We so often hear from developers that they don’t need to worry about cyber security because they’re too small to be targeted, or because they trust their service providers to take care of it for them. Sound like someone you know? Well, let’s start with a quick synopsis of recent cloud failures that were not targeted attacks and where service providers weren’t a silver bullet. Each of these examples was simply a failure in security hygiene.
Still think you’re above the fray? Well, maybe you are, so the checklist below will just be reassurance that you and your team have already done everything you need to do. Let’s dig in with this set of 5 security practices that can get you going in the right direction.
The CVE databases are great, but are you monitoring your system for known vulnerable packages? Most developers will set up a server and then perhaps update it only a few times a year, leaving the server(s) vulnerable for an extended period of time.
CVE scanners solve this problem by checking the system packages in your operating system against the database and flagging packages that need an update.
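To make the matching step concrete, here is an added example (not code from the original post or from any scanner) of the core of what a CVE scanner does: it takes an inventory of installed packages and an advisory feed, and flags every package whose version is below the first fixed version. The inventory, the feed and the CVE ids are constructed placeholders. The version comparison is deliberately numeric rather than lexical, because string comparison says "1.10" < "1.9" and would produce either missed hits or false alarms; real scanners use the distribution's own algorithm (such as `dpkg --compare-versions` or rpmvercmp), which also handles epochs, letters and `~` suffixes that this simplified version does not.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one constructed feed entry in the shape a CVE database gives:
// the package name, the first version that carries the fix, and the CVE id.
type Advisory struct{ Pkg, FixedIn, CVE string }

// CompareVersions orders dotted numeric versions component by component,
// returning -1, 0 or 1. A plain string comparison says "1.10" < "1.9" and
// would either miss a vulnerable host or raise a false alarm.
// Simplified on purpose: letters, epochs and "~" suffixes are not handled.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0 // a missing component counts as zero, so 1.2 == 1.2.0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Scan matches an inventory of installed packages (name -> version) against the
// advisory feed and returns every package still below its fixed version.
func Scan(installed map[string]string, feed []Advisory) []string {
	var hits []string
	for _, adv := range feed {
		if v, ok := installed[adv.Pkg]; ok && CompareVersions(v, adv.FixedIn) < 0 {
			hits = append(hits, fmt.Sprintf("%s %s < %s (%s)", adv.Pkg, v, adv.FixedIn, adv.CVE))
		}
	}
	return hits
}

// Constructed sample data; the CVE ids are placeholders, not real advisories.
var sampleInstalled = map[string]string{
	"openssl": "1.1.1",  // below the fixed version: must be flagged
	"curl":    "7.10.2", // numerically above 7.9.9 even though it sorts lower as a string
	"nginx":   "1.18.0", // no advisory for it
}

var sampleFeed = []Advisory{
	{"openssl", "1.1.10", "CVE-0000-0001"},
	{"curl", "7.9.9", "CVE-0000-0002"},
	{"bash", "5.0", "CVE-0000-0003"}, // not installed on this host
}

func main() {
	for _, h := range Scan(sampleInstalled, sampleFeed) {
		fmt.Println("needs update:", h)
	}
}
```

Run against the sample data, only openssl is reported; curl is correctly left alone because 7.10.2 is newer than the fixed 7.9.9. The same loop, fed by the distribution's package manager and an up-to-date advisory feed, is what turns "update a few times a year" into a continuous check.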
SSH is meant to be secure and is secure when it is configured correctly. Unfortunately, an error configuring SSH can mean that an attacker can apply a brute-force attack against your node(s). Root access, passwordless login, timeout intervals and updates are all points that need to be managed correctly.
The same is true for any service accessing your server. It’s important to regularly audit your services for threats and vulnerabilities.
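The SSH points listed above (root login, passwordless login, timeout intervals) can be checked mechanically. The following is an added example, not code from the original post or from any product, of a small audit over `sshd_config` text. It applies sshd's own parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, a `Match` block makes everything after it conditional) and falls back to sshd's documented defaults when a directive is absent. The two sample configurations are constructed; the thresholds for `ClientAliveInterval` and `MaxAuthTries` are the example's own choices, not values from the post.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one sshd setting that deviates from the hardened value.
type Finding struct{ Key, Actual, Want string }

// sshd defaults for the audited keys, used when a directive is absent from the file.
var sshdDefaults = map[string]string{
	"permitrootlogin":        "prohibit-password",
	"passwordauthentication": "yes",
	"permitemptypasswords":   "no",
	"clientaliveinterval":    "0",
	"maxauthtries":           "6",
}

// AuditSSHDConfig parses sshd_config text and reports the settings the checklist
// calls out: root login, password and empty-password login, idle timeout and
// login attempts. Only the global section is audited: keywords are case-insensitive,
// the first occurrence wins, and everything after a Match block is conditional.
func AuditSSHDConfig(cfg string) []Finding {
	seen := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(strings.Replace(line, "=", " ", 1)) // "Key=Value" is also legal
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if _, dup := seen[key]; !dup {
			seen[key] = strings.ToLower(fields[1])
		}
	}
	get := func(k string) string {
		if v, ok := seen[k]; ok {
			return v
		}
		return sshdDefaults[k]
	}
	var out []Finding
	for _, k := range []string{"PermitRootLogin", "PasswordAuthentication", "PermitEmptyPasswords"} {
		if v := get(strings.ToLower(k)); v != "no" {
			out = append(out, Finding{k, v, "no"})
		}
	}
	// An interval of 0 never drops abandoned sessions; cap it at five minutes (example threshold).
	if n, err := strconv.Atoi(get("clientaliveinterval")); err != nil || n == 0 || n > 300 {
		out = append(out, Finding{"ClientAliveInterval", get("clientaliveinterval"), "1-300"})
	}
	// Fewer attempts per connection limits password guessing and produces a log entry sooner.
	if n, err := strconv.Atoi(get("maxauthtries")); err != nil || n > 4 {
		out = append(out, Finding{"MaxAuthTries", get("maxauthtries"), "4 or fewer"})
	}
	return out
}

// Constructed sample files (not taken from any real host).
const weakConfig = `
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the first value above, so this later line does not help:
PermitRootLogin no
ClientAliveInterval 0
MaxAuthTries 6
`

const hardenedConfig = `
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
`

func main() {
	for _, f := range AuditSSHDConfig(weakConfig) {
		fmt.Printf("%-24s is %q, want %s\n", f.Key, f.Actual, f.Want)
	}
}
```

The weak sample yields four findings, and note why the duplicated `PermitRootLogin no` does not rescue it: sshd honours the first occurrence, which is exactly the kind of mistake a visual review misses and a parser does not. The same approach extends to any other service's configuration file, which is the regular audit the paragraph above asks for.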
mTLS solves two problems: password management and client-side authentication. There are great tools out there for secrets management, like Vault by HashiCorp. However, a more robust approach than passwords and API keys is to use TLS certificates for both client and server authentication.
The difficulty here is in setting up your own CA. Let’s Encrypt can be used, but it is generally not advisable to use a public CA for your internal infrastructure. There are some reliable private CAs as a service, like WoTT, that can support your needs.
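To show what "your own CA" plus mutual authentication amounts to in practice, here is an added example (not code from the original post, from WoTT or from any CA product) that builds a throwaway private CA in memory, issues one server and one client certificate from it, and runs two connections against a loopback mTLS server: one where the client presents its certificate and one where it does not. All names (`Internal Root CA`, `api.internal`, `deploy-agent`) are constructed. The two settings that matter are `ClientAuth: tls.RequireAndVerifyClientCert` with `ClientCAs` on the server, and `RootCAs` on the client, so that both sides trust only the private CA and not the system store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (that is the private CA); otherwise parent signs it.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // Go matches ServerName against SANs, not the CN
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // nil on the CA so it may sign both server and client leaves
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.DNSNames = nil
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Handshake builds a private CA, a server leaf and a client leaf, runs one
// connection against a loopback mTLS server and returns the client identity the
// server authenticated. withClientCert=false models a caller that trusts the CA
// but presents no certificate of its own: the server must reject it.
func Handshake(withClientCert bool) (string, error) {
	caCert, caKey := issue("Internal Root CA", true, nil, nil, nil)
	srv, srvKey := issue("api.internal", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, caCert, caKey)
	cli, cliKey := issue("deploy-agent", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // both sides trust only this CA, never the system store

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting that makes this mutual TLS
		ClientCAs:    roots,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil { // on failure an alert has already gone to the client
				fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()

	cfg := &tls.Config{RootCAs: roots, ServerName: "api.internal"}
	if withClientCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // with TLS 1.3 a rejected client learns of it here, not in Dial
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}
```

`Handshake(true)` returns `deploy-agent`, the identity the server verified from the client certificate rather than from any password or API key; `Handshake(false)` returns an error because the server refuses to complete the connection. One caveat worth knowing from the code: under TLS 1.3 the client's own handshake finishes before the server has seen its (missing) certificate, so a client that only checks `tls.Dial` for errors and never reads will not notice the rejection. In a real deployment the CA key lives in an HSM or a managed private CA and the leaves are short-lived and rotated, which is the operational burden the paragraph above refers to.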
Firewall configurations seem fairly trivial, yet so often this is the source of massive breaches at large companies (see above Facebook fail). Tracking and managing the appropriate access to servers can be incredibly difficult at scale.
Security Enhanced Linux (SELinux) and AppArmor are Linux kernel security modules that support access control policies and include mandatory access controls. Enabling these tools is a rigorous process but provides hardening at the application level.
SELinux is more sophisticated in its settings but consequently presents more pitfalls to the developer since more decisions need to be made. AppArmor provides similar functionality but requires less customization.
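As an added illustration of the "less customization" AppArmor offers, here is a constructed profile for a hypothetical service binary, `/usr/local/bin/example-api`; it is not from the original post or from any real deployment, and every path in it is a placeholder. It confines the service to its own binary, its configuration (read-only), its own log directory (write-only) and TCP sockets, and denies everything else by default:

```apparmor
# Constructed AppArmor profile for a hypothetical service binary; the paths are
# placeholders, not from any real deployment.
#include <tunables/global>

/usr/local/bin/example-api {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # the service's own binary: read and map as executable
  /usr/local/bin/example-api mr,

  # configuration is read-only; the service never rewrites it
  /etc/example-api/** r,

  # logs are write-only, and only under the service's own directory
  /var/log/example-api/ r,
  /var/log/example-api/*.log w,

  # it serves TCP; no other socket families are granted
  network inet stream,
  network inet6 stream,

  # explicit denials document intent; deny rules are silent unless prefixed with "audit"
  deny /etc/shadow r,
  deny /home/** rw,
}
```

The practical workflow is to load the profile in complain mode first (`aa-complain` from apparmor-utils), let the service run through its normal paths while violations are only logged, refine the profile from those logs (`aa-logprof`), and only then switch it to enforce mode. That is the "rigorous process" mentioned above, and the reason to start with AppArmor's file-and-network rules before taking on SELinux's finer-grained type system.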
So you know what you need to do but that’s only part of the problem. The bigger part of the problem seems to be making sure these things actually get prioritized and handled consistently. We have a few tips for making that happen.
Agile development is too dynamic for retroactive security audits. Build security practice into your team processes and make it part of your DNA. Security does not belong in the hands of a single team; it should be part of a mindset and a culture at the organization level.
Create metrics to measure the security dimension and manage performance accordingly. Behavior is nurtured through culture, metrics and rewards. Find ways to attribute numbers to the security posture of the individual, the team and the asset, and reward your people for making improvements.
Integrate security tools into your tool chain. Companies like Snyk have done an excellent job of auditing dependencies and providing developers with real-time feedback. NIST states that it is at least 10x cheaper to implement security before code is committed. It’s also faster to get things right the first time than to use up product and developer time on bug fixes that are retroactively identified by a security team.
Consider a tool like WoTT to monitor, measure and provide actions to improve security.