSH, RDP, and database ports should not be open to the entire Internet.
2. Divide your network into segments to limit the impact of a potential breach.
3. Implement firewalls to control and monitor incoming and outgoing network traffic based on predetermined security rules.
4. Use IDPS to detect and prevent potential security breaches.
5. Use VPNs to provide secure remote access to your network.
6. Encrypt sensitive data in transit using secure protocols.
7. Use ACLs to define and control which systems or users can access network resources.
8. Conduct regular network security audits to identify and address vulnerabilities.
9. Keep any network devices and software updated with the latest security patches.

---

--------------------------------------------------------------------------------
/docs/pages/governance/security-metrics-kpis.mdx:
--------------------------------------------------------------------------------
---
title: "Security Metrics Kpis"
tags:
  - Operations & Strategy
  - Legal & Compliance
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Security Metrics and KPIs

Measuring security performance through metrics and Key Performance Indicators (KPIs) can be very useful for assessing the effectiveness of your security program, and can allow you to make informed decisions on what actions to take with regard to security.

Some examples of what could be worth recording are:

## Key Security Metrics

1. Measure the time taken to detect, respond to, and resolve security incidents.
2. Track the total number of security incidents over a specified period.
3. Measure the time taken to fix identified vulnerabilities.
4. Monitor the rate of false positives generated by security tools to assess their accuracy and efficiency.

## Key Performance Indicators (KPIs)

- **Mean Time to Detect (MTTD)**: The average time taken to detect a security incident.
- **Mean Time to Respond (MTTR)**: The average time taken to respond to a security incident.
- **Patch Management Effectiveness**: Percentage of code/systems patched within a defined timeframe.
- **User Training Completion Rate**: Percentage of project team members who have completed required security training.
- **Security Audit Findings**: Number of findings from security audits and the percentage of findings resolved within a specified period.

---

--------------------------------------------------------------------------------
/docs/pages/incident-management/incident-detection-and-response.mdx:
--------------------------------------------------------------------------------
---
title: "Incident Detection And Response"
tags:
  - Security Specialist
  - Operations & Strategy
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Incident Detection and Response

You don't want to be the project that has funds stolen and then doesn't notice for multiple days. Early detection and effective response to security incidents will help minimize damage.

## Key Components of Incident Detection

- **Monitoring and Logging**: Implement continuous monitoring and logging of on-chain activity for your project to understand when something is behaving out of the ordinary. Also implement monitoring of system events and user behavior to detect anomalies and potential security incidents in off-chain systems such as web applications or cloud environments.

## Key Components of Incident Response

- **Incident Response Team (IRT)**: Establish a dedicated IRT with clearly defined roles and responsibilities.
- **Incident Response Plan (IRP)**: Develop and maintain an IRP that outlines the procedures for detecting, responding to, and recovering from security incidents.
- **Containment**: Implement strategies to contain the incident.
- **Recovery and Remediation**: Ensure that everything is restored to normal operation and take steps to prevent future incidents.
- **Post-Incident Review**: Conduct a thorough review of the incident to identify lessons learned and improve future response efforts.

---

--------------------------------------------------------------------------------
/docs/pages/monitoring/guidelines.mdx:
--------------------------------------------------------------------------------
---
title: "Guidelines"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Guidelines for On-Chain Monitoring

Effective on-chain monitoring is complex, and involves setting up systems and processes to continuously observe blockchain activities and detect any anomalies.

## Best Practices

### Define Monitoring Objectives

1. Determine the critical metrics to monitor, such as large fund transfers, token minting events, and changes in contract ownership.

### Implement Monitoring Tools

1. Use automated monitoring tools that can continuously track blockchain activities and generate alerts for anomalies.
2. Supplement automated tools with periodic manual reviews.

### Establish Alerting Mechanisms

1. Set up real-time alerts to notify relevant project members of any suspicious activities or threshold breaches.
2. Use multiple channels for alerts, such as email, SMS, and messaging apps where available, to ensure timely response.

### Regular Reviews and Updates

1. Conduct regular reviews of your monitoring systems to ensure they are functioning correctly and covering all necessary metrics.
2. Regularly update thresholds and alert configurations to reflect your current needs.

### Incident Response

1. Develop and maintain an [incident response plan](/incident-management/overview) to handle alerts and anomalies as soon as possible.
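As an added example serving both the "Monitoring and Logging" component of incident detection and the monitoring objectives above (not code from the frameworks), the TypeScript below evaluates a stream of decoded on-chain events against thresholds for large fund transfers, token minting, and changes in contract ownership. The event shapes, addresses and thresholds are assumed and the sample stream is constructed; amounts are plain numbers here, whereas production code should use bigint for raw token units.

```typescript
// Added example (not from the frameworks): threshold-based alerting over decoded
// on-chain events. Event shapes, addresses and thresholds are assumed.
// Amounts are plain numbers for the example; use bigint for raw token units.

type ChainEvent =
  | { kind: "Transfer"; block: number; token: string; from: string; to: string; value: number }
  | { kind: "OwnershipTransferred"; block: number; contract: string; previousOwner: string; newOwner: string };

interface Alert { severity: "high" | "critical"; block: number; reason: string }

interface Thresholds {
  largeTransfer: number;        // a single transfer at or above this pages the team
  mintWindowBlocks: number;     // look-back window for cumulative minting
  mintWindowLimit: number;      // total minted within the window before alerting
  watchedContracts: string[];   // contracts whose ownership must not change
}

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const sameAddress = (a: string, b: string) => a.toLowerCase() === b.toLowerCase();

// Events must arrive in block order, as a log stream delivers them.
function evaluate(events: ChainEvent[], t: Thresholds): Alert[] {
  const alerts: Alert[] = [];
  const recentMints: Array<{ block: number; value: number }> = [];   // oldest first
  let mintAlertActive = false;   // alert once per excursion above the limit, not per mint

  for (const e of events) {
    if (e.kind === "OwnershipTransferred") {
      if (t.watchedContracts.some((c) => sameAddress(c, e.contract))) {
        alerts.push({ severity: "critical", block: e.block,
          reason: `ownership of ${e.contract} changed from ${e.previousOwner} to ${e.newOwner}` });
      }
      continue;
    }
    if (e.value >= t.largeTransfer) {
      alerts.push({ severity: "high", block: e.block,
        reason: `large transfer of ${e.value} ${e.token} from ${e.from} to ${e.to}` });
    }
    if (sameAddress(e.from, ZERO_ADDRESS)) {   // ERC-20 mints surface as transfers from the zero address
      recentMints.push({ block: e.block, value: e.value });
      while (recentMints.length > 0 && recentMints[0].block < e.block - t.mintWindowBlocks) {
        recentMints.shift();   // drop mints that fell out of the window
      }
      const total = recentMints.reduce((sum, m) => sum + m.value, 0);
      const over = total > t.mintWindowLimit;
      if (over && !mintAlertActive) {
        alerts.push({ severity: "critical", block: e.block,
          reason: `${total} ${e.token} minted within ${t.mintWindowBlocks} blocks (limit ${t.mintWindowLimit})` });
      }
      mintAlertActive = over;
    }
  }
  return alerts;
}

// Constructed sample: a hypothetical token at 0xToken and a vault at 0xVault.
const SAMPLE_THRESHOLDS: Thresholds = {
  largeTransfer: 1000,
  mintWindowBlocks: 10,
  mintWindowLimit: 1000,
  watchedContracts: ["0xToken", "0xVault"],
};

const SAMPLE_EVENTS: ChainEvent[] = [
  { kind: "Transfer", block: 100, token: "0xToken", from: "0xAlice", to: "0xBob", value: 50 },
  { kind: "Transfer", block: 101, token: "0xToken", from: ZERO_ADDRESS, to: "0xAlice", value: 600 },
  { kind: "Transfer", block: 102, token: "0xToken", from: ZERO_ADDRESS, to: "0xAlice", value: 500 },
  { kind: "Transfer", block: 105, token: "0xToken", from: "0xVault", to: "0xUnknown", value: 5000 },
  { kind: "OwnershipTransferred", block: 106, contract: "0xVault", previousOwner: "0xMultisig", newOwner: "0xUnknown" },
  { kind: "Transfer", block: 200, token: "0xToken", from: ZERO_ADDRESS, to: "0xTreasury", value: 100 },
];

// Expected: mint limit crossed at block 102, large transfer at 105, ownership change at 106;
// the mint at block 200 is outside the window and stays quiet.
function evaluateSample(): Alert[] {
  return evaluate(SAMPLE_EVENTS, SAMPLE_THRESHOLDS);
}
```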

---

--------------------------------------------------------------------------------
/docs/pages/infrastructure/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Infrastructure"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
  - Cloud
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Infrastructure

Infrastructure can often be overlooked in web3, but it's often a very important area given that most front-end web applications are running on centralized infrastructure. This section focuses on Infrastructure Security, encompassing critical aspects such as cloud infrastructure, DNS providers, domain registrars, and DDoS (Distributed Denial of Service) protection.

When designing your architecture, it may be worth considering how many different providers you rely on. Are you going to use different providers for infrastructure, DDoS protection, domain registration, and DNS, or will you choose a provider that provides all of these? On one hand, putting all your eggs in one basket means a failure of that service would cause downtime; on the other hand, using a single service and ensuring it follows all security best practices means a smaller risk surface.

## Contents

1. [Asset Inventory](/infrastructure/asset-inventory)
2. [Cloud Infrastructure](/infrastructure/cloud)
3. [DDoS Protection](/infrastructure/ddos-protection)
4. [DNS and Domain Registration](/infrastructure/domain-and-dns-security/overview)
5. [Network Security](/infrastructure/network-security)
6. [Operating System Security](/infrastructure/operating-system-security)
7. [Zero-Trust Principles](/infrastructure/zero-trust-principles)

---

--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "name": "workspace",
  "version": "1.0.0",
  "description": "Official repository to the Security Frameworks by SEAL. This repository contains the entire structure and contents of the frameworks. Feel free to suggest from new categories to grammar corrections. Collaboration is open to everyone. **This is a work in progress.**",
  "main": "index.js",
  "devDependencies": {
    "@types/exceljs": "^1.3.2",
    "@types/react": "^19.2.7",
    "@types/react-dom": "^19.2.3",
    "cspell": "^9.4.0",
    "tailwindcss": "4.0.7",
    "vocs": "^1.2.1"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "docs:dev": "pnpm run generate-tags && pnpm run generate-indexes && pnpm run mermaid-wrapper && vocs dev --host 0.0.0.0 --port 5173",
    "docs:build": "pnpm run generate-tags && pnpm run generate-indexes && pnpm run mermaid-wrapper && vocs build",
    "postdocs:build": "node utils/searchbar-indexing.js",
    "docs:preview": "vocs preview",
    "generate-tags": "node utils/tags-fetcher.js",
    "mermaid-wrapper": "node utils/mermaid-block-wrapper.js",
    "generate-indexes": "node utils/generate-folder-indexes.js"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "pnpm": {
    "trustedDependencies": [
      "esbuild",
      "just-install"
    ],
    "ignoredBuiltDependencies": [
      "just-install"
    ],
    "onlyBuiltDependencies": [
      "esbuild"
    ]
  },
  "packageManager": "pnpm@10.15.0",
  "dependencies": {
    "exceljs": "^4.4.0",
    "gray-matter": "^4.0.3",
    "just-install": "^2.0.2",
    "mermaid": "^11.12.2",
    "minisearch": "^6.3.0",
    "playwright": "^1.57.0",
    "react": "^19.2.1",
    "react-dom": "^19.2.1",
    "react-router-dom": "^7.10.0"
  }
}

--------------------------------------------------------------------------------
/components/tags/withTagFiltering.css:
--------------------------------------------------------------------------------
/* Tag Filtering Layout Component Styling */
.frameworks-page-wrapper {
  position: relative;
}

.frameworks-header-controls {
  position: fixed;
  top: 16px;
  right: 280px; /* Position near search bar */
  z-index: 1000;
  background: transparent;
  padding: 0;
  border-radius: 6px;
}

/* Add styles for highlighted sidebar links - broader selectors */
:global(aside.filtered a:not(.selected),
  nav.filtered a:not(.selected),
  .sidebar.filtered a:not(.selected),
  #sidebar.filtered a:not(.selected)) {
  opacity: 0.5;
  transition: opacity 0.2s ease;
}

:global(aside a.selected,
  nav a.selected,
  .sidebar a.selected,
  #sidebar a.selected,
  a.selected) {
  background-color: rgba(96, 165, 250, 0.15) !important;
  border-left: 4px solid #60a5fa !important;
  padding-left: 12px !important;
  font-weight: 600 !important;
  transition: all 0.2s ease;
}

/* Light mode adjustments */
@media (prefers-color-scheme: light) {

  :global(aside a.selected,
    nav a.selected,
    .sidebar a.selected,
    #sidebar a.selected,
    a.selected) {
    background-color: rgba(37, 99, 235, 0.15) !important;
    border-left-color: #2563eb !important;
  }
}

/* Responsive positioning for different screen sizes */
@media (max-width: 1200px) {
  .frameworks-header-controls {
    right: 200px;
  }
}

@media (max-width: 900px) {
  .frameworks-header-controls {
    right: 60px;
    top: 12px;
  }
}

/* Mobile adjustments */
@media (max-width: 768px) {
  .frameworks-header-controls {
| position: fixed; 68 | top: 8px; 69 | right: 50px; 70 | left: auto; 71 | } 72 | } -------------------------------------------------------------------------------- /components/certified-protocols/CertifiedProtocols.tsx: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import './CertifiedProtocols.css'; 3 | 4 | export interface Certification { 5 | type: string; 6 | attestationUrl: string; 7 | } 8 | 9 | export interface CertifiedProtocol { 10 | name: string; 11 | logo: string; 12 | website: string; 13 | certifications: Certification[]; 14 | } 15 | 16 | export interface CertifiedProtocolsProps { 17 | protocols: CertifiedProtocol[]; 18 | } 19 | 20 | interface ProtocolCardProps { 21 | protocol: CertifiedProtocol; 22 | } 23 | 24 | const certTypeToName: Record = { 25 | 'sfc-ir': 'Incident Response', 26 | 'sfc-ms': 'Multisig Operations', 27 | 'sfc-dns': 'DNS Registrar', 28 | 'sfc-tro': "Treasury Operations", 29 | 'sfc-ws': "Workspace Security", 30 | }; 31 | 32 | function ProtocolCard({ protocol }: ProtocolCardProps) { 33 | return ( 34 |
    /* The enclosing JSX elements (card container, website link, logo image and
       certification badge links) were stripped during extraction; only the
       expressions embedded in them survive below. */
    {`${protocol.name}
    {protocol.name}
    {protocol.certifications.map((cert, index) => (
      {cert.type.charAt(4)}   /* badge letter: 5th character of the type code, e.g. 'i' for 'sfc-ir' */
    ))}
  );
}

export function CertifiedProtocols({ protocols }: CertifiedProtocolsProps) {
  if (!protocols || protocols.length === 0) {
    return; // empty-state element stripped during extraction
  }

  return (
    /* list container element stripped during extraction */
    {protocols.map((protocol) => (
      <ProtocolCard key={protocol.name} protocol={protocol} /> /* reconstructed from the ProtocolCard signature; the original element (and its key) was stripped */
    ))}
  );
}

--------------------------------------------------------------------------------
/docs/pages/iam/access-management.mdx:
--------------------------------------------------------------------------------
---
title: "Access Management"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - HR
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Access Management Best Practices

Effective access management involves ensuring that users have the right access at the right time, and that access is promptly revoked when no longer needed. Implementing access management practices helps prevent unauthorized access and reduces the risk of insider threats.

## Practices for Access Management

- **Just-In-Time Access**: Implement just-in-time (JIT) access to provide users with temporary access when needed. This minimizes the risk of long-term access being misused.
- **Timely Access Revocation**: Ensure that access is revoked in a timely manner for users who are no longer part of the organization or whose roles within the project have changed.
- **Access Reviews**: Conduct regular access reviews to ensure that team members have appropriate access based on their current functions.
- **On-boarding and Off-boarding Processes**: Establish clear processes for on-boarding new team members and off-boarding departing team members to ensure that access is granted and revoked as appropriate.
- **Access Logging and Monitoring**: Implement logging and monitoring of access to critical services to detect and respond to unauthorized access attempts.

## Best Practices for Access Management

1. Grant users the minimum access necessary to perform their job functions.
2. Ensure that critical tasks require multiple users to perform, reducing the risk of misuse.
3. When possible, use automated tools to manage access provisioning and revocation based on user lifecycle events.

---

--------------------------------------------------------------------------------
/docs/pages/iam/secure-authentication.mdx:
--------------------------------------------------------------------------------
---
title: "Secure Authentication"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - HR
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Secure Authentication

Secure authentication is essential for verifying the identity of team members and ensuring that only authorized individuals have access. By implementing strong authentication mechanisms you can protect your project against unauthorized access and lower the risk of security breaches.

## Key Authentication Methods

- **Multi-Factor Authentication (MFA)**: Require multiple forms of verification (e.g., something you know, something you have, something you are) to enhance security. It is strongly suggested that one does not use SMS as a form of multi-factor authentication, but instead utilizes hardware tokens such as Yubikeys.
- **Single Sign-On (SSO)**: Enable SSO in services you use to allow team members to authenticate once and gain access to multiple systems without re-entering credentials, but make sure that the account connected to SSO is secured by strong Multi-Factor Authentication.
- **Password Management**: Enforce strong password policies and encourage the use of password managers to generate and store complex passwords.

## Best Practices for Secure Authentication

1. Require MFA for all team members, especially for accessing sensitive systems and data. Encourage the use of hardware tokens (e.g., Yubikeys) over SMS-based MFA.
2. Implement monitoring and alerting for suspicious authentication attempts, such as repeated failed logins or logins from unusual locations.
3. Provide training on secure authentication practices and the importance of protecting authentication credentials.

---

--------------------------------------------------------------------------------
/docs/pages/incident-management/communication-strategies.mdx:
--------------------------------------------------------------------------------
---
title: "Communication Strategies"
tags:
  - Security Specialist
  - Operations & Strategy
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Communication Strategies

Communication during an incident can be very hard, as people are often scrambling to fix the issue at hand. Nonetheless, from a team member's, outsider's or observer's point of view, communication is very important for understanding what is happening, and it also provides some time to reflect and think about what is going on. With that said, providing information before confirming that it is accurate can often be very negative and cause uncertainty. It is recommended to have a person designated for communication during an incident and to send updates on a fixed schedule, even if the update is simply that there is currently no new information available.

## Best Practices

1. Define and establish secure communication channels for incident response teams. Use [encrypted messaging apps](/encryption/communication-encryption).
2. Appoint primary and backup spokespersons to handle internal and external communications during an incident.
3. Develop pre-approved templates for incident notifications, updates, and press releases to ensure consistency and speed.
4. Provide regular updates to all stakeholders, including employees, customers, partners, and regulatory authorities, to keep them informed of the situation and response efforts.
5. Maintain clear communication within the incident response team to ensure that everyone is aware of their roles and responsibilities.
6. Be transparent with external stakeholders about the incident, the impact, and the steps being taken to address it. Avoid speculation and provide factual information.

---

--------------------------------------------------------------------------------
/docs/pages/incident-management/playbooks/hacked-drainer.mdx:
--------------------------------------------------------------------------------
---
title: "Wallet Drainer Attack"
tags:
  - Security Specialist
  - Operations & Strategy
contributors:
  - role: wrote
    users: [SEAL]
---
import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'

# Wallet Drainer Attack

If you've been sent this document, then we believe that your funds have been stolen by a wallet drainer. This document will give you some information about drainers, how they work, and how you can protect yourself going forward.

In general, when we refer to a drainer, we're referring to one of a small number of popular drainer software packages available. A drainer customer (or "affiliate") will purchase access to the drainer software from the drainer developer. From there, the affiliate will upload it to phishing websites and promote it via social media, such as Twitter. You can think of drainers like a franchised restaurant: the owner buys the rights to use the logo from the corporation and then pays royalties for every sale.

[Image: Example 5]

Drainers use a variety of different tactics to gain control over your wallet and tokens. For example, drainers have been known to:

- Request approval to spend your tokens directly
- Request signatures to buy your tokens via a DEX that you've already approved
- Request permission to upgrade your wallet to a 7702 wallet, which gives them full control
- Request your private key or seed phrase directly, which gives them full control

Depending on which type of drainer affected you, you might need to take different actions to recover control of your wallet.

---

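For the first tactic in the list (approvals to spend your tokens), the recovery question is "which spenders can still pull from my wallet?". The following is an added example, not part of the SEAL playbook, that answers it from the wallet's ERC-20 `Approval` event history: the latest event per (token, spender) gives the current allowance, anything granted to a spender you do not recognise is flagged, and unlimited approvals are listed first. All addresses and events are constructed; a real run would fetch the victim's `Approval` logs from an archive node and pass them in the same shape.

```python
"""Outstanding ERC-20 approval triage for a drained wallet (added example; constructed events).

ERC-20 Approval(owner, spender, value) emits the new absolute allowance, so the
latest event per (token, spender) is the best on-log estimate of what a spender
can still pull. Event data here is constructed; a real run would pull Approval
logs for the victim address from an archive node.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_UINT256 = 2**256 - 1  # "unlimited" approval value requested by many dapps

# Constructed addresses (not real contracts or accounts).
VICTIM = "0xaaaa" + "0" * 35 + "1"
OTHER_USER = "0xbbbb" + "0" * 35 + "2"
TOKEN_A = "0x1111" + "0" * 35 + "a"
TOKEN_B = "0x2222" + "0" * 35 + "b"
ROUTER = "0x9999" + "0" * 35 + "9"          # a DEX router the victim knowingly uses
DRAINER = "0xdead" + "0" * 32 + "dead"      # the spender granted on the phishing site

# Constructed allowlist of spenders the wallet owner recognises.
KNOWN_SPENDERS = {ROUTER: "DEX router (constructed allowlist)"}


@dataclass
class ApprovalEvent:
    block: int
    log_index: int
    token: str
    owner: str
    spender: str
    value: int  # new absolute allowance, not a delta


# Constructed Approval history for the victim (plus one unrelated owner).
EVENTS = [
    ApprovalEvent(100, 1, TOKEN_A, VICTIM, ROUTER, 1_000),
    ApprovalEvent(120, 0, TOKEN_B, VICTIM, ROUTER, 250),
    ApprovalEvent(150, 0, TOKEN_A, VICTIM, ROUTER, 0),               # victim revoked this one
    ApprovalEvent(200, 3, TOKEN_A, VICTIM, DRAINER, MAX_UINT256),    # signed on the phishing site
    ApprovalEvent(205, 2, TOKEN_B, OTHER_USER, DRAINER, MAX_UINT256),  # someone else's wallet
    ApprovalEvent(210, 0, TOKEN_B, VICTIM, DRAINER, 500),
]


def current_allowances(events: List[ApprovalEvent], owner: str) -> Dict[Tuple[str, str], int]:
    """Latest non-zero allowance per (token, spender) for `owner`, applied in log order."""
    owner = owner.lower()
    latest: Dict[Tuple[str, str], int] = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.owner.lower() != owner:
            continue
        latest[(ev.token.lower(), ev.spender.lower())] = ev.value
    return {k: v for k, v in latest.items() if v > 0}


def triage(events: List[ApprovalEvent], owner: str, known_spenders: Dict[str, str]) -> List[dict]:
    """Allowances granted to spenders not on the allowlist, unlimited ones first."""
    known = {k.lower() for k in known_spenders}
    findings = []
    for (token, spender), value in current_allowances(events, owner).items():
        if spender in known:
            continue
        findings.append({
            "token": token,
            "spender": spender,
            "value": value,
            "unlimited": value == MAX_UINT256,
            # Revocation is an approve(spender, 0) call on the token, sent from the owner.
            "action": f"send approve({spender}, 0) on {token} from {owner.lower()}",
        })
    return sorted(findings, key=lambda f: (not f["unlimited"], f["token"]))


if __name__ == "__main__":
    for f in triage(EVENTS, VICTIM, KNOWN_SPENDERS):
        print(("UNLIMITED " if f["unlimited"] else f"{f['value']} ") + f["action"])
```

Two caveats for real use: some token implementations reduce an allowance on `transferFrom` without emitting a fresh `Approval`, so the value from logs is an upper bound and should be confirmed with the token's `allowance(owner, spender)` view before and after revoking; and revocation only protects tokens still in the wallet, which is why the 7702-upgrade and seed-phrase cases in the list above call for different recovery actions than the approval case.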
--------------------------------------------------------------------------------
/docs/pages/front-end-web-app/common-vulnerabilities.mdx:
--------------------------------------------------------------------------------
---
title: "Common Vulnerabilities"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Common Vulnerabilities

Understanding and mitigating common vulnerabilities is crucial for securing your web and mobile applications. Here are some frequently encountered vulnerabilities:

## General Vulnerabilities

- **Account Takeovers**: Having the administrator accounts for your services (DNS, Cloud, Domain Registrar, Email, GitHub, etc.) taken over is likely to be devastating to your project, as a threat actor can then make malicious changes. To protect against this, follow best practices for account security and use hardware 2FA solutions to secure the accounts.

## Web Application Vulnerabilities

- **Cross-Site Scripting (XSS)**: Malicious scripts injected into trusted websites, leading to data theft or session hijacking.
- **Cross-Site Request Forgery (CSRF)**: Unauthorized commands transmitted from a user trusted by the web application.
- **Insecure Direct Object Reference (IDOR)**: Unauthorized access to data by manipulating input parameters.

## Mobile Application Vulnerabilities

- **Insecure Data Storage**: Sensitive data stored in an insecure manner on the device.
- **Insufficient Transport Layer Protection**: Lack of encryption for data transmitted over the network.
- **Insecure Authentication and Authorization**: Weak authentication mechanisms and improper authorization checks.
- **Code Tampering**: Modifications to the application code by attackers.

Refer to the [OWASP Top 10](https://owasp.org/www-project-top-ten/) and [OWASP Mobile Security Project](https://owasp.org/www-project-mobile-top-10/) for more details on common vulnerabilities and mitigation strategies.

---

--------------------------------------------------------------------------------
/docs/pages/intro/introduction.mdx:
--------------------------------------------------------------------------------
---
title: "Introduction"
tags:
  - SEAL/Initiative
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter, BenchmarkList } from '../../../components'

# Introduction to Frameworks

Welcome to the Security Frameworks by Security Alliance (SEAL), a curated resource for those seeking knowledge in the realm of blockchain security. Our organization, a collective of dedicated security specialists, is on a mission to spread awareness and educate the community about best practices and potential pitfalls in Web3 security.

## Why We Created This Resource

We have noticed a growing need to address the various challenges and issues facing our field, some of which include security threats not specifically aimed at Web3 infrastructure. Recognizing that information is abundant but not always easily accessible, we've compiled and organized existing resources from around the internet and generated new content specifically with this purpose in mind.

## Who Can Benefit

Regardless of your background—whether in Web2, Web3, or beyond—these guidelines are open to all who seek to learn and contribute. We aim to establish a comprehensive, high-level security framework for Web3 projects, providing best practices to development teams throughout the lifecycle of their projects. Consider this a one-stop shop for everything related to Web3 security.

## How to Contribute

Read our [Contribution Guide](/contribute/contributing) to learn how you can contribute to this project.

## Who We Are

SEAL is a not-for-profit organization committed to enhancing security awareness, education, and specialized work as a public good for the Web3 ecosystem, its supporting technologies, and communities. Our efforts are driven by a shared desire to foster a safer, more informed digital landscape. We do this by designing innovative projects, engaging elite technologists, and coordinating on the social layer to ensure meaningful adoption.

---

--------------------------------------------------------------------------------
/docs/pages/privacy/financial-privacy-services.mdx:
--------------------------------------------------------------------------------
---
title: "Financial Privacy Services"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Financial Privacy Services

Maintaining financial privacy is often seen as important by people inside the web3 ecosystem, and it can help protect personal and financial information from unauthorized access and fraud.

## Tools for Financial Privacy

1. **Cash**
   - Using cash for transactions can help maintain privacy by avoiding digital records.
   - Pros: Anonymous, widely accepted.
   - Cons: Not practical for online transactions, physical security risks.

2. **Prepaid Cards**
   - Use prepaid debit cards for purchases to avoid linking transactions to your bank account.
   - Pros: Anonymity, control over spending.
   - Cons: Fees, limited acceptance.

3. **Privacy.com**
   - A service that allows you to create virtual credit cards for online purchases.
   - Pros: Protects your real credit card information, easy to use.
   - Cons: Limited to US users.

## Strategies for Financial Privacy

1. **Limit Data Sharing**
   - Be cautious about sharing financial information online.
   - Use secure methods for sharing sensitive information, such as encrypted emails.

2. **Monitor Your Accounts**
   - Regularly review your cryptocurrency wallets, bank and credit card statements for unauthorized transactions.
   - Set up alerts for suspicious activity.

3. **Use Secure Connections**
   - Ensure that your internet connection is secure when conducting financial transactions.
   - Use a VPN to encrypt your internet traffic.

4. **Shred Financial Documents**
   - Shred any physical documents containing financial information before disposing of them.
   - Store important documents in a secure location.

---

--------------------------------------------------------------------------------
/docs/pages/ens/data-integrity-verification.mdx:
--------------------------------------------------------------------------------
---
title: "Data Integrity Verification"
tags:
  - Engineer/Developer
  - Security Specialist
contributors:
  - role: wrote
    users: [ghadi8]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Data Integrity & Verification

## Use On-chain Resolution for Financial Transactions

- Always resolve fresh data directly from Ethereum mainnet whenever conducting financial transactions
- Do not rely on indexer or API data when moving or managing funds
- Preferably run an Ethereum node for high-value transactions, or if not feasible, use reputable L1 RPC providers while still verifying the integrity and audit status of all software involved in the resolution process

**Rationale**: Indexers and third-party APIs may have delayed updates or inconsistencies that could lead to payments being sent to outdated or incorrect addresses. By querying L1 directly, applications work with the most current and authoritative ENS data, dramatically reducing the risk of misdirected funds. This is particularly crucial for high-value transactions where the consequences of using stale data could be severe.

## Verify Forward Resolution on [Reverse Records](https://docs.ens.domains/ensip/3)

- Always perform forward resolution on reverse records to verify that the address matches
- Check that name → address → name completes a valid loop
- Clearly indicate to users when there's a mismatch

**Rationale**: ENS supports both forward resolution (name → address) and reverse resolution (address → name). However, reverse records can be set independently, creating the possibility for spoofing or impersonation if not properly verified. By performing forward resolution on the result of a reverse lookup and comparing it to the original address, applications can ensure the bidirectional integrity of the ENS data, preventing potential phishing or impersonation attacks.

---

--------------------------------------------------------------------------------
/components/benchmark/Benchmark.css:
--------------------------------------------------------------------------------
.benchmark-list {
  --card-bg: rgba(255, 255, 255, 0.05);
  --card-border: rgba(255, 255, 255, 0.1);
  --card-text: #e5e7eb;
  --card-muted: #9ca3af;
  --card-strong: #ffffff;
  --popup-bg: #374151;
  --popup-border: rgba(255, 255, 255, 0.1);
  --popup-shadow: 0 2px 6px rgba(0, 0, 0, 0.3);
  --popup-text: #e5e7eb;

  :root:not(.dark) & {
    --card-bg: rgba(0, 0, 0, 0.02);
    --card-border: rgba(0, 0, 0, 0.08);
    --card-text: #1f2937;
    --card-muted: #6b7280;
    --card-strong: #202020;
    --popup-bg: #ffffff;
    --popup-border: rgba(0, 0, 0, 0.1);
    --popup-shadow: 0 2px 6px rgba(0, 0, 0, 0.2);
    --popup-text: #1f2937;
  }

  .benchmark-card {
    background: var(--card-bg);
    border-color: var(--card-border);
    display: block;
  }

  .benchmark-title {
    color: var(--card-strong);
  }

  .benchmark-description {
    color: var(--card-muted);
  }

  .benchmark-info-btn {
    border-color: var(--card-border);
    color: var(--card-text);
  }

  .benchmark-popup {
    position: absolute;
    top: 30px;
    right: 0;
    background: var(--popup-bg);
    border: 1px solid var(--popup-border);
    border-radius: 6px;
    padding: 10px;
    width: 250px;
    font-size: 13px;
    box-shadow: var(--popup-shadow);
    z-index: 10;
    color: var(--popup-text);
  }

  .benchmark-popup-strong {
    color: var(--card-strong);
  }

  .benchmark-expanded-content {
    max-height: 0;
    overflow: hidden;
    transition: max-height 0.3s ease-out;
  }

  .benchmark-expanded-content.expanded {
    max-height: 500px;
    transition: max-height 0.3s ease-in;
  }

  .benchmark-expanded-inner {
    border-color: var(--card-border);
    color: var(--card-muted);
    margin-left: 24px;
  }

  .benchmark-expanded-inner ul {
    list-style-type: disc;
    list-style-position: outside;
    padding-left: 20px;
    margin: 4px 0;
  }

  .benchmark-expanded-inner li {
    margin-bottom: 2px;
  }
}

--------------------------------------------------------------------------------
/docs/pages/infrastructure/ddos-protection.mdx:
--------------------------------------------------------------------------------
---
title: "Ddos Protection"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - Cloud
  - SRE
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# DDoS Protection

Distributed Denial of Service (DDoS) attacks are a pervasive threat that can disrupt your services by overwhelming them with excessive traffic.

## Best Practices

- **Use Cloud Provider Solutions**: Utilize the DDoS protection services offered by your cloud provider:

### AWS

- **AWS Shield Standard and Advanced**:
  - *Shield Standard*: Basic DDoS protection at no extra cost.
  - *Shield Advanced*: Enhanced protection with real-time visibility and access to the AWS DDoS Response Team (DRT).
- **Amazon CloudFront and AWS WAF**:
  - *CloudFront*: Distributes traffic globally to mitigate DDoS attacks.
  - *AWS WAF*: Protects against application layer attacks.

### Azure

- **Azure DDoS Protection Basic and Standard**:
  - *DDoS Protection Basic*: Automatic protection against common attacks.
  - *DDoS Protection Standard*: Advanced protection with real-time monitoring.
- **Azure Front Door and Azure Application Gateway with WAF**:
  - *Front Door*: Global application delivery with DDoS mitigation.
  - *Application Gateway with WAF*: Protects against various attacks.

### GCP

- **Google Cloud Armor**: Provides DDoS protection and WAF capabilities.
- **Load Balancing**: Distributes traffic to mitigate DDoS attacks.
- **VPC Flow Logs and Stackdriver Logging**: Monitors and logs traffic patterns for effective response.

## External DDoS Protection Providers

In addition to cloud provider solutions, consider external DDoS protection services:

- **Cloudflare**: Offers comprehensive DDoS protection and mitigation services.
- **Akamai**: Provides scalable DDoS protection solutions.
- **Imperva**: Specializes in DDoS protection and mitigation.

---

--------------------------------------------------------------------------------
/docs/pages/secure-software-development/secure-code-repositories-version-control.mdx:
--------------------------------------------------------------------------------
---
title: "Secure Code Repositories Version Control"
tags:
  - Engineer/Developer
  - Security Specialist
  - Devops
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Secure Code Repositories and Version Control

Managing secure code repositories and following sound version control practices helps protect your project from unauthorized access and ensures the integrity of your codebase.

## Best Practices for Secure Code Repositories

1. **Access Control**
   - Implement strict access controls to limit who can view, modify, and commit code.
   - Use role-based access control (RBAC) to grant permissions based on the user's role within the organization.

2. **Multi-Factor Authentication (MFA)**
   - Require MFA for all users accessing the code repository to add an extra layer of security.
   - Use hardware tokens or authentication apps for stronger security.

3. **Branch Protection**
   - Enable branch protection rules to prevent unauthorized changes to critical branches such as main/master.
   - Require code reviews and approvals by another person before changes can be merged into the main/master branch.

4. **Audit Logs**
   - Enable audit logging to track all activities within the repository.
   - Regularly review logs to detect any suspicious activities or unauthorized access attempts.

## Secure Version Control Practices

1. **Commit Signing**
   - Require developers to sign their commits with GPG keys to verify the authenticity of the code changes.
   - Enforce commit signing policies in the version control system.

2. **Regular Backups**
   - Regularly back up the code repository to prevent data loss.
   - Store backups in a secure, offsite location.

3. **Continuous Integration/Continuous Deployment (CI/CD)**
   - Integrate security checks into the CI/CD pipeline to automatically scan code for vulnerabilities.
   - Ensure that only tested and approved code is deployed to production.
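One concrete way to enforce the commit-signing policy from the CI/CD pipeline, as an added example rather than anything from the SEAL repository: the job runs `git log --format='%H%x09%G?%x09%GK%x09%an' origin/main..HEAD` (these are standard git placeholders; `%G?` is the signature status, `%GK` the signing key id, `%x09` a tab) and feeds the output to the gate below. A commit passes only if git reports a good signature *and* the signing key is on a team roster, so a valid signature from a departed member's still-trusted key is rejected as well. The log lines, SHAs and key ids are constructed.

```python
"""Commit-signing policy gate for a CI job (added example; constructed data).

Assumes the job runs:
    git log --format='%H%x09%G?%x09%GK%x09%an' origin/main..HEAD
and feeds the output to check_policy(). %G? is git's signature-status code,
%GK the key id used to sign, %x09 a tab separator.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Meaning of git's %G? placeholder values (see git-log documentation).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with untrusted key",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key or error)",
    "N": "no signature",
}

# Constructed roster: key ids of current team members (hypothetical values).
ALLOWED_KEYS = frozenset({"A11CEA11CEA11CE0", "CA201CA201CA2010"})

# Constructed git log output; SHAs and key ids are not real.
SAMPLE_LOG = (
    "a1" * 20 + "\tG\tA11CEA11CEA11CE0\tAlice Dev\n"
    + "b2" * 20 + "\tN\t\tBob Dev\n"                        # unsigned
    + "c3" * 20 + "\tB\tBAD0BAD0BAD0BAD0\tAlice Dev\n"      # signature does not verify
    + "d4" * 20 + "\tU\tCA201CA201CA2010\tCarol Dev\n"      # valid, key not trusted in CI keyring
    + "e5" * 20 + "\tG\tD0D0D0D0D0D0D0D0\tDave Former\n"    # valid, but signer left the team
)


@dataclass
class Commit:
    sha: str
    status: str  # %G?
    key_id: str  # %GK (empty when unsigned)
    author: str  # %an


@dataclass
class Violation:
    sha: str
    reason: str


def parse_log(text: str) -> List[Commit]:
    """Parse tab-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key_id, author = line.split("\t", 3)
        commits.append(Commit(sha, status, key_id, author))
    return commits


def check_policy(
    commits: List[Commit],
    accept: FrozenSet[str] = frozenset({"G"}),
    allowed_keys: FrozenSet[str] = ALLOWED_KEYS,
) -> List[Violation]:
    """Return one Violation per commit that fails either check.

    A commit passes only if its signature status is in `accept` AND the signing
    key is on the roster. Accepting "U" as well is useful when the CI keyring
    carries no trust signatures; the roster check still rejects unknown keys.
    """
    violations = []
    for c in commits:
        if c.status not in accept:
            desc = SIGNATURE_STATUS.get(c.status, f"unknown status {c.status!r}")
            violations.append(Violation(c.sha, f"{desc} (author: {c.author})"))
        elif c.key_id not in allowed_keys:
            violations.append(
                Violation(c.sha, f"key {c.key_id} is not on the team roster (author: {c.author})")
            )
    return violations


def gate(log_text: str, **kwargs) -> bool:
    """True when every commit in the range passes; prints findings otherwise."""
    violations = check_policy(parse_log(log_text), **kwargs)
    for v in violations:
        print(f"REJECT {v.sha[:12]}: {v.reason}")
    return not violations


if __name__ == "__main__":
    raise SystemExit(0 if gate(SAMPLE_LOG) else 1)
```

The gate only works if the CI job imports the team's public keys into its keyring before running `git log`; otherwise every commit reports `E` and is rejected, which is the safe failure mode. Pair it with the branch protection rule above so the check runs on every pull request to main/master.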
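The forward-verification rule from the ENS data-integrity page above (address → name → address must close the loop, otherwise show the raw address) as an added worked example; this is not code from SEAL or from the ENS project. The two lookup functions stand in for the reverse registrar and resolver calls a real client would make on L1, and every name and address is constructed. It also covers the two failure cases a client must distinguish: a reverse record that names a name resolving to someone else (spoof), and one that names a name with no forward record at all.

```python
"""Forward-verification of ENS reverse records (added example; constructed records).

Real applications would back lookup_reverse/lookup_forward with on-chain calls
to the ENS reverse registrar and resolver; here both are in-memory dicts.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed addresses and names; none of these are real ENS records.
ALICE = "0xabcdef0123456789abcdef0123456789abcdef01"
TREASURY = "0x2222222222222222222222222222222222222222"
SPOOFER = "0x3333333333333333333333333333333333333333"
GHOST_OWNER = "0x4444444444444444444444444444444444444444"
UNKNOWN = "0x5555555555555555555555555555555555555555"

FORWARD_RECORDS = {  # name -> address (what the name's resolver returns)
    "alice.eth": ALICE,
    "treasury.dao.eth": TREASURY,
}
REVERSE_RECORDS = {  # address -> name claimed via the reverse registrar
    ALICE: "alice.eth",                 # honest: closes the loop
    SPOOFER: "treasury.dao.eth",        # spoof: claims a name that resolves elsewhere
    GHOST_OWNER: "ghost.eth",           # claims a name with no forward record
}


def normalize_address(addr: str) -> str:
    """EIP-55 checksum casing carries no identity; compare as lowercase hex."""
    return addr.lower()


def lookup_reverse(address: str) -> Optional[str]:
    """Stand-in for the reverse registrar lookup (addr.reverse -> name)."""
    return REVERSE_RECORDS.get(normalize_address(address))


def lookup_forward(name: str) -> Optional[str]:
    """Stand-in for resolving a name's address record on L1."""
    return FORWARD_RECORDS.get(name)


@dataclass
class ReverseCheck:
    address: str
    claimed_name: Optional[str]      # from the reverse lookup, or None
    forward_address: Optional[str]   # what claimed_name resolves to, or None
    verified: bool                   # True only when the loop closes


def verify_reverse_record(
    address: str,
    reverse: Callable[[str], Optional[str]] = lookup_reverse,
    forward: Callable[[str], Optional[str]] = lookup_forward,
) -> ReverseCheck:
    """address -> name -> address must return to the starting address."""
    name = reverse(address)
    if name is None:
        return ReverseCheck(address, None, None, False)
    fwd = forward(name)
    closed = fwd is not None and normalize_address(fwd) == normalize_address(address)
    return ReverseCheck(address, name, fwd, closed)


def display_name(address: str) -> str:
    """UI rule: show the name only when verified; otherwise fall back to the address."""
    check = verify_reverse_record(address)
    return check.claimed_name if check.verified else address


if __name__ == "__main__":
    for addr in (ALICE, SPOOFER, GHOST_OWNER, UNKNOWN):
        c = verify_reverse_record(addr)
        print(f"{addr[:10]}... claims {c.claimed_name!r:20} verified={c.verified} shown as {display_name(addr)}")
```

In a real client the forward lookup must be made on the name exactly as returned by the reverse record after ENSIP-15 normalization, and, per the first section of that page, both lookups should go to L1 rather than an indexer when funds are involved; a mismatch should be surfaced to the user rather than silently replaced by the address.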
---

--------------------------------------------------------------------------------
/docs/pages/opsec/travel/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Operational Security while traveling"
tags:
  - Security Specialist
  - Operations & Strategy
  - Engineer/Developer
  - Security Specialist
  - Devops
  - SRE
contributors:
  - role: wrote
    users: [mattaereal]
  - role: reviewed
    users: []
  - role: fact-checked
    users: []
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'

# Operational Security while traveling

> 🔑 **Key Takeaway**: Travel introduces unique security risks to your digital assets and sensitive information. Proper preparation before, vigilance during, and careful review after travel creates a comprehensive defense strategy that balances security with practical usability.

When we travel, our normal security routines are disrupted, and we face elevated risks from physical theft, digital surveillance, border inspections, and social engineering. Web3 professionals face additional challenges when traveling with crypto assets or access to treasury funds.

The resources in this section provide practical guidance for maintaining operational security while traveling:

- [OpSec Travel Guide](/opsec/travel/guide) - A comprehensive resource covering all aspects of travel security with in-depth explanations and implementation details
- [Too Long; Did not Read version](/opsec/travel/tldr) - A condensed checklist format for quick security planning before and during travel

## Three-phase Security Approach

Our travel security framework is organized into three critical phases:

1. **Pre-travel preparation**: Risk assessment, device hardening, backup creation, and contingency planning
2. **On-trip vigilance**: Network security, physical device protection, social engineering awareness, and maintaining operational security
3. **Post-travel review**: Device inspection, account security verification, and lessons learned documentation

Additional considerations are provided for high-risk travelers who may face targeted threats due to their role or access to valuable assets.

---

--------------------------------------------------------------------------------
/docs/pages/privacy/privacy-focused-operating-systems-tools.mdx:
--------------------------------------------------------------------------------
---
title: "Privacy Focused Operating Systems Tools"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Privacy-Focused Operating Systems and Tools

Using privacy-focused operating systems and tools can significantly enhance your digital privacy. These systems and tools are designed to protect your data and minimize your digital footprint.

## Privacy-Focused Operating Systems

1. **Tails**
   - A live operating system that you can start on any computer from a USB stick or DVD.
   - Pros: Leaves no trace on the computer, comes with built-in privacy tools.
   - Cons: Requires a USB stick or DVD, limited software availability.

2. **Qubes OS**
   - An open-source operating system designed for security through isolation.
   - Pros: Strong isolation, supports running multiple virtual machines.
   - Cons: Requires fairly powerful hardware, steep learning curve.

3. **Whonix**
   - A security-focused operating system that runs in a virtual machine and uses Tor to anonymize internet traffic.
   - Pros: Strong anonymity, easy to use.
   - Cons: Slower internet speeds due to Tor, requires a virtual machine.

## Privacy-Focused Tools

1. **Tor Browser**
   - A web browser designed for anonymous browsing using the Tor network.
   - Pros: Strong anonymity, easy to use.
   - Cons: Slower browsing speeds, some websites block Tor traffic.

2. **Signal**
   - An encrypted messaging app for secure communication.
   - Pros: End-to-end encryption, open source.
   - Cons: Requires a phone number for registration.

3. **KeePass**
   - An open-source password manager for securely storing and managing passwords.
   - Pros: Strong encryption, no cloud storage.
   - Cons: Requires manual setup, less user-friendly than some alternatives.

4. **VeraCrypt**
   - A disk encryption software for creating secure, encrypted volumes.
   - Pros: Strong encryption, supports hidden volumes.

---

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/non-content-request.yml:
--------------------------------------------------------------------------------
name: Non Content Request
description: Strategy, tech, or other non-content related issues and ideas.
body:
  - type: markdown
    attributes:
      value: |
        Thank you for taking the time to share your feedback or idea for Frameworks.
        _Please be as detailed as possible so we understand the issue or opportunity — and so we and other contributors can provide feedback._

  - type: checkboxes
    id: type_of_request
    attributes:
      label: "Type of request"
      description: "Select the category that best fits this issue:"
      options:
        - label: "Strategy (planning, high-level discussions, roadmap)"
        - label: "Tech (infrastructure, tooling, tech stack)"
        - label: "Other"
    validations:
      required: true

  - type: textarea
    id: description
    attributes:
      label: "Why are you raising this issue?"
      description: "Describe the problem, suggestion, or idea in detail (e.g., something isn’t working as expected, a feature could be improved, a new tool might be helpful, or you have a strategic idea to share)."
      placeholder: "Explain the issue, improvement, or idea you're proposing."
    validations:
      required: true

  - type: textarea
    id: why_needed
    attributes:
      label: "Why do you think it is important?"
      description: "If it is not self-explanatory, or relatively clear, add a few sentences explaining how it matters to Frameworks."
      placeholder: "Add reasoning or context here."
    validations:
      required: false

  - type: textarea
    id: justification
    attributes:
      label: "Can you justify your argument or provide additional resources?"
      description: "Add any resources or references that support your idea or help explain your reasoning."
      placeholder: "Add any helpful resources or evidence here."
    validations:
      required: false

  - type: checkboxes
    id: contribution_intent
    attributes:
      label: "Contribution intent"
      description: "Tell us how you’d like to contribute."
      options:
        - label: "I can work on implementing this"
        - label: "I'm raising this for discussion/someone else to handle"
    validations:
      required: true

--------------------------------------------------------------------------------
/docs/pages/monitoring/thresholds.mdx:
--------------------------------------------------------------------------------
---
title: "Thresholds"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Defining Thresholds for On-Chain Monitoring

Setting appropriate thresholds for on-chain monitoring is hard: you want to detect unusual activity without generating excessive false positives. Here are some guidelines for defining and configuring thresholds.

## Generic Guidelines

### Understand Normal Activity Patterns

1. Establish baseline metrics for normal activities, such as average transaction volumes and typical token minting rates (if any).
2. Use historical data to understand activity patterns and identify deviations from the norm.

### Set Thresholds for Alerts

1. Define thresholds for large fund transfers from project wallets, considering both absolute amounts and relative percentages.
2. Set thresholds for token minting events, including the number of tokens minted and the frequency of minting.
3. Establish thresholds for changes in contract ownership or significant modifications to contract code.

### Adjust Thresholds Over Time

1. Implement adaptive thresholds that can adjust based on changing activity patterns and emerging threats.
2. Periodically review and update thresholds to ensure they remain relevant and effective.

### Multi-Layered Thresholds

1.
   Use primary thresholds for critical alerts and secondary thresholds for less urgent notifications.
2. Define thresholds based on a combination of metrics to reduce false positives and improve accuracy.

### Anomaly Detection

It is hard, if not impossible, to predict every type of alert one should set up for their project. As such, implementing an anomaly detection system can be of great value: it monitors the project and its transactions in real time and compares them to previous behavior. If, for example, it is common for 4% of tokens to change owner each day and on one day 20% of tokens change owner within 10 minutes, that could be flagged as an anomaly and a cause for investigation.

---

--------------------------------------------------------------------------------
/docs/pages/supply-chain/dependency-awareness.mdx:
--------------------------------------------------------------------------------
---
title: "Dependency Awareness"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Dependency Awareness

Dependency awareness is the practice of understanding and managing all the external libraries, frameworks, and components that a software project relies on. Dependencies can introduce vulnerabilities and risks, which means it's important to keep track of them and ensure they are secure.

## Importance of Dependency Awareness

1. **Security Risks**
   - Dependencies can contain vulnerabilities that may be exploited by threat actors.

2. **Compliance**
   - Ensuring that dependencies comply with licensing and regulatory requirements is essential to avoid legal issues.

3.
   **Maintainability**
   - Understanding dependencies and their impact on the project helps you determine whether a dependency used by your application can be updated.

## Best Practices for Dependency Awareness

1. **Use Dependency Management Tools**
   - Leverage tools that can automatically track and manage dependencies. Examples include:
     - **Web2:**
       - **Snyk:** Monitors and fixes vulnerabilities in dependencies.
       - **Dependabot:** Automatically updates dependencies in GitHub projects.
     - **Solidity:**
       - **Ethlint:** Analyzes and lints Solidity code, including dependencies.
       - **MythX:** Scans for vulnerabilities in smart contract dependencies.

2. **Regularly Update Dependencies**
   - Regularly update dependencies to the latest secure versions after verifying them.

3. **Monitor for Vulnerabilities**
   - Continuously monitor dependencies for known vulnerabilities using tools like Snyk, npm audit, and GitHub Security Alerts.

4. **Audit Dependencies**
   - Perform regular audits of dependencies to ensure they are necessary and secure. Remove unused or outdated dependencies.

5. **Use Trusted Sources**
   - Only use dependencies from trusted and reputable sources. Avoid using unverified or poorly maintained libraries.
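Two of the best practices above, monitoring declared dependencies against an advisory feed and auditing for dependencies that nothing in the code base actually imports, as an added Python example; this is not tooling from the framework or from the products it names. The manifest, the package names, the advisory ids (`EXAMPLE-ADV-…`) and the source files are all constructed, and the manifest is assumed to hold pinned versions (as a lockfile would) rather than semver ranges.

```python
"""Minimal dependency audit: flag installed packages below an advisory's fixed
version and list declared dependencies that no source file imports.
Added example with constructed data; not the framework's own tooling."""
import re

# Constructed manifest in package.json style; versions are assumed to be
# pinned (as a lockfile would record them), not semver ranges.
MANIFEST = {
    "dependencies": {
        "yaml-parse": "2.1.0",
        "left-utils": "1.4.2",
        "old-crypto-shim": "0.9.0",
    }
}

# Constructed advisory feed (placeholder ids, fictional packages).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "yaml-parse",
     "affected_below": "2.2.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "left-utils",
     "affected_below": "1.4.0", "severity": "medium"},
]

# Constructed source tree used for the unused-dependency check.
SOURCES = {
    "src/index.js": "const yp = require('yaml-parse');\n"
                    "import { pad } from 'left-utils';\n",
    "src/util.js": "const answer = 42;\n",
}

# Matches require('pkg') and `from 'pkg'`; relative paths (./, ../, /) are skipped.
IMPORT_RE = re.compile(r"""(?:require\(|from\s+)['"]([^'"./][^'"]*)['"]""")


def parse_version(v):
    """Turn '2.1.0' (optionally prefixed with v, ^ or ~) into a comparable tuple."""
    m = re.match(r"[v^~]*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups())


def find_vulnerable(manifest, advisories):
    """Return (package, installed, advisory id, severity) for every advisory whose
    fixed version is newer than what the manifest declares."""
    deps = manifest.get("dependencies", {})
    hits = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and parse_version(installed) < parse_version(adv["affected_below"]):
            hits.append((adv["package"], installed, adv["id"], adv["severity"]))
    return hits


def imported_packages(source):
    """Collect top-level package names imported by a JavaScript source string."""
    names = set()
    for spec in IMPORT_RE.findall(source):
        parts = spec.split("/")
        # Scoped packages keep '@scope/name'; subpath imports map to the package.
        names.add("/".join(parts[:2]) if spec.startswith("@") else parts[0])
    return names


def find_unused(manifest, sources):
    """Declared dependencies that no source file imports: candidates for removal."""
    used = set()
    for text in sources.values():
        used |= imported_packages(text)
    return sorted(set(manifest.get("dependencies", {})) - used)


def audit(manifest=MANIFEST, advisories=ADVISORIES, sources=SOURCES):
    """Run both checks; 'ok' is True only when nothing needs attention."""
    vulnerable = find_vulnerable(manifest, advisories)
    unused = find_unused(manifest, sources)
    return {"vulnerable": vulnerable, "unused": unused,
            "ok": not vulnerable and not unused}


if __name__ == "__main__":
    report = audit()
    for pkg, ver, adv_id, sev in report["vulnerable"]:
        print(f"[{sev}] {pkg}@{ver} affected by {adv_id}")
    for pkg in report["unused"]:
        print(f"[unused] {pkg} is declared but never imported")
    print("ok" if report["ok"] else "action required")
```

Run as a script it reports the vulnerable `yaml-parse` pin and the never-imported `old-crypto-shim`; a real pipeline would read the lockfile and an advisory database instead of the constructed dictionaries, and would fail the build when `audit()["ok"]` is false.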
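The multi-layered threshold and anomaly detection guidelines on the Thresholds page above (a baseline built from history, a primary layer that trips on an absolute amount or a relative share, a secondary layer that needs several metrics to agree, and the page's scenario of a 4%-per-day baseline against 20% of supply moving within ten minutes), as an added Python example that is not code from the framework. The token supply, the 14-day outflow history, the threshold values and the sample transfers are all constructed.

```python
"""Baseline, multi-layered thresholds and a sliding-window anomaly check for
on-chain wallet monitoring. Added example with constructed data."""
from dataclasses import dataclass
from statistics import mean, pstdev

DAY = 86_400
TOTAL_SUPPLY = 1_000_000  # constructed token supply


@dataclass(frozen=True)
class Transfer:
    ts: int      # block timestamp (unix seconds)
    amount: int  # tokens leaving the monitored wallet


# Constructed 14-day history of daily outflow from a project wallet; a real
# deployment would derive it from indexed Transfer events.
DAILY_OUTFLOW = [38_000, 41_000, 40_000, 42_000, 39_000, 40_500, 41_500,
                 40_000, 39_500, 40_000, 41_000, 38_500, 40_000, 41_000]


def baseline(daily_totals):
    """Mean and population standard deviation of historical daily outflow."""
    return mean(daily_totals), pstdev(daily_totals)


def classify_transfer(amount, wallet_balance, base_mean, base_std,
                      primary_abs=200_000, primary_pct=0.10,
                      secondary_abs=50_000, secondary_sigma=3.0):
    """Multi-layered thresholds.

    'critical' (primary layer): an absolute amount OR a share of the wallet
    balance is breached, so draining a small wallet is not missed.
    'warning' (secondary layer): an absolute floor AND a statistical deviation
    from the baseline must both hold, which keeps routine large payouts quiet.
    """
    relative = amount / wallet_balance if wallet_balance else 1.0
    if amount >= primary_abs or relative >= primary_pct:
        return "critical"
    sigma = (amount - base_mean) / base_std if base_std else 0.0
    if amount >= secondary_abs and sigma >= secondary_sigma:
        return "warning"
    return None


def window_anomaly(transfers, now, window=600, daily_share=0.04,
                   supply=TOTAL_SUPPLY, multiplier=10.0):
    """Share of supply moved in the last `window` seconds versus the share the
    daily baseline predicts for a window that long. Flags an anomaly when the
    observed share exceeds the expectation by `multiplier`."""
    moved = sum(t.amount for t in transfers if now - window < t.ts <= now)
    share = moved / supply
    expected = daily_share * window / DAY
    return share, share > expected * multiplier


# Constructed recent transfers: a routine payment, then a 20%-of-supply burst.
T0 = 1_700_000_000
QUIET = [Transfer(T0 + 60, 150)]
BURST = QUIET + [Transfer(T0 + 300, 200_000)]


if __name__ == "__main__":
    m, s = baseline(DAILY_OUTFLOW)
    print(f"baseline: mean={m:.0f} std={s:.0f} tokens/day")
    for amt in (45_000, 60_000, 250_000):
        print(f"transfer {amt}: {classify_transfer(amt, 5_000_000, m, s)}")
    for label, events in (("quiet", QUIET), ("burst", BURST)):
        share, flagged = window_anomaly(events, now=T0 + 600)
        print(f"{label}: {share:.2%} of supply in 10 min, anomaly={flagged}")
```

The window check expects only about 0.03% of supply to move in any ten-minute slice when the daily rate is 4%, so the 20% burst is flagged by three orders of magnitude while the routine payment stays silent; the `multiplier` and the secondary layer's sigma are the knobs to revisit when the page's "adjust thresholds over time" review finds the alert too chatty or too quiet.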
---

--------------------------------------------------------------------------------
/docs/pages/ens/overview.mdx:
--------------------------------------------------------------------------------
---
title: "ENS Best Practices"
tags:
  - Engineer/Developer
  - Security Specialist
contributors:
  - role: wrote
    users: [ghadi8]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# ENS Best Practices

> 🔑 **Key Takeaway**: To securely implement ENS in your applications, prioritize direct L1 data verification, enforce proper name normalization, and validate bidirectional resolution. Always verify interface support before interaction, respect chain-specific cointype parameters, and implement [CCIP-Read](https://eips.ethereum.org/EIPS/eip-3668) functionality correctly. These practices prevent address spoofing, ensure cross-chain compatibility, and maintain data integrity throughout the ENS ecosystem.

The Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain.

ENS maps human-readable names like 'alice.eth' to machine-readable identifiers such as Ethereum addresses, other cryptocurrency addresses, content hashes, metadata, and more. ENS also supports 'reverse resolution', making it possible to associate metadata such as primary names or interface descriptions with Ethereum addresses.

## What This Framework Covers

This best practices framework includes guidance on:

* **[Data Integrity & Verification](/ens/data-integrity-verification)** - Ensuring reliable and secure name resolution
* **[Cross-Chain Compatibility](/ens/cross-chain-compatibility)** - Supporting ENS across multiple blockchain networks
* **[Smart Contract Integration](/ens/smart-contract-integration)** - Leveraging ENS in smart contract systems
* **[Interface Compliance](/ens/interface-compliance)** - Correctly implementing and [verifying ENS interfaces](https://eips.ethereum.org/EIPS/eip-165)
* **[Name Handling & Normalization](/ens/name-handling-normalization)** - Properly processing and displaying ENS names

These recommendations are designed for developers integrating ENS into applications, wallets, smart contracts, or other blockchain systems. Following these practices will help create more secure, reliable, and user-friendly ENS implementations.

---

--------------------------------------------------------------------------------
/docs/pages/privacy/data-removal-services.mdx:
--------------------------------------------------------------------------------
---
title: "Data Removal Services"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Data Removal Services

Removing your personal data from online platforms can help protect your privacy and reduce the risk of identity theft. Here are some steps and services to help you remove your data from the internet.

## Steps to Remove Your Data

1. **Identify Where Your Data Is**
   - Conduct a search of your name and information on search engines to identify where your data is located.
   - Review your social media accounts, online forums, and public records for any personal information.

2. **Request Data Removal**
   - Contact websites directly to request the removal of your data. Most sites have a contact form or email for privacy concerns.
   - Use online tools and forms provided by search engines like Google to remove specific results.

3. **Opt-Out of Data Brokers**
   - Data brokers collect and sell personal information. Opt out of their databases using their online forms.
   - Some common data brokers include Spokeo, Whitepages, and PeopleFinder.

## Data Removal Services

1. **DeleteMe**
   - A subscription service that removes your data from data brokers and online databases.
   - Pros: Comprehensive removal, regular monitoring.
   - Cons: Costly subscription model.

2. **PrivacyDuck**
   - Offers manual removal services from various websites and databases.
   - Pros: Thorough and personalized service.
   - Cons: Expensive, manual process.

3. **OneRep**
   - Automated removal service that targets over 100 data broker sites.
   - Pros: Automated process, extensive reach.
   - Cons: Subscription fee required.

4. **JustDeleteMe**
   - A directory of direct links to delete your account from web services.
   - Pros: Free, easy to use.
   - Cons: Requires manual effort.

## Best Practices

1. Regularly check and update the privacy settings on your online accounts.
2. Be mindful of the information you share online and with whom.
3. Use pseudonyms for accounts that don't require your real name.
---

--------------------------------------------------------------------------------
/docs/pages/treasury-operations/overview.mdx:
--------------------------------------------------------------------------------
---
title: "Treasury Operations Security"
tags:
  - Treasury Ops
  - Operations
  - Risk Management
contributors:
  - role: wrote
    users: [dickson]
---

import {
  TagList,
  AttributionList,
  TagProvider,
  TagFilter,
  ContributeFooter,
} from "../../../components";

# Treasury Operations Security

> 💡 Institutional-grade security frameworks for managing custodial treasury accounts and large cryptocurrency transfers

## What is Treasury Operations Security?

Treasury operations security provides protocols and frameworks for organizations managing significant cryptocurrency holdings through custodial accounts. These guides help you classify accounts by risk, implement appropriate security controls, maintain proper documentation, and execute large transfers safely.

## Core Components

### [Classification Framework](./classification)

Assess and classify custodial accounts based on financial impact and operational requirements. Determine appropriate security controls, approval thresholds, and monitoring levels for each account.

### [Registration Documents](./registration-documents)

Standardized templates for registering custodial accounts, tracking access changes, documenting security configurations, and performing quarterly reviews.

### [Enhanced Controls](./enhanced-controls)

Additional security measures for high-risk and critical accounts, including MPC recommendations, zero-trust architecture, and advanced monitoring.

### [Transaction Verification](./transaction-verification)

Step-by-step protocols for receiving and sending large cryptocurrency transfers, including address verification, test transactions, and multi-party confirmation requirements.

## Getting Started

1. **Classify your accounts** using the [Classification Framework](./classification) to determine risk levels
2. **Register each account** using the [Registration Documents](./registration-documents) templates
3. **Implement controls** based on classification, with [Enhanced Controls](./enhanced-controls) for high-risk accounts
4. **Follow verification protocols** from [Transaction Verification](./transaction-verification) for all large transfers

---

--------------------------------------------------------------------------------
/docs/pages/security-testing/integration-testing.mdx:
--------------------------------------------------------------------------------
---
title: "Integration Testing"
tags:
  - Engineer/Developer
  - Security Specialist
  - Operations & Strategy
  - Devops
  - SRE
contributors:
  - role: wrote
    users: [patrickalphac]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Integration Testing

While unit tests verify that individual functions work in isolation (often with mocked dependencies), integration tests verify that your smart contracts work correctly with real external systems. In Web3, this primarily means testing with **fork tests** - running your contracts against real blockchain state. In our unit tests we `mocked` interactions with external systems; integration tests actually work with those systems, by running as:

- Fork tests
- Testnet Tests
- Inexpensive Mainnet Tests (Be careful here!)
In smart contract development, this means testing your contracts against real protocols, oracles, and blockchain state rather than mocked versions.

## What are Fork Tests?

Fork tests involve creating a local copy of the blockchain state at a specific block height, allowing you to run your smart contracts against real data and interactions. This is crucial for testing how your contracts will behave in production conditions, especially when they rely on external systems like oracles or other protocols.

In Foundry, you can run a fork test just by passing in the RPC URL of the network to fork:

```bash
forge test --fork-url <RPC_URL>
```

## Why Fork Testing Matters

Most smart contract security issues arise from unexpected interactions with external systems. Fork testing helps you catch these issues before deployment by testing against real-world conditions.

## How to Implement Fork Tests

Running a fork test can be as straightforward as pointing to contract addresses on a forked network. You can see a full example from the [Cyfrin Updraft foundry-fund-me curriculum.](https://github.com/Cyfrin/foundry-fund-me-cu/blob/main/test/integration/InteractionsTest.t.sol)

## References

This document incorporates knowledge from:

- [Cyfrin Updraft Security Testing Curriculum](https://updraft.cyfrin.io)

---

--------------------------------------------------------------------------------
/docs/pages/ens/smart-contract-integration.mdx:
--------------------------------------------------------------------------------
---
title: "Smart Contract Integration"
tags:
  - Engineer/Developer
  - Security Specialist
contributors:
  - role: wrote
    users: [ghadi8]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Smart Contract Integration

## Name Your Smart Contracts

- Register ENS names for core contracts in your project's ecosystem
- Set appropriate reverse records for your contracts
- Document contract ENS names in project documentation
- Consider naming contracts at deployment time to ensure immediate resolvability
- Use a standard pattern for contract naming to improve discoverability

**Rationale**: Smart contracts typically have complex hexadecimal addresses that are error-prone when shared or referenced. By assigning ENS names to smart contracts, developers can significantly improve user experience, make documentation more approachable, and reduce the risk of address errors. This practice is especially important for contracts that interact directly with users or serve as key infrastructure components. Human-readable names also aid in contract verification, as users can more easily confirm they're interacting with official protocol contracts rather than potential phishing imitations.
## Leverage ENS as an Infrastructure Component

- Use ENS for service discovery between contract components
- Build upgradeability mechanisms that leverage ENS for implementation pointers
- Consider ENS as a registry for official protocol extensions and integrations
- Use ENS records to store protocol metadata in a human-readable format

**Rationale**: ENS can serve as more than just a human-readable address layer; it can function as critical infrastructure for contract systems. Using ENS for implementation pointers enables flexible and upgradeable architectures, as contract dependencies can be redirected without requiring contract redeployment. This pattern supports robust governance models while maintaining a consistent user interface. Additionally, using ENS to register official extensions creates a trust layer that helps users identify legitimate protocol integrations, while storing protocol metadata in ENS records improves discoverability and system documentation.

---

--------------------------------------------------------------------------------
/docs/pages/encryption/communication-encryption.mdx:
--------------------------------------------------------------------------------
---
title: "Communication Encryption"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Secure Messaging Systems

Using secure messaging systems is crucial for protecting the privacy and integrity of your communications. Here are some popular messaging systems that offer end-to-end encryption, and some that do not offer it by default.

## End-to-End Encrypted Messaging Systems

1. **Signal**
   - Offers strong end-to-end encryption for messages, voice calls, and video calls.
   - Open source and highly recommended for secure communication.
   - [Signal](https://signal.org/)

2. **Matrix/Element**
   - An open standard for decentralized communication with end-to-end encryption.
   - Element is a popular client for the Matrix protocol.
   - [Matrix](https://matrix.org/) / [Element](https://element.io/)

3. **WhatsApp**
   - Provides end-to-end encryption for messages, voice calls, and video calls by default.
   - Owned by Meta (Facebook).
   - [WhatsApp](https://www.whatsapp.com/)

4. **Wire**
   - End-to-end encryption for messages and calls.
   - Open source with a strong focus on privacy.
   - [Wire](https://wire.com/)

## Messaging Systems Without Default End-to-End Encryption

These messaging systems claim to encrypt data in transit and at rest, but do not provide end-to-end encryption for messages by default.

1. **Telegram**
   - Offers end-to-end encryption only for "Secret Chats".
   - [Telegram](https://telegram.org/)

2. **Discord**
   - Does not offer end-to-end encryption for messages.
   - [Discord](https://discord.com/)

3. **Zoom**
   - End-to-end encryption for calls, but it must be manually enabled.
   - [Zoom](https://zoom.us)

4. **Slack**
   - Does not offer end-to-end encryption for messages.
   - [Slack](https://slack.com/)

5. **Microsoft Teams**
   - Does not offer end-to-end encryption for messages.
   - [Microsoft Teams](https://www.microsoft.com/en/microsoft-teams/group-chat-software)

For secure communication, it is recommended to use messaging systems that offer end-to-end encryption by default.
---

--------------------------------------------------------------------------------
/docs/pages/secure-software-development/secure-coding-standards-guidelines.mdx:
--------------------------------------------------------------------------------
---
title: "Secure Coding Standards Guidelines"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Secure Coding Standards and Guidelines

Using secure coding standards and guidelines makes your software more likely to be resilient to security threats. Standards of this kind help developers avoid common vulnerabilities and help ensure that security is considered at every stage of development.

## Secure Coding Standards

1. **Input Validation**
   - Validate all inputs to ensure they conform to expected formats and ranges.
   - Use whitelisting (allowing only known good inputs) rather than blacklisting.

2. **Output Encoding**
   - Encode output data before rendering it, so that untrusted input cannot be interpreted as markup or code.
   - Use libraries and frameworks that provide built-in encoding functions.

3. **Authentication and Authorization**
   - Implement strong authentication mechanisms to verify user identities.
   - Ensure proper authorization checks are in place to control access to resources based on user roles.

4. **Error Handling**
   - Handle errors gracefully without revealing sensitive information.
   - Log errors securely and provide generic error messages to users.

## Guidelines for Secure Coding

1. **Use Secure Libraries and Frameworks**
   - Use libraries and frameworks that have been vetted for security and are regularly updated.
   - Avoid using deprecated or unmaintained libraries.

2. **Follow Principle of Least Privilege**
   - Grant the minimum level of access necessary for code to function.
   - Avoid running code with high privileges.

3. **Secure Data Storage**
   - Encrypt sensitive data both at rest and in transit.
   - Use secure storage mechanisms for credentials and secrets.

4. **Regular Code Reviews**
   - Conduct regular code reviews to identify and fix security vulnerabilities.
   - Use automated tools to complement manual code reviews.

5. **Continuous Security Training**
   - Provide ongoing security training for developers to keep them informed about the latest threats and best practices.
   - Encourage participation in security communities and events.

---

--------------------------------------------------------------------------------
/docs/pages/secure-software-development/code-reviews-peer-audits.mdx:
--------------------------------------------------------------------------------
---
title: "Code Reviews Peer Audits"
tags:
  - Engineer/Developer
  - Security Specialist
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Code Reviews and Peer Audits

Code reviews and peer audits help identify and mitigate security vulnerabilities in software. They involve systematically examining code to ensure it adheres to the security standards and best practices of the project.

## Best Practices for Code Reviews

1. **Regular Reviews**
   - Conduct code reviews regularly to identify and fix security vulnerabilities early in the development process.
   - Integrate code reviews into the development workflow to make them a routine part of the process.

2. **Review Checklists**
   - Use review checklists to ensure that all security aspects are covered during the review.
   - Checklists should include common security issues such as input validation, error handling, and authentication.

3. **Automated Tools**
   - Use automated code analysis tools to assist in identifying potential security vulnerabilities.
   - Tools like SonarQube, Checkmarx, and Snyk can help in detecting issues that might be missed during manual reviews.

4. **Peer Audits**
   - Encourage peer audits where team members review each other's code.
   - Peer audits provide a fresh perspective and can help identify issues that the original developer might overlook.

## Conducting Effective Code Reviews

1. **Focus on Security**
   - Prioritize security issues during code reviews.
   - Ensure that code follows secure coding standards and guidelines.

2. **Collaborative Approach**
   - Foster a collaborative environment where reviewers and developers work together to improve code quality.
   - Provide constructive feedback and encourage open communication.

3. **Document Findings**
   - Document all findings from code reviews and track their resolution.
   - Use issue tracking systems to manage identified vulnerabilities and ensure they are addressed.

4. **Continuous Improvement**
   - Continuously improve the code review process based on feedback and lessons learned.
   - Regularly update review checklists and practices to keep up with evolving security threats.
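The input validation, output encoding and error handling standards from the Secure Coding Standards page above, which are also the first items the review checklist above asks reviewers to look for, as one added Python example that is not code from the framework. The request shape (a `user` and `qty` parameter), the allowlist pattern and the sample inputs are constructed; the point is what a reviewer should expect to find: an allowlist rather than a denylist, encoding at the point of output, and error paths that log detail privately but echo nothing back to the caller.

```python
"""Allowlist input validation, context-aware output encoding and error handling
that logs detail privately while returning a generic message. Added example with
constructed inputs; not the framework's own code."""
import html
import logging
import re
import uuid

log = logging.getLogger("app")

# Allowlist: only the characters and lengths we know are valid (not a denylist of bad ones).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


class ValidationError(ValueError):
    """Raised for any input that fails the allowlist or range checks."""


def validate_username(raw):
    """Accept a username only if it matches the allowlist pattern exactly."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username does not match allowed pattern")
    return raw


def validate_quantity(raw, low=1, high=100):
    """Parse an integer and enforce the expected range; reject anything else."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValidationError("quantity is not an integer") from None
    if not low <= value <= high:
        raise ValidationError(f"quantity outside {low}..{high}")
    return value


def render_greeting(username, quantity):
    """Encode values for the HTML context they are rendered into, so input can
    never be interpreted as markup even if validation is loosened later."""
    return f"<p>Hello, {html.escape(username)}! You ordered {quantity} item(s).</p>"


def handle_request(params):
    """Validate, render, and on failure log the detail with a correlation id while
    the user only sees a generic message that echoes nothing back."""
    try:
        user = validate_username(params.get("user"))
        qty = validate_quantity(params.get("qty"))
    except ValidationError as exc:
        ref = uuid.uuid4().hex[:8]
        # %r keeps newlines escaped, so a crafted input cannot forge extra log lines.
        log.warning("request %s rejected: %s (input=%r)", ref, exc, params)
        return {"status": 400, "body": f"Invalid request (reference {ref})."}
    return {"status": 200, "body": render_greeting(user, qty)}


def rejects(check, *args):
    """True when check(*args) raises ValidationError; used by the demo below."""
    try:
        check(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for sample in ({"user": "alice_01", "qty": "5"},
                   {"user": "<b>bob</b>", "qty": "5"},
                   {"user": "bob", "qty": "9999"}):
        print(handle_request(sample))
```

A reviewer working through the checklist would confirm that every external value passes through a `validate_*` function before use, that the template escapes at the boundary where HTML is produced rather than trusting earlier validation, and that the 400 response carries only a correlation id that can be matched to the private log entry.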
---

--------------------------------------------------------------------------------
/docs/pages/multisig-for-protocols/joining-a-multisig.mdx:
--------------------------------------------------------------------------------
---
tags:
  - Engineer/Developer
  - Security Specialist
  - Multisig Security
contributors:
  - role: wrote
    users: [isaac, geoffrey, louis, pablo, dickson]
  - role: reviewed
    users: [pinalikefruit, engn33r]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Joining a Multisig

It is recommended to always create a fresh address on a hardware wallet for each new multisig.

## Verifying address ownership

Creating a proof of address ownership provides important documentation and security assurances to the protocol for all multisig signers. Entity affiliations are acceptable - the goal is accountability, not doxxing.

### Preparing and sharing address & Signature

Sign a message such as `[@social_handle | name | entity] is looking to join [Multisig Name] X DAO multisig with address 0x...` with the private key you intend to use as a signer. One option is to use the MyCrypto web UI:

1. Connect your wallet to https://app.mycrypto.com/sign-message
2. Enter the message, click "sign" and sign the message on the wallet.
3. The `sig` field in the result JSON is the signature hash.

Share the message:

- **Option 1** - Publish the message along with the signature hash on Twitter or other easily accessible social media.
- **Option 2** - Share the message privately with the multisig admin so it can be stored with the multisig documentation.

## Ethereum signature verification

### Etherscan UI

1. Go to https://etherscan.io/verifiedSignatures.
2. Click the Verify Signature button.
3. Input address, message & signature hash data & click Continue.
4. See whether the signature provided is valid.
5. To publish: choose "Verify & publish" and click "Continue".
6. After the signature is verified, you'll get the link for sharing.

Note: Enter the plain text message (not the hex version MyEtherWallet will give!) and ensure the signature includes the 0x prefix.

### MyCrypto

1. Go to https://app.mycrypto.com/verify-message
2. Enter the JSON & click Verify:

```json
{
  "address": "0x...",
  "msg": "0x...",
  "sig": "signature_hash"
}
```

Note that "msg" is hex text starting with 0x (add 0x before the hex encoded string if necessary).

4. See whether the signature provided is valid.

--------------------------------------------------------------------------------
/docs/pages/safe-harbor/self-checklist.mdx:
--------------------------------------------------------------------------------
---
title: "Self Checklist"
tags:
  - SEAL/Initiative
  - Protocol
  - DAO
  - Whitehat
contributors:
  - role: wrote
    users: [dickson]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'

# Safe Harbor Eligibility Checklist

Use this checklist to evaluate whether adopting the **SEAL Whitehat Safe Harbor Agreement** makes sense for your protocol.

## Can Safe Harbor Help Your Protocol?

- [ ] **Do you hold user funds in smart contracts?** Without Safe Harbor, whitehats who could save your users' funds might hesitate to act due to legal uncertainty around unauthorized access.
- [ ] **Do you want whitehats to help during active attacks?** Safe Harbor gives ethical hackers legal protection to intervene immediately, before attackers can drain your protocol.
- [ ] **Do you already have a bug bounty or security disclosure program?** Safe Harbor fills the critical gap your bug bounty can't cover - live attacks happening right now, when disclosure timelines don't matter.
- [ ] **Do you want to increase the odds of recovering funds?** Safe Harbor encourages rescue attempts by trusted whitehats.

If you checked any of the above, you can benefit from adopting our Safe Harbor.

## What Does Adoption Involve?

1. Define your scope (what's covered, where funds go, bounty %, etc.)
2. (If DAO) Pass a governance proposal
3. Register on-chain
4. Update your Terms of Service and documentation
5. Make a public announcement to inform users and whitehats

It's fast, flexible (DAO or non-DAO), and aligns with industry standards.

## Ready to Get Started?

You have 3 ways to adopt:

1. **Self-adopt using our guide:**

   → [Self-Adoption Guide](/safe-harbor/self-adoption-guide)

2. **Get help from SEAL (free):**

   → [Apply for onboarding](https://form.typeform.com/to/QF3YjWno)

3. **Adopt via a third-party:**

   → Immunefi: [Immunefi Integration Form](https://docs.google.com/forms/d/e/1FAIpQLSehHw_KyNfSr9YbnO1AB3OZ4cvVS2oInIxdveCPguR9GSxZFQ/viewform)

Find out more about [Safe Harbor](/safe-harbor/overview)

---

If you ever need help or have any questions, don’t hesitate to reach out!

Contact us at: [safe-harbor@securityalliance.org](mailto:safe-harbor@securityalliance.org)

---

--------------------------------------------------------------------------------