// methodology.cs — how we map controls to .NET code
 
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
 
// ─── OWASP A01:2021 — Broken Access Control ──────────────
// .NET mitigations: [Authorize] policies,
// resource-based authorization handlers, a claims
// transformation pipeline, and row-level filtering
// applied inside the EF Core queries themselves.
 
// Illustrative policy-gated endpoint. The policy name must be registered in the
// authorization options at startup; an unknown policy name is rejected at
// request time rather than silently allowing access. Policy checks gate the
// endpoint only — per-record ownership still needs the resource-based handler
// or query-level filtering described above.
[Authorize(Policy = "RequireSecurityClearance")]
public IActionResult Sensitive() { ... }
 
// ─── OWASP A02:2021 — Cryptographic Failures ─────────────
// .NET mitigations: Data Protection API for data
// at rest, Azure Key Vault for key storage,
// AES-GCM only (with a nonce never reused under
// the same key), never custom crypto.
 
var protector = _provider.CreateProtector("Murplz.PII.v1");
 
// ─── OWASP A03:2021 — Injection ──────────────────────────
// .NET mitigations: parameterized queries via
// EF Core or Dapper (never string concatenation
// into SQL), input validation via FluentValidation,
// and output encoding, which Razor applies by default.
 
// ─── OWASP A04:2021 — Insecure Design ────────────────────
// We threat-model with STRIDE before any code is
// written: trust boundaries, data flow diagrams,
// abuse-case scenarios. The threat model's output
// drives the architecture, not the other way around.
 
// ─── OWASP A05:2021 — Security Misconfiguration ──────────
// Hardened baseline: HSTS, CSP, X-Frame-Options,
// secure cookie flags, framework debugging disabled
// in production, minimal exposed surface area.
 
// ─── ITSG-33 Control Families We Apply ───────────────────
// AC — Access Control
// AU — Audit and Accountability
// IA — Identification and Authentication
// SC — System and Communications Protection
// SI — System and Information Integrity
// CM — Configuration Management
 
// (Truncated. Full mapping with control selection
// rationale is available in our capability
// statement — /resources/capability)