A Brief Guide on Network Security, Application Security, Cloud Security & Container Security

Our third article in the 'Secure Your Start-Up' series will walk you through the next step of securing your start-up, focusing on network security, application security, cloud security, and container security.

In the first article, we discussed the MVCSP of your organization, where we did a gap analysis and arrived at a roadmap for your organization.

Then, in the second article, we covered some basic good security practices to follow, such as password managers, MFA, etc.

Taking the MVCSP of your organization as the reference, we begin with essential security hygiene, which typically focuses on the following areas:

  • Network Security
  • Application Security
  • Cloud Security
  • Container Security

Basic or Essential Security Hygiene focuses on the traditional security controls for a company that is just starting on security and needs the bare minimum and absolutely necessary checks.

As a start-up, it is essential to pay attention to your security budget and spend it as optimally as possible. Sumeru helps by providing cost-effective solutions with a mix of open-source and commercial tools as needed.

We start by engaging with the respective people from the infrastructure and application teams to understand your network, applications, and other services, and map out your entire infrastructure.

Network Security

We establish baseline security by ensuring all systems, such as the operating systems of servers and workstations/laptops, are hardened by default, following established standards. The Center for Internet Security (CIS) Controls Version 8 has 18 controls that provide actionable ways to prevent the most common attacks and act as a recommended set of actions for cyber defense.

We assess your network security by doing the following:

  • Network Vulnerability Assessment & Penetration Test (VAPT)
  • Network Configuration Review

As part of the VAPT, we identify the various vulnerabilities in your network, classify them based on their risk, and remove false positives. As part of basic network security, it is essential to secure your perimeter using a firewall, harden it, and review its rules. Along with the firewall, your other devices, such as switches and routers, must also be appropriately configured and verified as part of the network configuration review.

Most of the above activities can be performed using tools such as:

  • Nmap
  • OpenVAS
  • Tenable Nessus
  • Qualys Guard

These tools help perform automated vulnerability scanning as well as configuration review. You can also schedule monthly automated vulnerability scans so that weak access controls or missing patches are identified on an ongoing basis as changes are made to the network.
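One way to make a scheduled scan actually surface change, rather than just a report nobody reads, is to diff each run against a saved baseline. The script below does that for Nmap's XML output (`-oX`); it is an added example, not Sumeru's own tooling, and the two XML reports embedded in it are constructed samples.

```python
"""Compare a scheduled Nmap XML scan against a saved baseline and report
newly exposed ports. Added example, not Sumeru's own tooling; the XML
below is constructed in the shape of Nmap's -oX output."""
import xml.etree.ElementTree as ET

# Constructed baseline scan: one host with SSH and HTTPS exposed.
BASELINE_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
</nmaprun>"""

# Constructed monthly scan: a database port has appeared since the baseline.
CURRENT_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
 </ports></host>
</nmaprun>"""


def open_ports(nmap_xml: str) -> set:
    """Return {(ip, proto, port, service)} for every open port in an Nmap XML report."""
    found = set()
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not an exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            found.add((addr, port.get("protocol"), int(port.get("portid")), name))
    return found


def diff_scans(baseline_xml: str, current_xml: str) -> dict:
    """Split the change into ports that appeared and ports that went away."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    return {"new": sorted(after - before), "closed": sorted(before - after)}


if __name__ == "__main__":
    delta = diff_scans(BASELINE_XML, CURRENT_XML)
    for ip, proto, port, svc in delta["new"]:
        print(f"NEW exposure: {ip} {proto}/{port} ({svc}) - review before the next cycle")
```

Run it from cron after each monthly scan and route the "new" list to a ticket; closed ports are worth a look too, since a service that vanished may have been moved rather than decommissioned.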

Sumeru's security assessment differs from other vendors' because our work typically starts where the tool stops. We use tools to aid our testing and speed up the basic checks, and focus predominantly on manual analysis to remove false positives.

Application Security

With more and more applications hosted in the cloud and exposed publicly, traditional perimeter security controls become irrelevant, and the applications themselves become an easy target for attackers. Here are some of the security tests we can carry out:

  • Application Penetration Test
  • Secure Code Review
  • Application Security Verification Standard (ASVS) Review
  • DevSecOps

We work with the developers/product owners of business-critical applications to get a detailed walkthrough and better understand the applications.

Once the necessary access and credentials are received, a detailed Application Penetration Test is carried out, with Web Applications, Mobile Applications, Thick Clients, APIs, etc., considered part of the scope.

We also perform a thorough Secure Code Review to analyze the backend code, referring to the OWASP standards. We do that to ensure, as a bare minimum, that the OWASP Top Ten is covered, and that the latest version of the OWASP Testing Guide, along with our comprehensive checklist covering the entire application scope, is thoroughly applied. Some of the most common tools for application security testing which we use are:

  • Burp Suite
  • OWASP ZAP
  • Netsparker
  • Checkmarx

These tools can help automate some of the primary test cases. The Sumeru team goes beyond the tool to manually identify vulnerabilities, especially those related to business logic, which are typically missed by tools, and provides the relevant business impact based on your specific environment.

To ensure further hardening and that best practices are followed, we perform an application security review based on the OWASP Application Security Verification Standard (ASVS) to close additional gaps.

We carry out Secure Coding Practices training for the developers to educate them on the typical security vulnerabilities that attackers find and how to mitigate them at the code level.

Once a significant level of maturity is reached, we help automate security checks wherever possible, gradually integrate them into the typical DevOps pipeline, and establish a solid DevSecOps cycle.

Cloud Security

As a start-up, your product is likely to have a significant presence in the cloud, and the most common entry point into your start-up could very likely be through your cloud infrastructure, which makes it easy prey for casual hackers.

Several reports have pointed out that cloud misconfigurations have been one of the most common vulnerabilities that attackers have taken advantage of to gain access to customer data. Hence, it becomes essential to take the necessary precautions to harden your cloud infrastructure.

Some of the activities carried out as part of Cloud Security are:

  • Cloud Penetration Test
  • Cloud configuration review

It is vital to carry out a Penetration Test against your cloud infrastructure to identify any user misconfigurations or exposed unauthenticated storage, such as AWS S3 buckets or Azure blobs. You must also conduct a thorough configuration review of your IAM policies and verify logging and alerting mechanisms to ensure you stay on top of your security.

We follow guidelines from the Cloud Security Alliance, amongst other standards, to ensure the cloud infrastructure is safe and secure. The following tools can be used to perform automated scans:

  • CS-Suite
  • ScoutSuite
  • Tenable Nessus
  • Qualys Cloud Platform
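The two misconfigurations the cloud review above calls out, unauthenticated storage and over-broad IAM policies, are both visible in the policy JSON itself. The checker below reads AWS-style policy documents and flags an anonymous Principal and a wildcard Action/Resource grant; it is an added example, not Sumeru's tooling or any of the scanners listed, and both policy documents in it are constructed samples.

```python
"""Flag two common cloud misconfigurations in AWS-style policy documents:
a bucket policy granting anonymous access, and an IAM policy with a
wildcard Action/Resource grant. Added example; the policies are constructed."""
import json

# Constructed bucket policy: anonymous read of every object (publicly exposed storage).
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed IAM policy: full admin rights attached to a role meant for one app.
WILDCARD_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal block lets anyone in without authentication."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def review_policy(document: str) -> list:
    """Return one finding string per risky Allow statement (empty list = clean)."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(document).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict, never expose
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if _is_anonymous(stmt.get("Principal")):
            findings.append(f"statement {i}: anonymous principal allowed {actions}")
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: wildcard Action and Resource (full admin)")
    return findings


if __name__ == "__main__":
    for name, doc in [("bucket", PUBLIC_BUCKET_POLICY), ("iam", WILDCARD_IAM_POLICY)]:
        for finding in review_policy(doc):
            print(f"[{name}] {finding}")
```

Feed it the output of the relevant get-bucket-policy / get-policy-version calls for every bucket and role, and treat any finding as a review item; a Condition block may legitimately narrow some of these, so confirm before closing.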

Container Security?

The adoption of containers, especially Docker, has increased in organizations due to benefits such as cost-effectiveness, quick deployments, and the ability to run them efficiently in any environment. Along with these benefits, they also introduce some security challenges: if a single container is compromised, it can put the other containers and the underlying host at risk as well.

According to the recent "State of Kubernetes and Container Security Report," 87% of organizations manage some portion of their container workloads using Kubernetes.

It is critical to harden these containers by using up-to-date images, scanning the containers regularly for known vulnerabilities, checking for any misconfigurations, verifying that the latest patches are applied, etc., and automating all these checks as much as possible.

Some activities carried out as part of Container Security are:

  • Container Security Testing
  • Container Hardening

We help identify the different vulnerabilities, fix the issues, and deploy secure containers in your CI/CD pipeline. Some popular open-source tools for performing these scans are:

  • Clair
  • Anchore
  • Docker Bench
  • Aqua Security
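Several of the hardening points above (pinned, up-to-date images; not running as root; no secrets baked into the image) can be checked at build time before an image ever reaches a vulnerability scanner. The linter below does that for a Dockerfile; it is an added example, not Sumeru's or Docker's tooling, and the weak and hardened Dockerfiles it contains are constructed samples.

```python
"""Lint a Dockerfile for hardening misses a container security test looks
for: an unpinned base image, a container that runs as root, and credentials
baked in via ENV. Added example; both Dockerfiles below are constructed."""
import re

# Constructed weak Dockerfile: floating tag, runs as root, secret in the image.
WEAK_DOCKERFILE = """FROM python:latest
ENV DB_PASSWORD=changeme
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Constructed hardened Dockerfile: pinned tag (a digest is stronger still),
# secrets left to runtime injection, dedicated non-root user.
HARDENED_DOCKERFILE = """FROM python:3.12-slim
COPY . /app
RUN pip install --no-cache-dir -r /app/requirements.txt \\
    && useradd --system --no-create-home app
USER app
CMD ["python", "/app/main.py"]
"""

# ENV lines whose variable name looks like a credential.
SECRET_ENV = re.compile(r"^ENV\s+\S*(PASSWORD|SECRET|TOKEN|KEY)\S*=", re.IGNORECASE)


def lint_dockerfile(text: str) -> list:
    """Return hardening findings; an empty list means all checks passed."""
    findings, saw_user = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.upper().startswith("FROM "):
            image = line.split()[1]
            pinned = "@sha256:" in image or (":" in image and not image.endswith(":latest"))
            if not pinned:
                findings.append(f"line {lineno}: base image '{image}' not pinned to a tag or digest")
        elif line.upper().startswith("USER "):
            saw_user = True
            if line.split()[1] in ("root", "0"):
                findings.append(f"line {lineno}: USER explicitly set to root")
        elif SECRET_ENV.match(line):
            findings.append(f"line {lineno}: credential baked into image via ENV")
    if not saw_user:
        findings.append("no USER instruction: container runs as root by default")
    return findings
```

Wire it into the CI job that builds the image so a failing lint blocks the push; pair it with one of the image scanners listed above, which covers the known-CVE side this script deliberately does not.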

To sum up

From the list of essential security hygiene services, not all may apply to your environment in the early stages. The Sumeru team can help prioritize based on the MVCSP and carry out the appropriate activities in a phased manner:

  • Performing regular vulnerability scans as well as configuration reviews of your network assets
  • Carrying out an Application Penetration Test and Secure Code Review of your business-critical applications, as well as training your developers on secure coding practices
  • Securing your cloud infrastructure to remove common misconfiguration and access-control-related issues
  • Hardening your containers by checking for image updates and scanning for known vulnerabilities


Written by:

Chidhanandham Arunachalam, Chief Program Officer at Sumeru Solutions. A passionate entrepreneurial leader & unshakable optimist dedicated to helping companies achieve remarkable results with great technology solutions.


This article is the third of our series on 'Secure Your Start-ups'. To get updated about the remaining articles of the series, please follow #sumerusecureyourstartup