Ignorance is not bliss

If you have seen The Matrix, you will get the reference: Cypher asks to be reinserted into the Matrix and forget everything. He may not know the danger, but it will torment you when you least expect it.
  • Again, stop thinking: “I’m using a super platform. They already take care of security”. Platforms like AWS, GCP, Azure, Wordpress.org, SalesForce, Outsystems, and any other do care about security, but they are not tailored to your business. They are generic tools built to serve all kinds of companies, and to accept every type of business, not only yours, they must leave some gaps open. It is your job to complement the security controls of your application.
  • If you don’t know how to protect your web application, contact a real expert to do it. Yes, this can be expensive, but many security experts provide occasional services. They can tell you the real risks, and once you know them, you can decide what to do (I’ll talk more about this in the future).
  1. Logical process review: think about all the controls the process needs before developing it. Ask the process owner, security experts, and the developer/architect to specify these controls.
  2. Secure code review: analyze the code before it is merged and published. Many SAST tools can help with this, but it is still worthwhile to have a security expert and a senior developer do it manually from time to time.
  3. Security controls in place: ensure the security controls are implemented and configured correctly for your site (tools like a WAF, API gateway, authentication, anti-DDoS, security headers, CDN, reverse proxy, antivirus, system hardening, CASB, and others). These controls must be reviewed continuously.
  4. Run security tests: preferably, do these tests before publishing your application. Many vulnerability scanning tools can help at this stage, but they aren’t perfect; you need a security expert to analyze the results and run advanced tests.
  5. Unexpected-behavior review: analyze the unpredictable behaviors of your application. They can be security breaches, or someone trying to find one. Many observability, DAST and SIEM tools will help here.
  6. Hire someone to hack your web application: there are many ways to do this. Some companies sell security penetration tests; you can have a dedicated Red Team in your company, or hire someone through a bug bounty platform. It is expensive, but this external analysis is necessary when your system supports a critical process of your company.
  7. Have a clear and open channel for receiving security feedback on your site: even with several controls in place to prevent security breaches, users may notice strange behaviors and notify you about them.
  8. Check whether your providers (platforms, data centers, and/or services) also keep their security controls up to date. It is no use investing your time and money if your supplier doesn’t do their part.
