Adding security controls early in a product life cycle is rarely seen as interesting, and on its own it rarely captures investment. However, adding product and infrastructure cybersecurity features now is far less expensive than adding them later.
Many of our customer stories begin with,
Our LS/IQ Virtual CISO guides engineering managers in making strategic plans for implementing cybersecurity features in a product. In short, the Virtual CISO makes engineers heroes when it comes to cybersecurity product features.
Here are four quick tips on features to add right now that have both engineering and cybersecurity value.
Implement encryption on everything from the beginning
At one point in time, engineering could make reasonable arguments against implementing encryption everywhere. For example, it was once accurate to say that encryption caused processing overhead and that certificates were too expensive. Neither statement holds true anymore. It is far less costly to add encryption now than later, and using encryption also helps reduce the risk of data exfiltration.
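As an added example (not code from the original article or from LS/IQ), the following Python shows what "encryption on everything from the beginning" looks like in practice: one hardened TLS configuration that every client and server in the product reuses, with certificate and hostname verification on by default so encryption is the baseline rather than a per-service decision. Certificate file paths and the host/port in the usage are placeholders.

```python
import socket
import ssl

# Added example: a single TLS policy shared by every component.
# Certificate paths and hosts below are placeholders, not real deployments.


def make_client_context(cafile=None):
    """Client side: TLS 1.2 or newer, server certificate and hostname verified."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_server_context(certfile, keyfile, client_cafile=None):
    """Server side: TLS 1.2 or newer; pass client_cafile to require client certs (mTLS)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    if client_cafile is not None:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_report(ctx):
    """The three settings a reviewer checks before approving a TLS config."""
    return {
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def open_tls_connection(host, port, ctx=None, timeout=5.0):
    """Open a socket that is encrypted and authenticated before any data flows."""
    ctx = ctx or make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Prints the policy summary; no network access is needed for this check.
    print(context_report(make_client_context()))
```

Putting the policy in one place means a weakened setting (an older protocol version, `CERT_NONE` to silence a certificate error) shows up in one code review rather than being scattered across services.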
Use 2-factor authentication on everything
Enforcing 2-factor authentication on all systems is one of the least expensive and most valuable ways to strengthen user authentication. Moreover, with so many reputable 2-factor authentication products and services on the market, implementation costs are relatively low.
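To make the second factor concrete, here is an added example (not the article's or any vendor's code) implementing RFC 4226 HOTP and RFC 6238 TOTP in standard-library Python, which is the algorithm behind most authenticator apps. The secret used for checking is the published RFC test secret, not a production key; the verification function accepts one step of clock skew on either side and compares codes in constant time.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added example: RFC 4226 / RFC 6238 one-time codes with the standard library only.


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the Unix time divided by the step (30 s)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, window=1):
    """Accept the current code or one within +/- `window` steps, compared in constant time."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    for offset in range(-window, window + 1):
        if counter + offset < 0:
            continue
        candidate = hotp(secret, counter + offset, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def new_secret(nbytes=20):
    """Enrollment secret: raw bytes for the server, base32 for the otpauth:// URI / QR code."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii").rstrip("=")


# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    raw, b32 = new_secret()
    print("enroll with:", b32)
    print("current code:", totp(raw))
```

A production deployment adds what the RFC leaves to the implementer: rate limiting on verification attempts, rejecting a code that has already been used within its step, and storing the raw secret as carefully as a password hash.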
Centralize logging from day 1
On day 1 of any new project, set a standard configuration in which all systems and applications log to a centralized source. Centralized logs aid development and error handling. They also make potentially malicious activity far easier to detect.
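As an added example (not the article's code), the Python below shows both halves of that tip: a logging formatter that makes every service emit one JSON object per line in a common shape a log shipper can forward unchanged, and a detection routine that runs over the pooled lines to flag a source address with a burst of failed logins across services. The sample lines are constructed, and the addresses come from the TEST-NET documentation ranges.

```python
import json
import logging
import sys
from collections import defaultdict, deque

# Added example: one log shape for every service, plus a detection over the pooled lines.


class JsonLineFormatter(logging.Formatter):
    """Emit each record as a single JSON line; structured fields ride along in `fields`."""

    def format(self, record):
        payload = {"ts": round(record.created, 3), "service": record.name,
                   "level": record.levelname, "msg": record.getMessage()}
        payload.update(getattr(record, "fields", {}))
        return json.dumps(payload, sort_keys=True)


def make_logger(service, stream=sys.stdout):
    """Standard per-service logger; in production the stream is picked up by the shipper."""
    logger = logging.getLogger(service)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonLineFormatter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def log_event(logger, event, level=logging.INFO, **fields):
    """Attach a named event and structured fields (src_ip, user, ...) to one record."""
    logger.log(level, event, extra={"fields": {"event": event, **fields}})


def parse_line(line):
    """Return the JSON object for a structured line, or None for anything else."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def detect_failed_login_bursts(lines, threshold=5, window=60):
    """Flag source IPs with >= threshold auth.failure events inside a sliding window (seconds)."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("event") == "auth.failure" and "src_ip" in rec and "ts" in rec:
            events.append((float(rec["ts"]), rec["src_ip"]))
    events.sort()  # central store receives lines out of order across services
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


# Constructed sample lines (TEST-NET addresses), as they would arrive from several services.
SAMPLE_LINES = [
    '{"ts": 1700000000, "service": "api", "level": "WARNING", "event": "auth.failure", "src_ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 1700000003, "service": "api", "level": "WARNING", "event": "auth.failure", "src_ip": "203.0.113.7", "user": "bob"}',
    '{"ts": 1700000005, "service": "vpn", "level": "WARNING", "event": "auth.failure", "src_ip": "198.51.100.4", "user": "carol"}',
    '{"ts": 1700000007, "service": "api", "level": "WARNING", "event": "auth.failure", "src_ip": "203.0.113.7", "user": "carol"}',
    '{"ts": 1700000010, "service": "vpn", "level": "INFO", "event": "auth.success", "src_ip": "198.51.100.4", "user": "carol"}',
    '{"ts": 1700000012, "service": "ssh", "level": "WARNING", "event": "auth.failure", "src_ip": "203.0.113.7", "user": "root"}',
    '{"ts": 1700000015, "service": "api", "level": "WARNING", "event": "auth.failure", "src_ip": "203.0.113.7", "user": "dave"}',
    'Jan  1 00:00:00 legacy-box sshd[1234]: unstructured line from a host not yet converted',
    '{"ts": 1700000050, "service": "vpn", "level": "WARNING", "event": "auth.failure", "src_ip": "198.51.100.4", "user": "carol"}',
]

if __name__ == "__main__":
    log_event(make_logger("api"), "auth.failure", level=logging.WARNING,
              src_ip="203.0.113.7", user="alice")
    print(detect_failed_login_bursts(SAMPLE_LINES))
```

The failures from 203.0.113.7 are spread over the api and ssh services; no single service sees enough of them to notice, which is exactly the benefit of pooling the logs from day 1. The unstructured line from the legacy host is skipped rather than crashing the detector, so partial adoption still works.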
Start measuring on day 1
Recalling the adage of “that which is measured improves,” it’s essential to start measuring on day 1. From an engineering management perspective, track standard metrics such as the effort to build features and the team’s velocity. For cybersecurity-related metrics, try measuring the number of bugs, the number of vulnerabilities found in the open source tools you use, how many commits are peer-reviewed, and how much of the code is covered by passing tests.