Security Functions
Product Security
Modern Application Security
- An application security program revolves around finding, fixing and preventing security vulnerabilities.
| Area | Description |
|---|---|
| Finding bugs | |
| Fixing bugs | |
| Prevent bugs | |
The five factors used to secure systems
- The commitments made by a company in order to mitigate a risk
| Factor | Description |
|---|---|
| Response: We'll be ready to respond to the threat | |
| Evidence: We can trace the threat's steps | |
| Containment: The threat will have limited impact | |
| Prevention: The threat isn't likely to occur | |
| Elimination: Mitigation through innovation | We'll reduce the cost of mitigating a risk so dramatically that we'll find ourselves with resources to pursue other risks |
SDLC
| Link | Notes |
|---|---|
| Appsec Development: Keeping it all together at scale | |
| Democratizing Security: Application Security Scanning | How to build an application and cloud security automation program |
| Building a SAST program at Razorpay's scale | No single tool or technique can identify all security defects in an application. Part of building a mature Security program is to use a number of techniques to find security defects |
| Security Drone: Scaling Continuous Security at Revolut | How Revolut uses a custom system to scale and improve their continuous security scanning |
| Best practices on rolling out code scanning at enterprise scale | Some best practices on how to roll out centrally managed, developer-centric application security with a third party CI/CD system like Jenkins or ADO |
| Fixing Debug Log Leakage with Safe Coding | The average Googler should not have to worry about redaction or sanitization when writing code; using the default well-lit path should always be safe and low-friction |
| Probably Are Gonna Need It: Application Security Edition | |
| Modernizing LinkedIn's Static Application Security Testing Capabilities to protect our members | LinkedIn has modernized its Static Application Security Testing (SAST) capabilities to enhance security for its members by analyzing source code for vulnerabilities early in the development lifecycle. They rebuilt their SAST pipeline natively on GitHub Actions, integrating CodeQL and Semgrep scanners, and they also deviated from the default "paved path" approach |
| awesome-secure-defaults | Awesome secure by default libraries to help you eliminate bug classes |
Threat Modeling
| Link | Notes |
|---|---|
| A Guide to Threat Modelling for Developers | Clear and simple steps to help teams that want to adopt threat modelling |
| Scalable threat modeling | |
| Awesome Threat Modeling | A curated list of threat modeling resources |
| An introduction to approachable threat modeling | A few simple questions can help us build better systems and keep them safe |
Security Champions & Involvement
| Link | Notes |
|---|---|
| AWS Security Guardians | |
| Implement Security Champions Programme | Main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes |
| Monocle: How Chime creates a proactive security & engineering culture | How to choose where to prioritize investments in security, and how to empower engineers and teams to independently improve the security posture of their code |
| Beyond The Security Team | |
| Delegating security remediation to employees via Slack | There is a growing trend of delegating security remediation tasks to employees directly through Slack, rather than relying solely on the security team. |
Bug Bounties
| Link | Notes |
|---|---|
| How we run our bug bounty program at Segment | |
| magoo Vulnerability Disclosure | Don't hate the finder, hate the vuln |
| magoo Bounty Launch Lessons | Build a launch plan so you don't drown yourself |
| magoo Tabletops for Bug Bounty | Improving a bug bounty program with fictional problems |
Abuse, Fraud, Spam
| Link | Notes |
|---|---|
| magoo Preventing Account Takeover | Building a defensive program around "Account Takeover", and make sure that users are who they claim to be, even if they've successfully authenticated |
| magoo Investigating Account Takeover | How a security team identifies ATO threats |
| magoo The Account Takeover Runbook | To really investigate an account takeover, you have to sit with a victim and walk through mitigation, and remember all of these little corner cases that can be tricky to clean up |
