DevSecMesh is BoxyHQ’s upcoming product to automate security in all parts of your tech stack. By combining Security as Code, security playbooks, compliance controls and some incredible open-source security tools DevSecMesh provides complete automation of your product security. Think of it as an extension of your security team or your security team if you don’t have one.
In the meantime we have curated a list of awesome developer-first security principles for your product, along with a set of free OSS tools to use for each one where applicable. It is heavily inspired by MVSP, a minimum security baseline for enterprise-ready products and services. Our missions align and we have recently joined their working group.
Designed with simplicity in mind, the checklist contains security controls, their description, their relevance to popular compliance certifications (like ISO27001, SOC2, MVSP, etc.) and open-source tools you can readily use to automate them.
Shift-left security allows developers to keep pace with agile development and continuous deployment, but it is simply not enough to hand developers tools that were designed for security teams. What is needed instead is developer tools built for security, allowing developers to build secure products without adding extra work to their day.
We’d love your feedback and contributions to this list. Please submit an issue, PR or reach out to us at [email protected]
We have also consolidated a list of popular compliance frameworks and certifications that you might find interesting.
If you are interested in Developer Security and DevSecOps in general, we invite you to join our Discord community and share more.
Business controls

| Control | Description | Compliance Controls | Tools (if applicable) |
|---|---|---|---|
| Vulnerability reports | | | |
| Customer testing | | | |
| External testing | Contract a security vendor to perform annual, comprehensive penetration tests on your systems | | |
| Training | Implement role-specific security training for your personnel that is relevant to their business function | | |
| Compliance | | | |
| Incident management | | | |
Application design controls

| Control | Description | Compliance Controls | Tools (if applicable) |
|---|---|---|---|
| Single Sign-On | Implement single sign-on using modern and industry standard protocols | | |
| Access Control | | | |
| HTTPS-only | | | |
| Dependency Patching | Apply security patches with a severity score of "medium" or higher, or ensure equivalent mitigations are available, for all components of the application stack within one month of the patch release | | |
| Logging | Keep logs of: Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads. | | |
| Backup and Disaster recovery | | | |
| Encryption | Use available means of encryption to protect sensitive data in transit between systems and at rest in online data stores and backups | | |
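The Logging row above fixes the fields every audit entry must carry, the 30-day retention floor and the rule that payloads and secrets stay out of the log. The block below is an added example, not code from the BoxyHQ checklist or from any BoxyHQ product: a small audit-log helper that builds a record with exactly those fields, validates that none is missing, drops a constructed denylist of sensitive context keys before anything is serialised, and decides when a record has aged past retention. The field names, the denylist and the sample event are assumptions made for illustration.

```python
"""Structured audit logging that satisfies the Logging control.

Added example (not BoxyHQ code). Assumes an application that records user
actions and wants every line to carry user ID, client IP, timestamp, action
and target object, while keeping request bodies and credentials out.
"""
import json
from datetime import datetime, timedelta, timezone

# The five fields the control requires on every entry.
REQUIRED_FIELDS = ("user_id", "ip", "timestamp", "action", "object")

# Minimum retention; a legal hold or a stricter framework may require longer.
RETENTION = timedelta(days=30)

# Constructed denylist of context keys whose values must never reach the log.
SENSITIVE_KEYS = {
    "password", "passwd", "token", "secret", "authorization",
    "cookie", "ssn", "card_number", "body", "payload",
}


def _parse(ts):
    """Accept an ISO 8601 string (with offset) or None for 'now' in UTC."""
    return datetime.fromisoformat(ts) if ts else datetime.now(timezone.utc)


def audit_event(user_id, ip, action, obj, now=None, **context):
    """Build one audit record.

    Extra context is allowed for metadata (reason, request id, ...), but
    sensitive keys are redacted and every value is truncated so that a raw
    request payload cannot be smuggled in through a harmless-looking key.
    """
    record = {
        "user_id": user_id,
        "ip": ip,
        "timestamp": _parse(now).isoformat(timespec="seconds"),
        "action": action,
        "object": obj,
    }
    for key, value in context.items():
        if key.lower() in SENSITIVE_KEYS:
            record[key] = "[REDACTED]"
        else:
            record[key] = str(value)[:64]
    return record


def validate(record):
    """Return the required fields that are missing or empty (empty list = OK)."""
    return [field for field in REQUIRED_FIELDS if not record.get(field)]


def expired(record, now=None, retention=RETENTION):
    """True once the record is older than the retention window and may be purged."""
    written = datetime.fromisoformat(record["timestamp"])
    return _parse(now) - written > retention


def format_line(record):
    """One JSON object per line, keys sorted so lines diff cleanly."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample event: a delete performed by user u-42 from 203.0.113.7.
    event = audit_event(
        "u-42", "203.0.113.7", "document.delete", "doc/123",
        now="2024-01-01T00:00:00+00:00",
        reason="cleanup", password="hunter2",
    )
    assert validate(event) == []
    print(format_line(event))
```

Anything that is not a required field is treated as untrusted metadata: it is either redacted by key or truncated, which is the cheap way to stop a developer from logging a whole request object "for debugging" and quietly violating the no-payloads rule.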
Application implementation controls

| Control | Description | Compliance controls | Tools (if applicable) |
|---|---|---|---|
| List of sensitive data | Maintain a list of sensitive data types that the application is expected to process | | |
| Data flow diagram | Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored | | |
| Vulnerability prevention | Train your developers and implement development guidelines to prevent at least the following vulnerabilities: | | |
| Infrastructure and cloud security | Perform audits, continuous monitoring, hardening and forensics readiness for your infrastructure and cloud assets. | | |
Code security

| Control | Description | Compliance controls | Tools (if applicable) |
|---|---|---|---|
| Data leakage prevention | Protect secrets from leaking into code, logs and unwanted systems. | | |
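The Data leakage prevention row is the one place in the checklist where the control is entirely mechanical: find credential-shaped strings before they reach a commit, a log line or a CI console. The block below is an added example, not a BoxyHQ tool and not code from the checklist: a small scanner with a handful of well-known public key formats plus a generic `password=`/`api_key:` assignment pattern, a placeholder filter so `changeme` does not page anyone, and a `redact` function for the log path. The pattern list and the sample input are constructed for illustration; for real coverage use a maintained scanner such as gitleaks or trufflehog, and wire this shape of check into a pre-commit hook and the logging pipeline rather than running it by hand.

```python
"""Detect and redact secrets in source, config and log text.

Added example (not BoxyHQ code). The pattern set is deliberately small;
the sample text below is constructed and contains no real credentials.
"""
import re

# (name, regex). Public, well-documented formats; the list is illustrative.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}")),
    # Group 1 captures the value so only the value, not the key name, is redacted.
    ("generic_assignment", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"]?([^'\"\s]{8,})")),
]

# Values that look like secrets but are obviously placeholders or already redacted.
PLACEHOLDERS = re.compile(
    r"(?i)^(?:changeme|example|dummy|xxx+|<[^>]+>|\$\{[^}]+\}|\[redacted\])$")


def _value(m):
    """The secret part of a match: group 1 if the pattern has one, else the whole match."""
    return m.group(1) if m.groups() else m.group(0)


def scan(text):
    """Return (line_no, pattern_name, secret) for every non-placeholder hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                value = _value(m)
                if PLACEHOLDERS.match(value):
                    continue
                hits.append((line_no, name, value))
    return hits


def redact(text):
    """Replace every detected secret with [REDACTED]; keys and surrounding text survive."""
    def _sub(m):
        if PLACEHOLDERS.match(_value(m)):
            return m.group(0)
        if not m.groups():
            return "[REDACTED]"
        start, end = m.span(1)
        whole = m.group(0)
        offset = m.start()
        return whole[: start - offset] + "[REDACTED]" + whole[end - offset:]

    for _name, rx in PATTERNS:
        text = rx.sub(_sub, text)
    return text


# Constructed sample: one placeholder that must not fire, three real-shaped hits.
SAMPLE = """\
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "changeme"
api_key: sk_live_0123456789abcdef
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for line_no, name, value in scan(SAMPLE):
        print(f"line {line_no}: {name}: {value[:6]}...")
    print(redact(SAMPLE))
```

Two details matter in practice: `scan` runs over the redacted output and finds nothing, so the same function can gate a commit and then verify that the log filter actually worked; and the generic pattern only replaces the captured value, so `api_key: [REDACTED]` still tells an investigator which setting leaked without re-exposing it.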