Privacy & Security Checklist

After relaunching our website with a more up-to-date layout, the new WordPress privacy module asked me to set up a privacy disclosure.

Having recapitulated my professional life while updating my CV just days earlier, I thought it might be a good idea to start maintaining a security checklist, as follows:

  • Access via asymmetric cryptographic key-pairs only
  • Store only asymmetric public keys; the matching private keys are used to access sensitive services from our secured environment only.
  • Do not allow third parties to access services via weak ‘cookies’ or ‘tokens’.
  • Web applications may manage their own user-login database with credentials, but
    • never send passwords via e-mail
    • store passwords only in hashed or encrypted form, never in clear text
  • Databases and other vulnerable resources are accessed directly by web applications via the intranet only
  • Web applications do not run under the web server's credentials but within a dedicated user space (separation, encapsulation)
  • The firewall permits only those network services that have been explicitly opted in as intended
  • A self-healing redundant filesystem together with an encrypted, distributed replication backup strategy
  • Regular update procedures are followed
  • Warrant canaries are included in our transparency report.
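The first checklist item (key-pair access only) is the one most easily verified by reading the SSH daemon's configuration. The following audit script is an added example, not tooling from the site described above; it assumes OpenSSH sshd_config semantics (one keyword per line, `#` comment lines, case-insensitive keywords, the first occurrence of a keyword wins, and settings after a `Match` header apply only to that block) and uses a constructed sample config.

```python
"""Audit an sshd_config for "access via key-pairs only" (added example)."""

# OpenSSH defaults that take effect when a keyword is absent from the global section.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
# Older spelling of KbdInteractiveAuthentication still found in many configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Values the checklist requires for key-pair-only access.
REQUIRED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}

def parse_global(text):
    """Effective global settings: comments skipped, first occurrence wins, stop at Match."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # everything below is block-scoped, not global
        if key in seen or len(parts) < 2:
            continue
        seen.add(key)
        effective[key] = parts[1].strip().lower()
    return effective

def audit(text):
    """Return (keyword, actual, allowed) findings; an empty list means compliant."""
    eff = parse_global(text)
    return [(k, eff[k], sorted(v)) for k, v in REQUIRED.items() if eff[k] not in v]

# Constructed samples: the weak one relies on a commented-out line, so the default applies.
SAMPLE_WEAK = "# PasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin yes\n"
SAMPLE_GOOD = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
               "PermitRootLogin prohibit-password\n")
```

Running `audit(SAMPLE_WEAK)` reports password, keyboard-interactive and root-login findings, while `audit(SAMPLE_GOOD)` returns an empty list.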

The list contains only the very obvious standard procedures, yet even these sometimes seem too much of a bother for some big industry players.

Then there are vulnerabilities induced by the mere complexity of a system, not by sheer incompetence or even bad intent.

Whatever may compromise our systems, one has to assume that no component can ultimately be trusted. That wisdom can be applied in systems design to safeguard against the worst outcomes.