Driver

User b6b4a

Objective

Initiative timeline and strategy to deliver application security requirements in every period

Proposed Security Plan and Programs

Designed for Security

  1. Bake security into our application

  2. Perform security assessments on components

  3. Establish security framework, policies, procedures, and guidelines

  4. Establish the security architecture

  5. Implement coding standards (OWASP-based)

Designed for Least Privilege - Zero trust at any level!

  1. Implement access control at the microservice level

  2. Implement RBAC on service-to-human interfaces (control planes of components such as Okta, Cloudflare, Google Cloud, Vault and the Back Office)

Designed for Understandability by Security Testing

  1. Establish and tune SAST using SonarQube

  2. Establish Software Composition Analysis (SCA) using Snyk

  3. Establish and tune Container Scanning using Trivy

  4. Establish and tune static Terraform scanning (SAST on IaC) using tfsec

  5. Establish Cluster Vulnerability Scan using ThreatMapper

  6. Establish security benchmarking using the Policy and Compliance scanning of ThreatMapper

  7. Establish and tune DAST using Burp, OWASP ZAP and Metasploit

  8. Establish Penetration Testing following OWASP ASVS

  9. Establish Testing Metrics

Designed for Resiliency by Hardening

  1. Implement mitigations and remediations for the gaps found in security testing results

  2. Harden and implement security controls by creating security baselines

    1. Cloudflare ZTNA and WAF

      1. Fine-tuned rulesets and policies

      2. IAM policies (standalone or integrated with Okta)

    2. Okta IDM

      1. Fine-tuned policy enforcement

      2. Fine-tuned group roles and attributes

      3. Fine-tuned password security requirements (complexity, lifetime, etc.)

    3. Kubernetes

      1. Networking policies

      2. Security contexts

      3. Best practices

      4. OWASP Cheat Sheet

    4. Database

      1. Storage security

      2. Configuration security

      3. Access controls

      4. OWASP Cheat Sheet

    5. Thought Machine

      1. Secrets configuration

      2. SIEM integration

      3. Network Policies

      4. Admin plane security

    6. Meiro

      1. IAM policies (standalone or integrated with Okta)

      2. Data in transit controls

      3. Data at rest controls

      4. Admin plane security

    7. Google Cloud Policies

      1. IAM policies (standalone or integrated with Okta)

      2. Network policies

      3. Disaster Recovery policies

      4. Failover strategy

Designed for Risk-based Response

  1. Establish SIEM coverage across the different layers

    1. Business logic SIEM using Grafana

    2. Infra Monitoring using Google Cloud Dashboard

    3. Attack Surface Monitoring using Cloudflare Dashboard

  2. Create custom use cases for security events

    1. Alert generation in Prometheus Alertmanager

    2. Alert metrics mapped to the MITRE ATT&CK framework

    3. Alert metrics mapped to OWASP attack categories

  3. Establish threat monitoring using OSINT sources such as NVD, Talos, MITRE, CVE Details, the Snyk Vulnerability Database and Exploit-DB.

  4. Establish vulnerability assessment using risk-based assessment on top of CVSS scores

  5. Establish vulnerability management using Jira

  6. Establish incident response integrated with the Incident Management Guild

Designed for Everyone - Educate everyone!

  1. Implement BSP-mandated customer awareness

  2. Implement BSP-mandated internal employee awareness

  3. Implement Awareness Program

WIP: Milestones and deadlines

Milestone | Owner | Deadline | Status

WIP: Reference materials