Posted by Harshad Janorkar on January 31, 2017
While it is a common misnomer that many firms rely on, it’s never a good security strategy to simply buy the latest security tool and call it a day. Your organization may need to invest in focused employee education and tool deployment before seeing a return on investment. Software security isn’t simply plug and play.
Prior to making a significant investment in deploying a tool that may in fact only solve a small subset of your security issues, take a step back and ensure that your firm is following the top 10 software security best practices:
The majority of attacks exploit known vulnerabilities associated with old, or out-of-date software. Thus, it is critical to ensure that all of your systems have up-to-date patches. This has proven to be one of the most effective practices in thwarting common attacks.
Organizations often think of education and training as unnecessary, or not worth an investment. This practice should be a part of your organization’s security DNA. Having a well-organized and well-maintained security training curriculum for your employees will go a long way in protecting your data and assets.
Attackers resort to heavy automation to detect open ports, security misconfigurations, and so on. There is no way to defend against these attempts using only manual techniques. Your organization should automate day-to-day security tasks such as analyzing firewall changes and device security configurations. This allows your security staff to focus on more strategic security initiatives.
An organization needs to ensure that privileges given to both individuals and systems are the minimum required to perform the job function. This significantly reduces an organization’s attack surface by eliminating unnecessary access rights that may cause a variety of compromises.
No matter how much an organization adheres to best software security practices, there is always the possibility of a breach. Consequently, it is of paramount importance to have a solid incident response (IR) plan in place that may help limit damage inflicted by an attack.
It is important for every organization to have a knowledge repository that includes comprehensively documented security policies. This enables employees of your organization, including network administrators, security staff, etc. to understand what’s taking place and the rationale behind it.
Proper network segmentation is an important practice because it limits the movement of attackers. An organization should identify where its critical data is stored and use appropriate security controls to limit the traffic coming in and out from those network segments.
Integrating software security activities into your organization’s software development life cycle (SDLC) might be a complex and daunting task. While it may require considerable time and effort, it goes a long way in reducing exposure to security risks.
Trust, but verify. Monitoring user activities aids an organization in ensuring that user actions meet best security practices. It also allows for the detection of suspicious activities such as privilege abuse and user impersonation.
Define key metrics that are meaningful and relevant to your organization. This helps in the assessment of your security posture over time.
There is no silver bullet when it comes to securing your organization’s assets. Often, the greatest impact when securing an organization can be achieved by sticking to these security fundamentals.
Get the latest Software Integrity news, thought leadership, and more.