Importance of Server/Application/Code Security
Got an opportunity to be a part of Yes #FINTECHACK workshop organised by YES Bank for startups. It was indeed a fruitful session and worth spending 2 hours on it.
One of the speakers was Mr. K. K. Mookhey, Founder of Network Intelligence, who spoke on the security of your application.
Let me summarize the outcome of the session so that it is of help to those who are in the early stages of a startup or working on web applications for their clients at any level.
#1 -- Compliance Vs Security -
Thinking compliance and security are one and the same? This is the most common misconception that people have. In fact, they play different roles, both in your internal environment and in your respective clouds.
Proper cyber security protects your information from threats by controlling how that information is used, consumed and provided. In comparison, compliance is a demonstration, a reporting function, of how your security program meets specific requirements laid out by standards bodies and regulators, such as the PCI Security Standards Council for PCI DSS. Another wrong perception people have is that meeting compliance requirements will cover all security needs. This “checkbox” mentality is a surefire path to inadequate protection. Why? Because compliance corresponds to a set of specific requirements that change slowly, not to the daily changes in the security landscape. Relying on merely being compliant does not keep you secure. Compliance simply ensures that a specific set of requirements is in place, and it is typically assessed only once a year. A proper security program is what keeps you secure.
If you really want to safeguard against sophisticated threats, you must elevate security and develop an approach in which all the controls mesh with each other to create a cohesive, multilayered web of security. This simply isn’t something that satisfying a regulatory standard can provide.
Understand that compliance is not a blueprint for securing your application or server. It is merely a set of instructions aimed at one class of risk. To properly secure your server and application you need to study several of these standards and build your own security controls at the server, cloud and application level.
An effective cyber security program should always be built from the ground up and be based on the organization’s needs. Focusing on compliance first is putting the virtual cart before the horse. Compliance should be a byproduct of a solid security program, not the source of it.
#2 -- Security by design -
Most of you will agree with my next statement: we tend to think security should be handled at the end of the project, and that stage never really comes unless you actually start facing issues because of security breaches. This is totally wrong. You should start thinking about the security of your application at the design stage itself and keep it in your plan throughout.
#3 -- Security as part of your SDLC
In the previous point I mentioned keeping it in your plan. That means security is not something that can be handled in one go; it should be part of your software development life cycle. If you plan things, there is a better chance of getting them done, so look for security guidelines for each stage of the SDLC (requirements, design, implementation, testing, deployment and operations) and add them to your SDLC plan.
#4 -- Bug Bounty
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.
Before going live, or while in beta, enroll your site in such a bug bounty program, where individuals test your site and get paid for the bugs they find. This way you can be more confident that your site has been tested by many different kinds of people, which drastically reduces the chance that an easily found vulnerability goes live unnoticed. A bounty program complements, rather than replaces, your own security testing: define the scope clearly, and have someone ready to triage and fix what is reported.
#5 -- Cloud Security
While hosting portals on Cloud platforms like AWS/GCloud/Azure, most of us think that security related to infrastructure lies with the cloud provider. Even I was under the impression that this is handled by the cloud provider before attending this session.
Cloud providers secure the physical infrastructure and the virtualization layer and give you an instance (or a managed service) on top of it. The operating system configuration, network rules, identity and access, and your own application remain your responsibility, and you need to implement the required security layers above what the provider gives you.
For this you can follow CIS benchmarks. CIS Benchmarks help you safeguard systems, software, and networks against today's evolving cyber threats. Developed by an international community of cybersecurity experts, the CIS Benchmarks are configuration guidelines for over 100 technologies and platforms.
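As an added illustration of what "following a CIS Benchmark" looks like in practice (this is example code written for this summary, not the workshop's material and not a CIS tool), the script below audits the global section of an OpenSSH server configuration against six controls modelled on the SSH section of the CIS Linux benchmarks. The two sample sshd_config files are constructed for the example; the default values assumed for absent keywords are OpenSSH's own built-in defaults. A real audit runs the benchmark's full control list and also inspects Match blocks, which this script deliberately stops at.

```shell
#!/bin/sh
# Added example, not from the workshop or the CIS Benchmarks themselves:
# a minimal CIS-style audit of an OpenSSH server configuration. The six
# controls below are modelled on the SSH section of the CIS Linux
# benchmarks; a real audit runs the benchmark's full control list.

# Effective value of a keyword in the global section of an sshd_config.
# sshd semantics: keywords are case-insensitive, the FIRST occurrence wins,
# and everything after the first "Match" line is conditional, so stop there.
# $1 = config file, $2 = keyword, $3 = sshd's built-in default when absent
ssh_setting() {
    val=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        tolower($1) == "match"   { exit }   # end of the global section
        tolower($1) == k         { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

FAILS=0

# One control: keyword ($2) in file ($1) must equal $3; $4 is sshd's default.
expect() {
    actual=$(ssh_setting "$1" "$2" "$4")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2 = $actual"
    else
        echo "FAIL $2 = $actual (expected $3)"
        FAILS=$((FAILS + 1))
    fi
}

# One numeric control: keyword ($2) must be <= $3; $4 is sshd's default.
expect_max() {
    actual=$(ssh_setting "$1" "$2" "$4")
    if [ "$actual" -le "$3" ] 2>/dev/null; then
        echo "PASS $2 = $actual"
    else
        echo "FAIL $2 = $actual (expected <= $3)"
        FAILS=$((FAILS + 1))
    fi
}

# Audit one config file: prints a finding per control, returns the failure count.
audit_sshd() {
    FAILS=0
    expect     "$1" PermitRootLogin         no  prohibit-password
    expect     "$1" PermitEmptyPasswords    no  no
    expect     "$1" HostbasedAuthentication no  no
    expect     "$1" IgnoreRhosts            yes yes
    expect     "$1" X11Forwarding           no  no
    expect_max "$1" MaxAuthTries            4   6
    return "$FAILS"
}

# Two constructed sample configs (not real hosts): a weak one and a hardened one.
WEAK=$(mktemp) HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# constructed sample: root login left on, X11 on, and a later "fix" sshd ignores
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no
Match User deploy
    X11Forwarding no
EOF
cat >"$HARD" <<'EOF'
# constructed sample: hardened global section
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
MaxAuthTries 4
LogLevel INFO
EOF

for cfg in "$WEAK" "$HARD"; do
    echo "== auditing $cfg =="
    if audit_sshd "$cfg"; then
        echo "all controls passed"
    else
        echo "$FAILS control(s) failed"
    fi
done
```

Run it on a real host with `audit_sshd /etc/ssh/sshd_config`. Note the second `PermitRootLogin no` in the weak sample: sshd keeps the first value it sees, so appending a "fix" to the end of the file changes nothing, which is exactly the kind of mistake a benchmark check catches and a quick eyeball does not.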
#6 -- Incident management
Plan your response to a security breach well in advance, before one occurs after going live.
I would love to share a learning from a recent incident where a major portal's security was breached by hackers and millions of users' data was stolen. Instead of running from the issue, the CEO faced it head-on and handled everything carefully without denying the incident, which got resolved very fast because of his corrective actions.
#Mobile - 9619291948