- Take care with configuration. Misconfiguration is one of the top 5 reasons behind companies getting hacked.
- For sensitive data and functionality, consider incorporating a role-based permissions system to reduce risk and to help track what happened in the event of an attack.
- The principle of least privilege again helps secure a system; a leaked password is of no use if there is no way to invoke important processes with it.
- The team must follow the internal processes for any key handling. Security developers should be completely familiar with and other team members have read
- Review any security vulnerabilities or concerns for third-party libraries. Some well-known libraries have massive flaws, e.g. XMLDecoder (which is core Java, but the point still stands) allows external XML to trigger system processes and execute Java code: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- Basic Action Points For A Team:
- Look at the existing configuration: can it be made more secure? Talk to those responsible for it.
- Implement a policy of fine-grained roles/permissions, and least privilege if possible.
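
The role/permission and least-privilege points above, as an added example that is not from the original page: a deny-by-default permission check that records every decision, so a leaked low-privilege password cannot invoke a sensitive process and the attempt is traceable afterwards. The role names, action strings and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-to-permission map (assumption): each role lists only the
# actions it needs, so anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "support": {"ticket:read", "ticket:reply"},
    "billing": {"invoice:read", "invoice:refund"},
    "key-admin": {"key:rotate"},
}

# In-memory audit trail for the example; production systems would write to
# append-only storage that the application account cannot modify.
audit_log = []


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


def is_allowed(principal, action):
    """Deny by default: allowed only if one of the roles explicitly grants it."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in principal.roles)


def invoke(principal, action, handler):
    """Check permission, record the decision, then run the handler if allowed."""
    allowed = is_allowed(principal, action)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": principal.user,
        "action": action,
        "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{principal.user} may not perform {action}")
    return handler()


def denied_attempts(user):
    """Audit query: which actions did this account try and fail to invoke?"""
    return [e["action"] for e in audit_log if e["user"] == user and not e["allowed"]]
```

Denied calls are logged before the exception is raised, so the audit trail shows what a compromised account attempted as well as what it was permitted to do.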