Skip to content

Security Functions

Product Security

Modern Application Security
  • An application security program revolves around finding, fixing and preventing security vulnerabilities.
Area Description
Finding bugs
  • Diff reviews
    • Setup rules in your system of choice to alert you to diffs matching dangerous functions or patterns
  • Ad-hoc audits
    • These go deeper than a diff review and should be done over the most critical parts of your code
    • Even if you don’t find bugs these are the building blocks of your comprehension of the codebase
    • A good first stop here is looking at the unit tests for the code to see how things are supposed to work
  • Architecture reviews
  • External audits
    • External audits are most useful for an area you have no expertise (android security), a really sensitive area or simply for work you don’t want to do (acquisitions)
    • If possible, try to work alongside the consultants so you can learn from them
  • Bug bounty
Fixing bugs
  • Fix it fast
  • Fix it everywhere
  • Review mistakes
    • A debrief after a bad one where everyone suggests ideas on how it could have been prevented is a good vehicle for this
    • Document a historical list of security mistakes your company has made
    • Build unit tests to ensure there are not regressions
  • Isolate badness
    • If there is some part of the issue you can’t fix, quarantine it
Prevent bugs
  • Deputize engineers (You need to make friends across the company)
  • Documentation
    • Publicizing interesting or unique security issues builds awareness across engineering
    • End of year or quarter roundups of any themes or trends you are seeing in security issues is good
  • Research/skills
  • Frameworks
  • Tooling (SAST/DAST)
The five factors used to secure systems
  • The commitments made by a company in order to mitigate a risk
Factor Description
Response: We’ll be ready to respond to the threat
  • Adopt an “assume breach” mentality
  • Instead of directly mitigating the risk, you’ll commit to building the tools and policies needed to react upon that event
  • You will assume the event will happen, and you are advocating the preparation for an inevitable response
Evidence: We can trace the threat‘s steps
  • You will not allow a risk to occur in a way that avoids the production of evidence
  • The event will occur while also revealing a root cause for a post-mortem, which lets you learn from mistakes
  • This will accumulate enough data to only let an event happen once, because you’ll be better informed for future mitigations that are more comprehensive than what exists
Containment: The threat will have limited impact
Prevention: The threat isn’t likely to occur
  • Commits to reducing the likelihood of a risk
  • This is a direct, hands on approach to the risk, removing the exposure or behavior at the source. All of the previous factors are regarded as asymmetric approaches to avoid dealing with risk head on
Elimination: Mitigation through innovation We’ll reduce the cost of mitigating a risk so dramatically that we’ll find ourselves with resources to pursue other risks

SDLC

Link Notes
Appsec Development: Keeping it all together at scale
  1. Project Risk assessment: Help teams manage risk to their timeline and help security schedule penetration tests
  2. Security Impact Assessment: Let teams quickly exit the review process without the need for peer review
  3. Risk Assessment: Identify potentially risky items with peer review
  4. Threat Model: Analyze risky designs and create mitigations
Democratizing Security: Application Security Scanning How to build an application and cloud security automation program
Building a SAST program at Razorpay’s scale No single tool or technique can identify all security defects in an application. Part of building a mature Security program is to use a number of techniques to find security defects
Security Drone: Scaling Continuous Security at Revolut How Revolut uses a custom system to scale and improve their continuous security scanning
Best practices on rolling out code scanning at enterprise scale Some best practices on how to roll out centrally managed, developer-centric application security with a third party CI/CD system like Jenkins or ADO
Fixing Debug Log Leakage with Safe Coding The average Googler should not have to worry about redaction or sanitization when writing code; using the default well-lit path should always be safe and low-friction
Probably Are Gonna Need It: Application Security Edition
  • Table stakes: use a library/framework that mitigates common flaws
  • Have a vulnerability disclosure policy and a security@ email
  • Consider the “abusive ex” persona
  • Audit trails
  • Build safe admin interfaces
  • Build safe ways to move redacted data out of production
  • Session or password invalidation
Modernizing LinkedIn’s Static Application Security Testing Capabilities to protect our members LinkedIn has modernized its Static Application Security Testing (SAST) capabilities to enhance security for its members by analyzing source code for vulnerabilities early in the development lifecycle. They rebuilt their SAST pipeline natively on GitHub Actions, integrating CodeQL and Semgrep scanners, and they also deviated from the default "paved path" approach
awesome-secure-defaults Awesome secure by default libraries to help you eliminate bug classes

