While you can read our full guide to start-up security, we figured it would be easier to digest and apply the best practices in smaller chunks. So, we broke up our full guide into four parts. This is Part 2, which focuses on infrastructure and application security best practices.
Application and Infrastructure Security: Keep Bad Hombres Out
The Security Basics Checklist

1. HTTPS: By now a given, but you’d be surprised: We almost left this out for fear of coming across as pedantic. But, we’d be remiss if we didn’t at least offer a reminder to encrypt all communications with your customers. If you need a certificate, get a free one from Let's Encrypt: a non-profit certificate authority that’s provided certs for 200+ million websites.

2. Back up your backups (and make sure they have backups): And if you don’t have something in place, then get S3, Blob Storage, or Cloud Storage from AWS, Azure, and GCP, respectively.

3. Metrics and monitoring aka canaries in the coal mine: Both allow you to quickly drill down to the root cause of any anomalies without having to dig into logs. And in case you needed a refresher, the four golden signals of traffic, latency, saturation, and errors are good foundations for understanding the health of your system and your customers’ experiences.

4. Do let the logs out (when you need to): We’ll spare you the sermon on why turning to your logs is helpful when needed. At the very least, you should have a log aggregator in order to cross-reference logs from various systems and apps. They’ll come in handy as the real “black box” source of truth.

5. May DDoS attacks never happen to you, but be prepared: Here are some ways to defend against them:
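To make items 3 and 4 concrete, here is a small added example (not code from the original post) that computes the four golden signals from a handful of access-log lines and then joins the 5xx requests to application-log lines by request id, which is the kind of cross-referencing a log aggregator does for you. The log format, the request-id field and all log lines are constructed for the example; the saturation figure is passed in as a connection-pool gauge because it usually comes from a metric rather than from the access log.

```python
import re
import statistics

# Constructed sample access-log lines. The assumed format is nginx-style
# combined log plus two trailing fields: request time (seconds) and a
# request id that the application also logs. Not from the original post.
ACCESS_LOG = """\
10.0.0.1 - - [12/Mar/2021:10:00:01 +0000] "GET /api/orders HTTP/1.1" 200 512 0.120 req-001
10.0.0.2 - - [12/Mar/2021:10:00:02 +0000] "POST /api/orders HTTP/1.1" 201 128 0.340 req-002
10.0.0.3 - - [12/Mar/2021:10:00:02 +0000] "GET /api/orders/7 HTTP/1.1" 500 64 2.900 req-003
10.0.0.1 - - [12/Mar/2021:10:00:03 +0000] "GET /health HTTP/1.1" 200 2 0.004 req-004
10.0.0.4 - - [12/Mar/2021:10:00:03 +0000] "GET /api/orders HTTP/1.1" 503 0 5.000 req-005
"""

# Constructed application-log lines keyed by the same request id.
APP_LOG = """\
2021-03-12T10:00:02Z ERROR req-003 db: connection pool exhausted (50/50 in use)
2021-03-12T10:00:03Z ERROR req-005 upstream timeout after 5000ms
2021-03-12T10:00:03Z INFO  req-002 order created id=7
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+) (?P<req_id>\S+)$'
)


def parse_access_log(text):
    """Parse the constructed access-log format into dicts; skip unparseable lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["rt"] = float(d["rt"])
            rows.append(d)
    return rows


def golden_signals(rows, window_seconds, pool_in_use, pool_size):
    """Traffic, latency, errors and saturation over one window of requests."""
    total = len(rows)
    errors = sum(1 for r in rows if r["status"] >= 500)
    rts = sorted(r["rt"] for r in rows)
    # Nearest-rank p95: small samples make this coarse, which is fine for a gauge.
    p95 = rts[max(0, int(round(0.95 * len(rts))) - 1)]
    return {
        "traffic_rps": total / window_seconds,
        "latency_p50_s": statistics.median(rts),
        "latency_p95_s": p95,
        "error_rate": errors / total if total else 0.0,
        "saturation": pool_in_use / pool_size,
    }


def errors_with_context(rows, app_log):
    """Join every 5xx access-log row to the application-log lines with the same request id."""
    by_id = {}
    for line in app_log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            _ts, level, req_id, msg = parts
            by_id.setdefault(req_id, []).append(f"{level} {msg}")
    return {r["req_id"]: by_id.get(r["req_id"], []) for r in rows if r["status"] >= 500}


if __name__ == "__main__":
    rows = parse_access_log(ACCESS_LOG)
    print(golden_signals(rows, window_seconds=5, pool_in_use=50, pool_size=50))
    for req_id, context in errors_with_context(rows, APP_LOG).items():
        print(req_id, context)
```

The point of the join is that the access log tells you something failed (two 5xx responses, a 40% error rate) while the application log tells you why (an exhausted connection pool, an upstream timeout); alerting on the signals and then pivoting by request id is the workflow the aggregator is there to support.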
- Diversity and redundancy should already be core parts of your disaster recovery and business continuity plans, but it’s worth checking to see that your servers are located in different data centers and that there are no single points of failure.
- Make sure your CDN bandwidth can scale quickly when needed. CDN providers like CloudFront, Akamai, Fastly, and Cloudflare all offer solid protection and coverage regardless of your team’s size.
- Check out the Australian Government's Cyber Security Centre's guide on how to prep for and respond to DDoS attacks. It's one of the few reputable DDoS guides that were updated last year (from what we could find, many guides were published in 2014 and 2016).

Are Your Infrastructure Providers Watching Your Infrastructure?
1. Properly set up and use all built-in security functions: It may seem like a chore when setting them up in infra like AWS, but you’d be surprised at how many people leave firewalls off or don’t enable logging.
Here’s the high-level hit list:
- Enable firewalls
- Keep IAM lean and mean
- Make sure your backups have backups (and then more backups)
- Have logging in place (even if it’s the native logging solution like CloudWatch)
- Isolate infrastructure through network boundaries
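Two of those items (firewalls and lean IAM) are easy to check mechanically, so here is an added example, not code from the original post, that audits a security-group listing and an IAM policy document for the two mistakes the checklist warns about: admin or database ports open to the whole internet, and Allow statements with wildcard actions or resources. The inputs are constructed JSON in the shape of `aws ec2 describe-security-groups` output and a standard IAM policy document; the group ids and bucket name are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ids and rules are made up for the example.
SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000web", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
   ]},
  {"GroupId": "sg-0000db", "GroupName": "db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
   ]}
]}
""")

# Constructed IAM policy document: one scoped statement and one that grants everything.
IAM_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}
]}
""")

# Ports that should never be reachable from the internet; 443 is deliberately absent.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_admin_ports(sgs):
    """Return (group id, port, message) for every admin port reachable from any address."""
    findings = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
                findings.append((sg["GroupId"], "all", "all traffic open to the internet"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, f"{name} open to the internet"))
    return findings


def overbroad_statements(policy):
    """Return (statement index, actions, resources) for Allow statements using wildcards."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action or wild_resource:
            findings.append((i, actions, resources))
    return findings


if __name__ == "__main__":
    for finding in world_open_admin_ports(SECURITY_GROUPS):
        print("SG:", finding)
    for finding in overbroad_statements(IAM_POLICY):
        print("IAM:", finding)
```

Run against real output, this flags the 0.0.0.0/0 SSH rule and the all-protocol rule on the database group while letting the 443 rule through, and it flags the `"Action": "*"` statement; the same checks are what the providers' own tools (AWS Config rules, Security Hub, IAM Access Analyzer) run continuously once you turn them on, which is the point of the checklist item.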
And check out the security best practices from the three big cloud providers (AWS, Azure, and Google Cloud Platform).

Keep Your Product on Your Mind (and Your Mind on Your Product)
1. Know your dependencies backwards and forwards: #9 on the OWASP Top 10 is (you guessed it): “Using Components with Known Vulnerabilities”. And given that apps are always built using third-party libraries, there’s plenty of risk you’ll need to mitigate. You have to always check that they’re up-to-date and not exposed to any vulns (we recommend tasking your team’s “Security Czar” with checking at least once a week).

2. Pentest everything in your environment: Not only do pentests reveal all weaknesses and areas of improvement in your infrastructure and product, but they help you achieve security certs like SOC 2. They can be pricey depending on your scope of work (esp. if you need it for a cert like SOC 2): reputable pentest vendors usually charge $15K - $30K, conducted annually. However, pentests certainly bring you peace of mind and actionable steps for improving your security.
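The weekly dependency check in item 1 is what tools such as pip-audit, `npm audit`, Dependabot and the OSV database automate; to show what they do underneath, here is an added example (not from the original post) that reads a pinned requirements file, compares each version against a list of advisories with introduced/fixed ranges, and reports unpinned entries it cannot evaluate. The requirements file, the package names and the advisory records are all constructed for the example and correspond to no real packages or vulnerabilities; the advisory shape loosely follows OSV's introduced/fixed events.

```python
import re

# Constructed requirements file. Package names are made up for the example.
REQUIREMENTS = """\
examplelib==1.4.2
toyhttp==2.0.9
fakeorm>=3.1
# pinned tooling below
jsontools==0.8.0
"""

# Constructed advisories: a version is affected if introduced <= version < fixed.
# These are not real advisories; ids use an obvious placeholder prefix.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2021-0002", "package": "toyhttp", "introduced": "2.0.0", "fixed": "2.0.9"},
    {"id": "EXAMPLE-2021-0003", "package": "fakeorm", "introduced": "0", "fixed": "3.2.0"},
]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so tuples compare numerically, not lexically."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_requirements(text):
    """Split a requirements file into exact pins and everything else."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][\w.]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)  # a range cannot be audited without a lock file
    return pinned, unpinned


def audit(pinned, advisories):
    """Return (package, pinned version, advisory id, fixed version) for each affected pin."""
    hits = []
    for adv in advisories:
        ver = pinned.get(adv["package"].lower())
        if ver is None:
            continue
        v = parse_version(ver)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["package"], ver, adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    pins, loose = parse_requirements(REQUIREMENTS)
    for hit in audit(pins, ADVISORIES):
        print("VULNERABLE:", hit)
    for entry in loose:
        print("UNPINNED (cannot audit):", entry)
```

Two details carry over to the real tools: `toyhttp==2.0.9` is not reported because the fixed version is excluded from the affected range, and `fakeorm>=3.1` is reported as unauditable rather than silently skipped, which is why the check should run against a lock file with exact versions rather than a loose requirements list.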