Cyber Security

The core zero-trust principle is: "Never Trust, Always Verify."

To implement this principle, We should apply the following practices:

1. Integrate SAST tools at the pipeline, like SonarCloud

2. Automated Security Testing  (OWASP ZAP, Burp Suite )

3. WAF as the umbrella for your solution, which detects the following:

• XSS

• Rate limiting

• Anomaly detection

• Injections

• Block malicious payloads

4. Strong Authentication (OAuth 2.0, OpenID Connect, JWT) 

5. Enable CORS restrictions

6. Configure and implement CSRF tokens 

7. MFA: Multi-factor authentication, authentication at first login

8. Implement Role-Based Access Control (RBAC) to prevent access to improper services

9. Encrypt payload

10. Use secret keys

11. Auto-Rotate secret keys

12. Use a secret key for each channel

13. Never expose secret key in the front-end layer

14. Obfuscation of frontend

15. Add HSTS and XSS headers at the frontend

16. Add HSTS and XSS headers at the backend

17. Continuous authentication on core activities:

• Payment

• Asset transfer

18. Encrypt traffic

• SSL

• TLS 1.2 or higher

19. Prevent data crawling

20. Infrastructure security

21. API versioning deprecation model for old APIs

Will mention approach, Description, example, and related Best Practices / Standards, as following:

• Defense-in-Depth

  1. Multiple layers of security controls across the stack

  2. Firewall + MFA + EDR + encrypted storage

  3. NIST SP 800-53, ISO 27001

• Risk-Based Approach

  1. Focus on threats with the highest business impact

  2. Prioritize patching exposed servers over internal apps

  3. ISO 27005, NIST RMF

• Least Privilege

  1. Users/systems get only the access they need

  2. Developer can’t access production DB

  3. NIST 800-53 (AC-6), CIS Controls v8

• Security by Design

  1. Integrate security from the start of development lifecycle

  2. Threat modeling in app design phase

  3. OWASP SAMM, Secure SDLC

• Segmentation

  1. Divide systems/networks to limit breach impact

  2. Separate finance network from guest Wi-Fi

  3. PCI DSS, NIST CSF

• Monitoring & Detection

  1. Continuous logging and anomaly detection

  2. SIEM alerts for failed logins or unusual traffic

  3. MITRE ATT&CK, NIST 800-92

• Patch Management

  1. Timely updating of software and systems

  2. Monthly OS/app updates, CVE patching

  3. NIST 800-40, CIS Control 7

• Awareness & Training

  1. Educating users to recognize threats

  2. Phishing simulation and response training

  3. ISO 27001 A.7, NIST NICE Framework

• Incident Response

  1. Defined process to detect, respond, and recover from incidents

  2. IR plan triggered during ransomware attack

  3. NIST 800-61, ISO 27035