Short and sweet post today!
While I regularly talk about new security things such as predictive analytics, machine learning and making security a profit centre, we must never forget the basics!
I was recently asked by a vendor how I would spend a limited security budget, after I suggested that HSMs were possibly not the best investment vs. other capabilities if your physical environment is secure, but that is definitely another topic!
My response was that regardless of the latest new security trend or capability, getting the basics right has to come first. I don’t recall where I first heard it, and it’s certainly not original, but the mantra:
“Be brilliant at the basics”
This definitely applies to security as much as many other areas.
I’m not going to list what I consider to be the basics here; I have talked about them before, and there are plenty of great sites covering this topic already. Two places I would recommend looking are:
SANS / CIS critical security controls for a general list of key basic controls you really must have in place;
OWASP top 10 for a more application-specific list of the basics you need to be getting right in relation to applications, with a focus on web applications, but many of the points can be applied to pretty much any development.
Happy reading, and remember: while the latest tool or solution is likely more interesting, without a solid base of security basics you will, no matter what else you do, likely be breached via a very simple method! Fix the ‘low hanging fruit’ first, then do more advanced security.