
What is your code’s security posture? Six steps to prepare.

Cameron Manavian
3 min read · Aug 5, 2019


What is security posture?

We’ve all heard the proverb:

A chain is only as strong as its weakest link.

(Image caption: Even old legacy code can still be secure)

And while this is true in the literal sense, the metaphor also fits well when applied to a code base or project repository.

Why spend three solid days ensuring SQL queries are all injection safe if your API authorization layer doesn’t protect content properly via Role-Based Access Control (RBAC) and two-factor-protected access tokens?

We define security posture as the combined strength and efficacy of a company’s cybersecurity policies, controls, and risk mitigation, but we can also apply this to an engineering team.

Consider these questions:

  • How secure is our distributed repository? Who can push to the master branch?
  • Is every user required to have MFA in order to use our repository?
  • How comprehensive is our security code review?
  • Can we accurately measure Open Source vulnerabilities?
  • Do we have a process in place to monitor Open Source vulnerabilities?
  • Who determines compliance for system tools and operating systems?


Written by Cameron Manavian

Father, Husband, Engineer, CTO, 15+ yrs of software engineering — cameronmanavian.com
