Secret weapon against vulnerabilities
Recently there have been confronted with a number of vulnerabilities.
Whenever a vulnerability is found, it is important to act swiftly. This is a moment where it becomes (sometimes painfully) visible how good or bad your development process is:
How long did it take you to find out about the vulnerability?
How quickly can you identify apps that are vulnerable?
How quickly can you update an app?
How quickly can you make sure that the update does not break anything?
How quickly can you deploy the app?
Is this all a matter of minutes or days? Are you vulnerable? Which apps are vulnerable? Do you have a list of all the apps you are running? Do you have to check everything manually? How long will it take to apply the fix?
Some things you might want to look into:
Subscribe to the different security related mailing lists. This allows you to roll out fixes before most people know they exist.
Have an automated way of determining which of your apps are vulnerable. We can do this in a matter of seconds across ALL our apps. If you use provisioning tools, writing a script that queries all apps should be trivial to implement.
Have your code always ready for deployment. Use a SCM like Git and have a stable branch ready for deploy (usually master). Applying a fix should, in general, take a couple of minutes.
Write tests and make sure they are green. Use real TDD and don't try to cheat by writing only a few high level tests afterwards. Your tests should cover all aspects of your app and should always be green.
Write tests and make sure they are fast. Test suites that run 30 minutes are usually an indication of poor test and/or code quality.
Automate your deployment and deploy often. Deploying should be a matter of seconds and you should never be afraid to deploy. If you have no confidence, find deployment scary, something is wrong with your code and/or tests and/or deployment process.
If you do all the above right, you are basically ready for doing continuous deployment. This is a great weapon for combating vulnerabilities.
Applying a fix for a vulnerability will then no longer be something special, just business as usual. That is a great position to be in.