What is your code’s security posture? Six steps to prepare.

What is security posture?

We’ve all heard the proverb:

(Image: Even old legacy code can still be secure)
  • Is every user required to have MFA in order to use our repository?
  • How comprehensive is our security code review?
  • Can we accurately measure Open Source vulnerabilities?
  • Do we have a process in place to monitor Open Source vulnerabilities?
  • Who determines compliance for system tools and operating systems?
  • How effective is our vulnerability management?
  • How do we test our application security?

Understanding application security

While providing a thorough guide to hardening a team’s security posture would be one great gift I could give to the world, it’s not reasonable for me to tell you exactly how and what to do. Instead, I can offer some steps to quickly define a posture, act on it, and decide what comes next.

Step 1 — Determine your vulnerabilities

What would be the major loss or consequence if your application were compromised?

  • Intellectual Property?
  • Private Records?
  • Zombie botnet?

Step 2 — Determine your targets

What are your targets? What kinds of applications do you manage and are they available on the internet?

  • Auth system
  • User system
  • Background processor
  • Is your public facing API a target (most of the time yes!)?
  • Are your developers targets (usually!)?

Step 3 — Audit your targets

If you have access to an internal Red Team, have them attack your app (in a controlled environment please!). How secure are your targets? Do a preliminary audit on all the targets.

  • Are your cloud projects isolated, or is there dev code running nearby prod code?
  • Are there timely scans of open source packages and containers on every build or deploy?
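The second audit question above, a scan of open source packages on every build, can be answered with a gate that fails the build when a pinned dependency sits below the fixed version in an advisory list. The script below is an added example and is not code from the original post; the package names, versions and advisory identifiers are constructed placeholders, not real packages or advisories, and a real pipeline would swap the dictionary for a vulnerability database with full version semantics.

```python
"""Build-time dependency gate (added example, not from the original post).

Parses a pinned requirements list, compares each pin against a constructed
advisory feed, and returns the exit code a CI step would use.
"""
import sys

# Constructed requirements.txt contents: pinned versions only.
REQUIREMENTS = """\
examplelib==1.4.2
otherlib==0.9.0
# comment lines and blank lines are ignored
safelib==2.0.1
"""

# Constructed advisory feed (placeholder ids, not real advisories):
# package -> list of (fixed_in_version, advisory_id).
# Any pinned version below fixed_in_version is treated as affected.
ADVISORIES = {
    "examplelib": [("1.5.0", "ADV-EXAMPLE-0001")],
    "otherlib": [("0.8.5", "ADV-EXAMPLE-0002")],
}


def parse_version(v):
    """Naive dotted-integer comparison; enough for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {package_name: pinned_version}; refuse unpinned entries."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """List every pin that falls below an advisory's fixed version."""
    findings = []
    for name, version in pins.items():
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "package": name,
                    "installed": version,
                    "fixed_in": fixed_in,
                    "advisory": adv_id,
                })
    return findings


def build_gate(requirements_text):
    """Exit code for the CI step: 0 when clean, 1 when findings exist."""
    findings = find_vulnerable(parse_requirements(requirements_text))
    for f in findings:
        print(f"FAIL {f['package']}=={f['installed']} affected by "
              f"{f['advisory']} (fixed in {f['fixed_in']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(build_gate(REQUIREMENTS))
```

Run as a step in the build so that a non-zero exit blocks the deploy; the constructed data yields one finding (examplelib below 1.5.0) while otherlib already sits above its fixed version.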

Step 4 — Plan

Now that you have your targets identified in a basic list, flesh them out! Figure out what kinds of controls are in place to prevent accidental or unauthorized security events. Write them down — because then you will fix them!

  • Total code-level security lint vulnerabilities
  • Total architectural vulnerabilities
  • Total operating system vulnerabilities

Step 5 — Monitor

While not all of us can drop in a fancy, expensive SIEM to act as a watchdog over all of our systems, basic application logging, error tracking, and metrics collection are free or cheap depending on your cloud provider, and they can easily be enhanced with open source libraries and hosted offerings.

  • Sentry / Rollbar / New Relic
  • Papertrail / Logstash / Loggly
  • Slack and Email
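To show what "basic application code logging" buys you before any SIEM is involved, here is an added example (not code from the original post) that reads constructed application log lines, counts failed logins per source IP inside a sliding window using only the standard library, and returns the alerts a team could forward to Slack or email. The log layout, the threshold and the window size are assumptions.

```python
"""Failed-login monitor (added example, not from the original post).

Parses constructed auth log lines, keeps a sliding window of failures per
source IP, and returns alerts once a threshold is crossed.
"""
import logging
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp level message" layout.
SAMPLE_LOG = """\
2024-05-01T10:00:01 INFO auth login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:03 INFO auth login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:04 INFO auth login_failed user=bob ip=203.0.113.5
2024-05-01T10:00:06 INFO auth login_failed user=carol ip=203.0.113.5
2024-05-01T10:00:07 INFO auth login_failed user=dave ip=203.0.113.5
2024-05-01T10:00:09 INFO auth login_ok user=erin ip=198.51.100.7
2024-05-01T10:30:00 INFO auth login_failed user=erin ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) auth (?P<event>\w+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
FAILED_LOGIN_THRESHOLD = 5      # assumption: 5 failures from one IP ...
WINDOW = timedelta(minutes=1)   # ... within one minute triggers an alert

log = logging.getLogger("security")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(lines, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that crosses the failure threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerted = set()               # avoid repeating an alert for the same ip
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["event"] != "login_failed":
            continue
        q = recent[event["ip"]]
        q.append(event["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and event["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and event["ip"] not in alerted:
            alerted.add(event["ip"])
            log.warning("%d failed logins from %s within %s",
                        len(q), event["ip"], window)
            alerts.append({"ip": event["ip"], "count": len(q),
                           "last_seen": event["ts"]})
    return alerts


def notify(alerts):
    """Stand-in for a Slack or email hook: returns the messages it would send."""
    return [f"[security] {a['count']} failed logins from {a['ip']} "
            f"(last seen {a['last_seen'].isoformat()})" for a in alerts]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for message in notify(detect_bruteforce(SAMPLE_LOG.splitlines())):
        print(message)
```

On the constructed lines, 203.0.113.5 produces five failures within six seconds and is reported once; 198.51.100.7 has a single failure half an hour later and stays quiet. The same loop works on a log tail in production, and the `notify` stub is where the Slack or email integration from the list above would go.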

Step 6 — Defend and Improve

As you discover vulnerabilities and issues, you and your team will fix them, but you should also prevent them from recurring with new controls or processes.

  • Code review and security review
  • Continue Red Team attacks
  • Stress test your application
  • Annual training on cybersecurity
  • Phishing training
  • Talk to your team — sometimes internal cybersecurity incidents can be avoided by simply being friendly with coworkers

Conclusion

(Image: Navigating a forest)

Father, Husband, Engineer, CTO at Libretto, 15+ yrs of software engineering — cameronmanavian.com
