A Practical Guide
Process
- Familiarise with the Product
- Perform a Risk Assessment
  - Set up Interviews with Stakeholders (template) and schedule regular meetings. Questions to ask:
    - Close-call incidents and war stories
    - Embarrassing practices that keep them up at night
    - Who has the most privileged access in the company
    - What risks they think you're supposed to be working on
    - What they think are existential risks to the business
  - Identify Technical Risks. Questions to ask:
    - Spend time enumerating the anatomy of all the technology in use
    - Get a high-level picture of how data moves in and out of systems
    - When do employees gain and lose the authorization to access what data?
    - Where is that data geographically located when at rest? Is it encrypted? Where are the keys? Who has access to those keys? Who made those keys?
    - How is new code written? How are bugs fixed? How is code released and shipped? How are updates pulled down to a client?
    - Who are the vendors that our company is dependent on?
    - What to look for when reviewing a company's infrastructure
  - Model Threats
  - Build a Risk Registry. Risk registry template:
    - Risk ID
    - Area (ProdSec, CorpSec, etc.)
    - System (Cloud, IaC, Code, CI/CD, Endpoints, SaaS, etc.)
    - Risk Name
    - Description
    - Owner
    - Creation Date
    - Risk Level
    - Risk Acceptance
      - Date
      - Expiry Date
      - Status
    - Review Date
    - Review Status
    - Risk Mitigation
      - Plan
      - Status
    - Risk
      - Inherent Risk
      - Reputation Consequences
      - Legal or Regulatory Dictates
      - Threat and Vulnerability Environment
      - Control Economics
  - Prioritise Risks
    - Get consensus from leadership: you want agreement that these risks are worth mitigating and that cooperation will happen
- Define a Strategy
  - Set metrics
  - Set up supporting resources
    - Weekly Digests
    - WTF document
    - Decision Log
    - Learning Hours
    - Quarterly Security Review
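As an added example (not code from the original page or from the CloudSecDocs material it references), the risk registry template above expressed as a small Python data model, together with the three checks a practitioner runs over the registry before the prioritisation meeting with leadership: accepted risks whose acceptance has passed its expiry date, open risks that have missed their review cadence, and the open risks ordered by Risk Level for discussion. The ordering of risk levels, the 90-day review cadence, the status values and the sample entries are all assumptions made for this illustration.

```python
"""Risk registry checks: expired acceptances, overdue reviews, prioritisation.

Added example, not from the original page. Field names follow the registry
template above; the level ordering, review cadence, status values and sample
entries are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed ordering of the "Risk Level" field, highest first.
RISK_LEVELS = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Assumed "as of" date used by the stand-alone run below.
AS_OF = date(2023, 6, 1)


@dataclass
class Risk:
    risk_id: str
    area: str                  # ProdSec, CorpSec, ...
    system: str                # Cloud, IaC, Code, CI/CD, Endpoints, SaaS, ...
    name: str
    owner: str
    created: date              # Creation Date
    risk_level: str            # Risk Level
    status: str                # Open, Accepted, Mitigating, Closed (assumed values)
    acceptance_date: Optional[date] = None    # Risk Acceptance -> Date
    acceptance_expiry: Optional[date] = None  # Risk Acceptance -> Expiry Date
    review_date: Optional[date] = None        # Review Date
    mitigation_plan: str = ""                 # Risk Mitigation -> Plan
    mitigation_status: str = ""               # Risk Mitigation -> Status


def expired_acceptances(registry: List[Risk], today: date) -> List[str]:
    """IDs of accepted risks whose acceptance has passed its expiry date.

    An accepted risk with no expiry date is reported too: acceptance
    should never be open-ended (assumed policy).
    """
    return [
        r.risk_id
        for r in registry
        if r.status == "Accepted"
        and (r.acceptance_expiry is None or r.acceptance_expiry < today)
    ]


def overdue_reviews(registry: List[Risk], today: date, cadence_days: int = 90) -> List[str]:
    """IDs of non-closed risks not reviewed within `cadence_days`.

    A risk that has never been reviewed is measured from its creation date.
    """
    cutoff = today - timedelta(days=cadence_days)
    return [
        r.risk_id
        for r in registry
        if r.status != "Closed" and (r.review_date or r.created) < cutoff
    ]


def prioritise(registry: List[Risk]) -> List[str]:
    """Non-closed risks in discussion order: highest Risk Level first,
    oldest first within a level. Unknown levels sort last."""
    open_risks = [r for r in registry if r.status != "Closed"]
    open_risks.sort(key=lambda r: (-RISK_LEVELS.get(r.risk_level, 0), r.created))
    return [r.risk_id for r in open_risks]


# Constructed sample registry (not real data).
SAMPLE_REGISTRY = [
    Risk("R-001", "ProdSec", "CI/CD", "Long-lived deploy keys in CI", "alice",
         date(2023, 1, 10), "High", "Accepted",
         acceptance_date=date(2023, 1, 15), acceptance_expiry=date(2023, 4, 15),
         review_date=date(2023, 1, 15)),
    Risk("R-002", "CorpSec", "SaaS", "No MFA on shared SaaS admin account", "bob",
         date(2023, 3, 1), "Critical", "Mitigating",
         review_date=date(2023, 5, 20),
         mitigation_plan="Enforce SSO", mitigation_status="In progress"),
    Risk("R-003", "ProdSec", "Cloud", "Over-broad IAM role for batch jobs", "carol",
         date(2023, 2, 14), "Medium", "Accepted",
         acceptance_date=date(2023, 2, 20), acceptance_expiry=date(2024, 2, 20)),
    Risk("R-004", "CorpSec", "Endpoints", "Unmanaged contractor laptops", "dave",
         date(2022, 11, 5), "High", "Closed", review_date=date(2023, 4, 1)),
]

if __name__ == "__main__":
    print("expired acceptances:", expired_acceptances(SAMPLE_REGISTRY, AS_OF))
    print("overdue reviews:", overdue_reviews(SAMPLE_REGISTRY, AS_OF))
    print("priority order:", prioritise(SAMPLE_REGISTRY))
```

Run as a script, the sample flags R-001 (acceptance expired in April and no review for more than 90 days) and R-003 (never reviewed since creation), and puts R-002 at the top of the agenda because it is the only Critical item; the Expiry Date and Review Date fields are what make acceptance a decision that has to be re-taken rather than a permanent state.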
References
- [CloudSecDocs] Security Programs: Strategic (starting, scaling, frameworks) vs Tactical (practical, selling internally, metrics), Culture, Budgeting, Hiring
- [CloudSecDocs] Risk Management: how to manage, communicate, and forecast risk, as well as how to create useful OKRs
Implement
References
- My Security Controls for Startups micro-website
- Latio Tech: A list of security tools/vendors
- [CloudSecDocs] Security Functions: How-to guides for implementing security functions (ProdSec, IR, Vulnerability Management, Compliance, etc.)
- [CloudSecDocs] Practical Case Studies: A collection of case studies and implementation around Identity, Code, and general Implementations
Additional ideas
- Security Control checklist for startups (included in custom Roadmap)
- An opinionated guide to scaling your company's security
- How to 10X Your Security
Controls included in custom Roadmap
Work towards Fundamental objectives
| Objective | Description |
|---|---|
| Centralize and improve logging | |
| Improve employee responsiveness in reporting incidents | |
| Reduce the risks associated with vendors | |
| Reduce the risk of insider abuse | |
| Reduce the risk of an endpoint compromise | |
| Improve responsiveness to incidents | |
| Reduce the risk of remote IaaS API compromise (leaked credentials) | |
| Reduce the risks of a SaaS account compromise | |
| Lay groundwork for secure development practices | |
| Lay groundwork for future detection efforts | |
| Lay groundwork for future risk management efforts | |
| Lay groundwork for finding and fixing | |
Setup basic Incident Response
- Create an incident response plan to manage these changes (template, explanation)
- A rolodex of contacts: law enforcement, forensic, legal, leadership, and PR contacts who can come online quickly and contribute to a response
- A template for collaboration: incidents are often about managing uncertainty. What questions do we still have? Who is accountable for answering them? What are the short-term emergency actions, and what are the long-term learnings?
- Approval points: who approves an emergency blog post, an email to customers, or a call to law enforcement? Pre-approvals for expected steps avoid delays and meetings
- Internal communications: who communicates issues to employees?
- See also Security Breach 101 and Security Breach 102
Secure - Products
| Area | Description |
|---|---|
| Strict Engineering Standards | NOW: |
| Vulnerability Disclosure and Bug Bounty | NOW: |
| Engineer Onboarding | NOW: |
| Manage Secrets | NOW: |
| Review | Figure out the critical security bits, auth flows, etc. |
Secure - Infrastructure
| Area | Description |
|---|---|
| Authentication | NOW: |
| Patching | NOW: |
| Centralized Logging | NOW: |
| Cloud Fundamentals | Secrets management, IAM, API keys, configuration |
Secure - Employees
| Area | Description |
|---|---|
| Endpoint | NOW: |
| Shared Passwords | NOW: |
| On-boarding and Off-boarding | |
| Yubikeys | |
Secure - Compliance
| Area | Description |
|---|---|
| Have public-facing security docs | Something you can put on your website with technical details about the security work you've done, which customers and prospects can reference |
| Establish a Knowledge Base | The best use of your time is not completing questionnaires for sales teams. Find a way to make it self-service: a place where sales can get the information they need |
| GDPR and current laws | Make sure you comply with all of the relevant laws |