Why settle for a hacker in a hoodie when you can get an emo hacker with a guinea pig on the Tugboat Logic blog?

Security Best Practices for Start-ups Pt. 2: Application and Infrastructure Security

While you can read our full guide to start-up security, we figured it would be easier to digest and apply the best practices in smaller chunks. So, we broke up our full guide into four parts. This is Part 2, which focuses on infrastructure and application security best practices.

Application and Infrastructure Security: Keep Bad Hombres Out

The Security Basics Checklist

1. HTTPS: By now a given, but you’d be surprised: We almost left this out for fear of coming across as pedantic. But, we’d be remiss if we didn’t at least offer a reminder for encrypting all communications for your customers. If you need a certificate, get a free one from Let’s Encrypt: a non-profit certificate authority that’s provided certs for 200+ million websites.

2. Back up your backups (and make sure they have backups): And if you don’t have something in place, then get S3, Blob Storage, or Cloud Storage from AWS, Azure, and GCP, respectively.

3. Metrics and monitoring aka canaries in the coal mine: Both let you drill down quickly to the root cause of an anomaly without having to dig through logs. And in case you need a refresher, the four golden signals (traffic, latency, errors, and saturation) are good foundations for understanding the health of your system and your customers’ experience.

4. Do let the logs out (when you need to): We’ll spare you the sermon of why turning to your logs is helpful when needed. At the very least, you should have a log aggregator in order to cross-reference logs from various systems and apps. They’ll come in handy as the real “black box” source of truth.
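Items 3 and 4 fit together in practice: once request logs are aggregated, the four golden signals can be computed from them and broken down per host so the misbehaving machine stands out. This is an added example, not Tugboat Logic code; the log line format, the `inflight` field and the capacity figure are assumptions, and the sample lines are constructed.

```python
# Four golden signals (traffic, latency, errors, saturation) from access-log lines,
# plus a per-host 5xx breakdown so the outlier host stands out without reading logs.
# Added example, not Tugboat Logic code; the log format and capacity are assumptions.
import math
import re

# Constructed sample: 'inflight' = concurrent requests on that host when the request finished.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z api-1 GET /login 200 120ms inflight=12
2021-03-01T10:00:01Z api-2 POST /login 500 950ms inflight=48
2021-03-01T10:00:02Z api-1 GET /orders 200 80ms inflight=10
2021-03-01T10:00:03Z api-2 GET /orders 503 1200ms inflight=50
2021-03-01T10:00:04Z api-1 GET /health 200 5ms inflight=9
2021-03-01T10:00:05Z api-2 GET /health 200 30ms inflight=45
2021-03-01T10:00:06Z api-1 POST /orders 201 140ms inflight=11
2021-03-01T10:00:07Z api-2 POST /orders 500 870ms inflight=49
"""
LINE_RE = re.compile(r"^\S+ (?P<host>\S+) [A-Z]+ \S+ (?P<status>\d{3}) "
                     r"(?P<latency>\d+)ms inflight=(?P<inflight>\d+)$")

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def percentile(sorted_vals, p):
    """Nearest-rank percentile: smallest value with at least p of samples at or below it."""
    return sorted_vals[max(1, math.ceil(p * len(sorted_vals))) - 1]

def golden_signals(text, window_seconds, capacity):
    """Return the four signals over the window plus a per-host 5xx rate for drill-down."""
    recs = list(parse(text))
    if not recs:
        return None
    per_host = {}  # host -> (requests, 5xx responses)
    for r in recs:
        n, e = per_host.get(r["host"], (0, 0))
        per_host[r["host"]] = (n + 1, e + r["status"].startswith("5"))
    return {
        "traffic_rps": len(recs) / window_seconds,
        "latency_p95_ms": percentile(sorted(int(r["latency"]) for r in recs), 0.95),
        "error_rate": sum(e for _, e in per_host.values()) / len(recs),
        "saturation": max(int(r["inflight"]) for r in recs) / capacity,
        "per_host_error_rate": {h: e / n for h, (n, e) in per_host.items()},
    }
```

On the sample, the fleet-wide error rate is 37.5%, but the per-host breakdown shows api-1 at 0% and api-2 at 75%, which is the drill-down the paragraph is after.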

5. May DDoS attacks never happen to you, but be prepared: Here are some ways to defend against them:

  • Diversity and redundancy should already be core parts of your disaster recovery and business continuity plans, but it’s worth checking to see if your servers are located in different data centers and that there are no single failure points.
  • Make sure your CDN bandwidth can scale quickly when needed. CDN providers like CloudFront, Akamai, Fastly, and Cloudflare all offer solid protection and coverage regardless of your team’s size.
  • Check out the Australian Government’s Cyber Security Centre’s guide on how to prep for and respond to DDoS attacks. It’s one of the few reputable DDoS guides that were updated last year (from what we could find, many guides were published in 2014 and 2016).

Are Your Infrastructure Providers Watching Your Infrastructure?

1. Properly set up and use all built-in security functions: It may seem like a chore when setting them up in infra like AWS, but you’d be surprised at how many people leave firewalls off or don’t enable logging.

Here’s the high-level hit list:

  • Enable firewalls
  • Keep IAM lean and mean:
  • Make sure your backups have backups (and then more backups)
  • Have logging in place (even if it’s the native logging solution like CloudWatch)
  • Isolate infrastructure through network boundaries
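Two items on that hit list (firewalls and lean IAM) can be checked mechanically. The following is an added example, not Tugboat Logic or AWS code: it lints an IAM policy for wildcard grants and a security group for rules open to the whole internet on non-web ports. The documents follow the AWS JSON shapes, but the group id, bucket name and rules are constructed sample values.

```python
# Flag two common 'left on the defaults' mistakes in an AWS account: IAM statements
# granting wildcard actions/resources, and security-group rules open to 0.0.0.0/0 on
# non-web ports. Added example, not Tugboat Logic or AWS code; sample values constructed.
import json
# Constructed policy: one tight statement and one 'lazy admin' statement.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAssets", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-assets/*"},
    {"Sid": "LazyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed security group, shaped like describe-security-groups output.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
PUBLIC_OK_PORTS = {80, 443}  # the only ports a web app should expose to the world

def _as_list(v):
    return v if isinstance(v, list) else [v]  # IAM allows a string or a list here

def lint_policy(policy):
    """One finding per Allow statement with a wildcard Action or Resource."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: wildcard Resource")
    return findings

def lint_security_group(sg):
    """One finding per ingress rule reachable from 0.0.0.0/0 on a non-web port."""
    findings = []
    for rule in sg["IpPermissions"]:
        # IpProtocol "-1" (all traffic) carries no port fields: treat as every port.
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        world = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        if world and any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
            findings.append(f"{sg['GroupId']}: {rule['IpProtocol']} {lo}-{hi} open to 0.0.0.0/0")
    return findings
```

On the sample, the 443 rule passes, the database rule passes because it is restricted to the VPC range, and only the SSH rule and the `LazyAdmin` statement are reported.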

And check out security best practices from the three big cloud providers (AWS, Azure, and Google Cloud Platform):

Keep Your Product on Your Mind (and Your Mind on Your Product)

1. Know your dependencies backwards and forwards: #9 on the OWASP Top 10 is (you guessed it) “Using Components with Known Vulnerabilities”. And given that apps are always built on third-party libraries, there’s plenty of risk you’ll need to mitigate. Always check that they’re up to date and not exposed to any known vulns (we recommend tasking your team’s “Security Czar” with checking at least once a week).
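The weekly check described above comes down to matching each pinned version against the known-vulnerable ranges for that package. This added example (not Tugboat Logic code) shows that matching on a constructed requirements file and a constructed advisory list with placeholder ids; real tools such as pip-audit pull the advisories from a feed, but the range logic is the same, and an unpinned dependency is reported because it cannot be assessed at all.

```python
# Match pinned dependencies against known-vulnerable version ranges, the check the
# "Security Czar" would run weekly. Added example, not Tugboat Logic code: the
# advisory list (placeholder ids) and the requirements file are constructed.
import re

# Constructed requirements.txt: two pins, one unpinned range, one comment.
REQUIREMENTS = """\
# web stack
flask==1.0.2
requests==2.25.1
pyyaml>=5.1
"""

# Constructed advisories: vulnerable from 'introduced' up to (not including) 'fixed'.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "flask", "introduced": "0.0.0", "fixed": "1.1.0"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0.0.0", "fixed": "5.4.0"},
    {"id": "EXAMPLE-0003", "package": "requests", "introduced": "2.26.0", "fixed": "2.27.0"},
]
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$")

def version_key(v):
    """Compare component-wise as integers so 1.10.0 sorts after 1.9.0 (string compare would not)."""
    return tuple(int(x) for x in v.split("."))

def parse_requirements(text):
    """Yield (name, version); version is None when the line is not an exact pin."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)
        else:
            yield re.split(r"[<>=!~\[ ]", line, maxsplit=1)[0].lower(), None

def audit(requirements, advisories):
    """Return {package: [advisory ids]}; an unpinned package maps to ['UNPINNED']."""
    report = {}
    for name, version in parse_requirements(requirements):
        if version is None:
            report[name] = ["UNPINNED"]  # cannot be assessed until it is pinned
            continue
        v = version_key(version)
        hits = [a["id"] for a in advisories if a["package"] == name
                and version_key(a["introduced"]) <= v < version_key(a["fixed"])]
        if hits:
            report[name] = hits
    return report
```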

2. Pentest everything in your environment: Not only do pentests reveal all weaknesses and areas of improvement in your infrastructure and product, but they help you achieve security certs like SOC 2. They can be pricey depending on your scope of work (esp. if you need it for a cert like SOC 2): reputable pentest vendors usually charge $15K – $30K for an annual test. However, pentests certainly bring you peace of mind and actionable steps for improving your security.
