Develop and integrate security planning into SDLC
Integrate software security planning and activities into your organization’s software development life cycle from start to finish. Activities should include architecture risk analysis, static, dynamic, and interactive application security testing, and penetration testing. Planning generally starts with developing and integrating the security plan with the information security team for the enterprise.
Establish and protect the perimeter
- Firewalls and routers to establish and control the flow of traffic
- Virtual Private Clouds
- Virtual Private Networks
Enforce the principle of least privilege
- Segment the network
- Limit the extent of administrator access
System hardening and patching
- Establish server hardening templates to reduce the attack surface
- Establish patch management best practices, including:
  - Maintain a categorized inventory of network assets
  - Track software sources for updates and patches
  - Test in a staging area or controlled canary release
  - Develop a rollback plan
  - Assess each deployment and either roll back or mitigate exceptions
Establish an open-source software vulnerability management plan
- Establish a vetting process for new software
- Create a software repository of approved software
- Build the software repository into the CI/CD pipeline
Automate routine security checks
- Scan projects against the Common Vulnerabilities and Exposures (CVE) list
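The approved-repository gate and CVE scan described above, as an added example that is not part of the original guidance: a pipeline stage that fails the build when a dependency is unpinned, not in the vetted repository, or below the version in which a CVE was fixed. The allowlist, CVE records (placeholder ids) and manifest are constructed, and versions are assumed to be dotted integers.

```python
# Added example (not from the original guidance): a CI/CD gate that checks a
# dependency manifest against the approved-software repository and known CVEs.
# Data is constructed, CVE ids are placeholders, versions are dotted integers.

# Constructed allowlist: package -> versions vetted into the approved repository.
APPROVED = {"requests": {"2.31.0", "2.32.3"}, "pyyaml": {"6.0.1"}, "jinja2": {"3.1.4"}}

# Constructed CVE records; a real gate would load these from the CVE/NVD feed.
CVE_RECORDS = [{"id": "CVE-PLACEHOLDER-1", "package": "pyyaml", "fixed_in": "6.0.1"}]


def parse_version(version):
    """Turn '6.0.1' into (6, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Read 'name==version' lines (comments and blanks ignored); unpinned names map to None."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            deps[name.strip().lower()] = version.strip() or None
    return deps


def check_manifest(text):
    """Return one finding per policy violation; an empty list means the build may proceed."""
    findings = []
    for name, version in parse_manifest(text).items():
        if version is None:
            findings.append(f"{name}: not pinned to an approved version")
            continue
        if version not in APPROVED.get(name, set()):
            findings.append(f"{name}=={version}: not in the approved software repository")
        for rec in CVE_RECORDS:
            if rec["package"] == name and parse_version(version) < parse_version(rec["fixed_in"]):
                findings.append(f"{name}=={version}: affected by {rec['id']} (fixed in {rec['fixed_in']})")
    return findings


# Constructed manifest: one approved pin, one vulnerable pin, one unvetted package, one unpinned.
MANIFEST = """\
requests==2.31.0
pyyaml==6.0.0        # approved package, but below the fixed version
left-pad==1.0.0      # never vetted into the repository
jinja2               # unpinned
"""

if __name__ == "__main__":
    problems = check_manifest(MANIFEST)
    print("\n".join(problems) or "OK")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```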
Prioritize Web application security
Generally, track and follow the guidance of the Open Web Application Security Project® (OWASP), a nonprofit foundation that works to improve the security of software. Specifically, follow the OWASP Web Security Testing Guide. Start by evaluating for the OWASP Top 10 application security risks.
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
CHECKLIST
- Develop and integrate the security plan with the information security team for the enterprise
- Move towards Federated Identity Management for enterprise user identity and access control
- Establish a strong perimeter and minimize what needs to be in the public network
- Plan to monitor everything using centralized tooling
KEY QUESTIONS
- Have you established a clear security perimeter around your network resources?
- Do you have a process for managing access based on the principle of least privilege?
- Do you have a regular process for applying system updates and security patches?
- Do you have an open-source software vulnerability management plan?
- Have you automated routine security checks?
- Do you have focused security guidelines for securing web applications?