[MUSIC]

We've covered a lot of information so far.

Great job pushing through.

In this final stage we're going to discuss how to maintain the security of your

existing applications, APIs and services.

We've talked about encrypting the traffic to and from your site,

adding two factor authentication, and even adding rate limiting.

But security doesn't stop there.

Security is a constant concern not a list of boxes to check.

Let's start with a story.

Imagine that you've just deployed your new application to production.

Day after day, users join more quickly than your team ever expected.

Your team continues adding more and

more features, making the application even better.

Than one day, an engineer notices some odd entries in the log.

Upon further investigation, you see that some service that you didn't create

is making requests to a server not owned by you or anyone else at your company.

Yikes, it looks like you've been hacked.

After discovering the issue, your team quickly responds,

removes the rogue malware in your system, and investigates how it all started.

After hours of looking, it turns out the hackers exploited a security flaw

in the Ruby on Rails source code.

Not even your own code.

However, no one on your team ever updated Rails,

after moths of the application running in production,

which has led to some very nasty media coverage, customer emails,

extremely harmful reputation damage and the firing of your chief security officer.

This leads us to the following key takeaway.

Keep your applications updated and

patch any security flaws as updates are released.

Patching you applications and keeping them updated means that security flaws will get

fixed as soon as they are discovered by the maintainers of the software you use.

Not keeping code up to date has led to numerous incidents at companies

across the world.

For example, the 2017 Equifax breach

was possible because of a Java web framework vulnerability.

The 2017 WannaCry ransomware attack

exploited some Microsoft Windows framework vulnerabilities.

These flaws cost hundreds of millions of people their personal information.

In the case of WannaCry,

not patching these flaws shut down entire hospitals for days on end.

It's easy to tell people to patch their software, but how do you do it?

Answering this succinctly and for all companies and

possible edge cases is impossible.

However, strategies do exist for patching and updating applications and

services over the lifetime of their deployment.

These strategies generally follow a process similar to the following.

Keep an [SOUND] inventory of all the services and

applications you have in deployment.

Also, keep an inventory of all their associated assets, libraries, and

software used.

Next, you and your team should plan away to standardize all of your production

systems to be using the same libraries, versions and operating systems.

Keep track of the various update channels.

After you have your applications documented and

tracked Next, define the security controls you have in place.

[SOUND] Now you can determine priorities.

Cross-reference your assets and security controls against the risk

associated with not updating these systems.

Once you have a prioritized list of patches and updates to make,

define a weekly, monthly, and quarterly schedule to perform these updates.

Now, follow the plan.

And most importantly, follow the plan.

This will allow you to keep your systems patched and your users safe.

Keep in mind that the strategy we just discussed is not the only one and

many others exist.

If you would like to go more in depth on patching strategies, there are great

resources at the popular SASNS Information Security site, as well as OWASP.

We will add links to these in the teacher's notes.