Create Security Guideline #73
Comments
I'm interested to help with this, although I have just a few questions. What format does the documentation need to be in? Would you like any examples that could integrate into the getting started application that could help show basic examples of the attacks where possible, and how to mitigate them with the supplied tools in CI? Sorry, I am new to contributing on GitHub.
@Bikerboi that would be awesome! We have a first crack at the page but it's missing a lot of the things that I think would be helpful, like realistic examples of how to do this within a CI application, using CI tools. Ideally, I would love to see it fleshed out to something more like Rails' security guide. The documentation is written in Sphinx's RST format. More info at their docs and in our own guidelines. Love the fact that you're a first-time contributor! Always exciting to see new people helping out the community. Feel free to ask any questions you have as you move along.
@lonnieezell That will be no problem. That is a very good start; I like how it's heavily aligned to OWASP. I'm an OWASP member. I will give it a shot to flesh it out quite similar to the Rails guide with realistic examples with CI. That does lead me on to another question. I am very excited to help out in this community; I originally came over from HackerOne to check out the CI bug bounty program, which I am still planning on doing.
That's great to hear that you're an OWASP member! We look forward to any places you find that we're lacking in what we can provide. The sample app should be working with the current state of CI4, yes. And I think expanding on that is a great idea! Look forward to seeing your work and advice.
@Bikerboi Any update on this? We have an existing guideline (https://bcit-ci.github.io/CodeIgniter4/concepts/security.html), but I had the impression that this issue was intended to expand on that.
@jim-parry What I have done so far is towards the OWASP Top Ten 2013, so I am adapting that slowly but surely to the OWASP Top Ten 2017 list. As it is only in release candidate phase, I will have it ready to go when it is actually released, which should be this month or next according to OWASP.
Looking forward to it!
@jim-parry @lonnieezell Any update on this? Is anybody working on the same?
No one is working on this currently.
This won't happen for release. It's a large project to do it well. Closing for now.
Should list common security issues, their risks, and how to use the tools within CodeIgniter to prevent or minimize them.
See Rails' Security docs for a great example.