This time of year offers everyone in Infosec the opportunity to set operational and strategic goals for the coming year. With the normal software cycle paused and developers on holiday, we can get the kind of serious work done that is only possible when everyone else isn’t around.
Our team is no exception.
Like anyone reading these words, they are either on-call or are working through strategic to-do lists.
The following is a list of what some of our customers are working on during their code freeze. We’re sharing it in the hope they help all you CISOs and CTOs make the most for the next week or so.
With any luck, everything will stay nice and quiet, and our end-of-year holiday code freeze won’t get spoiled like it did last year with Log4shell.
Year-End Code Freeze To-Do List: (prioritized)
1.Log4j is still out there lurking. Identify where you still have it.
- Is it still reachable in your apps?
- Decide on mitigation steps (Can you stop using the library? Can you ensure it cannot be exploited? Can you upgrade the library?)
2.Prioritize those bug-fixes you haven’t been able to get to. (Your future self will thank you)
- Nightmare scenario: What if a bug-fix causes/triggers a cascading bug condition that leads to an exploit?
- Even worse: if an attack is attempted and is successful, staff is not at full capacity to run a post-mortem/fix cycle.
- The longer your exploitable apps remain exposed, the more your risk profile is amplified.
3.Review security fixes done during the year.
- What worked?
- What didn’t?
- How can the team apply what you’ve found to the coming year?
4.Security training for devs. (nice-to-have)
- Boning up on the latest vulnerabilities outside the usual agile development cycle is a great idea.
- Refreshing knowledge of secure coding best practices.
5.Unplug for a bit
- While there are always projects that need to be completed, don’t underestimate the value of taking a little time to step away from emails and Jira reports.
ONE FINAL THOUGHT:
2023 is coming up quickly.
The most we can do as we look toward another year of serious, headline-making cyberattacks is dive in with the right tools and the right priorities. The work you put in now will put your organization ahead of the problems the organizations that didn’t put in the work will be having.