Cybersecurity Reference Guide

Cyber Hygiene

  • Thu 08 February 2024
  • misc

Mitigates against

  • Cryptographic failures
  • Security misconfigurations
  • Injection
  • Vulnerable and outdated components
  • Broken access control
  • Security logging and monitoring failures

Just as we discard outdated tools at the gym, strategic decommissioning trims excess, eliminating obsolete elements and streamlining our codebase.

Effective dependency management and the intentional removal of outdated components are the dynamic duo of our cyber fitness. They not only shield our projects from vulnerabilities but also enhance their agility, making them resilient in the face of evolving cyber threats. It's a holistic approach to ensuring our digital creations stay fit, robust, and ready for whatever the coding gym throws at them.

Use Package Managers

Employ package managers such as npm, pip, or Maven to streamline the installation, updating, and removal of dependencies. These tools provide a centralized and organized approach to dependency management.

Vet Your Dependencies

Before incorporating external code into your project, conduct a thorough evaluation. Opt for well-maintained libraries with an active community, positive reviews, and a developer with a solid reputation. Of course, although it is wise to maintain good practices when selecting and putting dependencies into use in your project, you're not alone in carrying this responsibility.

There are myriad tools to assist you with this task. Although each of these has its unique pros and cons, you may consider taking a look at any of the following:

Utilize Managed Repositories

If - in addition to this - you would like to maintain further control over the lifecycle of your dependencies, managing your own repository might be a good next step. A good starting point for this could be SonaType Nexus.

Some highlights of the benefits of using a solution like this:

  • Centralized Control: Managed repositories provide a centralized platform for hosting and managing dependencies. Nexus Cloud, for example, allows you to maintain strict control over the artifacts your project relies on, ensuring version consistency and security.
  • Efficient Collaboration: These repositories facilitate efficient collaboration by offering a shared space where team members can access, contribute to, and synchronize dependencies. This collaborative environment promotes consistency across development environments.
  • Caching for Efficiency: Managed repositories often employ caching mechanisms, reducing the need to repeatedly download dependencies from external sources. This not only enhances build efficiency but also ensures a more stable and reliable development process.
  • Proxying External Repositories: Nexus Cloud and similar tools can act as proxies for external repositories, mitigating the risks associated with relying directly on external sources. This minimizes exposure to potential security threats while maintaining a seamless development experience.
  • Access Control and Security Policies: Managed repositories enable the implementation of access controls and security policies. This ensures that only authorized individuals have access to specific dependencies, adding an extra layer of security to your development workflow.

Regularly Update Dependencies

In addition to maintaining a firm grasp on the dependencies you use and any issues associated with them, it is wise to stay as up-to-date as possible. Not only does updating your dependencies assure that you have the latest patches and fixes for the software you rely on, it also supports the long term health of your project by reducing tech debt. If a newly surfaced critical exploit relies on a version of a dependency that your environment has not yet reached compatibility with, this may hinder your response and create urgency where it need not exist.

Stay proactive by checking for updates on your dependencies. Applying updates promptly ensures that your project is fortified against known vulnerabilities and benefits from improved stability.

Keep a Lean Codebase

Minimize dependencies to only those essential for your project. A concise codebase reduces the potential attack surface, making your project less susceptible to exploits. Consider native code alternatives for non-crucial dependencies.

When utilizing a dependency, do not only consider its benefits, but also the long term burden of maintaining it. Dependency creep can severely hinder your project if left unchecked. Choose wisely when taking on this burden.

Check for Security Advisories

Stay informed about potential vulnerabilities by subscribing to security mailing lists or utilizing tools like GitHub's security advisory features in addition to dependency checking tools already discussed previously. Timely awareness enables you to address threats before they escalate. The specifics of this practice greatly depend on the specificities of your project and environment.

Personal favourites of the author include:

Audit Code for Vulnerabilities

Conduct regular code audits using tools like static code analyzers and security scanners. This step ensures the identification and resolution of potential vulnerabilities, contributing to an enhanced overall security posture.

The Scanning topic goes into a little more detail on this subject.

Quality gates

All of these interventions are useful, but depending on your team's maturity you may find that output of any tools may simply be ignored, leading to a severely reduced impact within on your development process and thereby the resulting output of your team. As such, it can be worthwhile configuring quality gates within your release process. While the specificities of this differ on a platform by platform basis, in a very basic sense a quality gate is a pipeline step that checks whether certain conditions have been satisfied. If so, the deployment may continue. If not, a deployment is halted until it is ready for the limelight (after solving any issues). For optimal results, determine your team's exact needs, balancing strict enforcement with the ability to maintain your codebase productively. Too strict, and the team might encounter unnecessary roadblocks while not significantly benefiting the project's security. When set up appropriately, this can enforce the quality requirements that the team determines are right for them, their application and the landscape it operates in.

In the intricate world of coding, cyber hygiene is our project's tailored wellness routine. Picture dependency management as selecting precise nutritional supplements for your digital diet. It involves meticulous updates and integrations, ensuring our codebase thrives on the latest and most secure external elements.