Play 11: Bake in Security at All Levels – Software, Hardware & Deployment

Develop and integrate security planning into SDLC

Integrate software security planning and activities into your organization’s software development life cycle from start to finish. Activities should include architecture risk analysis, static, dynamic, and interactive application security testing, and penetration testing. Planning generally starts with developing and integrating the security plan with the information security team for the enterprise.

digital security icons

Establish and protect the perimeter

  • Firewalls and routers to establish and control the flow of traffic
  • Virtual Private Clouds
  • Virtual Private Networks

Enforce the principle of least privilege

  • Segment the network
  • Limit the extent of administrator access

System hardening and patching

  • Establish server hardening templates to condense attack surface
  • Establish patch management best practices including:
    • Maintain a categorized inventory of network assets
    • Track software sources for updates and patches
    • Test in a staging area or controlled canary release
    • Develop a rollback plan 
    • Assess deployment and either roll back or mitigate for exceptions

open source icons

Establish an open-source software vulnerability management plan

  • Establish a vetting process for new software
  • Create a software repository of approved software 
  • Build the software repository into the CI/CD pipeline

Automate routine security checks

Scan projects against the Common Vulnerabilities and Exposures (CVE) glossary

Prioritize Web application security

Generally, track and follow the guidance of the Open Web Application Security Project® (OWASP), a nonprofit foundation that works to improve the security of software. Specifically, follow the OWASP Web Security Testing Guide. Start by evaluating for the OWASP Top 10 application security risks.

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting XSS
  • Insecure Deserialization
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

CHECKLIST

  • Develop and integrate the security plan with the information security team for the enterprise
  • Move towards Federated Identity Management for enterprise user identity and access control
  • Establish a strong perimeter and minimize what needs to be in the public network
  • Plan to monitor everything using centralized tooling

KEY QUESTIONS

  • Have you established a clear security perimeter around your network resources?
  • Do you have a process for managing access based on the principle of least privilege?
  • Do you have a regular process for applying system updates and security patches?
  • Do you have an open-source software vulnerability management plan?
  • Have you automated routine security checks?
  • Do you have focused security guidelines for securing web applications?