Design & Implementation

1) Follow the Secure by Design model: design the software system or application to be secure from the start, and do not compromise on security parameters as it heads towards completion.

2) Follow the standards outlined by organizations like OWASP (Open Web Application Security Project).

3) As a proactive measure, integrate tools like Checkmarx/SonarQube/SonarLint into the CI/CD pipeline to make sure the code is validated against the client's security requirements.

4) Handle the top security risks: Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting, Insecure Deserialization, Using Components With Known Vulnerabilities, and Insufficient Logging and Monitoring.

5) Use rigorous quality assurance and testing; design and integrate security automation testing and penetration testing to catch security breaches early.

6) Manage secrets with tools like HashiCorp Vault to keep the application safe.

7) Handle input validation: data type, data format, and data value validation.

8) Include proper auditing and logging to record suspicious activity.

9) Implement HTTPS to secure communication between client and server.

10) Apply access control, authentication, and role management.

11) Consider data protection while storing data.

12) Train the team on proper secure coding guidelines and security code reviews.

Infrastructure

1) Secure web servers/storage.

a) Use security checklists.
Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system. Use application allow listing and disable modules or features that provide capabilities that are not necessary for business needs.
b) Implement network segmentation and segregation.
Network segmentation and segregation make it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.

2) To guard against cross-site scripting (XSS) attacks, implement proper Content-Security-Policy and Content-Security-Policy-Report-Only headers at the CDN (Akamai or other) and web server (Apache or other) levels, so that the user agent is allowed to load only the allowed resources for a given web page.

3) Use a firewall to filter access to your instance, in particular to points of the instance that might lead to denial of service (DoS) attacks if left unprotected.

4) Configure firewall, intrusion prevention system (IPS), VPN, web, and email.

5) Ensure the security of the physical hardware premises.

Maintenance

1) Avoid security misconfigurations such as:

Not protecting files/directories from being served
Not removing default, temporary, or guest accounts from the web server
Unnecessarily having ports open on the web server
Using old/defunct software libraries
Using outdated security protocols
Allowing digital certificates to expire
Not upgrading the OS and other software whenever hotfixes/patches are released

2) Perform ad hoc security testing/auditing proactively to find security issues.

3) Enforce regular password changes to make sure both servers and applications are secure, enable multi-factor authentication, disable all unnecessary accounts, and change all default usernames and passwords.

4) Set up monitoring tools to identify and alert on any security breach.

Deployment

1) Introduce basic protection measures to limit access to your production secrets.

2) Inject secrets dynamically during the deployment process from secret storage, and audit all human access to them.

3) The deployment process is fully automated and incorporates automated verification of all critical milestones.
