
Conversation

@asbedb

@asbedb asbedb commented Jan 31, 2026

After the react2shell incident there was a discussion to proactively add a security command.

The command adopted !security returns the following response:


Managing security in a web application requires a proactive approach.

Some points to consider:

  • Don't use create-react-app; it is no longer recommended.
  • Set up automated alerts via a service like Dependabot to be notified of new disclosures.
  • Review packages, either by inspecting the code or by using a service like Snyk.
  • Proactively keep your technology up to date (everything, not just packages).
  • Test your code – follow safe practices (like sanitising errors) and ensure you audit features and functionality before pushing to prod.
  • Set up multi-factor authentication and avoid re-using passwords by implementing something like a password manager to avoid credential stuffing attacks.

The command was tested successfully prior to the PR being raised.

@what-the-diff

what-the-diff bot commented Jan 31, 2026

PR Summary

  • New Command Handler
    A new command handler for the !security feature has been added. It is designed to provide general information on managing the security of a web application.

  • Detailed "Security Tips" Message
    Embedded within the security command handler is a thorough component named "Security Tips." This contains important advice on security best practices for developers.

  • Key Security Insights
    Several essential points of advice are bundled in the "Security Tips" message. These include the following:

    • Suggestion against using the create-react-app tool due to potential security risks
    • Instructions on setting automated alerts with services like Dependabot
    • Guidelines on how to conduct safe and effective code reviews
    • The importance of keeping software technology updated
    • Overview of secure coding practices
    • The implementation of multi-factor authentication for added security

@vcarl
Member

vcarl commented Jan 31, 2026

I love this, thank you for opening it!

Comment on lines +401 to +402
- Test your code – follow safe practices (like sanitising errors) and ensure you audit features and functionality before pushing to prod.
- Set up multi-factor authentication and avoid re-using passwords by implementing something like a password manager to avoid credential stuffing attacks.

I don't love these 2 points in a frequently-reused command, as advice they're not super actionable on their own — it would be great to see these link out to other resources that are somewhat comprehensive/canonical as to what threats exist and what mitigations are recommended. I don't have great recommendations handy immediately, though

Author (@asbedb) replied:

That's completely fair - I'll do some digging and see what I can find. I did try to bring it back to the simple stuff but also wanted to ensure it captured the essence of "it's not just packages and let's be sensible."