Incident Response
Detection
Tech resources -> DevOps/Monitoring
| Link | Notes |
|---|---|
| Detection Engineering Maturity Matrix | This matrix aims to help the community better measure the capabilities and maturity of their detection function and provide a high-level roadmap for organizations looking to either build a team or expand an existing one |
| SaaS Event Maturity Matrix | A web application to display data from the event-maturity-matrix framework |
| Prioritizing Detection Engineering | |
| Lessons Learned in Detection Engineering | What I've learned from "good" intrusion detection programs |
| Operational reporting for SOC | This blog post addresses the challenges of effective stakeholder reporting in Security Operations Centers (SOCs). It emphasizes the importance of clear and concise communication to different audiences, including management, risk teams, and technical staff |
| Detection as Code: A Maturity Framework | Breaking Detection as Code down into functional areas: programming language, testing, integration & automation, and monitoring |
| Alerting and Detection Strategy Framework | |
| How to Write Security Alerts | |
IR
Tech resources -> DevOps/IR
| Link | Notes |
|---|---|
| Magoo | |
| Tips for SOCLess Oncall | Handling alerts when there's no alert handlers |
| Running an investigation | How do you run an investigation with a group? |
| Writing a Playbook | Authoring the guides you might use in a future crisis |
| Phishing Incident 101 | This is a reference for handling traditional phishing incidents that result in a breach |
| Debriefing Facilitation Guide | |
Post-mortem Samples
- Reference Breach Blog Posts
- Malicious Insider Scenarios
- Learning From Cryptocurrency Breaches
- Cloudbleed Retrospective
- OneLogin Breach (2017) Retrospective
- Learning From Security Breaches in 2017
- Learning from California's Data Breaches
- Learning From A Year of Security Breaches
- Learning from the Expedia Heist
- Blockchain Graveyard
- [2024] Phishing Incident Report: Facts and Timeline: The AnyRun team provides an interesting postmortem and the first results of their investigation into the recent incident, and shares a full account of the events.
Vulnerability Management
| Link | Notes |
|---|---|
| Phil Venables Vulnerability Management | |
| Vulnerability Inbox Zero | You should tame the avalanche of findings with a noise-suppressing processing pipeline. Think in shovels, not in teaspoons |
| The Art of Vulnerability Management | How to create a positive vulnerability management culture and process that works for engineers and the security team |
| Vulnerability Scanning at Palantir | How Palantir streamlines and automates vulnerability remediation efforts |
| Business-friendly vulnerability management metrics | Post from the Uber team, where they describe a methodology and metric to track the health of the vulnerability management program in your organization |
| Vulnerability Management at Lyft: Enforcing the Cascade | Blog detailing the systems Lyft built to address OS and OS-package level vulnerabilities in a timely manner across hundreds of services run on Kubernetes |
| Scaling vulnerability management across thousands of services and more than 150 million findings | GitHub shares insights about how they run a scalable vulnerability management program built on top of GitHub |
| Diving into Exploit Prediction Scoring System (EPSS) for Effective Vulnerability Management | |
| Mastering Vulnerability Elimination Starts With The Basics | From detect to protect: an overview of how to eliminate vulnerabilities from your Application and Cloud security Programs |
| Contextual Vulnerability Management With Security Risk As Debt | How DigitalOcean redesigned its vulnerability management program using the concept of "security debt" to drive meaningful risk reduction and empower engineering teams to prioritize and resolve security issues autonomously |
| The "AI Vulnerability Storm": Building a "Mythos-ready" Security Program | AI, as demonstrated by Anthropic's Mythos, has significantly increased the likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale. While AI also increases the speed of patch development and reduces defects in new software, defenders still face a heavier relative burden due to the inherent limitations of patching. Attackers gain asymmetric benefits |
Compliance
Programs
