diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 29c55dd069..fb02ccecbd 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -60,6 +60,8 @@ When submitting changes in a PR, consider the following areas: ### Structure +> **Need help with content structure?** Check out [How To Make A Cheatsheet guide](GUIDELINE.md) for structured guidelines, content organization, and best practices. + - Start with a H1 of the cheat sheet name - The first section of the cheat sheet should be an introduction which briefly sums up the contents, and provides a short list of key bullet points. - The table of contents will be automatically generated on the site, so does not need to be added as a section. diff --git a/GUIDELINE.md b/GUIDELINE.md new file mode 100644 index 0000000000..dc27c42c0f --- /dev/null +++ b/GUIDELINE.md @@ -0,0 +1,245 @@ +# Cheat Sheet Creation Guide + +## Basic Cheat Sheet Template + +```markdown + +# [Topic] Cheat Sheet + +## Introduction + +Brief overview of the topic, its importance in application security, and target audience. + +## Table of Contents + +- [Background](#background) +- [Threat Analysis](#threat-analysis) +- [Prevention Strategies](#prevention-strategies) +- [Implementation Guide](#implementation-guide) +- [Testing & Validation](#testing--validation) +- [Monitoring & Maintenance](#monitoring--maintenance) +- [References & Resources](#references--resources) + +## Background + +### What is [Topic]? + +Definition and explanation of the security concept. + +### Why is [Topic] Important? + +Explanation of why this security topic matters. + +### Current Threat Landscape + +Overview of current threats and attack vectors. + +## Threat Analysis + +### Attack Vectors + +- Attack Vector 1: Description and examples +- Attack Vector 2: Description and examples +- Attack Vector 3: Description and examples + +### Vulnerability Types + +- Vulnerability Type 1: Description and impact +- Vulnerability Type 2: Description and impact +- Vulnerability Type 3: Description and impact + +### Risk Assessment + +- High Risk: Critical vulnerabilities and their impact +- Medium Risk: Moderate vulnerabilities and their impact +- Low Risk: Minor vulnerabilities and their impact + +## Prevention Strategies + +### Defense in Depth + +1. Layer 1: Primary defense mechanism +2. Layer 2: Secondary defense mechanism +3. Layer 3: Tertiary defense mechanism + +### Best Practices + +- Best Practice 1: Description and implementation +- Best Practice 2: Description and implementation +- Best Practice 3: Description and implementation + +## Implementation Guide + +### Step-by-Step Implementation + +#### Step 1: Preparation + +language +// Code example for step 1 + + +#### Step 2: Configuration + +language +// Code example for step 2 + + +#### Step 3: Validation + +language +// Code example for step 3 + + +### Framework-Specific Implementation + +#### Framework A + +language +// Framework A specific implementation + + +#### Framework B + +language +// Framework B specific implementation + + +## Testing & Validation + +### Testing Methods + +- Method 1: Description and tools +- Method 2: Description and tools +- Method 3: Description and tools + +### Validation Checklist + +- [ ] Check 1: Description +- [ ] Check 2: Description +- [ ] Check 3: Description + +### Tools & Utilities + +- Tool 1: Description and usage +- Tool 2: Description and usage +- Tool 3: Description and usage + +## Monitoring & Maintenance + +### Ongoing Monitoring + +- Metric 1: What to monitor and how +- Metric 2: What to monitor and how +- Metric 3: What to monitor and how + +### Maintenance Tasks + +- Task 1: Frequency and procedure +- Task 2: Frequency and procedure +- Task 3: Frequency and procedure + +### Incident Response + +- Detection: How to detect issues +- Response: How to respond to issues +- Recovery: How to recover from issues + +## References & Resources + +### Further Reading + +- [Resource 1](link): Description +- [Resource 2](link): Description +- [Resource 3](link): Description + +### Tools & Utilities + +- [Tool 1](link): Description +- [Tool 2](link): Description +- [Tool 3](link): Description + +### Standards & Frameworks + +- [Standard 1](link): Description +- [Standard 2](link): Description +- [Standard 3](link): Description + +### Related Cheat Sheets + +- [Related Cheat Sheet 1](link): Description +- [Related Cheat Sheet 2](link): Description +- [Related Cheat Sheet 3](link): Description + +``` + +### Advanced Template Features + +```markdown + +#### Code Comparison Tables + +| Aspect | Secure Implementation | Vulnerable Implementation | +|--------|---------------------|---------------------------| +| Input Validation | `validateInput(input)` | `raw_input()` | +| Output Encoding | `html.escape(output)` | Direct output | +| Authentication | `verifyToken(token)` | No verification | + +#### Risk Assessment Matrix + +| Threat | Likelihood | Impact | Risk Level | +|--------|------------|--------|------------| +| Threat 1 | High | High | Critical | +| Threat 2 | Medium | High | High | +| Threat 3 | Low | Medium | Medium | + +#### Implementation Checklist + +### Implementation Checklist + +#### Preparation +- [ ] Review security requirements +- [ ] Identify target environment +- [ ] Gather necessary tools + +#### Implementation +- [ ] Configure security settings +- [ ] Implement validation logic +- [ ] Test functionality + +#### Validation +- [ ] Run security tests +- [ ] Verify configurations +- [ ] Document changes +``` + +--- + +## Conclusion + +This guideline helps you to create security guidance that helps practitioners implement effective security controls. + +### Key Success Factors + +1. **Clear Scope**: Define what you're covering and what you're not +2. **Practical Focus**: Emphasize actionable guidance over theory +3. **Comprehensive Coverage**: Address all major aspects of the topic +4. **Current Information**: Keep content up-to-date with latest threats and defenses +5. **Community Engagement**: Gather feedback and continuously improve +6. **Quality Assurance**: Thorough review and testing of all content + +### Next Steps + +1. **Choose Your Topic**: Select a security domain that needs coverage +2. **Research Existing Content**: Review current cheat sheets and identify gaps +3. **Plan Your Structure**: Use the templates provided to organize your content +4. **Develop Content**: Write comprehensive, practical guidance +5. **Review & Test**: Validate technical accuracy and usability +6. **Publish & Maintain**: Share with community and keep updated + +### Remember + +The goal is to create **practical, concise, and actionable security guidance** that helps practitioners build more secure applications and systems. Focus on providing value to your target audience and maintaining high quality standards. + +--- + +*This guide is based on analysis of existing OWASP cheat sheets to identify common patterns and best practices for creating effective security documentation.* diff --git a/README.md b/README.md index 368aa88a46..fa99050a8c 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ Feel free to ask questions, suggest ideas, or share your best recipes. ## Contributions, Feature Requests, and Feedback -We are actively inviting new contributors! To start, please read the [contribution guide](CONTRIBUTING.md). +We are actively inviting new contributors! To start, please read the [contribution guide](CONTRIBUTING.md) and our [How To Make A Cheatsheet guide](GUIDELINE.md). This project is only possible thanks to the work of many dedicated volunteers. Everyone is encouraged to help in ways large and small. Here are a few ways you can help: