- Reviewing the application architecture and identifying the application security controls to include, based on the requirements
- Threat profiling for the different functionality requirements
- Static Application Security Testing (SAST) on the application code
- Dynamic Application Security Testing (DAST) on the running application
- Manual risk assessment of the application against the different controls, such as authentication, authorization, encryption, error management, input validation, data protection, session management, user management, password management, etc.
- Vulnerability management for the application
- Checking whether the application environment complies with the applicable compliance standards
- Scheduled security health checks of the application
- Reviewing the network security architecture diagram, checking which devices (routers, firewalls, IDS, IPS, Ethernet segments, subnets, etc.) keep the network safe and secure
- Ensuring that all perimeter controls, such as firewalls and anti-virus, are properly in place
- Configuring custom security rules in the IDS beyond the pre-defined ones, e.g. checks for specific trojans, peer-to-peer connections, etc.
- Analyzing attacks based on inputs from the surrounding security systems, such as SIEM, WAF and IDS
- Preparing and following a patching calendar
- Reviewing logs periodically
- Performing vulnerability assessment (VA) as needed or on a planned schedule
- Designing and developing a disaster recovery plan (DRP)
- Testing the DRP periodically
- Implementing a DLP solution to ensure data protection
- Designing a backup policy, including backup storage and restoration
- Educating new and current employees of the organization/account on the Information Security domain
Grin: stop stop stop... phewwww!!!! I am already awestruck after hearing such great stuff of which I was really unaware.
Stuart: It's like you had seen a picture of the iceberg of the InfoSec domain from a distance.
Grin: I will surely want to dive into the ocean of the InfoSec domain to know more. Thanks for getting me introduced to this :)
Authored by Mehul Shah