Threat Modeling

Link Notes
A Guide to Threat Modelling for Developers Clear and simple steps to help teams that want to adopt threat modelling
Scalable threat modeling
  • Document the process
  • Have, use, and improve templates
  • Focus on changes, not existing systems
  • Clarify what changes should be threat modeled
  • Identify changes based on existing processes
  • Communicate the priority of recommendations
Awesome Threat Modeling A curated list of threat modeling resources
An introduction to approachable threat modeling A few simple questions can help us build better systems and keep them safe

Security Champions & Involvement

Link Notes
AWS Security Guardians
Implement Security Champions Programme Main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes
Monocle: How Chime creates a proactive security & engineering culture How to choose where to prioritize investments in security, and how to empower engineers and teams to independently improve the security posture of their code
Beyond The Security Team
Delegating security remediation to employees via Slack There is a growing trend of delegating security remediation tasks to employees directly through Slack, rather than relying solely on the security team.

Bug Bounties

Link Notes
How we run our bug bounty program at Segment
magoo Vulnerability Disclosure Don’t hate the finder, hate the vuln
magoo Bounty Launch Lessons Build a launch plan so you don’t drown yourself
magoo Tabletops for Bug Bounty Improving a bug bounty program with fictional problems

Abuse, Fraud, Spam

Link Notes
magoo Preventing Account Takeover Building a defensive program around “Account Takeover”, and make sure that users are who they claim to be, even if they’ve successfully authenticated
magoo Investigating Account Takeover How a security team identifies ATO threats
magoo The Account Takeover Runbook To really investigate an account takeover, you have to sit with a victim and walk through mitigation, and remember all of these little corner cases that can be tricky to clean up

Incident Response

Detection

Tech resources -> DevOps/Monitoring

Link Notes
Detection Engineering Maturity Matrix This matrix aims to help the community better measure the capabilities and maturity of their detection function and provide a high-level roadmap for organizations looking to either build a team or expand an existing one
Saas Event Maturity Matrix A web application to display data from the event-maturity-matrix framework
Prioritizing Detection Engineering
  1. Get logging in order
  2. Spend time on hardening and plan to come back to detection
  3. Introduce strictly high-quality detections and alerts
  4. Spend time on management and plan to come back to detection
  5. Fully embracing an engineering approach to detection
Lessons Learned in Detection Engineering What I’ve learned from “good” intrusion detection programs
Operational reporting for SOC This blog post addresses the challenges of effective stakeholder reporting in Security Operations Centers (SOCs). It emphasizes the importance of clear and concise communication to different audiences, including management, risk teams, and technical staff
Detection as Code: A Maturity Framework Breaking Detection as Code down into functional areas: programming language, testing, integration & automation, and monitoring
Alerting and Detection Strategy Framework
How to Write Security Alerts

IR

Tech resources -> DevOps/IR

Link Notes
Magoo
Tips for SOCLess Oncall Handling alerts when there's no alert handlers
Running an investigation How do you run an investigation with a group?
Writing a Playbook Authoring the guides you might use in a future crisis
Phishing Incident 101 This is a reference for handling traditional phishing incidents that result in a breach
Debriefing Facilitation Guide
Post-mortem Samples

