Security Best Practices
Introduction
Be aware that no system is secure. The best you can ever hope for is secure enough. As such, good security is an exercise in risk management. To manage security well, you need to understand the risks you are exposed to, their impact, the possible mitigation strategies available to you and the costs of such mitigation. Your business can then decide on what level of risk it wants to accept.
That being said, there are many straightforward best practices you can learn that provide a good foundation for making security integral to your systems. Having a good, secure foundation for your software and systems development allows you to concentrate on more strategic security decisions and be more confident that your system is safe.
Those two paragraphs seem a bit too full of flowery language, so here are two more concrete examples:
- If you are developing a travel blog, you will think about security very differently to a bank. Someone is less likely to want to spend a lot of time and effort hacking a travel blog. If your blog is hacked, the consequences are limited. Therefore your business’ level of acceptable risk may be higher, and the amount of time and effort you want to put in to ensuring every aspect of your business is secure may be lower. A bank, however, may be exposed to large financial and reputational losses if they are hacked. They will probably want to (and be legally required to) spend much more time and energy making sure that their systems are safer from malicious actors.
- With a good foundation of security best practices, you can spend more time on strategic decisions: Do you want a user to be able to set any password they like and reset it easily? This is more user friendly. Users will complain less, marketing conversions will be higher, password reset support requests will be lower. Or, do you want a password strength policy to be included, have a two-stage login process with a 2-factor authentication time-generated PIN, or a hardware security device? Are your users required to send a photo of some government ID before they register? Both decisions are secure enough for different organisations with different risk profiles.
Security Foundations
Get Educated
Look for expert advice and best practices. Organisations like NIST can provide a good framework for teams wanting to start taking security seriously. Look for good security information for each system and tool you use.
Keep Informed
Be aware of security update channels for all the components of your system. For example, Ruby has a Google Groups mailing list and Rails has a similar group for security updates. These vulnerabilities will usually be assigned CVE records, a system used by many other software developers.
Your OS distro will have something similar. Any other part of the system may have other avenues to notify users when important security issues have been identified. Make sure you know how to keep informed, and ensure that you are ready to apply security patches to software whenever they are available.
Develop Securely
Always be considering security
Security is an aspect of systems that you need to consider at every stage of the development lifecycle: gathering requirements, development, testing and production & maintenance. It’s far harder to add security as an afterthought or second phase of the process.
Secure all the things
Securing a system involves securing ALL THE THINGS. You need to secure everything, everywhere. That means:
- ensuring your application logic is safe and does not allow unauthorised or unauthenticated actions
- ensuring your application framework and the software components you use are safe
- ensuring your application environment (like your Docker build) is secure
- securing the OS you are running on
- securing the network you use
- checking the security of any third party systems and services you use.
And it doesn’t end there. Even if all your IT systems are secure, if your building security is not, someone could gain physical access to your infrastructure and still attack you. If your building is secure, you might still be subject to a social engineering attack such as a phishing scam or a phone call from an impersonator.
Someone trying to compromise your system needs to find just one vulnerability anywhere in any component of any part of your system. You need to protect them all.
So, you need to be as diligent and thorough as possible. Adding many layers of protection will help make life as difficult as possible for an attacker. If you practice defence in depth, it is more likely that a single vulnerability won’t lead to more significant problems. If you are relying on one layer of protection, and it is compromised, your entire system becomes vulnerable. If you have layers upon layers of security, it’s easier to limit the damage.
Use open, well established, well reviewed security practices where possible. Don’t try to roll your own encryption algorithm or build your own door lock. Where possible, use tools already created and certified by experts, ones that have been tested in the field.
On a similar note, don’t rely on obscurity to protect your system. Many security protocols, tools and practices can be guessed. If you are relying on an attacker not knowing how your system is secured, you may be overconfident in its security. Assume an attacker knows all about your system, and make it secure anyway.
Test
As well as security being an integral part of regular acceptance testing, security professionals with expertise in finding vulnerabilities can look for problems or ethically hack your systems.
Have a plan
Have a plan in place for responding to security events. For example, have an emergency patch/update release plan that lets you fix critical vulnerabilities quickly.
What will you do if an active security problem is detected? Think:
- People. Who needs to get involved with various different security issues? What response times do you need?
- Procedures for investigation and response. How will you find and close a vulnerability if your system is currently under attack? Have a backup/recovery plan. If a system is compromised, how will you recover data quickly, and get compromised parts of your system back into a known good state as quickly as possible?
- Mitigation of loss. How do you reduce damage caused by a vulnerability? For example, if you have a crypto wallet, do you have hot and cold storage? Do you split your assets across multiple wallets so no single wallet causes a 100% loss?
- Protection of assets. Can you quickly take assets offline to limit your exposure, once a problem is discovered? Is your data encrypted, so that even after a data leak, your risk is reduced?
Monitor
A building might have a security guard patrolling the perimeter and CCTV cameras to ensure a site is secure. An IT system has many ways of monitoring for security threats and responding appropriately.
Some tools that fall under this category include Cloudflare, canaries, honeypot systems, monitoring of failed login attempts, as well as general systems monitoring that detects unusual activity. Monitoring access requests and logs (and keeping those logs for possible forensic analysis later) is good practice.
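The failed-login monitoring mentioned above, as an added Ruby example that is not part of the original article: it reads login records, keeps a sliding window of failures per source address and reports any address that crosses a threshold. The log format, the addresses and the threshold are constructed for the example, not taken from any real tool.

```ruby
# Added example: flag source addresses with too many failed logins in a
# sliding time window. The log line shape below is a constructed,
# simplified format for this example, not any real product's output.
require 'time'

LOGIN_RE = /\A(?<ts>\S+) login (?<result>FAIL|OK) user=(?<user>\S+) ip=(?<ip>\S+)\z/

# Parse one line; returns nil for lines that do not match the expected shape
# (malformed or unrelated records are skipped rather than raising).
def parse_login_line(line)
  m = LOGIN_RE.match(line.strip)
  return nil unless m
  { ts: Time.iso8601(m[:ts]), result: m[:result], user: m[:user], ip: m[:ip] }
end

# Returns { ip => time the threshold was first crossed } for every source
# address with at least `threshold` failures inside `window_s` seconds.
def brute_force_suspects(lines, threshold: 5, window_s: 60)
  failures = Hash.new { |h, k| h[k] = [] } # ip => timestamps, oldest first
  alerts = {}
  lines.each do |line|
    ev = parse_login_line(line)
    next unless ev && ev[:result] == 'FAIL'
    q = failures[ev[:ip]]
    q << ev[:ts]
    # Sliding window: discard failures older than window_s before counting.
    q.shift while q.first && ev[:ts] - q.first > window_s
    alerts[ev[:ip]] ||= ev[:ts] if q.size >= threshold
  end
  alerts
end

# Constructed sample log (documentation IP ranges, made-up users/timestamps).
SAMPLE_LOG = <<~LOG.lines
  2024-01-01T10:00:00Z login FAIL user=alice ip=203.0.113.7
  2024-01-01T10:00:05Z login FAIL user=alice ip=198.51.100.9
  2024-01-01T10:00:10Z login FAIL user=alice ip=203.0.113.7
  2024-01-01T10:00:20Z login FAIL user=bob ip=203.0.113.7
  2024-01-01T10:00:30Z login FAIL user=carol ip=203.0.113.7
  2024-01-01T10:00:35Z login FAIL user=bob ip=198.51.100.9
  2024-01-01T10:00:40Z login FAIL user=dave ip=203.0.113.7
  2024-01-01T10:00:45Z login OK user=alice ip=192.0.2.10
  this line is not a login record and is ignored
  2024-01-01T10:02:00Z login FAIL user=alice ip=198.51.100.9
  2024-01-01T10:02:30Z login FAIL user=alice ip=198.51.100.9
  2024-01-01T10:02:45Z login FAIL user=alice ip=198.51.100.9
LOG

brute_force_suspects(SAMPLE_LOG).each { |ip, t| puts "ALERT #{ip} at #{t.iso8601}" }
```

With the defaults only 203.0.113.7 is reported (five failures within 40 seconds); 198.51.100.9 spreads its failures over more than a minute, so it only shows up if the threshold is lowered.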