Contract security requirements before integration. Implement mTLS and OAuth with least privilege. Issue per-client keys, never shared credentials. Rotate tokens quarterly and monitor for unusual patterns. Trust your partners but verify their security.
With surface and providers governed, protect your build chain and last line of defense.
Software supply chain & recovery readiness
Compromise upstream or kill backups first; either path maximizes damage.
Code reuse & forgotten dependencies
Your app includes libraries last updated when Obama was president. Transitive dependencies hide vulnerabilities you’ve never heard of. Each component becomes an attack vector.
Generate SBOMs for everything you build. Run SCA tools that break builds on critical findings. Pin versions and update deliberately. Verify provenance and require signed artifacts. Your supply chain is only as strong as its weakest dependency.
Assumed security of backups
Backups sitting online, unencrypted, untested, are ransomware’s first target. You assume they work until you need them. Then you discover they don’t.
Implement the 3-2-1 backup strategy immediately. Create immutable, air-gapped copies. Test restores quarterly, not just “completed” logs, but actual data recovery. Restrict restore permissions more tightly than backup permissions. Encrypt everything, everywhere. Your backups are your last hope; treat them accordingly.
Earning resilience through maintenance
Resilience isn’t earned in memos. It’s earned in maintenance.
These 15 items close the most abused seams across signals, identity, configuration, trust, cloud and recovery. Here’s your 90-day action plan:
- First 30 days: Inventory and measure. Check NTP drift, assess log coverage, map service accounts, audit DNS hygiene, discover shadow SaaS and test backup restoration.
- Next 30 days: Enforce baselines. Patch firmware, harden crypto, achieve non-prod parity, deploy MDM everywhere, implement cloud tagging and lifecycle policies.
- Final 30 days: Validate resilience. Run restore drills, test detection effectiveness, review API contracts and establish SBOM governance.
Assign domain owners today. Track percentage of compliant assets, mean time to patch firmware, log coverage rates, backup restore success rates and percentage of APIs with least-privilege scopes.
Put these 15 items into your audit plan and quarterly KRIs. Close them before your adversaries open them.
The boring vulnerabilities kill you slowly, then suddenly. Don’t let them.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
