Onboarding & induction
New developers should be set up with the necessary knowledge of the practices and policies the hiring organization uses, so that newer developers are less likely to write risky code. Onboarding should include:
- Security briefings - developers are properly taught and told about the organization's security practices.
- Access control - permissions are granted only as they are required. Don't give full access to new developers.
- Codebase walkthroughs - developers are walked through how security is handled in the codebase.
- Team introductions - newer developers should be told whom to ask about security questions.
Proper training
Even the most senior developers may forget things. Ongoing training is essential, and all employees should be kept up to date on cybersecurity.
Proper training on:
- common vulnerabilities, such as XSS, SQL injection and weak authentication
- safe coding practices and standards
- security tools
- OWASP Top 10
Risk management plans
Risk management plans are template documents that help with identifying risks.
Risk management:
- Identify the risk - what could go wrong?
- Assess the risk - how likely is it to happen? How serious would it be?
- Plan responses - what actions would one take in response?
- Monitor - how are you going to monitor for it?
Examples of risks
- Third-party libraries
- Poor or missing input validation
- Poor user authentication
- Delayed patching
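The following is an added example, not part of the original page, showing the four risk-management steps above (identify, assess, plan responses, monitor) as a small risk register in Python. The risk names are the page's own examples; the likelihood and impact scales, the response text, the monitoring indicators and the sample telemetry snapshot are constructed assumptions for illustration.

```python
"""Minimal risk register walking the four risk-management steps.
Added example; scales, thresholds and indicator names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Ordinal scales (assumed): 1 = low, 2 = medium, 3 = high
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str                          # 1. Identify - what could go wrong?
    likelihood: str                    # 2. Assess - how likely is it?
    impact: str                        #    ... and how serious would it be?
    response: str                      # 3. Plan responses - what would we do?
    monitor: Callable[[Dict], bool]    # 4. Monitor - True when the indicator trips

    def score(self) -> int:
        """Likelihood x impact on the ordinal scales above (1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def build_register() -> List[Risk]:
    """Register populated with the page's example risks (assessments assumed)."""
    return [
        Risk("Third-party libraries", "high", "high",
             "pin versions, run a dependency audit in CI",
             lambda s: s["deps_with_known_advisories"] > 0),
        Risk("Poor or missing input validation", "medium", "high",
             "central validation library, code-review checklist item",
             lambda s: s["unvalidated_endpoints"] > 0),
        Risk("Poor user authentication", "medium", "high",
             "MFA, rate limiting, use a tested auth library",
             lambda s: s["failed_logins_last_hour"] > 100),
        Risk("Delayed patching", "high", "medium",
             "patch SLA, automated update alerts",
             lambda s: s["days_since_last_patch"] > 30),
    ]


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first, so the team knows where to spend effort."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def tripped(register: List[Risk], snapshot: Dict) -> List[str]:
    """Names of risks whose monitoring indicator fires for this snapshot."""
    return [r.name for r in register if r.monitor(snapshot)]


# Constructed sample telemetry snapshot (not real data)
SAMPLE_SNAPSHOT = {
    "deps_with_known_advisories": 2,
    "unvalidated_endpoints": 0,
    "failed_logins_last_hour": 12,
    "days_since_last_patch": 45,
}

if __name__ == "__main__":
    reg = build_register()
    for r in rank(reg):
        print(f"{r.score():2d}  {r.name}: {r.response}")
    print("tripped:", tripped(reg, SAMPLE_SNAPSHOT))
```

Running it ranks "Third-party libraries" first and reports that the dependency-advisory and patch-age indicators have tripped for the sample snapshot; in practice the snapshot would come from CI, dependency scanners and authentication logs.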