CCNet
Feb 2, 2026 • 3 min read
Close the entry gates: vulnerabilities, phishing, web apps
Why these three doors dominate
Uncomfortable but true: attackers don’t need exotic exploits. In a large share of cases, open vulnerabilities, awareness training that doesn’t match reality, and web applications with weak input validation are enough. The rest is speed. Defenders don’t lose on “intelligence” — they lose on discipline: missing patching SLOs, half-hearted MFA rollouts, no binding secure-coding standard. When IT security is treated as a project instead of an operation, gaps remain open — sometimes for years.
Closing vulnerabilities: from “patching” to SLO-driven hygiene
“We patch regularly” is not a quality metric. What matters is how fast critical gaps at the internet perimeter are closed — and provably so.
Mandatory controls:
- Inventory & exposure: Complete asset inventory incl. internet exposure (system, version, owner, business relevance).
- Risk-based SLOs: Critical internet-facing vulnerabilities in days, internal ones in defined weeks. SLO breach ⇒ automatic escalation (change slot, management ping, approval enforcement).
- Canary & staged rollout: Test ring first, then phased deployment. Rollback plan documented and rehearsed.
- Exception governance: Every deviation has an owner, a deadline, and compensation (e.g., additional hardening/monitoring).
KPIs: Patch SLO compliance (internet vs. internal), MTTD/MTTR by criticality, share of systems with a current agent/scanner, Mean Exposure Time (MET) for critical CVEs.
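To make the SLO logic and the two patching KPIs concrete, here is an added Python example that is not part of the original post: it scores a constructed findings backlog against assumed SLO limits (the day counts are hypothetical), reports SLO compliance per exposure class and Mean Exposure Time for critical CVEs, and lists open findings that have crossed their SLO and therefore must escalate.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLO limits in days (hypothetical numbers; the post only says "days" vs. "weeks").
SLO_DAYS = {("internet", "critical"): 7, ("internet", "high"): 14,
            ("internal", "critical"): 21, ("internal", "high"): 42}

@dataclass
class Finding:
    asset: str
    cve: str                      # placeholder ids, constructed for this example
    exposure: str                 # "internet" or "internal"
    severity: str                 # "critical", "high", ...
    found: date
    fixed: Optional[date] = None  # None = still open

def exposure_days(f, today):
    return ((f.fixed or today) - f.found).days  # found -> fixed, or found -> today if open

def slo_status(f, today):
    """'met'/'missed' for closed findings, 'open'/'breached' for open ones."""
    limit = SLO_DAYS.get((f.exposure, f.severity))
    if limit is None:
        return "no-slo"
    late = exposure_days(f, today) > limit
    if f.fixed:
        return "missed" if late else "met"
    return "breached" if late else "open"

def kpis(findings, today):
    """SLO compliance per exposure class, MET for critical CVEs, auto-escalation list."""
    compliance = {}
    for exp in ("internet", "internal"):
        scored = [s for s in (slo_status(f, today) for f in findings if f.exposure == exp)
                  if s in ("met", "missed")]
        compliance[exp] = round(scored.count("met") / len(scored), 2) if scored else None
    crit = [exposure_days(f, today) for f in findings if f.severity == "critical"]
    escalate = sorted(f.cve for f in findings if slo_status(f, today) == "breached")
    return {"slo_compliance": compliance,
            "mean_exposure_days_critical": round(sum(crit) / len(crit), 1) if crit else 0.0,
            "escalate": escalate}

TODAY = date(2026, 2, 2)  # constructed sample backlog below; CVE ids are placeholders
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", "internet", "critical", date(2026, 1, 5), date(2026, 1, 9)),
    Finding("web-02", "CVE-0000-0002", "internet", "critical", date(2026, 1, 10)),  # 23 days open
    Finding("vpn-01", "CVE-0000-0003", "internet", "high", date(2026, 1, 1), date(2026, 1, 20)),
    Finding("erp-01", "CVE-0000-0004", "internal", "critical", date(2026, 1, 2), date(2026, 1, 20)),
]
```

Run `kpis(SAMPLE, TODAY)`: the still-open internet-critical finding is the only one flagged for escalation, while the closed-but-late VPN finding only drags down internet SLO compliance.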
Phishing neutralization: technology + behavior, grounded in reality
Email is attackers’ favorite tool — not because defenders are “stupid,” but because day-to-day pressure, delegation, and mobile approvals invite mistakes.
Mandatory controls:
- Phishing-resistant MFA (passkeys/FIDO2) for all critical roles; disable legacy flows.
- Email authentication (SPF/DKIM/DMARC) plus anomaly detection and link/attachment policies.
- Session protection against AitM (e.g., re-challenge on risk signals, token binding).
- Realistic drills: Scenarios with time pressure, executive context, supplier narratives. No “don’t click” theater — process training instead (e.g., call-back verification, four-eyes principle, out-of-band approvals).
KPIs: MFA coverage (phishing-resistant), rate of blocked high-risk emails, time to alert confirmation (SecOps), share of positive verifications for payment/identity changes.
Securing web applications: from the SDLC to the front door
Insecure web applications are not a “developer problem” — they’re a business risk. Shipping features without a security gate saves money in the wrong place.
Mandatory controls:
- Secure SDLC: Binding coding standard, code reviews with security checks, secret scanning, dependency management (SBOM, Renovate/Dependabot equivalent).
- Pre-prod testing: DAST/SAST on critical flows (auth, upload, payment), abuse cases (rate limits, enumeration, CSRF).
- Around the app: WAF/reverse proxy with clear rules, hardened TLS/headers, bot management for login endpoints.
- Operations: Versioned configurations, reproducible deployments, emergency switches (feature flags), telemetry all the way to the business event.
KPIs: “Time-to-fix” for findings, percentage of critical endpoints with WAF policies, open vs. resolved findings per sprint, rate-limit hits vs. legitimate usage.
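As an added example (not the post’s own code) for the login abuse cases above and the credential-stuffing drills in the 90-day plan, a sliding-window limiter keyed per account and per source address, with the “rate-limit hits vs. legitimate usage” KPI derived from its counters; the limits, addresses and drill traffic are constructed assumptions.

```python
from collections import deque
from time import monotonic

class LoginRateLimiter:
    """Sliding-window limiter for a login endpoint (added example, not the post's code).
    One window per target account (credential stuffing against one user) and one per
    source address (spraying across many users). The limits are assumed tuning values.
    """
    def __init__(self, per_account=5, per_source=50, window_s=300, clock=monotonic):
        self.per_account, self.per_source, self.window_s = per_account, per_source, window_s
        self.clock = clock
        self.acct = {}   # account -> deque of attempt timestamps
        self.src = {}    # source  -> deque of attempt timestamps
        self.allowed = self.limited = 0   # counters behind the KPI

    def _hit(self, table, key, limit, now):
        q = table.setdefault(key, deque())
        while q and now - q[0] > self.window_s:   # drop attempts that left the window
            q.popleft()
        q.append(now)
        return len(q) > limit

    def check(self, account, source):
        """True if the attempt may proceed to password verification, False if limited."""
        now = self.clock()
        over_acct = self._hit(self.acct, account, self.per_account, now)
        over_src = self._hit(self.src, source, self.per_source, now)   # always recorded
        if over_acct or over_src:
            self.limited += 1
            return False
        self.allowed += 1
        return True

    def kpi(self):
        """'Rate-limit hits vs. legitimate usage' as counts and as a share of all attempts."""
        total = self.allowed + self.limited
        return {"allowed": self.allowed, "limited": self.limited,
                "limited_share": round(self.limited / total, 3) if total else 0.0}

def credential_stuffing_drill():
    """Constructed drill: 6 tries on one account from one source, then 60 accounts sprayed."""
    clock = [0.0]                                  # fake clock so the drill is deterministic
    lim = LoginRateLimiter(clock=lambda: clock[0])
    focused = [lim.check("alice", "203.0.113.7") for _ in range(6)]
    for i in range(60):
        clock[0] += 1.0
        lim.check(f"user{i}", "198.51.100.9")      # spray: new account each time, same source
    return focused, lim.kpi()
```

The per-account window stops the focused attempts on the sixth try, and the per-source window catches the spray after 50 distinct accounts; the KPI then shows how much of the drill traffic was throttled.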
90-day plan: from good intentions to lived control
Day 0–15 – transparency & baseline
- Complete asset and vulnerability inventory with internet exposure.
- MFA posture: which critical roles use phishing-resistant methods?
- Catalog web applications: critical flows, dependencies, test coverage.
- KPI baseline: patch SLO compliance, MFA coverage, MTTD/MTTR, open app findings.
Day 16–45 – hardening & SLO enforcement
- Sharpen SLO policy (internet-critical in days). Enforce escalation logic technically.
- Roll out phishing-resistant MFA; disable legacy protocols; session re-challenge on risk.
- SDLC mandatory path: security review & tests before every go-live. WAF baseline for login/payment/upload.
Day 46–75 – automate & rehearse
- Automated ticketing for critical CVEs; canary deployment pipelines.
- Realistic phishing drills (executive/supplier narratives) with a clear call-back policy.
- App drills: abuse scenarios (credential stuffing, mass download, enumeration) including rate-limit fine-tuning.
Day 76–90 – anchor impact
- KPI review vs. baseline; sharpen measures.
- “Never go alone” principle: no production change without a security checkpoint.
- Quarterly steering: budget follows demonstrable risk reduction (SLO adherence, time to containment, fix rate per sprint).
Minimal architecture: less friction, more impact
- Central findings backlog: Security findings from scanners, reviews, WAF in one system — prioritized by business impact.
- Telemetry mandate: endpoints, identities, web applications — one consistent data path.
- Standard automations: isolate host, lock account, create ticket, notify stakeholders — without manual click marathons.
- Exit plan: Documented migration path for every core component, so a vendor failure doesn’t stall the program.
Conclusion: discipline beats hope
Attackers win with speed and simplicity. Defenders win with SLO-driven hygiene, phishing-resistant authentication, and an SDLC that enforces security as a gate. If you close these three doors consistently, attack surface, response times, and costs go down — measurably, not emotionally.
FAQ about this blog post
What should companies prioritize first in IT security?
Companies should patch internet-exposed vulnerabilities within days, deploy phishing-resistant MFA, and secure web applications with WAFs and mandatory SDLC security gates.
How can patch discipline be proven in vulnerability management?
Patch discipline is demonstrated by meeting defined SLOs and measuring Mean Exposure Time for each critical CVE.
How can security awareness become realistic and effective?
Effective security awareness relies on scenario-based phishing drills with time pressure, executive or supplier context, instead of slide-based training.
What is the minimum security baseline for web applications?
The minimum baseline includes a secure SDLC, regular DAST and SAST testing, rate limiting, and automated secrets scanning.
Which KPIs are most important for IT and web security?
Key KPIs include time to fix, the ratio of open versus resolved findings per sprint, and adherence to security SLOs.