Application Security Checklist

Posted on Tuesday, May 28, 2019

Application and Infrastructure Security

Are secrets separated from code?

Secrets should not be stored within code but rather delivered to the application when needed. Care should be taken with secret zero; how do we deliver secrets in a secure fashion. Avoid public cloud key storage services for ultra-sensitive key material (master keys and customer video encryption keys are good examples). Note: TODO - investigate Secure Enclaves as a set of software and hardware solutions to this problem.

Are we continuously monitoring Common Vulnerabilities and Exposures (CVEs) and evaluating them against our technology stack?

Teams must be continuously aware of security advisories affecting services exposed to the public. Have a plan in place for responding to zero-days that affect services, including a response process involving customer communication. Regularly review and update edge service software (although avoid bleeding edge releases).

Have we engaged an external organisation to audit out security critical services and practices?

For highly security critical software or processes we should consider an external auditor. External auditors question established norms and can identify issues that may be easily overlooked by internal teams. An external auditor can also give customers/users additional confidence.