Prompts matching the #cybersecurity tag
Develop a comprehensive penetration testing plan. Stages: 1. Scope definition and rules of engagement. 2. Reconnaissance and information gathering (OSINT). 3. Vulnerability scanning (automated tools). 4. Exploitation phase (SQLi, XSS, privilege escalation). 5. Post-exploitation and lateral movement. 6. Data exfiltration simulation. 7. Reporting with risk severity (CVSS) and remediation steps. 8. Debriefing and re-testing. Include social engineering scenarios and physical security assessment.
Build security into the product development lifecycle (secure SDLC). Security requirements: 1. Authentication: multi-factor authentication, password policies. 2. Authorization: role-based access control, principle of least privilege. 3. Data protection: encryption at rest and in transit, tokenization of sensitive data. 4. Input validation: prevent injection attacks, sanitize user inputs. 5. Session management: secure cookies, session timeouts. Development practices: 1. Threat modeling: identify potential attack vectors early. 2. Secure coding standards: OWASP guidelines, code reviews. 3. Dependency scanning: monitor third-party libraries for vulnerabilities. 4. Penetration testing: regular security assessments. 5. Security training: developer education on common vulnerabilities. Monitoring and response: 1. Security information and event management (SIEM). 2. Intrusion detection systems. 3. Incident response plan: defined procedures for breaches. 4. Regular security audits and compliance checks. Tools: Snyk for dependency scanning, Veracode for static analysis, bug bounty programs for ongoing testing.