Vulnerability Management

Link Notes
Phil Venables Vulnerability Management
  • Coverage completeness, criticality ranking and dependency mapping
  • Component flaw discovery and remediation
  • Configuration flaw discovery and remediation
  • Architectural goal enumeration and enforcement
Vulnerability Inbox Zero You should tame the avalanche of findings with a noise-suppressing processing pipeline. Think in shovels, not in teaspoons
The Art of Vulnerability Management How to create a positive vulnerability management culture and process that works for engineers and the security team
Vulnerability Scanning at Palantir How Palantir streamlines and automates vulnerability remediation efforts
Business-friendly vulnerability management metrics Post from the Uber team, where they describe a methodology and metric to track the health of the vulnerability management program in your organization
Vulnerability Management at Lyft: Enforcing the Cascade Blog detailing the systems Lyft built to address OS and OS-package level vulnerabilities in a timely manner across hundreds of services run on Kubernetes
Scaling vulnerability management across thousands of services and more than 150 million findings GitHub shares insights about how they run a scalable vulnerability management program built on top of GitHub
Diving into Exploit Prediction Scoring System (EPSS) for Effective Vulnerability Management
  • The Exploit Prediction Scoring System (EPSS) is a scoring system which estimates the probability of a vulnerability being exploited
  • EPSS is based on real life data of vulnerability exploitation attempts: behind the scoring system is a machine learning model which integrates information from vulnerability databases, and real life exploitation attempts spotted in the wild
Mastering Vulnerability Elimination Starts With The Basics From detect to protect: an overview of how to eliminate vulnerabilities from your Application and Cloud security Programs
Contextual Vulnerability Management With Security Risk As Debt How DigitalOcean redesigned its vulnerability management program using the concept of "security debt" to drive meaningful risk reduction and empower engineering teams to prioritize and resolve security issues autonomously
The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program AI, as demonstrated by Anthropic's Mythos, has significantly increased the likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale. While AI also increases the speed of patch development and reduces defects in new software, defenders still face a heavier relative burden due to the inherent limitations of patching. Attackers gain asymmetric benefits

Compliance

Programs

Link Notes
Compliance in a DevOps Culture Integrating the necessary Security Controls and Audit capabilities to satisfy Compliance requirements within a DevOps culture can capitalize on CI/CD pipeline automation, but presents unique challenges as an organization scales
Phil Venables Cybersecurity and the Board : A Fresh Perspective? How to represent cybersecurity (or technology / information risks more generally) to the Board
Open-Sourcing riskquant, a library for quantifying risk
Experimenting with visualizations and code risk overview
GRC Engineering GRC Engineering is a step-change evolution in security governance, risk, and compliance (GRC), and related disciplines such as trust and assurance

Security Questionnaires

Link Notes
magoo Understanding the Security Questionnaire
  • A questionnaire does not care about your actual risks
    • A questionnaire appeals to the perceptions of risk by your customers, not your actual risks
    • Your answers are only one part of passing the questionnaire
  • Alternative approaches may satisfy a customer’s security process, without filling out a questionnaire
    • Share the summary from a security audit
    • Show metrics from a bug bounty program
    • Build an FAQ on the internal practices you want to brag about
    • Host a vulnerability disclosure program
    • Offer an incident escalation channel with an SLA, and commit to assisting in any investigation they need
    • Offer a breach notification policy
    • Have an incident response policy, and an approach to risk management documented that you can share
    • Have an internal information security policy that you’ve committed to, so a customer can back off from imposing their own policies
    • Fill out the answers to a more reasonable security questionnaire, like the Google Vendor Security Questionnaire or the VSA questionnaire, and return them instead of the bespoke questionnaire per customer
  • Expressing your security program proactively
You Don't Need a Vendor to Automate Security Questionnaires I tested three approaches to automating security questionnaires with AI: expensive SaaS vendors, custom RAG solutions, and direct LLM use.
Answering "Dumb Security Questionnaires"
  • Preempt
  • Common “Dumb” Questions and Smart Answers
  • Clean and Dirty Tricks
Startups and security questionnaires How can I minimize the pain?
VSAQ Interactive questionnaire application to assess the security programs of third parties
goSDL Web application tool that serves as a self-service entry point for following a SDLC checklist in a software development project
LLMs at Work: Outsourcing Vendor Assessment Toil to AI
  • Traditional vendor reviews rely on cumbersome, manual processes, which often involves lengthy questionnaires
  • To streamline this, Mercari is experimenting with employing code and LLMs to automate the information-gathering phase, significantly reducing review time
What is a trust center? And how to use it to demonstrate trust Establishing a trust center can help you earn trust with customers and prospects while freeing up your security team’s time and preventing them from becoming a bottleneck for revenue-impacting deadlines.
bedrock-secure-questionnaire-automation Infrastructure-as-code for a serverless knowledge base using Amazon Bedrock, Aurora PostgreSQL, Lambda, and S3
Amp Security Reference
  • Certifications & 3rd-Party Assessments
  • Infrastructure & Service Providers
  • Data Security & Retention
  • User Authentication
  • Model Training
  • System Components
  • Client Security
  • Secret Redaction
  • Bill of Materials
  • Vulnerability Disclosure Policy

