Feb 05, 2020, 05:10 PM

PROCESS

✓ Ask questions and take notes during onboarding
Regardless of the maturity of the onboarding process at your company, whether formal or informal, seize the opportunity to ask questions and take extensive notes. These will be useful as you get settled into your role. Pay extra attention to anything security-related during onboarding. You can compile your observations in a discovery report for an early win.

✓ Automate security as much as possible in the CI pipeline
If your security practices slow down development velocity, they will be seen as a burden rather than as adding value. The best practice today is to take lessons from DevOps and find ways to bring security closer to developers. Leverage tools that can automate security checks and monitoring. Implementing automated SAST/DAST tools, vulnerability dependency scanning, and similar checks will help you catch the obvious flaws before they get into production. Just beware that you’ll have to sift through false positives, and that these tools will not identify flaws in your business logic or flaws that only show up once your applications are in production.
Read more:
- SAST vs. DAST vs. RASP
- SAST, DAST, IAST, and RASP: Pros, cons and how to choose

✓ Automation is key
With the number of tasks required of the first security engineer, you can easily drown under less important tasks, lose track of serious unresolved vulnerabilities, and substantially diminish your incident response capabilities. Automate as much as possible in order to free up valuable time for tasks that actually require human expertise and deeper analysis. Take advantage of the many solutions offered on the market and of the computational analytical power available.
Read more:
- Sqreen
- Security automation is maturing, but many firms not ready for adoption
- Why automation is key for the future of cyber security
- 8 Ways Security Automation and Orchestration Is Transforming Security Operations

✓ Be the point of contact to perform security reviews of architecture
Be available to your engineering team for security reviews of the architecture, and update the architecture documentation regularly. You want your engineering team to come to you and work closely with you on the entire gamut of security needs, so be as present and helpful as possible.
Read more:
- OWASP Application Security Verification Standard Project

✓ Build a process to manage third-party services
Third-party providers and agencies need to be managed from onboarding to offboarding. This entails thorough due diligence before and during the relationship, as well as frequent risk assessments to keep abreast of the level of access the provider has and the potential vulnerabilities involved. The contract termination step is often overlooked and should be prepared for during contract drafting, notably in terms of data migration and access removal. A checklist of all the tasks to be performed during onboarding and offboarding should be set up and regularly updated.
Read more:
- Five Steps to Effectively Managing Third-Party Service Provider Risk
- 9 Best Practices to Jumpstart your Third-Party Management Program
- Vendor Security Assessment Questionnaire

✓ Create a flag for security-related tasks
If your company has an issue tracking system (such as JIRA), make sure that security-related issues can be identified easily, or work with the team managing the system to create a special flag or project. Communicate this new category to your co-workers and clarify how and when to use it. You can also use a dedicated vulnerability management system such as ThreadFix, which can be integrated with JIRA.
This will make addressing and prioritizing security issues much easier for you.
Read more:
- ThreadFix Vulnerability Resolution

✓ Create a security incident response plan
Define what constitutes a security incident and design the response plan outlining the necessary tasks and roles. Share the response plan widely and make sure employees are aware of their roles through regular training and simulation exercises. You don’t want to be in the position of having to wing it during the crucial time after a breach or major incident.
Read more:
- Awesome Incident Response
- 10 steps for a successful incident response plan
- 6 Phases In The Incident Response Plan

✓ Determine who was informally in charge of security before you joined
Even though it may not have been somebody’s specific role, someone was handling security aspects for the company before you started. Take the time to meet early on with this “security champion,” not only to gather precious information about the current state of things, but also to agree on their scope going forward, should they want to stay involved in security tasks. Depending on the company, this person might be the CTO or a security-minded developer.

✓ Enforce a process for security code reviews
Work with your developers to set up a process and a checklist for security code reviews, in order to empower them to run manual and automated security code reviews themselves. Be available to answer their questions and be ready to assist if needed.
Read more:
- Vulnerability Management Process
- OWASP Code Review Guide

✓ Enforce the usage of password managers with strong password policies
With a password manager, your users only need to remember one master password. All other passwords can be long and complex; the password manager takes care of storing them and retrieving them when needed. The password manager can also generate strong random passwords.
Read more:
- Password managers: A cheat sheet for professionals
- Dashlane

✓ Ensure you are looped in on the SDLC
Add some checkpoints to the SDLC so that developer teams think of the security team when they create and update applications. Some tools or checklists ask developers a small set of questions when they start a project, in order to let the security team know how much attention it should pay. For instance, “Is this service going to be exposed on the Internet?” or “Is this service handling customer data?” are questions that can help you quickly get a sense of how involved you need to be on any particular project.
Read more:
- GoSDL

✓ Explore and address the security backlog (if there is one)
Oftentimes, even if vulnerabilities have been reported (in JIRA, for example), they have not been addressed prior to your arrival because people did not know they had to address them, did not realize they needed to be fixed immediately, or did not have or allocate the resources to assess and fix the issues. Getting a handle on the backlog of reported security issues and prioritizing fixes is a good place to start once you understand the systems your company has in place.
Read more:
- 7 common security bug management mistakes and how to avoid them

✓ Fix the most urgent issues
Do not be alarmed or overwhelmed by the number of vulnerabilities uncovered during your audits. Not all of them need to be fixed right away; you can draw up a plan to fix them over time. However, do not defer fixing the most critical issues. If you identify a serious vulnerability during one of the audits or security reviews, pause and fix the issue immediately. If you can’t fix it, mitigate it.

✓ Implement and maintain company security policies and procedures
Draft security policies and procedures for the company and, more importantly, communicate and circulate them. Make sure they are easily accessible and understandable for your co-workers. Set up a process to review and update them regularly, at a set frequency or when a specific event occurs.
Read more:
- 9 policies and procedures you need to know about if you’re starting a new security program
- The Key to Better Cybersecurity: Keep Employee Rules Simple
- Drafting Cyber Security Policy for your Company

✓ Include security in the onboarding/offboarding process for employees
Onboarding and offboarding are important security moments for your company. You’ll want to ensure that new employees put the required security measures in place and that your company follows the appropriate steps for employees who are leaving. Your onboarding checklist should list all the steps you and they need to follow when an employee, contractor, or intern joins your company. A similar list can be used when someone leaves. Ensure that you deprovision all accounts they had access to during offboarding.
Read more:
- Awesome onboarding
- Rippling

✓ List and prioritize your security issues
Compile all the issues you uncovered during the general and specific security audits, then prioritize them by risk. Setting up a vulnerability management system will be helpful.
If no security issues are in the backlog… there is probably a cultural flag here!
Read more:
- Vulnerability vs. risk

✓ Prepare the groundwork for external security tests
Before embarking on independent security assessments and penetration tests, it is good practice to run checks and correct some commonly identified issues (such as missing patches, weak or default passwords, unsupported operating systems, or missing input/output data validation), so that the external auditors’ time and expertise is spent on more subtle issues.
Read more:
- 10 Tips to Reduce Common Vulnerabilities Exploited by Cybercriminals
- How to Fully Leverage your Pentest
- 10 steps to managing a successful network penetration test

✓ Set up and facilitate a public bug bounty program
A bug bounty program allows external hackers to report vulnerabilities. Most bug bounty programs allow you to offer rewards for bugs found. Many of the reports won’t be valuable, and you need security-aware people inside your development teams to evaluate the bugs you receive. These programs are good additions to other security initiatives, as they incentivize people outside your company to share bugs you may have overlooked.
Read more:
- Launching an Efficient and Cost-Effective Bug Bounty Program
- Hackerone

✓ Structure and be the technical resource for your sales team and customers
As a security engineer, you might also be the go-to resource for sales teams that need help filling in security questionnaires. Spend some time retrieving and structuring all the previous requests to save time on future questionnaires.
Read more:
- CSA - Cloud Security Alliance

✓ Take time to learn the specifics of your new company
Don’t just take your experiences at past companies as the go-to model for your new company. While some things will be the same, several aspects will undoubtedly be different, and doing exactly what you’ve done before won’t be as effective. If you’re coming from a more mature company, for example, it’s easy to suffocate an agile startup with heavy security that does not scale well. Security engineers operate inside a business, and understanding that business before enforcing GovAgency-like security measures is key.

✓ Understand how product development happens in your company
As part of your first-week exploration, gather enough information from key stakeholders to have a clear understanding of the product development processes (e.g. steps, key milestones, teams involved, governance structure, etc.). These might be catalogued in documentation or conveyed through detailed oral explanations that should be written down. Deeply understanding the product development processes and the structure of the engineering organization in your company will serve as a basis when you start to introduce security awareness and tasks within the product development lifecycle.
Read more:
- Spotify squads
- Scaling the engineering org at PagerDuty

CULTURE

✓ Be humble and respectful - Kill the shame game!
As a general rule of thumb, adopting a humble and respectful demeanor is a factor of success for every newcomer in an organization. It’s tempting to show off how much you know about security and cyber-splain to everyone how insecure their setup is, if only out of a desire to establish your authority and credentials. But this will backfire on you. Being too hasty and judgmental in pointing out the shortcomings of the company’s security will not earn you the respect of your new colleagues; rather, it will drive them away. Take comfort in the fact that if the company deemed there were no issues, you would not have been hired!

✓ Build relationships with key stakeholders
If it was not included in your onboarding documentation, ask for a list of the key stakeholders in your organization, be they developers, ops, execs, or managers. Your manager might see the value in accompanying you to make introductions. Arrange together to meet with them and discuss their understanding of security, your role, and their concerns.

✓ Don’t create a security awareness program (they don’t work) but… enable and infuse a security culture
Don’t make security a one-day annual training that everyone has to go through and then forgets about. Permanent and contract employees need to be aware at all times of security threats, beginning with how they set and handle their passwords, use their email, and secure their laptops and external drives.
Read more:
- The Fundamental Flaw in Security Awareness Programs
- 7 elements of a successful security awareness program

✓ Hold security trainings for engineers and non-engineers
Liaise with your people team or your CTO to set up targeted security training for all employees, whether they’re engineers or not. The training should not be just a list of instructions, but rather a clear explanation of why certain rules have to be put in place. You can include technical details if necessary, but make them accessible for all skill levels. The training should be part of the onboarding process.
Getting buy-in on the security policies you’re implementing will make them much more effective, and good, empathetic training will help you do that.
Read more:
- Good security trainings

✓ Meet with fellow security engineers from similar companies
The security community is generally a friendly one, and you can learn a lot from other security-minded professionals. If you are not already a member of a professional group in your area, look for security meetups and communities, both online and offline. You could also reach out directly to fellow security engineers, whether in the same line of business as you or not, to exchange ideas about your jobs and responsibilities, or to discuss how they navigated being one of the first security engineers in their organization, if they were.
Read more:
- AppSec meetups
- Information Security Community (LinkedIn group)

✓ Never stop learning!
Security is an ever-changing landscape, so you need to keep yourself updated on practices, tools, zero-day vulnerabilities, patches, etc. It can seem overwhelming, but there are many websites and newsletters from which you can get regular information.
Read more:
- Sqreen blog
- OWASP Top Ten Project
- AppSec USA
- Down the Security Rabbithole
- Inside security

APPLICATION SECURITY

✓ Add a security policy to the website
When security researchers discover vulnerabilities in your company’s web services, they need a way to report them to you properly. By adding a security policy, such as a security.txt file, to your website, you make it easy for them to get in touch about any security issues they uncover. You should state that you support responsible disclosure, which gives you time to assess and fix the reported vulnerabilities.
Not having a clear means of communicating security vulnerabilities means either that they won’t get reported, or that they will get lost in the shuffle of your company’s generic “contact us” inbox.
Read more:
- Open Source Security Page
- https://securitytxt.org

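To see what such a policy file contains in practice, here is an added example (not from the original checklist) that parses a security.txt file in the RFC 9116 format and flags the problems that would stop a researcher from using it: a bare e-mail address instead of a mailto: URI, a missing or stale Expires line, a duplicated single-value field, and no Policy link. The two files it checks are constructed samples; example.com and the URLs in them are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116 format)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample of what a site would serve at /.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Security contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with the mistakes seen most often: a bare e-mail address
# instead of a URI, no Expires, a duplicated single-value field, no Policy.
WEAK_SECURITY_TXT = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: fr
"""

# Field names defined by RFC 9116 (matched case-insensitively).
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}

def _as_utc(value: datetime | str) -> datetime:
    """Accept a datetime or ISO 8601 string ('Z' allowed); return aware UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)

def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values; '#' lines and blanks are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            # Not 'Field: value'; keep it so the checker can report it.
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text: str, now: datetime | str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file looks sound."""
    now_utc = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        # RFC 9116 requires a URI; a bare e-mail address is the usual mistake
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:/https:/tel: URI, got {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _as_utc(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp <= now_utc:
                problems.append("file has expired; researchers may no longer trust it")
            elif exp > now_utc + timedelta(days=366):
                problems.append("Expires is over a year away (RFC 9116 recommends less)")
    if "policy" not in fields:
        # The checklist item above asks you to state your disclosure policy
        problems.append("no Policy field: link your disclosure policy")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    for line in fields.get("_malformed", []):
        problems.append(f"line is not 'Field: value': {line}")
    for name in fields:
        if name not in KNOWN_FIELDS and not name.startswith("_"):
            problems.append(f"unknown field '{name}' (check the spelling)")
    return problems
```
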
✓ Audit your DNS settings
As more and more day-to-day business activities and revenue rely on access to and interaction with your website, it is important to audit your DNS as soon as possible and regularly afterward. Without proper security on your DNS, attackers could extract a list of all your assets or steal your domain names, which would let them run efficient phishing attacks on your customers.
Read more:
- Eight reasons why you should conduct a DNS audit

✓ Audit your applications
Application security is increasingly one of the top security concerns for modern companies. One early audit you’ll need to do is of your applications. You’ll want to gather answers to questions like:
- Are your applications using vulnerable or outdated dependencies?
- Are they accessing the database?
- Are they handling authentication?
- Do they rely on a framework (Rails, Symfony) or are they using in-house components?
Read more:
- Use Sqreen during your audit to find and remediate issues faster
- Web Application Security Testing Cheat Sheet
- OWASP Top Ten Project
- Auditing Applications, Part 1
- Auditing Applications, Part 2

✓ Enforce two-factor authentication
Everyone at your company should use two-factor authentication. By adding 2FA, you add an extra layer of security: should a co-worker’s password get stolen, the attacker would still be locked out unless they also had access to the second factor (e.g. a phone app or text message). Phones are the most commonly used device for second factors, and thus have to be secured accordingly (e.g. with passcodes or biometrics). Another option is purpose-built hardware 2FA, like YubiKeys.
Read more:
- Duo Security
- Auth0
- What is two-factor authentication (2FA)?

✓ Ensure that your dependencies are secure
Infuse security into all steps of the product development process, not just the testing phase. Security-minded developers should check the dependencies in your applications for known bugs and vulnerabilities before using them, and keep them updated when zero-days are found or patches become available.
Read more:
- 13 tools for checking the security risk of open-source dependencies
- Security alerts on Github
- Sqreen
- Snyk

✓ Help engineering and business teams protect sensitive business logic
The attacks representing the most significant business risk for organizations are often attacks targeting sensitive business functions of applications rather than common vulnerabilities. Work with business and engineering teams to identify the biggest threats and implement monitoring and protection solutions that automatically remediate them.
Read more:
- Use security playbooks to protect your business logic

✓ Make sure everything is properly encrypted
When it comes to cryptography, don’t roll your own; use accepted standards instead. Encrypt everything, including the computers and mobile devices handed out to employees during the onboarding process. Turn on encryption for on-site and cloud backups. Use HTTPS to protect the users of your applications.
Read more:
- Let’s Encrypt
- Microsoft encryption
- macOS encryption

✓ Protect your applications in production
Doing as much as you can to catch security vulnerabilities pre-production is helpful, but without the full context of runtime you won’t be able to catch everything. Protecting and monitoring your applications in production, in real time, can greatly improve your security posture. Tools like RASPs and ASM platforms give you visibility into the security of your production applications and help you stay on top of what’s going on.
Read more:
- Sqreen

✓ Retrieve and audit your backups or set up new backups
In today’s business world, company data is the most precious asset, and backups are therefore crucial. Check the integrity of previous backups and make sure the settings are correct for future backups, with sufficient storage space and backup frequency. If there are no backups, set them up immediately.

✓ Secure your emails with DMARC
Email is usually a weak spot for attacks, especially via phishing and spoofing. A single email can do serious damage if it hits the wrong person at the wrong time. You can implement DMARC (Domain-based Message Authentication, Reporting and Conformance) to help protect your users from fraudulent emails. DMARC can be the technical counterpart to the security training you should be holding to help your co-workers spot and avoid dangerous emails.
Read more:
- DMARC
- How to Set Up and Implement DMARC Email Security
- Build Your DMARC Record in 15 Minutes
- OnDMARC

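Before publishing a DMARC record, it helps to know what each tag actually buys you. The added example below (not part of the original checklist) parses the TXT record you would publish at _dmarc.<domain> and grades it, contrasting a constructed monitor-only record with the hardened record the same domain would move to; the example.com mailbox is a placeholder, and you would fetch the live record with your own DNS tooling.

```python
"""Parse a DMARC TXT record and report how much protection it really gives."""
from __future__ import annotations

# Constructed samples of the TXT record published at _dmarc.<your-domain>.
# A monitor-only record that many companies publish first and never tighten:
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
# The same domain after moving to enforcement with aggregate reporting:
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.com; fo=1"
)

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # higher is stronger

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means enforcing and reporting."""
    findings: list[tuple[str, str]] = []
    tags = parse_dmarc(record)
    # Receivers ignore the whole record unless v=DMARC1 is the first tag.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        findings.append(("error", "record must start with v=DMARC1, otherwise receivers ignore it"))
    policy = tags.get("p")
    if policy is None:
        findings.append(("error", "missing required p= tag"))
    elif policy not in POLICY_RANK:
        findings.append(("error", f"unknown policy p={policy}"))
    elif policy == "none":
        findings.append(("high", "p=none only monitors: spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine sends spoofed mail to spam instead of rejecting it"))
    # Subdomains inherit p= unless sp= overrides it; a weaker sp= is an easy spoofing path.
    sub = tags.get("sp")
    if sub is not None and policy in POLICY_RANK:
        if sub not in POLICY_RANK:
            findings.append(("error", f"unknown subdomain policy sp={sub}"))
        elif POLICY_RANK[sub] < POLICY_RANK[policy]:
            findings.append(("high", f"subdomains get the weaker sp={sub} policy"))
    pct = tags.get("pct", "100")  # the default is 100 when the tag is absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(("error", f"pct= must be 0-100, got {pct!r}"))
    elif int(pct) < 100:
        findings.append(("medium", f"pct={pct}: the policy is applied to only {pct}% of failing mail"))
    rua = tags.get("rua")
    if rua is None:
        findings.append(("low", "no rua= address: no aggregate reports on who sends mail as your domain"))
    elif not all(uri.strip().startswith("mailto:") for uri in rua.split(",")):
        findings.append(("error", "rua= entries must be mailto: URIs"))
    for tag in ("adkim", "aspf"):  # alignment modes; relaxed (r) is the default
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(("error", f"{tag}= must be r (relaxed) or s (strict)"))
    return findings

def worst_severity(record: str) -> str:
    """Summarise a record as 'ok', 'low', 'medium', 'high' or 'error'."""
    order = ["ok", "low", "medium", "high", "error"]
    return max((sev for sev, _ in check_dmarc(record)), key=order.index, default="ok")
```
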
✓ Structure secrets management
Secrets, such as private keys, are extremely sensitive data and must not be stored unprotected. They should be securely stored in a vault; some vaults can manage certificates as well.
Secrets committed in an application’s source code should also be tracked down and moved elsewhere.
Read more:
- Vault Project
- AWS CloudHSM
- OWASP key management cheat sheet
- An Introduction to Managing Secrets Safely with Version Control Systems
- TruffleHog

✓ Think about centralized authentication
The benefit of centralized authentication for users is having a single set of credentials for all their applications. From a security standpoint, it lets you handle only one account and removes the risk of forgetting to disable an account during offboarding. It also saves time during onboarding by removing the need to create lots of accounts for new employees.
Read more:
- Five Lessons We Learned on Our Way to Centralized Authentication
- Centralized Linux Authentication

INFRASTRUCTURE SECURITY

✓ Protect your infrastructure from intrusions
Make sure to follow the latest security releases and update your infrastructure as soon as they become available. Keeping servers off public IP addresses (e.g. in a VPC) and rate limiting authentication services are some of the measures that can be implemented to protect your servers, and consequently your applications.
Read more:
- Sqreen
- ThreatStack
- 7 Security Measures to Protect Your Servers

✓ Start thinking about physical security and hardware protection
Attackers can do a lot of damage very quickly if they get physical access to your company’s or employees’ hardware. Assess the risks to your company’s hardware and implement some best practices around physical security protection.
Read more:
- 7 physical security practices every business should implement

✓ Perform a security review of your architecture
Review the elements of your architecture and the interfaces between them. Using the list of assets you were given or compiled earlier, you should be able to map the elements, draw the interconnections, and identify flaws in communication protocols, server configurations, and database choices.
If you use Sqreen, you can also leverage the security flow map to get a real-time view of your applications and their security status.
Read more:
- Application Architecture Review
- AWS security best practices

MONITORING

✓ Assess the completeness and accuracy of your company’s assets list
As a first step, assess the availability and freshness of your asset information. Is there a list of the hardware? Is there a list of the applications and services used within your company? Is there an employee directory and a list of all user accounts? Is there a list of third-party providers and their contracts? When were these lists last updated?
The employee directory might be the easiest to retrieve, as your people department should be able to provide up-to-date records with the dates of everyone joining and leaving the company. As for the other lists, you will probably have to build them, or update them if they already exist.

✓ Audit your SaaS providers
Know your SaaS services! Security is a major concern when it comes to SaaS. Examine the settings and SLAs of your SaaS services, whether application, platform, or infrastructure, and compare them with what was agreed to in the contracts. Take note of flaws in the contracts so you can renegotiate them if needed. SaaS providers might be reluctant to be audited beyond providing documentation of their policies and procedures. Prioritize audit requests based on the criticality of the service or the sensitivity of the data. Ensure they comply with privacy-related legislation such as GDPR.
Read more:
- Audit of the top 1000 SaaS providers
- Assessing SaaS security: A top down approach

✓ Build a security dashboard
Create a security dashboard to give you an overview of the security efforts, or implement a tool that will do it for you. Avoid manual reporting: all data should be provided automatically by the solutions you use.
Read more:
- The Top 10 Tips for Building an Effective Security Dashboard
- Sqreen

✓ Evaluate your third-party providers
Now that you have a list of your third-party providers and a process in place for evaluating them, conduct thorough assessments of your existing third-party providers to make sure they are secure. Renegotiate contracts to strengthen the security responsibilities of your providers and the service levels required.
Read more:
- Security of SaaS Companies

✓ Perform deeper vulnerability testing, risk analysis and security assessments
Once you have a baseline audit of your company’s security across the major areas, schedule deeper tests and assessments in all areas (infrastructure, applications, people). These will give you a complete picture and the baseline you need to make strategic security decisions.

✓ Perform your first security audit
Design and perform your first security audit to understand the most critical security vulnerabilities within your company. This first audit should be broad in scope but not too detailed, as other more thorough audits will be performed later for specific areas. Breadth over depth here will give you a high-level understanding of where the burning platforms are and which areas need your attention first.
Read more:
- How to Conduct an Internal Security Audit in Five Simple, Inexpensive Steps
- Prioritizing Your Security – Where Do You Begin?

✓ Protect against Denial of Service attacks
DoS and DDoS attacks can be devastating for a business’ bottom line. Depending on your business, disruption to the availability of your service could make you lose out on revenue or impact your customers. Taking action to protect your systems and mitigate the effects of these types of attacks is key.
Read more:
- AWS Shield
- DDoS protection, mitigation and defense: 7 essential tips
- Best DDoS protection of 2019

✓ Set up a centralized logging platform
Logs are a valuable asset for getting signals from your production environment and for investigating suspicious activity or a security breach. A centralized log platform helps you make the most of the analytics potential held in your logs and provides a view across all themes (applications, network, users, etc.).
Read more:
- Logging Cheat Sheet
- Choosing the Best Log Management Tool for Your System
- Centralized Logging on AWS
- 30 best practices for logging at scale

✓ Update or build the list of applications
If you have been handed a list of the applications in use within your company, make sure it is up to date. If not, take time immediately to update the information about the major applications first, and schedule some time a bit later to update the rest of the list comprehensively, as soon as possible.
If there is no application list, you should prioritize building it.
Ask which employees have (or previously had) admin rights to install software themselves on their computers, and identify the shadow IT within your company.
Read more:
- Sqreen’s security flow map

✓ Update or build the list of devices
If you have been handed a list of the devices, make sure it is up to date, or take time to update the information on exposed machines first and schedule a thorough update of the list as soon as possible.
If the company has a BYOD policy, list those devices as well, with the identity of each employee. If there is no device list, you should build it.
The list should at least include information such as IP address, type of device, and physical location, if appropriate.
Read more:
- Mobile Device Management Best Practices
- Securing Laptops and Mobile Devices

✓ Update or build the list of services exposed to the Internet
If you have been handed a list of the exposed services, make sure it is up to date, or take time to update the information on exposed machines first and schedule a thorough update of the list as soon as possible. One good way to create this list is to use the cloud provider’s APIs (e.g. AWS, to list Route 53 domain names or EC2 instances).
Read more:
- SaaS CTO Security Checklist

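As an added example (not the checklist’s own code), the functions below build that list from the data the AWS APIs return: they take the Reservations from EC2 DescribeInstances and the ResourceRecordSets from Route 53 ListResourceRecordSets, map every public DNS name to the running instance behind it, and separate out A records pointing at addresses the account does not run and public instances that no DNS name references. The two inputs embedded here are constructed samples shaped like the real responses; the 203.0.113.0/24 addresses, instance ids and zone id are placeholders.

```python
"""Inventory of Internet-exposed services from AWS API responses."""
from __future__ import annotations

import ipaddress

# Constructed sample shaped like ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.10",
         "Tags": [{"Key": "Name", "Value": "web-1"}]},
        {"InstanceId": "i-0bbb", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.11",
         "Tags": [{"Key": "Name", "Value": "jumpbox"}]},
        # Private-only instance: no PublicIpAddress key at all
        {"InstanceId": "i-0ccc", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "db-1"}]},
        # Stopped instance: its address is not reachable right now
        {"InstanceId": "i-0ddd", "State": {"Name": "stopped"},
         "PublicIpAddress": "203.0.113.12"},
    ]},
]

# Constructed sample shaped like route53.list_resource_record_sets()
# ["ResourceRecordSets"] for the zone example.com (names end with a dot).
SAMPLE_RECORD_SETS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "www.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    # Points at an address no running instance owns: stale or external, check it
    {"Name": "old.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.99"}]},
    # Route 53 alias record (to a load balancer): no ResourceRecords key
    {"Name": "app.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "my-alb-123.eu-west-1.elb.amazonaws.com.",
                     "HostedZoneId": "ZEXAMPLE", "EvaluateTargetHealth": False}},
    {"Name": "blog.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "example.ghost.io."}]},
]

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def public_instances(reservations: list[dict]) -> dict[str, str]:
    """Map public IP -> label for running instances that have a public address."""
    ips: dict[str, str] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            ip = inst.get("PublicIpAddress")
            if not ip or inst.get("State", {}).get("Name") != "running":
                continue
            name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
            ips[ip] = f"{inst['InstanceId']} ({name})" if name else inst["InstanceId"]
    return ips

def exposed_hostnames(record_sets: list[dict]) -> dict[str, list[str]]:
    """Map hostname -> targets for A/AAAA/CNAME and alias records (NS, MX, TXT... skipped)."""
    hosts: dict[str, list[str]] = {}
    for rr in record_sets:
        if rr["Type"] not in ("A", "AAAA", "CNAME"):
            continue
        name = rr["Name"].rstrip(".")
        if "AliasTarget" in rr:
            hosts[name] = ["alias:" + rr["AliasTarget"]["DNSName"].rstrip(".")]
        else:
            hosts[name] = [r["Value"].rstrip(".") for r in rr.get("ResourceRecords", [])]
    return hosts

def build_inventory(reservations: list[dict], record_sets: list[dict]) -> dict[str, list[dict]]:
    """Correlate DNS names with running instances and sort out what needs a follow-up."""
    ips = public_instances(reservations)
    hosts = exposed_hostnames(record_sets)
    inventory: dict[str, list[dict]] = {"named": [], "unmatched_dns": [], "unnamed_ips": []}
    referenced: set[str] = set()
    for host, targets in sorted(hosts.items()):
        for target in targets:
            entry = {"host": host, "target": target, "instance": ips.get(target)}
            if target in ips:
                referenced.add(target)
                inventory["named"].append(entry)
            elif _is_ip(target):
                inventory["unmatched_dns"].append(entry)  # address we do not run: verify
            else:
                inventory["named"].append(entry)  # CNAME/alias to another service
    for ip, label in sorted(ips.items()):
        if ip not in referenced:
            inventory["unnamed_ips"].append({"ip": ip, "instance": label})
    return inventory
```

To run it against a real account, pass the concatenated page["Reservations"] from boto3’s describe_instances paginator and the page["ResourceRecordSets"] from the list_resource_record_sets paginator of each hosted zone.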
✓ Update or build the list of third-party providers
You will need to know every company or individual that has direct or indirect access to the company’s systems or sensitive data. Build or update the list of third-party providers and their contract data. One critical piece of information is the date of contract renewal or termination and the data they have access to. You will also need to know how the provider’s teams access the systems and which rights are assigned to them.
Having a clear understanding of the ways third-party providers can and do access your systems and data is central to building the appropriate security measures on this front.
563this front.