• Compensating control
• Control types
- Managerial
- Operational
- Technical
- Preventative
- Detective
- Responsive
- Corrective
• Patching and configuration management
- Testing
- Implementation
- Rollback
- Validation
• Maintenance windows
• Exceptions
• Risk management principles
- Accept
- Transfer
- Avoid
- Mitigate
• Policies, governance, and service-level objectives (SLOs)
• Prioritization and escalation
• Attack surface management
- Edge discovery
- Passive discovery
- Security controls testing
- Penetration testing and adversary emulation
- Bug bounty
- Attack surface reduction
• Secure coding best practices
- Input validation
- Output encoding
- Session management
- Authentication
- Data protection
- Parameterized queries
• Secure software development life cycle (SDLC)
• Threat modeling
