- Having a validated list of components and software sources
- Using automated processes to build it: fewer people, more services/machines
- Having regular software security checks and reports
- Having regular automatic vulnerability checks for every process
- Having a clear definition of what is a vulnerability and what is not
- Having a list of the authors and manufacturers, so we know exactly where each piece of software/hardware came from
- Restricting, analyzing and controlling the use of third-party software and services
- Reporting the vulnerabilities, describing exactly what they are and what their consequences are
- Knowing where all your product dependencies come from
- Documenting everything, what OS did we use, the compiler, the IDE version, languages, packages versions, everything!
- Automating everything
- Using signed software
- Being fast, solving the reported vulnerabilities as soon as we can, before they are exploited
- In 2017, it would take 2 days for an exploit to be made public and used against us; now it takes only 2 seconds
- Re-thinking our trust levels
- Being careful with the open-source software we use: not using software that isn't being maintained, can't provide regular updates, or doesn't have security policies, dependency lists and valid licenses
- Writing clean code
- Testing the dependencies
- Throwing exceptions when we are supposed to
- Writing clean and useful error messages
- Having code reviews
- Not publishing code that disables security checks, and not consuming software that has those "features" embedded
- Not turning off the security features on the OS
- Reading the documentation of what we want to use, before trying to use it
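Several items above (a validated list of components, knowing where every dependency comes from, testing the dependencies) boil down to one automated check: before a build consumes a package, confirm it is on the approved list, at the approved version, with the approved hash. The Python below is an added example written for this post, not code from the original; the package names, archive bytes and the validated list are all constructed so it runs offline (in a real pipeline the validated list would be a reviewed, committed file such as a lock file or SBOM with hashes).

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry of the validated component list."""
    name: str
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded package archives (not real packages).
ARTIFACTS = {
    "libfoo-1.4.2.tgz": b"constructed libfoo 1.4.2 archive bytes",
    "libbar-0.9.0.tgz": b"constructed libbar 0.9.0 archive bytes",
}

# The validated list. Hashes are derived from the constructed archives above
# only so the example is self-contained; in practice they come from the
# reviewed list, never from whatever was just downloaded.
VALIDATED = {
    "libfoo": Component("libfoo", "1.4.2", sha256_hex(ARTIFACTS["libfoo-1.4.2.tgz"])),
    "libbar": Component("libbar", "0.9.0", sha256_hex(ARTIFACTS["libbar-0.9.0.tgz"])),
}


def check_dependency(name: str, version: str, artifact: bytes) -> tuple[bool, str]:
    """Accept a dependency only if name, version and content hash all match
    the validated list. Returns (ok, reason) so the reason can be reported."""
    expected = VALIDATED.get(name)
    if expected is None:
        return False, f"{name} is not on the validated component list"
    if expected.version != version:
        return False, f"{name} version {version} differs from validated {expected.version}"
    actual = sha256_hex(artifact)
    # constant-time comparison, so a hash mismatch is not timing-observable
    if not hmac.compare_digest(actual, expected.sha256):
        return False, f"{name}@{version} content hash does not match the validated hash"
    return True, "ok"


def check_manifest(manifest: list[tuple[str, str, bytes]]) -> dict[str, str]:
    """Run the check over every (name, version, archive bytes) a build wants
    to consume; returns {name: reason} for every rejected dependency."""
    failures = {}
    for name, version, artifact in manifest:
        ok, reason = check_dependency(name, version, artifact)
        if not ok:
            failures[name] = reason
    return failures


# Constructed build manifest: one intact package, one tampered archive,
# one unapproved version and one package that was never validated.
SAMPLE_MANIFEST = [
    ("libfoo", "1.4.2", ARTIFACTS["libfoo-1.4.2.tgz"]),
    ("libbar", "0.9.0", b"constructed libbar 0.9.0 archive bytes with extra payload"),
    ("libfoo", "1.5.0", b"constructed libfoo 1.5.0 archive bytes"),
    ("libbaz", "2.0.0", b"constructed libbaz 2.0.0 archive bytes"),
]

if __name__ == "__main__":
    for name, reason in check_manifest(SAMPLE_MANIFEST).items():
        print(f"REJECTED {name}: {reason}")
```

The build should fail closed on any non-empty result: a rejected dependency is a report to act on (item "Reporting the vulnerabilities"), not something to override locally. Note that the manifest in the sample lists `libfoo` twice on purpose, so the later, unapproved version overwrites the earlier entry in the failures map; a real pipeline would key failures by name and version.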
What if we are contributing to open source?
- Take the above list in consideration and make it safer