Best Practices Playbooks Cheat Sheet

Curated top 5 security practices across domains. Practical, high-impact, and automation-friendly.

Web Application Security — Top 5

  • Centralize auth with SSO/OIDC and enforce MFA; implement least-privilege scopes and short-lived tokens with rotation.
  • Validate and sanitize inputs server-side; adopt allowlists; use context-aware output encoding to prevent XSS.
  • Secure session management: SameSite=strict, HttpOnly, Secure cookies; CSRF protections; replay detection.
  • Dependency hygiene: pin versions, enable SCA, use sigstore/SLSA provenance; block known-bad via admission rules.
  • Security headers: CSP (default-src 'none'), HSTS, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy.

Tip: add a baseline CSP, then tighten it per route. Example: Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'
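
Added example (not part of the original cheat sheet): a small audit of one HTTP response against the header and cookie items in this section, using the tip's three CSP directives as the baseline. The function names and the sample response are constructed for illustration.

```python
# Added example: audit one HTTP response against the header and cookie items
# listed above. Function names and the sample response are constructed.
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-frame-options", "referrer-policy", "permissions-policy")
CSP_BASELINE = ("default-src", "object-src", "base-uri")  # from the tip above

def parse_csp(value):
    """Map directive name -> list of source expressions."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def cookie_attrs(set_cookie):
    """Return (cookie name, {attribute: value}) for one Set-Cookie value."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for p in rest:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return first.split("=", 1)[0], attrs

def audit_response(headers):
    """headers: list of (name, value) pairs. Returns a list of findings."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    findings = [f"missing header: {h}" for h in REQUIRED if h not in seen]
    for policy in seen.get("content-security-policy", []):
        directives = parse_csp(policy)
        findings += [f"csp lacks {d}" for d in CSP_BASELINE if d not in directives]
    for value in seen.get("x-frame-options", []):
        if value.strip().upper() != "DENY":
            findings.append(f"x-frame-options is {value!r}, expected DENY")
    for raw in seen.get("set-cookie", []):
        name, attrs = cookie_attrs(raw)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
        if attrs.get("samesite") != "strict":
            findings.append(f"cookie {name}: samesite is not strict")
    return findings

SAMPLE = [  # constructed response headers
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; SameSite=Lax"),
]
```

Run audit_response over captured responses in CI so a route that drops a header or weakens a cookie flag fails the build.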

Docker & Container Security — Top 5

  • Use minimal, distroless images; run as non-root; drop unnecessary Linux capabilities and set seccomp profiles.
  • Scan images pre-merge and at deploy (CI + registry); enforce signed images (cosign) and policy (OPA Conftest/Kyverno).
  • Read-only root FS; mount secrets via runtime store (KMS/Secrets Manager) not env vars; no hostPath unless required.
  • Resource limits and ulimits; separate network namespaces; disable privileged mode; restrict sysctls.
  • Continuously patch base images; rebuild on CVE feed triggers; maintain SBOMs (SPDX/CycloneDX).
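
Added example (not part of the original cheat sheet): a pre-deploy check of a container spec against the non-root, capabilities, seccomp, read-only root FS, hostPath, privileged-mode, resource-limit and env-var items above. It assumes a Kubernetes-style pod manifest already parsed into a dict; audit_pod, SECRET_HINTS and the sample manifest are constructed.

```python
# Added example: check a Kubernetes-style pod manifest against the hardening
# items above. The manifest is constructed; SECRET_HINTS is a naming heuristic.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

def audit_pod(pod):
    """pod: manifest as a dict (parsed YAML/JSON). Returns a list of findings."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})  # pod-level defaults
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name', '?')}: hostPath mount")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        # Container-level settings override the pod-level ones.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged mode")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities not dropped")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
        for env in c.get("env", []):
            if any(h in env.get("name", "").upper() for h in SECRET_HINTS):
                findings.append(f"{name}: secret-like env var {env['name']}")
    return findings

POD = {"spec": {  # constructed manifest: one hardened container, one weak
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "host-logs", "hostPath": {"path": "/var/log"}}],
    "containers": [
        {"name": "api",
         "securityContext": {"readOnlyRootFilesystem": True,
                             "capabilities": {"drop": ["ALL"]}},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "worker",
         "securityContext": {"privileged": True},
         "env": [{"name": "DB_PASSWORD", "value": "example-only"}]},
    ]}}
```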

Network Security — Top 5

  • Zero Trust segmentation: authenticate/authorize every connection; micro-segment using SDN or service mesh policies.
  • Encrypt in-transit by default (TLS 1.2+); mutual TLS for east-west; rotate certs with short lifetimes and ACME.
  • Principle of least privilege on firewalls/NACLs; deny-all defaults; explicit egress controls; per-app allowlists.
  • Centralized logging and NDR; baseline normal behavior and detect anomalies; sinkhole and DNS filtering.
  • Harden edge: WAF + DDoS protection; BCP38 egress filtering; secure BGP/route policies; periodic attack simulations.

DevSecOps — Top 5

  • Shift-left with automated SAST, SCA, IaC scanning on PR; break-the-build on critical issues with risk-based thresholds.
  • Define paved roads: reusable secure pipelines, templates, and golden images; enforce via policy-as-code.
  • Secrets management: no secrets in code; use sealed secrets/KMS; pre-commit secret scanning and PR checks.
  • Threat modeling as code (e.g., pytm, IriusRisk API) integrated into CI; track mitigations as backlog items.
  • Continuous compliance: evidence collection from pipelines (attestations, SBOMs, test artifacts) mapped to controls.

Cloud Security — Top 5

  • Multi-account/landing zone with SCP guardrails; least-privilege IAM; deny wildcards; use identity federation.
  • Encrypt data at rest with KMS/HSM; rotate keys; enforce bucket/object policies; block public by default.
  • IaC with drift detection; pre-deploy checks (tfsec/checkov/cfn-nag); mandatory change reviews and approvals.
  • Service-to-service auth via short-lived credentials (OIDC workload identity); remove long-lived access keys.
  • Centralized logging, cloud-native threat detection (GuardDuty/SCC/Sentinel); automated remediation for common findings.

Mobile Security — Top 5

  • Secure local data: Keychain/Keystore; no secrets in app bundle; enable hardware-backed storage if available.
  • Certificate pinning with update strategy; TLS 1.2+; block cleartext traffic with network security config.
  • Runtime protections: jailbreak/root detection, anti-tamper, obfuscation; protect debugging interfaces.
  • Use platform auth flows (ASWebAuthenticationSession/Custom Tabs) with PKCE; avoid embedded webviews for OAuth.
  • Automate MAST/OWASP MASVS checks in CI; ensure secure logging and crash reports with data minimization.

AI/ML Security — Top 5

  • Data pipeline controls: validate training data provenance; hash/sign datasets; detect drift and poisoning attempts.
  • Model artifact integrity: sign models, keep SBOM of dependencies, verify at load-time; restrict deserialization.
  • Inference hardening: strict input validation, rate limiting and abuse throttling; isolate GPU workloads.
  • Access control and secrets isolation for feature stores and vector DBs; monitor PII leakage and outputs.
  • Red-teaming for prompt injection and jailbreaks; guardrails and content filters; monitor for model exfiltration.
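
Added example (not part of the original cheat sheet): the "verify at load-time; restrict deserialization" item as code. HMAC-SHA256 with a shared key stands in for a real signature scheme, and the key, the two artifacts and all function names are constructed.

```python
# Added example: verify a model artifact before loading it and restrict which
# classes the pickle stream may import. HMAC-SHA256 is a shared-key stand-in
# for a real signature; the key, artifacts and function names are constructed.
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict
from decimal import Decimal

# Only the globals a plain weights file is expected to reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global the stream references; refuse anything unlisted.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def sign_artifact(blob, key):
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def load_model(blob, tag, key):
    """Check the tag first, then deserialize with the allowlist."""
    if not hmac.compare_digest(sign_artifact(blob, key), tag):
        raise ValueError("model artifact failed integrity check")
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def outcome(blob, tag, key):
    """Return 'loaded', 'bad-signature' or 'blocked-class' for one artifact."""
    try:
        load_model(blob, tag, key)
        return "loaded"
    except ValueError:
        return "bad-signature"
    except pickle.UnpicklingError:
        return "blocked-class"

KEY = b"constructed-demo-key"
GOOD = pickle.dumps(OrderedDict([("layer1.weight", [0.1, 0.2]),
                                 ("layer1.bias", [0.0])]))
ODD = pickle.dumps(Decimal("1.5"))  # benign stand-in for an unexpected class

if __name__ == "__main__":
    print(outcome(GOOD, sign_artifact(GOOD, KEY), KEY))
    print(outcome(GOOD + b"\x00", sign_artifact(GOOD, KEY), KEY))
    print(outcome(ODD, sign_artifact(ODD, KEY), KEY))
```

The allowlist is checked even for correctly signed artifacts, so a signed file that references an unexpected class is still refused.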

Community & Outreach

  • ISAC Foundation — COP Connect member: Cyber Crime Intervention Officer handling Level‑1 cyber crime issues; first responder coordination and escalation.
  • Public awareness: safe-by-default practices for citizens and SMEs; guidance on reporting and preserving digital evidence.
  • Volunteer threat intel sharing and basic takedown coordination with appropriate authorities.
  • Workshops on secure-by-design patterns and DevSecOps for engineering teams.
  • Mentoring early-career security professionals on incident triage and response etiquette.

Contact

Email: anshuman.goswami@gmail.com • LinkedIn: /in/agos

Available for general discussions and consulting on secure architecture, threat modeling, DevSecOps integration, etc., and for Level‑1 cyber crime first response.