Cybersecurity Top Ten Tips
These are the top ten cybersecurity tips for securing web applications that will help you prevent most attacks.
Cybersecurity Awareness
As a company, you should be hyper-focused on cybersecurity if you have any sensitive data on servers that are connected to the internet. You need to be aware of the latest threats, exploits and vulnerabilities and maintain a vigilant cybersecurity posture. Cybersecurity must come first, ahead of new applications, new features or anything else. If you can't protect the data you already have, writing another insecure application is just a recipe for disaster.
Web Application Firewall (WAF)
A web application firewall (WAF) can defend your website against malicious attacks by filtering and monitoring traffic for known malware and exploits such as injection attacks, cookie tampering, buffer overflows, botnet attacks and more.
Firewall
A next-generation firewall that implements an intrusion detection system (IDS) and an intrusion prevention system (IPS) should be deployed to further increase security at the network perimeter.
Reduced Blast Radius
Servers or virtual machines should only be given the access they need to other required resources and nothing more. Should a system become compromised, you want to reduce the blast radius and contain the attack to as small an area as possible.
Endpoint Protection
Servers or virtual machines should run endpoint protection software to monitor activity and detect lateral movement.
Patching / Software Updates
The operating system, libraries, programming language runtimes and databases should all be updated with the latest security patches to prevent known attacks. Keeping critical systems up to date is crucial in preventing attacks.
Multi-Factor Authentication (MFA)
Many users reuse the same password, or the same password pattern, on different websites. There's a good chance that these passwords are already compromised, which is why implementing Multi-Factor Authentication (MFA) is critical. MFA works by requiring an additional piece of information, like a rotating security code, in addition to your password. For the best security, you should use physical hardware keys such as a YubiKey, because physical keys are phishing-resistant.
Strong Encryption
Any sensitive data should be encrypted using AES-256-GCM or XChaCha20-Poly1305, and it should be stored encrypted at rest as well. Encryption keys should themselves be encrypted, stored in a key management system and rotated on a regular basis.
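Envelope encryption as described above, as an added example (not code from the original page): each record gets its own AES-256-GCM data key (DEK), the DEK is stored only wrapped under a key-encryption key (KEK) that a KMS holds, and rotating the KEK re-wraps the DEK without re-encrypting any data. The KMS is assumed and stood in for by in-memory KEK byte slices; the function names and the choice to bind the KEK version as AAD are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keys are always 32 bytes here, so cipher setup or CSPRNG failure is a bug, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func random(n int) []byte         { b := make([]byte, n); must(rand.Read(b)); return b }
// Seal is AES-256-GCM with a fresh 96-bit nonce prefixed to the output (nonce||ct||tag).
func Seal(key, pt, aad []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize()) // GCM is broken by nonce reuse under one key; always random
	return g.Seal(nonce, nonce, pt, aad)
}
// Open reverses Seal; a wrong key, forged tag or mismatched AAD yields an error, never plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
// WrappedDEK is stored beside each record: the per-record data key (DEK) sealed under the
// KMS-held key-encryption key (KEK). Records are Seal(dek, record, nil); a plain DEK is never
// written to disk. Binding the KEK version as AAD stops a blob being relabelled to another KEK.
type WrappedDEK struct {
	KEKVersion int
	Blob       []byte
}
func aad(ver int) []byte { return []byte(fmt.Sprint(ver)) }
func Wrap(kek []byte, ver int, dek []byte) WrappedDEK { return WrappedDEK{ver, Seal(kek, dek, aad(ver))} }
func Unwrap(kek []byte, w WrappedDEK) ([]byte, error)  { return Open(kek, w.Blob, aad(w.KEKVersion)) }
// Rotate re-wraps the DEK under a newer KEK; record ciphertext is untouched, so rotation stays cheap.
func Rotate(oldKEK, newKEK []byte, newVer int, w WrappedDEK) (WrappedDEK, error) {
	dek, err := Unwrap(oldKEK, w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return Wrap(newKEK, newVer, dek), nil
}
```

After Rotate, the old KEK can no longer unwrap the blob, so retiring it from the KMS is safe once every stored WrappedDEK has been re-wrapped.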
Protected Backup Vault
Backups should be stored in a secure vault from which they cannot be deleted. Attackers sometimes lurk in an environment for months before doing damage, so it is crucial that, no matter what, your backups are safe. In AWS you can use AWS Backup Vault Lock. Microsoft Azure has something similar called Immutable Vaults. Google Cloud Storage offers Object Retention Locks. In these backup vaults, not even administrator users can delete the backups.
Source Code Scanning
One critical area that is often overlooked is source code scanning, also known as source code analysis. This means scanning your source code for known security vulnerabilities in the libraries you depend on and in your own code. It should ideally be integrated into the software build cycle. These are some of the best source code security analyzers.
BONUS TIPS WORTH REPEATING
Hire Knowledgeable Engineers
You can't configure what you don't know. Hire extremely knowledgeable engineers in all areas of your software stack.
Default Passwords
All default passwords for application software and devices should be changed to strong passwords and regularly checked. We've seen cases where, after a software upgrade, the password is reset back to its default value.