In our last article, the OWASP Top 10 cheat sheet for startup CTOs, we discussed the anatomy of application vulnerabilities and saw how CTOs can secure their applications against the OWASP Top 10.
Today, let’s move forward by considering four further steps which you can take to protect your application.
Make Security a Priority and Implement a Security Culture
It’s essential that security is a priority within your organization.
This is the absolute foundation of a secure application.
Without it, security will always be seen as an after-thought, something which can be bolted on later, if and when there’s time to do so.
As we all know, when something sits that low on the priority list, the chances of it ever getting done are slim.
Hardly anyone in the business will take it seriously.
Moreover, those who do will only be heard when there is no competing priority.
Given that, integrate a culture of security into your organization.
Make it a part of the development toolchain.
Make it a core criterion, just as testing and continuous deployment already are.
I’d even go so far as to suggest making one of your existing team members a security evangelist.
This person will educate the team on all aspects of security and encourage them to keep at it.
From how to write more secure code, to integrating security checks into your continuous deployment pipeline, to wider best practices, this person is invaluable.
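One concrete way to make security a core criterion of the toolchain, as added example code (not from the original article or from any tool it mentions): a small Python secrets check that fails a commit or a CI job the way a failing unit test would. The patterns, file names and sample configuration below are constructed for illustration; a production pipeline should use a maintained scanner with a fuller ruleset.

```python
"""Constructed example: a minimal secrets gate for a pre-commit hook or CI
step. A leaked credential fails the build like a failing unit test would.
The patterns and sample files are illustrative, not an exhaustive ruleset."""
import re
import sys
from typing import List, Tuple

# (name, compiled regex). Common shapes only; extend or replace with a
# maintained scanner's rules in a real pipeline.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]""")),
    ("generic_api_key", re.compile(r"""(?i)\b(?:api[_-]?key|secret[_-]?key|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]""")),
]


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:  # explicit, reviewable opt-out for test fixtures
            continue
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(paths: List[str]) -> List[Tuple[str, int, str]]:
    """Scan each file on disk; used when the script runs as a hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(path, fh.read()))
    return findings


def gate_passes(text: str, path: str = "config.ini") -> bool:
    """True when the text contains nothing the scanner flags."""
    return not scan_text(path, text)


# Constructed sample inputs: one file that should fail the gate, one that passes.
LEAKY_CONFIG = """\
[default]
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
db_password = "hunter2-but-longer"
"""

CLEAN_CONFIG = """\
[default]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
db_password = ${DB_PASSWORD}
"""


if __name__ == "__main__":
    # As a pre-commit hook: python check_secrets.py $(git diff --cached --name-only)
    # With no arguments, scan the constructed leaky sample instead.
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("leaky.ini", LEAKY_CONFIG)
    for path, lineno, name in found:
        print(f"{path}:{lineno}: possible {name}")
    sys.exit(1 if found else 0)
```

The non-zero exit code is the whole point: wired into a pre-commit hook or a CI stage, it makes the check a gate rather than a report someone has to remember to read.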
Code Audits and Tools
Even if your team knows and applies software development best practices, carry out periodic, independent security audits.
There are also tools, such as Sqreen, which help you stay abreast of attacks and actively defend against them as they happen.
I strongly encourage you to use both.
Through doing so, your team can:
- Continually refine the baseline benchmark by which they measure themselves
- Know if what they’re doing is working
- Get a practical sense of how much they know, and how much they still have to learn
- Receive guidance on where they need to give more focus and attention
- Gain confidence when speaking about their applications to clients and customers
Use Existing Tools And Frameworks
I hope this goes without saying, but don’t roll your own security!
Instead, rely on independently reviewed algorithms, frameworks, and tools, ones that have been held up to international, peer-reviewed scrutiny.
I don’t have enough space to delve into all the reasons.
Suffice to say that, besides the cost of creating your own systems and then having to support them, it’s simply not necessary.
From password-hashing functions such as bcrypt, to development frameworks and tools such as those from OWASP, what you need already exists.
Make use of tools that have stood the test of time.
Take advantage of the thousands of hours which countless people contribute to improving them.
Moreover, be a part of these movements, and help everyone be more secure.
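To make the “don’t roll your own” point concrete, here is an added example (not code from the original article): a home-rolled password hash beside a vetted construction. bcrypt is not in the Python standard library, so the vetted side uses PBKDF2-HMAC-SHA256 from hashlib, a standardized key-derivation function; the per-user salt, the tunable work factor and the constant-time comparison are the same properties bcrypt gives you. The record format, the iteration count and the small dictionary of common passwords are this example’s choices, constructed for illustration.

```python
"""Constructed example: a home-rolled password hash beside a vetted KDF.
PBKDF2-HMAC-SHA256 stands in for bcrypt here because it ships with Python."""
import base64
import hashlib
import hmac
import os


# What "rolling your own" tends to look like: a fast, unsalted digest.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# A leaked table of such hashes falls to a precomputed dictionary instantly,
# and every user sharing a password gets the same hash. (Constructed list.)
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
LOOKUP = {weak_hash(p): p for p in COMMON_PASSWORDS}


def crack_weak(stored_hash: str):
    """Recover the plaintext of a weak hash by table lookup, or None."""
    return LOOKUP.get(stored_hash)


# The vetted way. Iterations are what the attacker pays for on every guess;
# 600k is the order of magnitude OWASP's Password Storage Cheat Sheet gives
# for PBKDF2-HMAC-SHA256. Raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.

    Storing the parameters with the hash lets you raise the work factor later
    without breaking verification of existing records.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=KEY_BYTES)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        _, algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)
```

Note what the home-rolled version gets wrong even though it “uses SHA-256”: no salt, no work factor, and a plain string comparison. Each of those is a lesson that bcrypt, scrypt, Argon2 and PBKDF2 already encode, which is exactly why you reuse them rather than rediscovering the mistakes.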
Stay Up To Date / Continuing Education
The final step is perhaps a cliché: never stop learning.
Security is a skill like any other, be it testing, deployment, or application design, and it has to be kept current.
New attacks are always appearing, whether because new technologies are created or because new weaknesses are discovered in existing ones.
So, stay up to date.
What’s reassuring is that there are a host of ways to do this.
Blogs
If you love blogs, here are six excellent ones:
Conferences
If you love conferences, here are six top ones:
- DotSecurity
- OWASP AppSec Europe
- Black Hat USA
- DEF CON
- RSA Conference
- Hack In The Box Security Conference (HITBSecConf)
Podcasts
If you’re pushed for time, or just love to consume podcasts, there are:
- The Secure Developer
- The OWASP Security Podcast
- The Social-Engineering.org Podcast
- Risky Business
- The Eurotrash Security Podcast
Books
I don’t usually recommend books, as it’s so easy for them to rapidly fall out of date.
However, four that are worth reading are:
- The Tangled Web
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
- Malware, Rootkits & Botnets: A Beginner’s Guide
- Hacking: The Art of Exploitation, 2nd Edition
There is a wealth of information available.
Make a continuing investment in it, and stay up to date.
Conclusion
In this article, we saw four core security recommendations for startup CTOs.
As a startup CTO, it is easy to let business priorities crowd out security, which leaves applications vulnerable and, eventually, breached.
Security is complex and time-consuming work that has to be done continuously to be effective.
About the Author
Matthew Setter is an independent software developer and technical writer. He specializes in creating test-driven applications and writing about modern software practices, including continuous development, testing, and security.