<h2 class="editor-heading-h2 ltr" dir="ltr">People</h2>The first component is people. Your team is your biggest asset and your biggest risk. If you have a secure system, but the people using it are not properly trained, then the system is not secure. This is why it is important to have a good security policy in place. This policy should be enforced by management and should be followed by all employees.<h3 class="editor-heading-h3 ltr" dir="ltr">Device Management Policy</h3>The first part of your security policy should be a device management policy. This policy should cover the following topics:<ol class="editor__ol1"><li value="1" class="editor__listItem ltr" dir="ltr">Device Ownership </li><li value="2" class="editor__listItem ltr" dir="ltr">Device Encryption</li><li value="3" class="editor__listItem ltr" dir="ltr">Device Locking and Strong Passwords</li><li value="4" class="editor__listItem ltr" dir="ltr">Device Backups </li></ol><h3 class="editor-heading-h3 ltr" dir="ltr">Social Hacking</h3>Social hacking is a big problem. It is a problem that is not talked about enough. Social hacking is when someone tricks you into giving them information. This can be done in many ways, but the most common way is through phishing. Phishing is when someone sends you an email that looks like it is from a trusted source, but it is not. The email will ask you to click on a link, or open an attachment. If you do this, then you are giving the hacker access to your computer. This is why it is important to have a good security policy in place. This policy should be enforced by management and should be followed by all employees.Conducting phishing tests is a good way to test your employees. This will help you find out who is following the security policy, and who is not. This way you can train the employees who are not following the security policy.<h4 class="editor-heading-h4 ltr" dir="ltr">Identity Verification</h4>Many companies have remote employees. These employees are not in the office every day. This is why it is important to have a good identity verification policy in place. This policy should be required before any sensitive data is shared with the employee or a password is given to the employee.<h2 class="editor-heading-h2 ltr" dir="ltr">Vendors</h2><h3 class="editor-heading-h3 ltr" dir="ltr">Cloud Infrastructure</h3>When you are using cloud infrastructure, you are trusting the vendor to keep your data safe. Cloud infrastructure is a shared-security model. This means that the vendor is responsible for the security of the infrastructure, and you are responsible for the security of your data.<h3 class="editor-heading-h3 ltr" dir="ltr">Software as a Service (SaaS)</h3>When you are using SaaS, you are trusting the vendor to keep your data safe. Having a good vendor management policy and onboarding process is important. Industry standards like SOC 2 and ISO 27001 are a good places to start to verify that the vendor is following good security practices.<h2 class="editor-heading-h2 ltr" dir="ltr">Application</h2>Don’t store secrets in code.If secrets are stored in code, they are visible to all the developers working on a code repository. They also get stored in code version history and make the organization vulnerable to unauthorized access, especially if these secrets are not changed when users leave the organization. Many of the secrets provide programmatic access to the production environment that allows bad actors to access the production environment. Moreover, in case of a breach, it becomes extremely hard to attribute the breach to a specific actor.Learn, and follow basic application security guidelines.Open Web Application Security Project (OWASP), SANS, and others provide industry-standard guidance on the most common application security issues with specific cheat sheets. Provide developers with security guidelines to minimize application-related vulnerabilities and avoid common mistakes.Encrypt data in transit and at rest.Traffic encryption using TLS or IPSec defeats many network-related attacks with minimal overhead, especially mutual TLS. Utilize it for all internal and external communications. A good resource to verify external facing TLS level security configuration and settings are optimized is SSL Labs. Strive for an A/A+ rating on the SSL Labs test report. Any data repositories which have sensitive data should be encrypted by default. Better yet, consider using a cloud provider for storing sensitive data and do not store any sensitive consumer information - e.g., tokenization services. When storing sensitive data, consider encrypting the data repository; at a minimum, use the built-in encryption offered by many cloud providers; preferably, implement column or row-level encryption.Run applications as unprivileged users.Running applications as unprivileged users limits the potential damage of a successful attack against the application. If the application runs as an unprivileged user, the attack is not as likely to compromise the entire system, reducing the impact and the likelihood of a major incident. Compromise of applications running as privileged users, e.g., root, on the other hand, generally results in a total system compromise.Only use up-to-date and trusted third-party components for the software developed by the organizationThird-party components can be malicious. E.g. Bitcoin miners or those which contain security vulnerabilities that could be exploited, particularly if the code in question is running on a publicly accessible system, resulting in exposure for organizations using them. Use of known/reputable third-party components, which are regularly updated is recommended. Code repository tools like GitHub provide third-party dependency vulnerability alerting for common languages. This should be enabled to ensure that code contributors to specific repos are aware of the security vulnerabilities in third-party dependencies.Adopt and deploy Secure Development LifecycleIt is important to establish a Software Development Lifecycle (SDLC) which incorporates security and privacy, early on. This could be as simple as having security and privacy reviews as a section in any of the tech specs or product requirement Documents.Perform security assessments as part of product development.New and existing features should be tested for security vulnerabilities, both at the application level and the infrastructure supporting the feature. Depending on the severity of the vulnerability, require remediation prior to release.

A brief introduction to three main pillars of security for software organizations: people, vendors, and the application layer.

A Brief Introduction to Security for Software Organizations

ShortIdPostQuery

query ShortIdPostQuery(
  $shortId: String!
) {
  home {
    blogPost(shortId: $shortId) {
      id
      title
      tags
      publishedAt
      richTextContent {
        contentHtml
      }
      ...PostView_record
    }
  }
}

fragment PostView_record on BlogPost {
  id
  title
  summary
  publishedAt
  category {
    id
    name
  }
  richTextContent {
    content
    contentHtml
    formatVersion
    format
  }
}


SecurityA Brief Introduction to Security for Software Organizations