The Open Source Security Page

Easily integrate a security policy on your website to showcase the security measures taken to protect your customers

Table of Contents

    TLDR: This article will help you integrate a great security page (like this one) on your website in under 10-15 mins. Want to get started right away? Jump to this section

    What is a public security overview?

    A security overview is a public page on your website that describes security processes and tools used to protect your data and users. It’s a best practice to have it on a “/security” path and have it easily accessible for your visitors (from the footer for example).

    Why would you even need one?

    A security overview has several benefits:

    • It brings more users / revenue: A security page shows your maturity to potential users. Enterprise or security-aware people will not even consider your solution if your security page is missing or of low quality. But security and privacy concerns are also increasingly part of the buying decision process for consumers.
    • It can save time: If you’re selling to enterprise customers, you probably know about the dreaded security questionnaires required in procurement processes. A good security overview can sometimes be enough for some smaller companies.
    • It protects you: The internet is like the Wild West, but you have a lot of great people just looking to help ✌️. A security page provides information for security researchers to report critical vulnerabilities.
    👉 everyone needs a security overview 👈

    With all these benefits why are there still A LOT of websites without a good security policy? Some will argue security should be obscure, others will just say that they don’t have the expertise or the time to write one.

    But security through obscurity is dead ☠️ and, we want to change this status quo. So let me introduce you to the Open Source Security Page…

    An Open Source Security Overview?

    If we agree on the fact that expertise and time are the biggest challenges when it comes to implementing a security page, then an open source security overview created by security specialists is the solution.

    We created this overview for the community. Our main requirement is that it’s easy to integrate and therefore doesn’t need a lot of customization (of course the more customized, the better).

    Every item of this policy comes with several parts:

    1. A descriptive title
    2. A “Recommended for” part to help you prioritize your security efforts
    3. A brief explanation of the item
    4. A description of the required customizations
    5. The actual content of the item

    Here is an example:

      ## Secure development
      <!--- __Recommended for:__ >Series A/Series B startups. --->
      <!--- __Explanation:__ This part describes the tools and processes in place to avoid pushing code vulnerabilities to production. The more mature the company, the more tools you should have in place. --->
      <!--- __Customization:__ Delete the tools you don’t use. --->
    
      We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:
      - Developers participate in regular security training to learn about common vulnerabilities and threats
      - We review our code for security vulnerabilities
      - We regularly update our dependencies and make sure none of them has known vulnerabilities
      - We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
      - We use Dynamic Application Security Testing (DAST) to scan our applications
      - We rely on [yearly | bi-annually | quarterly] third-party security experts to perform penetration tests of our applications.
      

    You can read the full content here

    And it looks good too!!

    Security page example

    We welcome contributions! Do you see things that we missed or could be added? Submit your PR!

    Inspired by

    Projects like

    Great security policies

    How to use it?

    This security page is easy to use. Here are the steps you need to follow:

    Step 1: Fork the repository

    Step 2: Open /docs/markdown-content.md in your favorite editor

    Step 3: Search for “DOMAIN” and replace it with your domain (i.e. search for “DOMAIN” and replace with “sqreen.com”)

    Step 4: Read the titles and the explanations of every item and delete the sections that aren’t relevant to your company (it might be a good time to improve your practices. Just saying 😃)

    Step 5: Use the customization guide to customize the remaining sections. Feel free to add more sections (and don’t hesitate to submit a PR 😅)

    Step 6: You can customize the global color used for links and navigation. Go to the index.html file and look for :root{—global-color: in the head.

    Step 7: Replace the logo in the index.html. Search for the class=”logo”

    Step 8: How to run it locally:

    npm install
      //or
      yarn install

    And then

    gulp

    It will compile, minify the css and compress the javascript into /build.

    Step 9: And Voilà! You can now deploy it 🙌 (read part below)

    Warning: Be honest and do not lie!

    How to deploy it with Netlify

    (Want to learn more about Netlify? –> https://www.netlify.com/ )

    Step 1: Create a Netlify account

    Step 2: Create a new site

    Create a new Netlify site

    Step 3: Link it to your Github repository

    Step 4: Select your Github Repository

    Link your Netlify account to Github

    Step 5: Deploy and configure your DNS 🎉

    Deploy with Netlify

    How to deploy it with Github Pages

    Step 1: Go to the settings of your forked repository.

    Github Settings

    Step 2: Then scroll down to the Github pages section

    Github Pages Section

    Step 3: Select the “master branch /docs folder” in the selector

    Step 4: Set up a custom domain and configure your DNS to point to your repo

    Finding this security page awesome?

    Check out this guide to easily integrate yours!