A Brief Guide on Network Security, Application Security, Cloud Security & Container Security
Our third article in the 'Secure Your Start-Up' series will walk you through the next step of securing your start-up: network security, application security, cloud security, and container security.
In the first article, we discussed the MVCSP of your organization, where we did a ‘gap analysis’ and arrived at a roadmap for your organization.
Then in the second article, we covered some basic good security practices to follow, such as password managers and MFA.
Taking the MVCSP of your organization as the reference, we begin with essential security hygiene, which typically focuses on the following areas -
Basic or Essential Security Hygiene focuses on the traditional security controls for a company that is just starting on security and needs the bare minimum, absolutely necessary checks.
As a start-up, it is essential to pay attention to your security budgets and spend them most optimally. Sumeru helps in providing cost-effective solutions with a mix of open-source and commercial tools as needed.
We start by engaging with the respective people from the infrastructure and the application team to understand your network, applications, & other services and map out your entire infrastructure.
Network Security
We establish baseline security by ensuring all systems, such as the operating systems of servers and workstations/laptops, are hardened by default according to an established standard. The Center for Internet Security (CIS) Controls Version 8 has 18 controls that provide actionable ways to prevent the most common attacks and act as a recommended set of actions for cyber defense.
We understand your network security by doing the following -
As part of VAPT, we identify the various vulnerabilities in your network, classify them based on their risk, and remove false positives. As part of basic network security, it is essential to secure your perimeter using a firewall, harden it, and review its rules. Along with the firewall, your other devices, such as switches and routers, must also be appropriately configured and verified as part of the network configuration review.
Most of the above activities can be performed using tools such as -
These tools help in performing automated vulnerability scanning as well as configuration review. You can also schedule monthly automated vulnerability scans to ensure any weak access controls or outdated patches are identified on an ongoing basis as and when updates are made in the network.
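The firewall rule review mentioned above is one of the checks that can be scripted alongside the scanners. The following is an added example (not a Sumeru tool and not part of the original article) that reviews a constructed rule table, in the order the firewall evaluates it, for three classic findings: an any-to-any allow, administrative ports open to the Internet, and rules shadowed by an earlier broader rule, so they are never evaluated. The `Rule` field names and the sample rules are assumptions for this example.

```python
"""Firewall rule review: flag permissive and shadowed rules.

Added example. The rule fields and the sample rule table are constructed;
real exports (e.g. a CSV from a firewall) would need a small adapter.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

# Ports that should never be reachable from 0.0.0.0/0 (constructed list).
ADMIN_PORTS = {22, 23, 3389, 5900}
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: tuple[int, int]   # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when `outer` matches every packet that `inner` would match."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and outer.ports[1] >= inner.ports[1]
    )


def review(rules: list[Rule]) -> list[str]:
    """Return human-readable findings for an ordered rule table."""
    findings: list[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        src_is_internet = ip_network(r.src).prefixlen == 0
        dst_is_any = ip_network(r.dst).prefixlen == 0
        if src_is_internet and dst_is_any and r.ports == ANY_PORTS:
            findings.append(f"{r.name}: allow any->any on all ports (no segmentation)")
        elif src_is_internet:
            exposed = sorted(p for p in ADMIN_PORTS if r.ports[0] <= p <= r.ports[1])
            if exposed:
                findings.append(f"{r.name}: admin port(s) {exposed} open to the Internet")
    # First-match evaluation: a rule fully covered by an earlier one is dead.
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append(f"{later.name}: shadowed by {earlier.name} (never evaluated)")
                break
    return findings


# Constructed sample table, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("allow-ssh-anywhere", "allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", (22, 22)),
    Rule("allow-all-temp", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS),
    Rule("deny-db-from-dmz", "deny", "10.0.1.0/24", "10.0.2.0/24", "tcp", (5432, 5432)),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

The shadowing check is the one reviewers most often do by hand: the `deny-db-from-dmz` rule in the sample looks fine in isolation, but the "temporary" any-to-any rule above it means it never fires.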
Sumeru Security Assessment differs from other vendors as our work typically starts when the tool stops. We use tools to aid in our testing to speed up the basic checks and predominantly focus on manual analysis to remove false positives.
Application Security
With more and more applications hosted on the cloud and exposed publicly, traditional perimeter security controls become irrelevant, and the applications themselves become an easy target for attackers. Here are some of the security tests which we can carry out -
We work with the developers/ product owners for business-critical applications to get a detailed walkthrough and better understand the applications.
Once the necessary access and credentials are received, a detailed Application Penetration Test, covering Web Applications, Mobile Applications, Thick clients, APIs, etc., is considered part of the scope.
We also perform a thorough Secure Code Review of the backend code against the OWASP standards. As a bare minimum, we ensure the OWASP Top Ten is covered and that the entire application scope is thoroughly tested using the latest version of the OWASP Testing Guide along with our comprehensive checklist. Some of the most common tools for application security testing which we use are -
These tools can help automate some of the primary test cases. The Sumeru team goes beyond the tool to manually identify vulnerabilities, especially related to business logic, which is typically missed by the tool and provides relevant business impact based on your specific environment.
To ensure further hardening and best practices are followed, we perform an application security review based on the OWASP Application Security Verification Standard (ASVS) to remove additional gaps.
We carry out Secure Coding Practices training for developers to educate them on the typical security vulnerabilities which attackers find and how to mitigate them at the code level.
Once a significant level of maturity is reached, we help automate security checks wherever possible and slowly help integrate into the typical DevOps pipeline and establish a solid DevSecOps cycle.
Cloud Security
As a start-up, your product is likely to have a significant presence in the cloud, and your cloud infrastructure could very likely be the most common entry point into your start-up, which makes it easy prey for casual hackers.
Several reports have pointed out that cloud misconfigurations are among the most common vulnerabilities that attackers have taken advantage of to gain access to customer data. Hence it becomes essential to take the necessary precautions to harden your cloud infrastructure.
Some of the activities carried out as part of Cloud Security are -
It is vital to carry out a Penetration Test against your cloud infrastructure to identify any user misconfigurations or exposed unauthenticated storage such as AWS S3 buckets or Azure Blob Storage containers. You must also conduct a thorough configuration review of your IAM policies and verify logging and alert mechanisms to ensure you stay on top of your security.
We follow guidelines from the Cloud Security Alliance, among other standards, to ensure the cloud infrastructure is safe and secure, and the following tools can be used to perform automated scans.
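Two of the review items above, over-privileged IAM policies and storage that is readable by anonymous principals, can be checked directly against the policy JSON that the cloud provider exports. The script below is an added example (not Sumeru's tooling and not from the article) that reads AWS identity policies and S3 bucket policies and flags the patterns that most often show up in misconfiguration reports: `Action "*"` on `Resource "*"`, service-wide wildcards on every resource, `Allow` combined with `NotAction`, and a bucket statement whose `Principal` is `*` with no `Condition`. The sample documents, the `000000000000` account id and the bucket name are constructed placeholders.

```python
"""Cloud configuration review of AWS IAM and S3 bucket policy documents.

Added example. Input is the policy JSON as returned by the AWS CLI or
console; the sample documents below are constructed placeholders.
"""
from __future__ import annotations

import json
from typing import Union

PolicyDoc = Union[str, dict]


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc: PolicyDoc) -> list:
    if isinstance(doc, str):
        doc = json.loads(doc)
    return _as_list(doc.get("Statement"))


def review_identity_policy(doc: PolicyDoc) -> list[str]:
    """Findings for a policy attached to a user, group or role."""
    findings: list[str] = []
    for st in _statements(doc):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            # Allow + NotAction permits everything except the listed actions.
            findings.append(f"{sid}: Allow with NotAction is an implicit wildcard")
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: full administrative access (Action '*' on Resource '*')")
        elif "*" in actions:
            findings.append(f"{sid}: any action allowed on {resources}")
        elif "*" in resources:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append(f"{sid}: service-wide actions {wide} on every resource")
    return findings


def review_bucket_policy(doc: PolicyDoc) -> list[str]:
    """Findings for an S3 bucket policy: anonymous access with no Condition."""
    findings: list[str] = []
    for st in _statements(doc):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if anonymous and "Condition" not in st:
            sid = st.get("Sid", "<no Sid>")
            findings.append(
                f"{sid}: anonymous principal may {_as_list(st.get('Action'))} "
                f"on {_as_list(st.get('Resource'))}"
            )
    return findings


# Constructed sample documents (placeholder account id and bucket name).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DevAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
CI_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:us-east-1:000000000000:log-group:/app/*"},
    ],
})
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("ci", CI_POLICY)]:
        print(name, review_identity_policy(doc))
    print("bucket", review_bucket_policy(PUBLIC_BUCKET_POLICY))
```

The `Logs` statement in the CI policy produces no finding because its action and resource are both scoped; the point of the review is to separate that kind of statement from the `s3:*` on `*` next to it, which is the pattern behind most exposed-bucket incidents.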
Container Security
The adoption of containers, especially Docker, has increased in organizations due to benefits such as cost-effectiveness, quick deployments, and the ability to run them efficiently in any environment. Along with these benefits, they also introduce some security challenges: if a single container is compromised, it can put the other containers and the underlying host at risk as well -
According to the recent “State of Kubernetes and Container Security Report,” 87% of organizations manage some portion of their container workloads using Kubernetes.
It’s critical to harden these containers by using up-to-date images, scanning the containers regularly for known vulnerabilities, checking for any misconfigurations, verifying that the latest patches are applied, etc., and automating all these checks as much as possible.
Some activities carried out as part of Container Security are -
We help identify different vulnerabilities, fix the issues, and deploy secure containers in your CI/CD pipeline. Some popular open-source tools for performing these scans are -
To sum up
From the list of essential security hygiene services, all may not apply to your environment in the early stages. The Sumeru team can help prioritize based on the MVCSP and carry out the appropriate activities in a phased manner.
Written by:
Chidhanandham Arunachalam, Chief Program Officer at Sumeru Solutions. A passionate entrepreneurial leader & unshakable optimist dedicated to helping companies achieve remarkable results with great technology solutions.
This article is the third of our series on 'Secure Your Start-ups'. To get updated about the remaining articles of the series, please follow #sumerusecureyourstartup