diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6c0a82b6..422c4385 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -69,7 +69,7 @@ in MDX files. 5. **Notify reviewers** by tagging a steward or maintainer, requesting reviews directly in your PR. 6. Additionally, you can paste your PR and/or potential associated issues to the `frameworks-contribs` Discord channel. 7. Once reviewed and approved, your changes will be merged into `develop`. -8. Don't forget to add yourself to the YAML header of the file you're modifying, since that is how we provide +8. Don't forget to add yourself to the YAML header of the file you're modifying, given that is the way we provide attribution. You should also create your profile inside the contributors list, at `docs/pages/config/contributors.json`. 9. Periodically, reviewed content from `develop` is merged into `main` for the stable site. @@ -85,7 +85,7 @@ Choose the development approach that works best for you: ### Option A: DevContainer with VSCode -The easiest way to get started is using our pre-configured devcontainer with VSCode: +The easiest way to get started is to use our pre-configured devcontainer with VSCode: 1. **Prerequisites**: VSCode with [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) 
@@ -96,14 +96,14 @@ extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote. ### Option B: DevContainer CLI Only (No VSCode Required) Since you won't require extensions for the initiative to work, you can just create a devcontainer using the CLI and -access it through whatever means you think suits you best. +access it through whatever means suit you best. **Using DevContainer CLI (Recommended):** - Install [DevContainer CLI](https://github.com/devcontainers/cli) ```bash -git clone +git clone https://github.com/security-alliance/frameworks.git cd frameworks && git checkout develop devcontainer up --workspace-folder . devcontainer exec --workspace-folder . bash @@ -129,7 +129,7 @@ If you prefer to install dependencies locally on your machine: 2. Clone the repository: ```bash - git clone + git clone https://github.com/security-alliance/frameworks.git cd frameworks && git checkout develop ``` @@ -145,7 +145,7 @@ If you prefer to install dependencies locally on your machine: pnpm exec just serve ``` -5. Once the server is running, access the site at port ```5173``` +5. Once the server is running, access the site on port `5173`. **(Optional) Authenticate with GitHub CLI**: The GitHub CLI (`gh`) is already preinstalled in the devcontainer. You can authenticate by running `gh auth login` in the terminal, making it easy to interact with GitHub directly from your @@ -298,7 +298,7 @@ Example of a category with multiple pages: This ensures that new content appears correctly in the site’s navigation for readers on the `.dev` site while staying hidden from the stable `.org` site until ready. -### 4. Error Checking +### 3. Error Checking Before pushing changes, always make sure your build works without errors: 
@@ -312,7 +312,7 @@ This helps catch build or formatting issues early so reviewers see clean contrib Wiki pages follow standard MDX. The audience of this wiki is technical, and the content should reflect that. There are many guides on technical and -documentation writing you can learn from, for example, you can check [this +documentation writing you can learn from; for example, you can check [this lecture](https://www.youtube.com/watch?v=vtIzMaLkCaM) to get started. ### Writing guidelines @@ -321,13 +321,13 @@ lecture](https://www.youtube.com/watch?v=vtIzMaLkCaM) to get started. - Use concise sentences and break down complex ideas with bullet points, tables, images, or block-quotes. - Always link your resources and verify them - Introduce acronyms and technical jargon before using them. -- Web3 changes fast, write the content to be as future-proof as possible +- Web3 changes fast; write the content to be as future-proof as possible. - Do **not** submit content entirely generated by AI; however, we recommend using it to fix grammar or phrasing - Consider tutorials or hands-on guides for practical steps. - Use visualizations (mermaid, diagrams, tables) to clarify concepts. - Add recommended reading or dependencies at the top of a page if relevant. - Focus on delivering credible, formal, technical content without unnecessary high-level introductions; use examples, -comparisons, or anecdotes to clarify complex topics. + comparisons, or anecdotes to clarify complex topics. - You can use mermaid diagrams for visualizations ### Content standardization 
@@ -351,15 +351,17 @@ fits, for example in block-quotes. where you can jump straight to draw! ```mermaid - pie title What Voldemort doesn't have? +pie title What Voldemort doesn't have? "FRIENDS" : 2 "FAMILY" : 3 "NOSE" : 45 - ``` +``` + - Adding images is welcome and encouraged. Please follow the steps below to include them correctly: - 1. After making your changes and opening a PR, add the images you want to include in the PR's comments (by uploading them directly) + 1. After making your changes and opening a PR, add the images you want to include in the PR's comments + (by uploading them directly) 2. During the review, a maintainer will upload your images to our S3 bucket and reply with the links you should use. 3. Once you receive the new links, update your PR to add the images' links. diff --git a/docs/pages/config/contributors.json b/docs/pages/config/contributors.json index ae43731a..b3989275 100644 --- a/docs/pages/config/contributors.json +++ b/docs/pages/config/contributors.json @@ -23,7 +23,7 @@ { "name": "Issue-Opener-5", "assigned": "2024-08-22" }, { "name": "Issue-Opener-10", "assigned": "2024-08-24" }, { "name": "Issue-Opener-25", "assigned": "2024-09-25" }, - { "name": "Active-Last-7d", "lastActive": "2026-03-24" } + { "name": "Active-Last-7d", "lastActive": "2026-04-08" } ] }, "fredriksvantes": { @@ -191,7 +191,7 @@ { "name": "Framework-Steward", "assigned": "2025-07-10", "framework": "Wallet Security" }, { "name": "First-Contribution", "assigned": "2025-07-10" }, { "name": "First-Review", "assigned": "2025-09-25" }, - { "name": "Dormant-90d+", "lastActive": "2025-10-27" } + { "name": "Active-Last-7d", "lastActive": "2026-04-07" } ] }, "njelich": { 
@@ -231,7 +231,7 @@ { "name": "First-Review", "assigned": "2025-08-11" }, { "name": "Reviewer-10", "assigned": "2026-02-24" }, { "name": "Reviewer-25", "assigned": "2024-03-01" }, - { "name": "Active-Last-7d", "lastActive": "2026-03-23" } + { "name": "Active-Last-7d", "lastActive": "2026-04-06" } ] }, "blackbigswan": { @@ -445,7 +445,7 @@ { "name": "First-Review", "assigned": "2025-08-12" }, { "name": "Reviewer-10", "assigned": "2025-09-12" }, { "name": "Reviewer-25", "assigned": "2026-03-20" }, - { "name": "Active-Last-7d", "lastActive": "2026-03-25" } + { "name": "Active-Last-7d", "lastActive": "2026-04-09" } ] }, "gunnim": { @@ -461,7 +461,7 @@ "description": "Cloud architecture enthusiast with a passion for IT Security", "badges": [ { "name": "First-Contribution", "assigned": "2026-01-21" }, - { "name": "Active-Last-7d", "lastActive": "2026-03-21" } + { "name": "Active-Last-30d", "lastActive": "2026-03-21" } ] }, "madjin": { @@ -552,8 +552,11 @@ "company": "QuillAudits", "job_title": "Smart Contract Audit Firm", "role": "contributor", - "description": "Leading smart contract audit firm specializing in Web3 security solutions, DeFi auditing, and DApp penetration testing.", - "badges": [] + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2025-12-30" }, + { "name": "Dormant-90d+", "lastActive": "2025-12-30" } + ] }, "hexnickk4997": { "slug": "hexnickk4997", 
@@ -634,21 +637,21 @@ { "name": "First-Contribution", "assigned": "2025-09-18" }, { "name": "Dormant-90d+", "lastActive": "2025-09-18" } ] -}, -"andrew-chang-gu": { - "slug": "andrew-chang-gu", - "name": "Andrew Chang-Gu", - "avatar": "", - "github": "", - "twitter": "", - "website": "https://www.linkedin.com/in/achanggu", - "company": "Google Cloud Security", - "job_title": "Google Cloud Security", - "role": "contributor", - "description": "Google Cloud Security", - "badges": [] -}, -"JosepBove": { + }, + "andrew-chang-gu": { + "slug": "andrew-chang-gu", + "name": "Andrew Chang-Gu", + "avatar": null, + "github": null, + "twitter": null, + "website": "https://www.linkedin.com/in/achanggu", + "company": "Google Cloud Security", + "job_title": "Google Cloud Security", + "role": "contributor", + "description": "Google Cloud Security", + "badges": [] + }, + "JosepBove": { "slug": "JosepBove", "name": "Josep Bove", "avatar": "https://avatars.githubusercontent.com/JosepBove", 
@@ -662,14 +665,47 @@ "badges": [ { "name": "Framework-Steward", "assigned": "2026-03-17", "framework": "Monitoring" }, { "name": "First-Contribution", "assigned": "2026-03-16" }, - { "name": "New-Joiner", "lastActive": "2026-03-17" }, - { "name": "Active-Last-7d", "lastActive": "2026-03-23" } + { "name": "Active-Last-30d", "lastActive": "2026-03-23" } ] -}, -"shallem": { + }, + "tim-sha256": { + "slug": "tim-sha256", + "name": "tim-sha256", + "avatar": "https://avatars.githubusercontent.com/tim-sha256", + "github": "https://github.com/tim-sha256", + "twitter": null, + "website": null, + "company": null, + "job_title": null, + "role": "contributor", + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2026-04-05" }, + { "name": "New-Joiner", "assigned": "2026-04-05" }, + { "name": "Active-Last-7d", "lastActive": "2026-04-05" } + ] + }, + "fvelazquez-x": { + "slug": "fvelazquez-x", + "name": "fvelazquez-x", + "avatar": "https://avatars.githubusercontent.com/fvelazquez-x", + "github": "https://github.com/fvelazquez-x", + "twitter": null, + "website": null, + "company": null, + "job_title": null, + "role": "contributor", + "description": "Frameworks Contributor", + "badges": [ + { "name": "First-Contribution", "assigned": "2026-04-07" }, + { "name": "New-Joiner", "assigned": "2026-04-07" }, + { "name": "Active-Last-7d", "lastActive": "2026-04-07" } + ] + }, + "shallem": { "slug": "shallem", "name": "Seth Hallem", - "avatar": "", + "avatar": null, "github": "https://github.com/shallem", "twitter": "https://x.com/seth_certora", "website": "https://www.certora.com/", @@ -678,6 +714,9 @@ "job_title": null, "description": "Steward of Opsec framework", "badges": [ + { "name": "Framework-Steward", "assigned": "2026-04-09", "framework": "Operational Security" }, + { "name": "First-Contribution", "assigned": "2025-09-10" }, + { "name": "Active-Last-7d", "lastActive": "2026-04-09" } ] } } 
diff --git a/docs/pages/contribute/contributing.mdx b/docs/pages/contribute/contributing.mdx index 6ba348a0..a2612bf4 100644 --- a/docs/pages/contribute/contributing.mdx +++ b/docs/pages/contribute/contributing.mdx @@ -285,7 +285,7 @@ This helps track contributions and ensures proper attribution. For a complete frontmatter example, see the [template file](https://github.com/security-alliance/frameworks/blob/develop/docs/pages/config/template.mdx?plain=1). -### 3. Sidebar / Navigation +### 2. Sidebar / Navigation Because of how we handle the `.org` and `.dev` domains in different branches, when contributing **new pages** you must also **update `vocs.config.tsx`** so that the page appears in the site’s sidebar. For content still in review, remember @@ -310,7 +310,7 @@ Example of a category with multiple pages: This ensures that new content appears correctly in the site’s navigation for readers on the `.dev` site while staying hidden from the stable `.org` site until ready. -### 4. Error Checking +### 3. Error Checking Before pushing changes, always make sure your build works without errors: @@ -372,7 +372,8 @@ fits, for example in block-quotes. - Adding images is welcome and encouraged. Please follow the steps below to include them correctly: - 1. After making your changes and opening a PR, add the images you want to include in the PR's comments (by uploading them directly) + 1. After making your changes and opening a PR, add the images you want to include + in the PR's comments (by uploading them directly) 2. During the review, a maintainer will upload your images to our S3 bucket and reply with the links you should use. 3. Once you receive the new links, update your PR to add the images' links. 
@@ -404,7 +405,7 @@ This page is also open for contributions! Suggest improvements to our style and ## About this page -Originally inspired by the [Ethereum Protocol Fellows](https://github.com/eth-protocol-fellows/protocol-studies) +Originally inspired by the [Ethereum Protocol Fellows](https://github.com/eth-protocol-fellows/protocol-studies). --- diff --git a/docs/pages/dprk-it-workers/techniques-tactics-and-procedures.mdx b/docs/pages/dprk-it-workers/techniques-tactics-and-procedures.mdx index 3c8f0f9d..fbe51408 100644 --- a/docs/pages/dprk-it-workers/techniques-tactics-and-procedures.mdx +++ b/docs/pages/dprk-it-workers/techniques-tactics-and-procedures.mdx 
@@ -210,18 +210,18 @@ hiring a DPRK IT Worker. profile, which can uncover further identity mismatches. 1. On LinkedIn, examine the strength of the actor's connection network. - - ### Defeating Deepfakes: Liveness Verification -Pre-recorded deepfake video can fool a casual interviewer, particularly when audio "technical difficulties" are used as cover. Incorporate unpredictable, interactive requests that a pre-rendered deepfake cannot handle: +Pre-recorded deepfake video can fool a casual interviewer, particularly when audio "technical difficulties" +are used as cover. Incorporate unpredictable, interactive requests that a pre-rendered deepfake cannot handle: - Ask the candidate to turn their head sideways and hold the position - Have them read a randomly generated phrase displayed on screen for the first time during the call - Request a hand movement across the face mid-stream - Ask them to screen-share and perform a live technical task requiring real-time interaction with their environment -> Any candidate who persistently avoids in-person interaction — even for high-value roles — warrants a security review. This is a documented indicator of DPRK IT worker activity. +> Any candidate who persistently avoids in-person interaction — even for high-value roles — warrants a security +> review. This is a documented indicator of DPRK IT worker activity. ## Did I hire a DPRK IT Worker? diff --git a/docs/pages/opsec/endpoint/overview.mdx b/docs/pages/opsec/endpoint/overview.mdx index d960d0ea..8608e2c0 100644 --- a/docs/pages/opsec/endpoint/overview.mdx +++ b/docs/pages/opsec/endpoint/overview.mdx 
@@ -22,9 +22,12 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -> **Key Takeaway:** Match device security investment to role risk. Managed hardware for privileged operators, VDI for global contractors, enterprise browsers as minimum viable security for everyone else. +> **Key Takeaway:** Match device security investment to role risk. Managed hardware for privileged operators, +> VDI for global contractors, enterprise browsers as minimum viable security for everyone else. -Unmanaged personal devices are a primary vector for credential theft and lateral movement in Web3 organizations. Infostealers, malicious browser extensions, and compromised development environments all start at the endpoint. Organizations need a device provisioning strategy that scales security with role sensitivity. +Unmanaged personal devices are a primary vector for credential theft and lateral movement in Web3 organizations. +Infostealers, malicious browser extensions, and compromised development environments all start at the endpoint. +Organizations need a device provisioning strategy that scales security with role sensitivity. ## Device Security Tiers @@ -42,7 +45,9 @@ Issue organization-managed hardware to your highest-risk roles. This provides fu ### Tier 2: Virtual Desktop Infrastructure (Privacy-First Scale) -For global contractors where issuing hardware is impractical, VDI provides a secure cloud-hosted environment accessible from any device. The employee's personal machine becomes a thin client — all sensitive work happens inside the managed virtual desktop. +For global contractors where issuing hardware is impractical, VDI provides a secure cloud-hosted environment +accessible from any device. The employee's personal machine becomes a thin client — all sensitive work happens +inside the managed virtual desktop. - Complete visibility and control inside the virtual environment - Corporate web proxying and traffic inspection 
@@ -51,7 +56,8 @@ For global contractors where issuing hardware is impractical, VDI provides a sec - **Limitation:** Performance and latency overhead - **Limitation:** Hardware authentication dongle (YubiKey) compatibility issues in virtualized environments -**Target roles:** Global operations, customer support, regional teams, contractors with defined scopes. Providers: AWS WorkSpaces, Azure Virtual Desktop, Google Cloud Workstations. +**Target roles:** Global operations, customer support, regional teams, contractors with defined scopes. +Providers: AWS WorkSpaces, Azure Virtual Desktop, Google Cloud Workstations. ### Tier 3: Enterprise Browser (Minimum Viable Security) 
@@ -65,23 +71,26 @@ For general staff and short-term contractors, an enterprise browser provides a m **Target roles:** General staff, community managers, short-term contractors. -> If you use Google Workspace, you already have **Chrome Enterprise Core** at no additional cost. Enabling extension allowlisting alone eliminates one of the most common attack vectors against Discord and web-based platforms. +> If you use Google Workspace, you already have **Chrome Enterprise Core** at no additional cost. Enabling +> extension allowlisting alone eliminates one of the most common attack vectors against Discord and web-based platforms. ## Choosing the Right Tier | Factor | Managed Device | VDI | Enterprise Browser | -|--------|---------------|-----|-------------------| +| ------ | -------------- | --- | ------------------ | | **Visibility** | Full (OS + apps) | Inside VDI only | Browser only | | **Host compromise protection** | Yes — EDR on host | Partial — Host keyloggers | No — None | | **Hardware cost** | High (org buys devices) | Low (any device) | None | | **Privacy** | Low (org owns device) | Medium (host is private) | High (only browser managed) | | **Best for** | Core team, signers | Global contractors | General staff | -Most Web3 organizations will use all three tiers simultaneously — the goal is to match investment to actual risk, not to force a single approach across all roles. +Most Web3 organizations will use all three tiers simultaneously — the goal is to match investment to actual risk, +not to force a single approach across all roles. ## Further Reading -- [Hardening your organization](/dprk-it-workers/mitigating-dprk-it-workers#hardening-your-organization) — Access control policies for remote workers +- [Hardening your organization](/dprk-it-workers/mitigating-dprk-it-workers#hardening-your-organization) + — Access control policies for remote workers - [Browser Security](/opsec/browser/overview) — Browser-specific hardening 
diff --git a/docs/pages/opsec/mfa/overview.mdx b/docs/pages/opsec/mfa/overview.mdx index b80776da..a87b67ae 100644 --- a/docs/pages/opsec/mfa/overview.mdx +++ b/docs/pages/opsec/mfa/overview.mdx @@ -18,7 +18,8 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -MFA is necessary but not sufficient as an OpSec strategy. If you have not yet implemented MFA, we suggest making it your first priority as soon as you finish reading this page. +MFA is necessary but not sufficient as an OpSec strategy. If you have not yet implemented MFA, we suggest making it +your first priority as soon as you finish reading this page. Not all MFAs are created equally. A few recommendations: 
@@ -26,23 +27,44 @@ Not all MFAs are created equally. A few recommendations: is a good idea. Suffice it to say, best practices have long since outlawed these MFA methods. 2. **TOTP (e.g., Google Authenticator) is good but not great.** Why? It is easy enough to trick users into - entering TOTP codes into a phishing site. The methods cited below are more difficult to exploit. Also, any manual typing is susceptible to keyloggers. + entering TOTP codes into a phishing site. The methods cited below are more difficult to exploit. Also, any + manual typing is susceptible to keyloggers. 3. **Push-based MFA is better.** Why? Because initiating a push notification on iOS/Android requires that the device itself be enrolled with the identity provider. Phishing sites cannot initiate a push notification to the Gmail app, for example, without a major compromise of Google's infrastructure. 4. **Passkeys are the best.** Biometrics are hard to fake, and in a world where attackers are looking for low - hanging fruit, passkeys protected by biometric factors are typically too hard for them to reach. However, passkey storage is critical to ensuring that this choice is secure - please read the note below. + hanging fruit, passkeys protected by biometric factors are typically too hard for them to reach. However, passkey + storage is critical to ensuring that this choice is secure - please read the note below. 5. **Key admins (e.g., your G Suite admin) should be using Yubikeys.** They are inexpensive and easy. There is no excuse here for not protecting the keys to the castle with the industry gold standard for MFA. -Once you have MFA in place, you are ready to move on to the next step in your Opsec framework. However, before you declare your MFA journey a success, make sure you haven't forgotten any of your communication tools along the way. 
In this industry, we often use a combination of X, Signal, and Telegram, and each of them can and should be protected with an additional authentication factor. Also, note that the more you allow one-off sign-ins for each tool you use, the more you have to be concerned about the MFA features of each tool. Implementing single sign-on wherever possible is the best way to enforce MFA across all the tools you use. +Once you have MFA in place, you are ready to move on to the next step in your Opsec framework. However, before you +declare your MFA journey a success, make sure you haven't forgotten any of your communication tools along the way. +In this industry, we often use a combination of X, Signal, and Telegram, and each of them can and should be protected +with an additional authentication factor. Also, note that the more you allow one-off sign-ins for each tool you use, +the more you have to be concerned about the MFA features of each tool. Implementing single sign-on wherever possible +is the best way to enforce MFA across all the tools you use. -Take into consideration that, while using passkeys seems the most appropriate course of action, using them irresponsibly could lower your security posture. Passkeys only improve security when they remain tied to a strong device and recovery model; used carelessly, they can weaken it by shifting trust from a hard-to-phish login flow to softer cloud sync and account recovery paths. A common failure case is storing high-value passkeys in consumer sync ecosystems protected by weak recovery, reused credentials, SMS reset, or unmanaged devices, so an attacker who compromises the sync account can restore those passkeys on their own device and log in cleanly with what appears to be strong authentication. In that setup, the passkey itself is not broken, but the overall security posture is worse because the real attack surface becomes account recovery, device enrollment, and endpoint compromise rather than direct credential theft. 
A typical mistake would be to store a passkey in the Google password manager for your personal Google account, which may not be adequately protected with a strong password, MFA, and a secure account recovery method. +Take into consideration that, while using passkeys seems the most appropriate course of action, using them +irresponsibly could lower your security posture. Passkeys only improve security when they remain tied to a +strong device and recovery model; used carelessly, they can weaken it by shifting trust from a hard-to-phish login +flow to softer cloud sync and account recovery paths. A common failure case is storing high-value passkeys in consumer +sync ecosystems protected by weak recovery, reused credentials, SMS reset, or unmanaged devices, so an attacker who +compromises the sync account can restore those passkeys on their own device and log in cleanly with what appears to +be strong authentication. In that setup, the passkey itself is not broken, but the overall security posture is worse +because the real attack surface becomes account recovery, device enrollment, and endpoint compromise rather than direct +credential theft. A typical mistake would be to store a passkey in the Google password manager for your personal Google +account, which may not be adequately protected with a strong password, MFA, and a secure account recovery method. -To address the passkey storage issue, this section should be read in conjunction with the section (coming soon) about password handling and password management. Passkeys are the strongest form of MFA when stored in a secure password manager with biometric authentication (e.g., Bitwarden, 1Password). Passkeys stored in a personal account that uses phone or SMS as a recovery mechanism make overall security worse, not better. Before finalizing any decision to migrate to passkeys, please read the password management section and ensure that you are ready to store your passkeys securely. 
+To address the passkey storage issue, this section should be read in conjunction with the section (coming soon) about +password handling and password management. Passkeys are the strongest form of MFA when stored in a secure +password manager with biometric authentication (e.g., Bitwarden, 1Password). Passkeys stored in a personal account +that uses phone or SMS as a recovery mechanism make overall security worse, not better. Before finalizing any decision +to migrate to passkeys, please read the password management section and ensure that you are ready to store your +passkeys securely. diff --git a/wordlist.txt b/wordlist.txt index ac6954ca..55f292f6 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -360,3 +360,5 @@ Upbit Valimail viem wagmi +NCSC +Intune
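Review bot: The rewording of step 8 in the CONTRIBUTING.md @@ -69 hunk, from "since that is how we provide attribution" to "given that is the way we provide attribution", reads less naturally than the line it replaces; suggest keeping the original clause or using "because that is how we provide attribution".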
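Review bot: Renumbering "### 4. Error Checking" to "### 3." in the CONTRIBUTING.md @@ -298 hunk is only consistent if the preceding "### 3. Sidebar / Navigation" heading in that same file is also renumbered to 2, as the contributing.mdx @@ -285 hunk does; no such hunk for CONTRIBUTING.md appears in this patch, so please confirm the two files do not end up with different section numbering.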
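Review bot: The "Writing guidelines" list in the CONTRIBUTING.md @@ -321 hunk now mixes items that end with a period ("write the content to be as future-proof as possible.") with items that do not ("Always link your resources and verify them", "we recommend using it to fix grammar or phrasing"); since the hunk already touches this list, pick one convention for all items.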
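Review bot: In the CONTRIBUTING.md @@ -351 hunk the mermaid fence and the `pie title` line are de-indented, but the three body lines ("FRIENDS", "FAMILY", "NOSE") keep their original indentation, so the example is now inconsistently indented; mermaid tolerates it, but de-indenting the body lines as well makes the block cleaner to copy.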
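Review bot: In the contributors.json @@ -552 hunk the QuillAudits entry's hand-written description ("Leading smart contract audit firm specializing in ...") is replaced by the generic "Frameworks Contributor", which looks like an automated badge refresh overwriting a curated field; suggest restoring the original description and limiting this hunk to the badges array.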
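Review bot: The contributors.json @@ -634 and @@ -662 hunks change "avatar", "github" and "twitter" for andrew-chang-gu and "avatar" for shallem from "" to null, which changes the field type; please confirm the component that renders contributors.json treats null and the empty string the same way, so these profiles render like the others.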
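Review bot: The "New-Joiner" badge is keyed inconsistently in the contributors.json @@ -662 hunk: the JosepBove line being removed used `"lastActive"` for it, while the new tim-sha256 and fvelazquez-x entries use `"assigned"`; settle on one key for this badge so consumers do not have to check both.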