Application and Infrastructure Security
…
Are secrets separated from code?
Secrets should not be stored within code but rather delivered to the application when needed. Take care with secret zero: how do we deliver secrets in a secure fashion? Avoid public cloud key storage services for ultra-sensitive key material (master keys and customer video encryption keys are good examples). Note: TODO - investigate Secure Enclaves as a set of software and hardware solutions to this problem.
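One way an application can receive a secret at startup instead of carrying it in code, shown as an added example that is not part of the original page. The `<NAME>_FILE` variable convention, the `load_secret` helper, the `DB_PASSWORD` name and the POSIX permission check are assumptions, and the file itself is expected to be placed by the deployment platform.

```python
import os
import stat
import tempfile


class SecretError(RuntimeError):
    """Raised when a secret cannot be delivered safely."""


def load_secret(name, env=os.environ):
    """Read secret `name` from the file whose path is in <name>_FILE (assumed convention).

    Only the path is configuration; the value never appears in source.
    There is no default: a missing or badly protected secret stops startup.
    """
    path = env.get(name + "_FILE")
    if not path:
        raise SecretError(name + "_FILE is not set")
    with open(path, "rb") as f:
        st = os.fstat(f.fileno())  # inspect the file that was actually opened
        if not stat.S_ISREG(st.st_mode):
            raise SecretError(path + " is not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretError(path + " is accessible to group or others")
        value = f.read().decode("utf-8").strip()
    if not value:
        raise SecretError(path + " is empty")
    return value


def demo():
    """Constructed sample: a 0600 secret file, then the same file made world-readable."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"constructed-sample-value\n")
        os.close(fd)
        env = {"DB_PASSWORD_FILE": path}  # hypothetical variable name
        loaded = load_secret("DB_PASSWORD", env)
        os.chmod(path, 0o644)  # simulate a misconfigured deployment
        try:
            load_secret("DB_PASSWORD", env)
            rejected = False
        except SecretError:
            rejected = True
        return loaded, rejected


if __name__ == "__main__":
    loaded, rejected = demo()
    print("loaded:", bool(loaded), "| rejected when world-readable:", rejected)
```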
Teams must be continuously aware of security advisories affecting services exposed to the public. Have a plan in place for responding to zero-days that affect services, including a response process involving customer communication. Regularly review and update edge service software (although avoid bleeding-edge releases).
For highly security-critical software or processes, we should consider an external auditor. External auditors question established norms and can identify issues that may be easily overlooked by internal teams. An external auditor can also give customers/users additional confidence.