A Brief Guide on Network Security, Application Security, Cloud Security & Container Security

Our third article in the 'Secure Your Start-Up' series walks you through the next step of securing your start-up: network security, application security, cloud security, and container security.

In the first article, we discussed the MVCSP of your organization, where we did a ‘gap analysis’ and arrived at a roadmap for your organization.

In the second article, we covered basic security practices to follow, such as password managers and MFA.

Using your organization's MVCSP as the reference, we begin with essential security hygiene, which typically focuses on the following areas - 

  • Network Security 
  • Application Security 
  • Cloud Security 
  • Container Security 

Basic or Essential Security Hygiene covers the traditional security controls for a company that is just starting on security and needs the bare minimum, absolutely necessary checks.  

As a start-up, it is essential to pay attention to your security budgets and spend them most optimally. Sumeru helps in providing cost-effective solutions with a mix of open-source and commercial tools as needed. 

We start by engaging with the respective people from the infrastructure and the application team to understand your network, applications, & other services and map out your entire infrastructure. 

Network Security 

We establish a security baseline by ensuring all systems, such as the operating systems of servers and workstations/laptops, are hardened by default against a recognised standard. The Center for Internet Security (CIS) Critical Security Controls Version 8 comprises 18 controls that provide actionable ways to prevent the most common attacks and serve as a recommended set of actions for cyber defense. 

We understand your network security by doing the following - 

  • Network Vulnerability Assessment & Penetration Test (VAPT) 
  • Network Configuration Review 

As part of VAPT, we identify the vulnerabilities in your network, classify them by risk, and remove false positives. As part of basic network security, it is essential to secure your perimeter with a firewall, harden it, and review its rules. Alongside the firewall, your other devices, such as switches and routers, must also be appropriately configured and verified as part of the network configuration review. 

Most of the above activities can be performed using tools such as -

  • Nmap 
  • OpenVAS 
  • Tenable Nessus 
  • QualysGuard 

Nmap handles host and service discovery, while the scanners perform automated vulnerability scanning and configuration checks. You can also schedule monthly automated vulnerability scans so that weak access controls, newly exposed services, or missing patches are identified on an ongoing basis as the network changes. 
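The value of a scheduled scan comes from comparing it with the last approved baseline, so that a port that was not open last month stands out. The script below is an added example, not part of the original article or of Sumeru's tooling: it parses two scans in Nmap's grepable (-oG) output format and reports every host or open service that appears in the current scan but not in the baseline. Both scan outputs are constructed samples embedded inline (hosts, ports and versions are invented); in practice you would feed it the files written by `nmap -oG`.

```python
"""Detect drift between a baseline Nmap scan and a later scheduled scan.

Both inputs are in Nmap's grepable (-oG) format; the samples below are
constructed for illustration, not output from a real scan.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the approved baseline after the firewall review.
BASELINE_SCAN = """# Nmap 7.93 scan initiated (baseline)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: filtered (999)
"""

# Constructed sample: this month's scan, with two new services and a new host.
CURRENT_SCAN = """# Nmap 7.93 scan initiated (monthly)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: filtered (998)
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (999)
"""

OpenPort = Tuple[int, str, str]  # (port, protocol, service name)

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORTS_RE = re.compile(r"Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> Dict[str, Set[OpenPort]]:
    """Map each scanned host to the set of ports Nmap reported as open."""
    hosts: Dict[str, Set[OpenPort]] = {}
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        if not host_match:
            continue  # comment lines such as "# Nmap done"
        ip = host_match.group(1)
        hosts.setdefault(ip, set())
        ports_match = PORTS_RE.search(line)
        if not ports_match:
            continue  # "Status: Up" lines carry no port list
        for entry in ports_match.group(1).split(", "):
            # Each entry is port/state/protocol/owner/service/rpc-info/version/
            fields = entry.split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            hosts[ip].add((int(fields[0]), fields[2], fields[4]))
    return hosts


def scan_drift(baseline: str, current: str) -> Dict[str, Set[OpenPort]]:
    """Open ports (and hosts) that appear in `current` but not in `baseline`."""
    base, cur = parse_grepable(baseline), parse_grepable(current)
    drift: Dict[str, Set[OpenPort]] = {}
    for ip, ports in cur.items():
        new_ports = ports - base.get(ip, set())
        if new_ports:
            drift[ip] = new_ports
    return drift


def report(drift: Dict[str, Set[OpenPort]], baseline_hosts: Set[str]) -> List[str]:
    """Human-readable findings, one per newly exposed service."""
    lines = []
    for ip in sorted(drift):
        tag = "NEW HOST" if ip not in baseline_hosts else "NEW SERVICE"
        for port, proto, service in sorted(drift[ip]):
            lines.append(f"{tag} {ip} {port}/{proto} ({service or 'unknown'})")
    return lines


if __name__ == "__main__":
    findings = scan_drift(BASELINE_SCAN, CURRENT_SCAN)
    for line in report(findings, set(parse_grepable(BASELINE_SCAN))):
        print(line)
```

Run against the samples, it flags the new 8080/tcp proxy on web01, the MySQL port that someone opened on db01, and the entirely new host 10.0.0.7. Each finding is either an approved change that should be added to the baseline or a firewall rule that needs to be reviewed; the point of the monthly schedule is that the review happens while the change is still fresh.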

Sumeru Security Assessment differs from other vendors as our work typically starts when the tool stops. We use tools to aid in our testing to speed up the basic checks and predominantly focus on manual analysis to remove false positives. 

Application Security 

With more and more applications hosted in the cloud and exposed publicly, traditional perimeter controls no longer protect them, and the applications themselves become the target. Here are some of the security tests which we can carry out - 

  • Application Penetration Test 
  • Secure Code Review 
  • Application Security Verification Standard (ASVS) Review 
  • DevSecOps 

We work with the developers/ product owners for business-critical applications to get a detailed walkthrough and better understand the applications.  

Once the necessary access and credentials are received, we carry out a detailed Application Penetration Test; web applications, mobile applications, thick clients, APIs, etc., are all considered part of the scope.  

We also perform a thorough Secure Code Review of the backend code against the OWASP standards: as a bare minimum, the OWASP Top Ten is covered, and the latest version of the OWASP Testing Guide, along with our comprehensive checklist covering the entire application scope, is worked through. Some of the most common tools for application security testing which we use are - 

  • Burp Suite 
  • OWASP ZAP 
  • Netsparker 
  • Checkmarx 

These tools automate some of the primary test cases. The Sumeru team goes beyond the tools to manually identify vulnerabilities, especially business-logic flaws, which automated tools typically miss, and reports the business impact relevant to your specific environment. 

To ensure further hardening and best practices are followed, we review the application against the OWASP Application Security Verification Standard (ASVS) to find and close additional gaps.  

We provide Secure Coding Practices training for developers to educate them on the typical vulnerabilities that attackers find and how to mitigate them at the code level.  

Once a significant level of maturity is reached, we help automate security checks wherever possible and integrate them, step by step, into your DevOps pipeline to establish a solid DevSecOps cycle. 

Cloud Security 

As a start-up, your product is likely to have a significant presence in the cloud, so the most likely entry point into your start-up is its cloud infrastructure, which, left unhardened, makes it easy prey even for casual attackers.  

Several reports have pointed out that cloud misconfigurations are among the most common weaknesses attackers have exploited to gain access to customer data. Hence it is essential to take the necessary precautions to harden your cloud infrastructure.  

Some of the activities carried out as part of Cloud Security are - 

  • Cloud Penetration Test 
  • Cloud configuration review  

It is vital to carry out a penetration test against your cloud infrastructure to identify user misconfigurations and publicly accessible storage, such as AWS S3 buckets or Azure Blob Storage containers that can be read without authentication. You must also conduct a thorough configuration review of your IAM policies and verify that logging and alerting are in place, so that you stay on top of your security.  

We follow guidelines from the Cloud Security Alliance, among other standards, to ensure the cloud infrastructure is configured securely. The following tools can be used to perform automated scans - 

  • CS-Suite 
  • ScoutSuite 
  • Tenable Nessus 
  • Qualys Cloud Platform 
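The two findings the configuration review most often turns up are storage that anyone on the internet can read and IAM policies that grant far more than the workload needs. The script below is an added example, not code from the original article, from Sumeru, or from any of the tools listed above: it reviews AWS policy documents offline and flags an Allow statement whose Principal is anonymous (`"*"` or `{"AWS": "*"}`) with no Condition, and an Allow statement that pairs a wildcard action with every resource. The four policies are constructed samples; the bucket name, role name and account ID are placeholders, and the "corrected" versions show the least-privilege form beside the weak one.

```python
"""Review AWS policy documents for two common cloud misconfigurations:
public access to storage and over-broad IAM permissions.

The policies are constructed samples (the account ID is a placeholder);
they are not taken from any real environment.
"""
import json
from typing import Any, List

# Weak: anyone on the internet can read every object in the bucket.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-startup-assets/*",
    }],
})

# Corrected: only the application's backend role may read the objects.
RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-startup-assets/*",
    }],
})

# Weak: an identity policy that makes its holder a full administrator.
ADMIN_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Corrected: least privilege, scoped to the actions and bucket the app needs.
SCOPED_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-startup-assets/*",
    }],
})


def _as_list(value: Any) -> List[Any]:
    """The policy grammar allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two anonymous forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def review_policy(document: str, name: str) -> List[str]:
    """Return one finding per risky Allow statement in the policy."""
    findings: List[str] = []
    policy = json.loads(document)
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Unauthenticated access: anonymous principal and no Condition narrowing it.
        if _principal_is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(
                f"{name}: statement {index} grants {actions} to anonymous users "
                f"(Principal '*') with no Condition")
        # Over-broad permissions: wildcard action on all resources.
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions and "*" in resources:
            findings.append(
                f"{name}: statement {index} grants wildcard actions "
                f"{wildcard_actions} on every resource")
    return findings


if __name__ == "__main__":
    for label, doc in [("public-bucket", PUBLIC_BUCKET_POLICY),
                       ("restricted-bucket", RESTRICTED_BUCKET_POLICY),
                       ("admin-iam", ADMIN_IAM_POLICY),
                       ("scoped-iam", SCOPED_IAM_POLICY)]:
        for finding in review_policy(doc, label) or [f"{label}: no findings"]:
            print(finding)
```

Two caveats a reviewer should keep in mind. A bucket policy is only one of the controls that decide whether an S3 bucket is public (object ACLs and the account-level Block Public Access setting also matter), so a clean policy document is necessary but not sufficient. And a Condition on an anonymous statement is not automatically safe; the script treats any Condition as a narrowing and leaves judging it to the reviewer.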

Container Security 

The adoption of containers, especially Docker, has grown in organizations because of benefits such as cost-effectiveness, quick deployment, and the ability to run the same image in any environment. Along with these benefits, containers introduce security challenges: because containers share the host kernel, a single compromised container can put the other containers and the underlying host at risk. 

According to the recent “State of Kubernetes and Container Security Report,” 87% of organizations manage some portion of their container workloads using Kubernetes. 

It is critical to harden these containers by using up-to-date images, scanning them regularly for known vulnerabilities, checking for misconfigurations, verifying that the latest patches are applied, and automating all of these checks as far as possible. 

Some activities carried out as part of Container Security are 

  • Container Security Testing 
  • Container Hardening 

We help identify vulnerabilities, fix the issues, and integrate the scans into your CI/CD pipeline so that only secure containers are deployed. Some popular open-source tools for performing these scans are 

  • Clair 
  • Anchore 
  • Docker Bench for Security 
  • Aqua Security (Trivy) 
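Image scanners such as Clair, Anchore and Trivy find known CVEs in the packages inside an image, and Docker Bench for Security checks the host and daemon configuration; neither looks at how the image itself was built. The script below is an added example (not part of the original article or of any of those tools) that covers that gap: it reads a Dockerfile and reports the hardening mistakes the text describes, namely a base image that floats to `latest`, a container that runs as root, a secret baked into the image as an ENV, and an ADD that pulls an unverified archive from the network at build time. The two Dockerfiles are constructed samples; the weak one shows the mistakes and the hardened one shows the corrected form. The digest check (`@sha256:`) and the list of secret-looking variable names are this example's own choices.

```python
"""Check a Dockerfile for the container hardening gaps the text lists:
floating base images, running as root, secrets baked into the image, and
remote ADD sources. The two Dockerfiles are constructed samples.
"""
import re
from typing import List, Optional, Tuple

# Weak: floats to whatever "latest" is today, bakes in a password, runs as root.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.com/app.tar.gz /opt/app/
ENV DB_PASSWORD=hunter2
RUN pip install -r /opt/app/requirements.txt
CMD ["python", "/opt/app/main.py"]
"""

# Hardened: pinned base tag, files copied from the build context, a dedicated
# unprivileged user, and the secret supplied at runtime instead of in the image.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
RUN groupadd -r app && useradd -r -g app app
COPY app/ /opt/app/
RUN pip install --no-cache-dir \\
    -r /opt/app/requirements.txt
USER app
CMD ["python", "/opt/app/main.py"]
"""

# Variable names that usually carry credentials (this example's own list).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments), joining backslash continuations."""
    instructions: List[Tuple[str, str]] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        pending += line
        name, _, args = pending.partition(" ")
        instructions.append((name.upper(), args.strip()))
        pending = ""
    return instructions


def base_image_is_pinned(image: str) -> bool:
    """Pinned means a digest, or a version tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    ref = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may contain ':'
    return ":" in ref and not ref.endswith(":latest")


def review_dockerfile(text: str) -> List[str]:
    """Return one finding per hardening gap; an empty list means all checks passed."""
    findings: List[str] = []
    last_user: Optional[str] = None
    for name, args in parse_instructions(text):
        if name == "FROM":
            image = args.split()[0]  # ignore "AS <stage>"
            if not base_image_is_pinned(image):
                findings.append(f"FROM {image}: base image is not pinned to a version tag or digest")
        elif name == "USER":
            last_user = args.split(":")[0]  # USER may be "name:group"
        elif name == "ADD" and re.match(r"https?://", args):
            findings.append(f"ADD {args.split()[0]}: remote source is fetched unverified at build time")
        elif name == "ENV" and SECRET_NAME.search(args):
            findings.append(f"ENV {args.split('=')[0]}: secret baked into the image layers")
    if last_user in (None, "root", "0"):
        findings.append("no USER instruction: the container runs as root")
    return findings


if __name__ == "__main__":
    for label, dockerfile in [("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)]:
        print(f"{label}: {review_dockerfile(dockerfile) or ['no findings']}")
```

A check like this belongs in the CI/CD pipeline next to the image scan, failing the build before the image is pushed. Pinning to a tag still lets the image change when the tag is republished; pinning to a digest is the stricter option and is why the check accepts `@sha256:` as pinned.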

To sum up

From the list of essential security hygiene services, all may not apply to your environment in the early stages. The Sumeru team can help prioritize based on the MVCSP and carry out the appropriate activities in a phased manner. 

  • Perform regular vulnerability scans and configuration reviews of your network assets. 
  • Carry out Application Penetration Tests and Secure Code Reviews of your business-critical applications, and train your developers on secure coding practices. 
  • Secure your cloud infrastructure to remove common misconfigurations and access-control issues. 
  • Harden your containers, keep their images up to date, and scan them for known vulnerabilities. 


Written by:

Chidhanandham Arunachalam, Chief Program Officer at Sumeru Solutions. A passionate entrepreneurial leader & unshakable optimist dedicated to helping companies achieve remarkable results with great technology solutions.


This article is the third of our series on 'Secure Your Start-ups'. To get updated about the remaining articles of the series, please follow #sumerusecureyourstartup
