This document discusses the concept of layered security and provides examples of controls that can be implemented at different layers. It recommends starting security design by addressing specific problems and goals. Controls are then designed to solve those problems. Layers discussed include the edge, application, and data layers. Examples of controls for each layer are provided, such as static configuration, authentication caching, and firewalls at the edge layer and middleware like Rack Attack in the application layer. The importance of monitoring, auditing and proper logging is also discussed.
Windy City Rails - Layered Security
1. Layered Security
Whoever said it was like chess never heard of Tetris
Aaron Bedra
Chief Security Officer, Eligible
@abedra
keybase.io/abedra
18. Static configuration checklist
At least a B+ rating on SSL Labs*
Reject extensions that you don’t want to accept
Reject known bad user agents
Reject specific known bad actors
Custom error pages that fit your application
Basic secure headers
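The talk places these checks in the edge layer's static web server configuration. The following is an added example, not code from the talk, that expresses the same checklist items (rejected extensions, known bad user agents, known bad actors, a custom error page, basic secure headers) as a Rack middleware so they can be exercised in plain Ruby without a web server. The extension, user-agent and address lists are illustrative assumptions; the addresses are RFC 5737 documentation ranges. The SSL Labs item is a property of the TLS deployment and is not covered here.

```ruby
require 'ipaddr'

# Added example: static edge checks as a Rack middleware. The lists below are
# assumptions for the demo, not values from the talk; adjust them per application.
REJECTED_EXTENSIONS = %w[.php .asp .aspx .cgi .exe].freeze
REJECTED_USER_AGENTS = [/sqlmap/i, /nikto/i, /masscan/i].freeze
REJECTED_NETWORKS = %w[203.0.113.7 198.51.100.0/24].map { |n| IPAddr.new(n) }.freeze
SECURE_HEADERS = {
  'X-Frame-Options'         => 'DENY',
  'X-Content-Type-Options'  => 'nosniff',
  'Content-Security-Policy' => "default-src 'self'",
  'Referrer-Policy'         => 'no-referrer'
}.freeze
HSTS = 'max-age=31536000; includeSubDomains'.freeze

class EdgeGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    return reject(403, 'Forbidden') if blocked_address?(env['REMOTE_ADDR'].to_s)
    return reject(403, 'Forbidden') if bad_user_agent?(env['HTTP_USER_AGENT'].to_s)
    # Unwanted extensions get a 404 rather than a 403: no hint that a filter exists.
    return reject(404, 'Not Found') if rejected_extension?(env['PATH_INFO'].to_s)

    status, headers, body = @app.call(env)
    [status, secure_headers(headers, env), body]
  end

  private

  def blocked_address?(ip)
    addr = IPAddr.new(ip)
    REJECTED_NETWORKS.any? { |net| net.include?(addr) }
  rescue IPAddr::InvalidAddressError
    true # fail closed: an unparseable client address is not let through
  end

  def bad_user_agent?(ua)
    REJECTED_USER_AGENTS.any? { |re| re.match?(ua) }
  end

  def rejected_extension?(path)
    REJECTED_EXTENSIONS.include?(File.extname(path).downcase)
  end

  # Custom error page: a minimal body with no server banner or stack trace,
  # carrying the same hardening headers as a successful response.
  def reject(status, reason)
    body = "<!doctype html><title>#{status}</title><h1>#{status} #{reason}</h1>"
    [status, secure_headers({ 'Content-Type' => 'text/html' }, {}), [body]]
  end

  def secure_headers(headers, env)
    out = headers.merge(SECURE_HEADERS)
    # HSTS is only honoured by browsers over TLS, so it is added only on https.
    out['Strict-Transport-Security'] = HSTS if env['rack.url_scheme'] == 'https'
    out
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = EdgeGuard.new(->(_env) { [200, { 'Content-Type' => 'text/html' }, ['ok']] })
  env = { 'PATH_INFO' => '/wp-login.php', 'HTTP_USER_AGENT' => 'Mozilla/5.0',
          'REMOTE_ADDR' => '192.0.2.10', 'rack.url_scheme' => 'https' }
  puts guard.call(env).first
end
```

Order matters: address and user-agent rejections run before the extension check so a known bad actor never learns which paths exist, and the rejection responses are served with the same headers as real pages so the error path is not the weak spot.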
36. Database checklist
Nothing uses the root user
Strong and securely stored production passwords
Separate users for runtime and migrations
Separate databases for production, staging, test, etc
Firewalls for everything but the systems that need access
Logs, logs, logs
Backups!!!
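Most of this checklist can be verified from the database configuration before it ever reaches production. The following is an added example, not code from the talk, that lints a constructed database.yml for the items that are visible in config: no root user, a password that is not committed literally (and is long enough when it is), separate runtime and migration users, and one database per environment. It assumes a non-standard key, migration_username, for the user that runs schema migrations; the threshold and environment lists are arbitrary. Firewalls, logging and backups are infrastructure properties and are not checkable from this file.

```ruby
require 'yaml'

# Added example: lint a database.yml against the database checklist.
# Assumptions: migration_username names the DDL user (not a Rails key), and the
# password rule is enforced only for the environments listed here.
PASSWORD_ENFORCED_ENVS = %w[production staging].freeze
MIN_PASSWORD_LENGTH = 16

# Constructed sample: production follows the checklist, staging breaks most of it,
# test shares one user for runtime and migrations.
SAMPLE_DATABASE_YML = <<~YAML
  production:
    adapter: postgresql
    host: db.internal
    database: eligible_production
    username: app_runtime
    migration_username: app_migrate
    password: "<%= ENV['DB_PASSWORD'] %>"
  staging:
    adapter: postgresql
    host: db-staging.internal
    database: eligible_production
    username: root
    migration_username: root
    password: hunter2
  test:
    adapter: postgresql
    database: eligible_test
    username: app_test
    migration_username: app_test
    password: test
YAML

# True when the password is injected from the environment at boot (ERB) rather
# than committed in the file.
def password_from_env?(value)
  value.to_s.match?(/\A<%=\s*ENV\b/)
end

# Returns [environment, finding] pairs; an empty array means the config passes.
def lint_database_config(config)
  findings = []
  config.each do |env, s|
    runtime = s['username']
    migrate = s['migration_username']
    findings << [env, :root_user] if [runtime, migrate].include?('root')
    findings << [env, :shared_user] if runtime && runtime == migrate
    next unless PASSWORD_ENFORCED_ENVS.include?(env)
    pw = s['password'].to_s
    next if password_from_env?(pw)
    findings << [env, :literal_password]
    findings << [env, :weak_password] if pw.length < MIN_PASSWORD_LENGTH
  end
  # One database per environment: a shared name means staging or test can read,
  # or wipe, production data.
  config.group_by { |_env, s| s['database'] }.each_value do |envs|
    next if envs.length < 2
    envs.each { |env, _| findings << [env, :shared_database] }
  end
  findings
end

def sample_findings
  lint_database_config(YAML.safe_load(SAMPLE_DATABASE_YML))
end

if __FILE__ == $PROGRAM_NAME
  sample_findings.each { |env, finding| puts "#{env}: #{finding}" }
end
```

On the constructed sample the lint reports nothing against production except that staging points at the same database name, which is exactly the kind of copy-paste mistake that makes a staging migration a production incident.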