Driver | |
Objective | Initiative timeline and strategy to deliver application security requirements in every period |
Proposed Security Plan and Programs
Designed for Security
Bake security into our applications from the start
Perform security assessments of each component
Establish security framework, policies, procedures, and guidelines
Establish the security architecture
Implement coding standards (OWASP based)
Designed for Least Privilege - Zero trust at every level!
Implement access control at the microservice level
Implement RBAC on service-to-human interfaces (the control planes of components such as Okta, Cloudflare, Google Cloud, Vault and the Back Office)
Designed for Understandability by Security Testing
Establish and tune SAST using SonarQube
Establish Software Composition Analysis (SCA) using Snyk
Establish and tune container image scanning using Trivy
Establish and tune static Terraform scanning (SAST on IaC) using tfsec
Establish cluster vulnerability scanning using ThreatMapper
Establish security benchmarking using ThreatMapper's policy and compliance scans
Establish and tune DAST using Burp Suite and OWASP ZAP, supplemented by Metasploit
Establish Penetration Testing following OWASP ASVS
Establish Testing Metrics
Designed for Resiliency by Hardening
Implement mitigations and remediations for the gaps found by security testing
Harden and implement security controls by creating security baselines
Cloudflare ZTNA and WAF
Fine-tuned rulesets and policies
IAM policies (integrated with Okta where applicable)
Okta IDM
Fine-tuned policy enforcement
Fine-tuned group roles and attributes
Fine-tuned password security requirements (complexity, maximum age, etc.)
Kubernetes
Networking policies
Security contexts
Best practices
OWASP Kubernetes Security Cheat Sheet
Database
Storage security
Configuration security
Access controls
OWASP Database Security Cheat Sheet
Thought Machine
Secrets configuration
SIEM integration
Network Policies
Admin plane security
Meiro
IAM policies (integrated with Okta where applicable)
Data in transit controls
Data at rest controls
Admin plane security
Google Cloud Policies
IAM policies (integrated with Okta where applicable)
Network policies
Disaster Recovery policies
Failover strategy
Designed for Risk-based Response
Establish SIEM coverage at each layer
Business-logic monitoring using Grafana
Infrastructure monitoring using the Google Cloud dashboard
Attack-surface monitoring using the Cloudflare dashboard
Create custom detection use cases for security events
Alert generation through Prometheus Alertmanager
Alert metrics mapped to the MITRE ATT&CK framework
Alert metrics mapped to OWASP attack categories
Establish threat monitoring using open sources such as NVD, Cisco Talos, MITRE, CVE Details, the Snyk Vulnerability Database and Exploit-DB
Establish risk-based vulnerability assessment layered on top of CVSS scores
Establish vulnerability management tracked in Jira
Establish incident response integrated with the Incident Management Guild
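As an added example for the alerting items above (custom use cases, Prometheus Alertmanager, MITRE ATT&CK and OWASP mapping), the rule group and Alertmanager route below show one way to carry the framework mapping as alert labels so that routing, grouping and silences can key on it. This is example configuration written for this page, not the project's own; the metric names (`http_requests_total`, `okta_admin_role_grants_total`), the runbook URL and the receiver endpoints are assumed.

```yaml
# Added example (not from the original plan). Metric names, URLs and
# thresholds are assumed values for illustration.
groups:
  - name: security-use-cases
    rules:
      # Credential stuffing / brute force: sustained burst of 401s on the
      # login route, taken from the business-logic layer metrics.
      - alert: LoginFailureSpike
        expr: |
          sum by (service) (
            rate(http_requests_total{route="/login", status="401"}[5m])
          ) > 2
        for: 5m
        labels:
          severity: high
          layer: business-logic
          mitre_tactic: credential-access
          mitre_technique: T1110          # Brute Force
          owasp: A07:2021                 # Identification and Authentication Failures
        annotations:
          summary: "Login failure rate above 2/s on {{ $labels.service }}"
          runbook: "https://wiki.example.com/runbooks/login-failure-spike"   # assumed
      # Privilege change on the identity control plane: any admin role
      # grant is rare enough that a human should look at every one.
      - alert: OktaAdminRoleGranted
        expr: increase(okta_admin_role_grants_total[15m]) > 0
        labels:
          severity: critical
          layer: identity
          mitre_tactic: privilege-escalation
          mitre_technique: T1098          # Account Manipulation
          owasp: A01:2021                 # Broken Access Control
        annotations:
          summary: "Admin role granted in Okta: {{ $labels.actor }} -> {{ $labels.target }}"
---
# alertmanager.yml (separate file): group by technique so one campaign
# produces one notification, page on critical, and still post to Slack.
route:
  receiver: secops-slack
  group_by: ["alertname", "mitre_technique", "service"]
  group_wait: 30s
  repeat_interval: 4h
  routes:
    - matchers:
        - severity = critical
      receiver: secops-pager
      continue: true          # fall through to the Slack receiver as well
receivers:
  - name: secops-slack
    slack_configs:
      - api_url: "https://hooks.slack.com/services/REPLACE_ME"   # assumed
        channel: "#secops-alerts"
        title: "[{{ .CommonLabels.mitre_technique }}] {{ .CommonLabels.alertname }}"
  - name: secops-pager
    webhook_configs:
      - url: "https://pager.example.com/v1/alerts"   # assumed
```

Keeping `mitre_technique` and `owasp` as labels rather than free text in annotations is what makes the "alert metrics" items measurable: `count by (mitre_technique) (ALERTS{alertstate="firing"})` gives the per-technique firing count directly in Grafana, and a silence on `mitre_technique="T1110"` quiets a known brute-force campaign without touching the other rules.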
Designed for Everyone - Educate everyone!
Implement BSP-mandated customer awareness
Implement BSP-mandated internal employee awareness
Implement Awareness Program
WIP: Milestones and deadlines
Milestone | Owner | Deadline | Status |
---|---|---|---|