Security Check Lists
CTO Security Check List
A security checklist (compiled by one company; it can serve as a reference point): https://www.goldfiglabs.com/guide/saas-cto-security-checklist/
Selected items that are close to AppSec:
Your employees
Enforce a secure code review checklist
Use centralized account management
Your code
Keep secrets away from code
Use a pre-production analysis tool (SAST)
Perform security-oriented test sessions (DAST)
Automate security within your SDLC
Onboard your software engineers with a security training
Your application
Automate security once your app is in production (and check infra, containers, ...)
Keep track of your dependencies (SCA)
Run it unprivileged
Use a real-time protection service, like a RASP (WAF)
Hire an external penetration testing team
Your infrastructure
Backup, test your backups, then backup again
Check your website's basic security
Isolate assets at the network level
Keep your OS & Docker images up to date
Enable automatic security scanning of your container images
Use encryption on all your websites and APIs
Centralize and archive your logs and make them meaningful
Monitor exposed services
Protect your application from DDoS attacks
Restrict internal services by IP addresses
Watch for unusual patterns in your metrics
Know how to redeploy your infrastructure from scratch
Monitor internal services (Nessus)
Your company
Be honest and transparent about any data you collect
Make sure all your critical services are secured
Ensure that your domain names are protected
Have a public security policy
Set up a bug bounty program
Have a security incident response plan
Create an inventory of your company’s assets
Have an internal security policy
Protect against domain name phishing (Brand Protection)
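As an added illustration of the "Keep secrets away from code" and "Automate security within your SDLC" items (example code written for this page, not part of the linked checklist or of any real scanner's source): a minimal secret scanner of the kind a pre-commit hook or CI job would run over changed files. The rule set, the `# nosecret` allow-list marker, the entropy threshold and the sample file contents are constructed assumptions; production tools such as gitleaks, trufflehog or detect-secrets ship far larger rule sets and tuned thresholds.

```python
"""Minimal secret scanner for a pre-commit hook or CI step (added example).

Everything below is constructed for illustration: the patterns, the
'# nosecret' suppression marker, the entropy threshold and SAMPLE itself.
"""
import math
import re
from collections import Counter

# A few common credential shapes. Real scanners carry hundreds of rules.
PATTERNS = {
    # AWS access key ids have a fixed prefix and length, so a literal rule works.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private keys committed by mistake are the classic finding.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # Generic "name = 'value'" assignments; filtered by entropy below so that
    # placeholders such as 'changeme' do not flood the report.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per (line, rule) hit.

    Lines carrying the hypothetical '# nosecret' marker are skipped so that
    test fixtures can be allow-listed explicitly and visibly in code review.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosecret" in line:
            continue
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                value = m.group(2)
                if shannon_entropy(value) < entropy_threshold:
                    continue  # low-entropy placeholder, not a real credential
            findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
    return findings


# Constructed sample of a config file as it might be staged for commit.
# The AKIA value is a made-up placeholder, not a real key.
SAMPLE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
api_key = "q7Lm2Xp9vR4tZ8wK1nB6"
token = "ZzYyXxWwVvUuTtSsRrQq"  # nosecret
"""


def scan_sample() -> list[dict]:
    """Run the scanner over SAMPLE; a hook would exit non-zero on any finding."""
    return scan_text(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
    raise SystemExit(1 if scan_sample() else 0)
```

Wired into a pre-commit hook, the non-zero exit blocks the commit; in CI the same script fails the pipeline, which is the "automate security within your SDLC" part. The entropy filter is what keeps such a check usable: without it, every `password = "changeme"` in a test fixture becomes noise and the team learns to ignore the tool.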
API Security Check List