| Link | Notes |
|---|---|
| Compliance in a DevOps Culture | Integrating the necessary Security Controls and Audit capabilities to satisfy Compliance requirements within a DevOps culture can capitalize on CI/CD pipeline automation, but presents unique challenges as an organization scales |
| Phil Venables Cybersecurity and the Board : A Fresh Perspective? | How to represent cybersecurity (or technology / information risks more generally) to the Board |
| Open-Sourcing riskquant, a library for quantifying risk | |
| Experimenting with visualizations and code risk overview | |
| GRC Engineering | GRC Engineering is a step-change evolution in security governance, risk, and compliance (GRC), and related disciplines such as trust and assurance |
Security Questionnaires
| Link | Notes |
|---|---|
| magoo Understanding the Security Questionnaire | |
| You Don't Need a Vendor to Automate Security Questionnaires | I tested three approaches to automating security questionnaires with AI: expensive SaaS vendors, custom RAG solutions, and direct LLM use. |
| Answering "Dumb Security Questionnaires" | |
| Startups and security questionnaires | How can I minimize the pain? |
| VSAQ | Interactive questionnaire application to assess the security programs of third parties |
| goSDL | Web application tool that serves as a self-service entry point for following a SDLC checklist in a software development project |
| LLMs at Work: Outsourcing Vendor Assessment Toil to AI | |
| What is a trust center? And how to use it to demonstrate trust | Establishing a trust center can help you earn trust with customers and prospects while freeing up your security team's time and preventing them from becoming a bottleneck for revenue-impacting deadlines. |
| bedrock-secure-questionnaire-automation | Infrastructure-as-code for a serverless knowledge base using Amazon Bedrock, Aurora PostgreSQL, Lambda, and S3 |
| Amp Security Reference | |
Trainings
| Link | Notes |
|---|---|
| Phil Venables Security Training & Awareness - 10 Essential Techniques | |
| Developing Secure Software | |
Policies
SOC2
| Link | Notes |
|---|---|
| The SOC 2 Guide | Quickly figure out what you need and how much it will cost |
| SOC2 Policy Templates | Policies, procedures, standards, and templates for SOC2 compliance |
| SOC2 Starter Pack | A collection of resources to help you get started with SOC2 |
| SOC2: The Screenshots Will Continue Until Security Improves | A great post explaining what SOC2 is and how it works |
| Everything and Anything You Need To Know About SOC 2 | A high-level overview of SOC2 |
| ISO27001 and SOC2 Type II from Greenfield to Success | Post delving into Clarity AI's experience in successfully obtaining ISO27001 and SOC2 Type 2 certifications within 10 months, shedding light on their strategies and insights for fellow scale-up companies |
| The 10-minute guide to SOC 1 vs. SOC 2 | For companies looking to get SOC 1 or 2 compliant, it can be hard to find out where to start, so we're providing a straightforward guide to the ins and outs of SOC audits |
| Do Macs need third-party antivirus for SOC 2 compliance? | This piece answers whether the built-in security of macOS is enough to forgo a third-party antivirus solution, and how admins can document that security for a SOC 2 audit. |
| How much does a SOC 2 audit cost? | This blog breaks down how much businesses can expect to spend on a SOC 2 audit, depending on their size, structure, and what they hope to achieve |
| AIUC-1: the "SOC 2 for AI agents" | AIUC-1 is the world's first standard for AI agents. It covers data & privacy, security, safety, reliability, accountability and societal risks |
ISO 27001
| Link | Notes |
|---|---|
| The business guide to ISO 27001 compliance and certification | Here we provide an overview of the ISO 27001 audit process, so companies can embark on it with a clear idea of what it entails, and how they stand to benefit |
| ISO 27001:2022 Requirements Explained for 2025 | This blog breaks down ISO 27001 requirements in 2025, and what's changed from 2013 to 2022 |
ISO 42001
| Link | Notes |
|---|---|
| AI lifecycle risk management: ISO/IEC 42001:2023 for AI governance | Post explaining how ISO/IEC 42001 enables effective AI governance, review the risk management requirements, and explore how you can use threat modeling as a practical technique to meet those expectations |