5 Security as a process

 

In this chapter

  • Why you should have two people implement changes to critical systems
  • How restricting permissions to members of your organization can keep you safe
  • How you can use automation and code reuse to prevent human error
  • Why automated testing and deployment are key to secure releases
  • Why audit trails are important in detecting security events
  • How important it is to learn from your security mistakes

The Forth Bridge is a 8,094 feet long cantilevered railway bridge over the river Forth, to the west of Edinburgh in Scotland. When built, it was considered to be an engineering marvel—the first major structure in Britain to be built from steel. The choice of materials also posed a maintenance problem: to protect the steel from the harsh Scottish winters, all 9 miles of the bridge needed to be covered in paint.

Painting began as soon as construction was complete. Given the length of the bridge, a permanent painting crew worked on upkeep continuously. For the Scots, “Painting the Forth Bridge” became a colloquial expression for a never-ending task; they came to believe that the paint crew would reach one end and then have to begin working on a full repaint at the other.

Using the four-eyes principle

Applying the principle of least privilege to processes

Automating everything you can

Not reinventing the wheel

Keeping audit trails

Writing code securely

Using source control

Managing dependencies

Designing a build process

Writing unit tests

Performing code reviews

Automating your release processes

Deploying to preproduction environments

Rolling back code

Using tools to protect yourself

Dependency analysis

Static analysis

Automated penetration testing

Firewalls

Intrusion detection systems

Antivirus software

Owning your mistakes

Summary