Computer security guidelines and references

A list of computer security guidelines and references.

Table of content

Guidelines

Misc. and general guidelines

• NIST Guidelines
• OpenSSF Guides
• OWASP
  • OWASP Cheat Sheets
• NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1
• Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default
• Référentiel général de sécurité (RGS) of ANSSI (France)
• Publications from ANSSI (France)

Authentication guidelines

• NIST SP 800-63 Digital Identity Guidelines, revision 4
• NIST SP 800-63 Digital Identity Guidelines, revision 3
• A review of current Password Policies/Recommendations (2024)

In French:

• Recommandations relatives à l'authentification multifacteur et aux mots de passe from ANSSI (France)

Cryptography guidelines

Cryptographic Right Answer:

• Latacora's Cryptographic Right Answer: Post Quantum Edition (2024)
• Latacora's Cryptographic Right Answers (2018)
• Ptacek's Cryptographic Right Answers (2015)
• Percival's Cryptographic Right Answers (2009)

Misc:

• Cryptographic Key Length Recommendation
• NIST SP 800-57 Part 1 Rev 5 - Recommendation for Key Management: Part 1 General
• ECrypt - Algorithms, Key Size and Protocols Report (2018)

In French:

• Guide des mécanismes cryptographiques from ANSSI (France)

Application security guidelines

• OWASP Application Security Verification Standard (ASVS)
  • ASVS 5.0.0 (with some contributions of mine)
  • ASVS 4.0.3
• OWASP Software Component Verification Standard (SCVS)
• Minimum Viable Secure Product (MVSP)
• OWASP Mobile Application Security (MAS)
  • OWASP Mobile Application Security Verification Standard 2.0.0 (MASVS)
  • OWASP Mobile Application Security Testing Guide (MASTG)
  • OWASP MAS Checklist
• Concise Guide for Developing More Secure Software (OpenSSF)

The different OWASP Top 10 are intended to be awareness documents:

• OWASP Top 10 (for web applications)
• OWASP API Security Top 10
• OWASP Top 10 Proactive Controls

Supply chain guidelines

• SLSA (Supply-chain Levels for Software Artifacts)
• OWASP Software Component Verification Standard (SCVS)

IoT security guidelines

• ETSI EN 303 645 V2.1.1, Cyber Security for Consumer Internet of Things: Baseline Requirements
• ETSI EN 303 645 V2.1.2, Cyber Security for Consumer Internet of Things: Baseline Requirements
• ENISA Baseline Security Recommendations for IoT

In French:

• Recommandations relatives à la sécurité des (systèmes d’)objets connectés (ANSSI, France)

Vulnerability reporting guidelines

• How to Write a Good Report and Use the CVSS Calculator (hacker101)

Vulnerability disclosure guidelines

• OWASP - Vulnerability Disclosure Cheat Sheet
• OpenSSF Guide to implementing a coordinated vulnerability disclosure process for open source projects
• The CERT Guide to Coordinated Vulnerability Disclosure
• HackerOne - Vulnerability Disclosure Guidelines
• GitHub docs - About coordinated disclosure of security vulnerabilities
• ISO/IEC 29147:2014 ~ Information technology — Security techniques — Vulnerability disclosure
• Responsible Vulnerability Disclosure Process
• ETSI TR 103 838 V1.1.1, Guide to Coordinated Vulnerability Disclosure

Threat models

• The MITRE EMB3D™ Threat Model, cyber threats to embedded devices

Standards

• Common Weakness Enumeration
• Common Vulnerability Scoring System (CVSS)
  • CVSS 4.0 Calculator
  • CVSS 3.1 Calculator
  • CVSS 3.0 Calculator
• SSVC Calculator (Stakeholder-Specific Vulnerability Categorization)

Courses

Security courses

• Brown CSCI 1650 – Software Security and Exploitation
• Brown CSCI 2951U – Topics in Software Security
• Stanford CS 253 – Web Security

Cryptography courses

• Stanford CS255: Introduction to Cryptography and its online videos
• A Graduate Course in Applied Cryptography By Dan Boneh and Victor Shoup (book)
• Introduction to Cryptography (videos) by Christof Paar