An update on our commitments to customer security.
# Best Practices: Secure-by-Design Software Development and Operations
## Overview
These practices summarize security commitments focused on building software products that are secure by design, transparent to customers, and actively mitigate systemic security risks across authentication, development, supply chain, and vulnerability management.
## Key Recommendations
### Immediate Actions
1. **Enforce Mandatory MFA for Direct Access:** Require Multi-Factor Authentication (MFA) for all users who authenticate directly to the product/platform, regardless of licensing tier.
2. **Eliminate Default Credentials:** Ensure that absolutely no default passwords or credentials exist for any user or service access points to the product. All credentials must be unique and provisioned securely.
3. **Provide Baseline Audit Logs:** Make detailed, security-relevant audit logs available to all customers in the baseline product offering at no extra cost.
### Short-term Improvements (1-3 months)
1. **Implement Comprehensive SSO Integration:** Integrate support for all major SAML 2.0 compliant Single Sign-On (SSO) providers (e.g., Okta, Microsoft Entra ID, Google Workspace) for tenant access management.
2. **Adopt Memory-Safe Languages:** Prioritize the use of memory-safe languages (e.g., Go, Rust) for new back-end services and runtime components to systematically mitigate entire classes of vulnerabilities like buffer overflows.
3. **Enforce Secure API Endpoints:** Restrict all web-based or programmatic interaction exclusively to authenticated GraphQL endpoints that enforce strong typing, schema validation, and only accept POST requests with user-bound signed cookies.
### Long-term Strategy (3+ months)
1. **Establish Robust Supply Chain Governance:** Formalize and implement policies, procedures, and training for developers governing the secure utilization and contribution to third-party and open-source software components, including continuous risk assessment of external dependencies.
2. **Automate Vulnerability Class Remediation:** Institute a mandatory Root Cause Analysis (RCA) process for significant vulnerabilities. This RCA must define and implement preventative tasks across engineering teams to eliminate future occurrences of similar defect classes.
3. **Customer Defense-in-Depth Controls:** Develop and offer customers configurable defense-in-depth mechanisms for identity and access, such as mandatory domain restrictions, IP restrictions for logins, and independently configurable session lifespan and timeout settings.
## Implementation Guidance
### For Small Organizations
- **Focus on Authentication Baseline:** Prioritize enabling SSO integration (if applicable) and enforcing MFA for all administrative access immediately.
- **Leverage Existing Tools for Supply Chain:** Use readily available CI/CD pipeline tooling (where possible) to generate a Software Bill of Materials (SBOM) and gain initial visibility into the third-party libraries actually in use.
### For Medium Organizations
- **Formalize Logging Retention:** Establish a process to ingest provided baseline audit logs into a centralized SIEM or warehouse solution for retention beyond the minimum required period (e.g., extending beyond 180 days).
- **Document Responsibility:** Formalize and document an internal/external Shared Responsibility Model related to logging, monitoring, and incident response for the product ecosystem.
- **Service Account Maturity:** If using APIs, immediately implement secure patterns for service accounts, favoring short-lived, per-request tokens over long-lived static keys.
### For Large Enterprises
- **Systemic Language Migration:** Develop a multi-year roadmap for migrating critical legacy components written in memory-unsafe languages to memory-safe alternatives to eliminate entire vulnerability classes proactively.
- **Advanced API Hardening:** For all API interactions, enforce granular permissions and mandatory, short expiry dates for any newly created Service Accounts used by internal or external integrations.
- **Continuous Vetting Program:** Implement a continuous Third-Party Risk Management (TPRM) program that assigns risk tiers to all supporting products and technologies and dictates ongoing assessment cadence.
- **Transparency Artifact Delivery:** Ensure that reports from third-party security assessments (e.g., penetration tests) are readily available via a self-service portal (Trust Center).
## Configuration Examples
### Service Account (SA) Credential Management
- **Token Lifespan:** Enforce a maximum token lifespan of less than 1 hour for API interactions, preferably utilizing refresh flows or a per-request signed JWT/token model.
- **Granular Permissions:** When creating SAs for integrations:
* **Define Least Privilege:** Scopes must be strictly limited to the minimum necessary operations (e.g., `read_findings` only, not `write_configuration`).
* **Apply Expiration:** Set custom, non-default expiration dates for all integration Service Accounts.
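The token rules above (lifespan under one hour, scopes limited to the operation, expiry always set) can be enforced at issue and at verification time. The following is an added illustration, not code from the page or from Wiz; it assumes an HS256 JWT with a shared secret, and the `read_findings` / `write_configuration` scope names come from the text:

```python
import base64, hashlib, hmac, json, time
from typing import List, Optional

MAX_TTL_SECONDS = 3600  # policy from the text: service-account tokens live under one hour

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, sub: str, scopes: List[str], ttl: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT for service account `sub` carrying only `scopes`; refuses ttl >= 1h."""
    if ttl <= 0 or ttl >= MAX_TTL_SECONDS:
        raise ValueError("service-account token lifespan must be under one hour")
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(secret: bytes, token: str, required_scope: str, now: Optional[int] = None) -> dict:
    """Return the claims if signature, expiry, lifespan and scope all check out; else raise PermissionError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        sig = _unb64(sig_b64)
    except ValueError:
        raise PermissionError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if claims["exp"] - claims["iat"] >= MAX_TTL_SECONDS:  # reject long-lived tokens even if signed
        raise PermissionError("token lifespan exceeds the one-hour policy")
    if required_scope not in claims.get("scope", "").split():  # least privilege per operation
        raise PermissionError("token lacks scope " + required_scope)
    return claims
```

The verifier re-checks the lifespan from `iat`/`exp`, so a token minted by a misconfigured issuer with a day-long validity is still refused.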
### Web Interface Hardening (GraphQL Endpoint)
- **Request Type:** Configure the API gateway or web server to **reject** all HTTP methods other than `POST` directed towards the primary GraphQL endpoint.
- **Input Validation:** Ensure schema validation runs *before* any business logic processing to prevent injection attacks via malformed input structures.
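A gateway-side pre-check that applies the three rules together (POST only, a user-bound signed cookie, and a structural schema check before any resolver runs) is shown below. It is an added example, not the page's or Wiz's code; the cookie format `user|hex(HMAC)` and the `ROOT_FIELDS` allowlist standing in for the real schema are constructed for the illustration, and the query scanner deliberately ignores aliases and fragments:

```python
import hashlib, hmac, json, re

ROOT_FIELDS = {"findings", "viewer"}  # constructed stand-in for the schema's root fields

def sign_cookie(secret: bytes, user: str) -> str:
    """Issue the user-bound cookie 'user|hex(HMAC-SHA256(user))'."""
    return user + "|" + hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()

def cookie_user(secret: bytes, cookie: str):
    """Return the user id if the cookie's HMAC verifies (constant-time compare), else None."""
    user, _, _sig = cookie.partition("|")
    return user if user and hmac.compare_digest(sign_cookie(secret, user).encode(), cookie.encode()) else None

def root_fields(query: str):
    """Top-level field names (aliases/fragments deliberately not handled); None if braces unbalanced."""
    fields, depth, parens, i = set(), 0, 0, 0
    while i < len(query):
        ch = query[i]
        if ch in "{}":
            depth += 1 if ch == "{" else -1
        elif ch in "()":
            parens += 1 if ch == "(" else -1
        elif depth == 1 and parens == 0 and (ch.isalpha() or ch == "_"):
            name = re.match(r"[A-Za-z_]\w*", query[i:]).group()
            fields.add(name)
            i += len(name)
            continue
        i += 1
    return fields if depth == 0 else None

def gate(secret: bytes, method: str, headers: dict, body: bytes):
    """Return (status, reason); 200 means the request may reach the resolvers."""
    if method != "POST":
        return 405, "only POST is accepted on the GraphQL endpoint"
    if headers.get("content-type", "").split(";")[0].strip() != "application/json":
        return 415, "body must be application/json"
    if cookie_user(secret, headers.get("cookie", "")) is None:
        return 401, "missing or invalid user-bound cookie"
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    query = doc.get("query") if isinstance(doc, dict) else None
    if not isinstance(query, str):
        return 400, "query must be a string"
    fields = root_fields(query)
    if not fields or not fields <= ROOT_FIELDS:  # schema check before any resolver runs
        return 400, "query is malformed or selects fields outside the schema"
    return 200, "ok"
```

In a real deployment the `root_fields` check is replaced by full validation against the GraphQL schema; the ordering (reject before executing) is the point.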
## Compliance Alignment
- **NIST CSF:** Identify relevant controls in the Identify (ID.SC), Protect (PR.AC, PR.DS), Detect (DE.AE), and Respond (RS.RP) functions, particularly related to supply chain risk management and access control configuration.
- **ISO 27001/27002:** Aligns closely with Annex A controls related to access control (A.9), cryptography (A.10), supplier relationships (A.15), and system acquisition, development, and maintenance (A.14).
- **CIS Benchmarks (Application/API Security):** Practices related to input validation, enforcing TLS, and logging map to various application-specific benchmarks.
## Common Pitfalls to Avoid
- **Treating MFA as Optional:** Do not allow administrators or privileged users to bypass mandatory MFA, even if they are accessing via SSO (ensure SSO session enforcement includes MFA checks).
- **Static/Long-Lived API Keys:** Avoid the pattern of generating static, long-lived API keys for integrations; it significantly increases the blast radius upon compromise.
- **Ignoring "Classes" of Defects:** Releasing fixes for individual buffer overflows without fundamentally addressing the root cause (e.g., by switching to a memory-safe language) ensures that similar bugs will reappear in other components.
- **Incomplete Responsibility Sharing:** Failing to clearly document what the vendor handles (e.g., platform code patches) versus what the customer must handle (e.g., log retention/SIEM forwarding) leads to security gaps post-deployment.
## Resources
- CISA Secure by Design Initiative Pledge documentation.
- Documentation detailing SAML 2.0 implementation requirements for SSO integration.
- Internal Wiz vulnerability management SLAs and bug bounty program scope documentation.
- Shared Responsibility Model documentation provided to customers regarding logging and monitoring.