- Having a validated list of components and software sources
- Using automatic processes to build it, less people, more services/machines
- Having regular software security checks and reports
- Having regular automatic vulnerability checks for every process
- Having clear what is a vulnerability or not
- Having a list of authoring and manufacturing authors, so we know exactly where that piece of software/hardware came from
- Restricting, analyzing and controlling the use of third-party software and services
- Reporting the vulnerabilities, describing exactly what they are and what are it's consequences
- Knowing where all your product dependencies come from
- Documenting everything, what OS did we use, the compiler, the IDE version, languages, packages versions, everything!
- Automating everything
- Using signed software
- Being fast, solving the reported vulnerabilities as soon as we can, before they are exploited
- In 2017, an exploit would take 2 days to be made public and used against us, now, it takes only 2 seconds
- Re-thinking our trust levels
- Being careful with the opensourse software we use, not using software isn't being maintained and can't provide regular updates and has security policies, dependencies lists and valid licenses
- Writing clean code
- Testing the dependencies
- Throwing exceptions when we are supposed to
- Writing clean and useful error messages
- Having code reviews
- Not making public, code that disables security checking, and not consuming software that has those embedded "features"
- Not turning off the security features on the OS
- Reading the documentation of what we want to use, before trying to use it
What if we are contributing to open source
- Take the above list in consideration and make it safer
Are you capable of chipping in across sysadmin, ops, and site reliability work, while supporting the open source stack that runs DEV and other communities?
Top comments (0)