Trainings

Link Notes
Phil Venables Security Training & Awareness - 10 Essential Techniques
  • Computer Based Training (if you have to do it then do it better)
  • Ambient Controls (Solutions Not Just Policies)
  • Explain the Purpose of Controls
  • Risk Culture / Escalation
  • Gamification, Labs and Ranges
  • Tooling and User Experience Integration
  • Drills, Exercises and Incident Learning
  • Workforce Development and Feedback at Point of Need
  • Training at Point of Maximum Receptivity
  • Nudges
Developing Secure Software
  • How to design software to be secure
  • Key implementation issues (e.g., input validation, processing data securely, calling out to other programs, sending output, and error handling)

Policies

SOC2

Link Notes
The SOC 2 Guide Quickly figure out what you need and how much it will cost
SOC2 Policy Templates Policies, procedures, standards, and templates for SOC2 compliance
SOC2 Starter Pack A collection of resources to help you get started with SOC2
The SOC 2 Guide Quickly figure out what you need and how much it will cost
SOC2: The Screenshots Will Continue Until Security Improves A great post explaining what SOC2 is and how it works
Everything and Anything You Need To Know About SOC 2 A high-level overview of SOC2
ISO27001 and SOC2 Type II from Greenfield to Success Post delving into Clarity AI's experience in successfully obtaining ISO27001 and SOC2 Type 2 certifications within 10 months, shedding light on their strategies and insights for fellow scale-up companies
The 10-minute guide to SOC 1 vs. SOC 2 For companies looking to get SOC 1 or 2 compliant, it can be hard to find out where to start, so we’re providing a straightforward guide to the ins and outs of SOC audits
Do Macs need third-party antivirus for SOC 2 compliance? This piece answers whether the built-in security of macOS is enough to forgo a third-party antivirus solution, and how admins can document that security for a SOC 2 audit.
How much does a SOC 2 audit cost? This blog breaks down how much businesses can expect to spend on a SOC 2 audit, depending on their size, structure, and what they hope to achieve
AIUC-1 — the "SOC 2 for AI agents" AIUC-1 is the world's first standard for AI agents. It covers data & privacy, security, safety, reliability, accountability and societal risks

ISO 27001

Link Notes
The business guide to ISO 27001 compliance and certification Here we provide an overview of the ISO 27001 audit process, so companies can embark on it with a clear idea of what it entails, and how they stand to benefit
ISO 27001:2022 Requirements Explained for 2025 This blog breaks down ISO 27001 requirements in 2025, and what's changed from 2013 to 2022

ISO 42001

Link Notes
AI lifecycle risk management: ISO/IEC 42001:2023 for AI governance Post explaining how ISO/IEC 42001 enables effective AI governance, review the risk management requirements, and explore how you can use threat modeling as a practical technique to meet those expectations