I have just 4 hours a month to security check a cloud based application - How to use my time?

As mentioned in the comments, I too agree 4 hours in a month is way too low. Understand, and more importantly, make your stakeholders understand that with 4h they shouldn't expect much. Considering they've given you 4h, it doesn't look like they're serious about securing this application either.

Based on the comments, answers and my own thoughts I'll try to put together something. Here's how I think your options should look, in order.

  1. Ask for more time. Make them understand if they want to secure an application in just 4h, it's practically useless.
  2. Hire an agency and spend your 4h defining their scope, prioritizing their actions and reviewing their results. (@Nelson)
  3. If you can't do the above, I'd recommend securing the low-hanging fruit so you're covering more ground in 4h. Here's what I think is important:
    • Set your external-facing services to update. (~1h to find and set the important applications for update). Close unnecessary ports/services that you don't find useful.
    • Set up MFA (~10mins) - since you don't have much time, set up things that are quick, protect you against common attacks and alert you.
    • Review your secrets - Ensure they're stored securely, run scanners on your code to find hard-coded secrets. (~1h)
    • Disaster Recovery - I'd recommend spending some amount of your precious 4h in setting up protections for when things go wrong, because they will. Start creating backups (2 if feasible) in different zones. I'm assuming the platform will help you with this but it will still take time. During this time, you can also draft out a rough disaster recovery plan. (~1.5h)
    • Finally, with whatever little time you have left, document. Document what you've done, what you haven't done and what should be the next steps for the next time someone gets 4h to further secure the application. (~leftover)

DoS protection is good and required but I just couldn't find a way to fit it into the above plan and neither could I swap anything out for it. Maybe that should be documented in your next steps.

Overall, it's a far-fetched request to secure something in 4h. But if I were tasked with it, I'd do it with the above steps. I'm not sure if any investigations into whether the system is already hacked are feasible in those 4h. When you are given 4h to secure, you can either choose to spend it in securing the application against potential threats or investigate for attackers in your system (needs a different plan). That initial choice is yours.
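The "run scanners on your code to find hard-coded secrets" step above is the one that is easiest to automate inside the 4h budget. The following is an added example, not code from the answer above: a minimal secret scanner that combines the two checks most dedicated tools (gitleaks, truffleHog and similar) rely on, a keyword check for credential-looking assignments and a Shannon-entropy check for long random-looking literals, with an allowlist so templated values and obvious placeholders are not reported. The file contents are constructed sample lines, not taken from any real project, and the regexes, thresholds and names (`KEYWORD_RE`, `ENTROPY_THRESHOLD`, `scan_files`, and so on) are this example's own choices.

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Check 1: a quoted literal assigned to a name that suggests a credential.
# Allows an optional quote after the key so JSON/YAML keys ("password": "x") match too.
KEYWORD_RE = re.compile(
    r'(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)\w*'
    r'["\']?\s*[=:]\s*["\']([^"\']{4,})["\']'
)

MIN_LITERAL_LEN = 20      # shorter literals are left to the keyword check
ENTROPY_THRESHOLD = 4.0   # bits per character; a random 32-char token scores ~5

# Check 2: any long quoted literal drawn from the base64 / hex / URL-safe alphabet.
LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{%d,})["\']' % MIN_LITERAL_LEN)

# Templated values and obvious placeholders that are not real secrets.
PLACEHOLDER_RE = re.compile(r'^(?:\$\{[^}]*\}|<[^>]*>|REPLACE_ME|CHANGE_?ME|x{3,})$', re.I)


class Finding(NamedTuple):
    path: str
    line: int                  # 1-indexed line number
    reasons: Tuple[str, ...]   # which checks fired
    redacted: str              # never log the full secret, only a hint


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a repeated character, log2(n) for n distinct ones."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:3] + "...[%d chars]" % len(value)


def scan_line(line: str) -> Tuple[Tuple[str, ...], str]:
    """Return (reasons, matched value) for one source line; reasons is empty when clean."""
    reasons: List[str] = []
    value = ""
    m = KEYWORD_RE.search(line)
    if m and not PLACEHOLDER_RE.match(m.group(1)):
        reasons.append("keyword")
        value = m.group(1)
    for literal in LITERAL_RE.findall(line):
        if shannon_entropy(literal) >= ENTROPY_THRESHOLD and not PLACEHOLDER_RE.match(literal):
            reasons.append("high-entropy")
            value = value or literal
            break
    return tuple(reasons), value


def scan_files(files: Dict[str, List[str]]) -> List[Finding]:
    findings: List[Finding] = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            reasons, value = scan_line(line)
            if reasons:
                findings.append(Finding(path, lineno, reasons, redact(value)))
    return findings


# Constructed sample files (not from any real project) covering hits, misses and false-positive traps.
SAMPLE_FILES: Dict[str, List[str]] = {
    "app/config.py": [
        'import os',
        'DB_PASSWORD = "hunter2"',                                # keyword hit
        'API_KEY = os.environ.get("API_KEY")',                    # read from environment: clean
        'DEFAULT_TIMEOUT = "30"',                                 # short benign literal: clean
        'BANNER = "================================"',            # long but zero entropy: clean
        'API_SECRET = "q8Zr2LkT5vX0pW9mB4nJ7yH3sD6fG1aC"',        # keyword + high entropy
    ],
    "deploy/values.yaml": [
        'token: "${API_TOKEN}"',                                  # templated: allowlisted
        'session_secret: "REPLACE_ME"',                           # placeholder: allowlisted
        'authHeaderValue: "7Jd4KqP2mN8xR5tW1vY3bL6hC9sF0gAE"',    # no keyword, caught by entropy
    ],
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%s:%d  %s  %s" % (f.path, f.line, ",".join(f.reasons), f.redacted))
```

The entropy check is what catches secrets stored under innocuous names, and the allowlist is what keeps the report short enough to triage in the remaining minutes; findings are redacted so the scan output itself does not become another copy of the secret. In practice you would feed it `git ls-files` output (or the repository history) instead of the inline dictionary.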


Start with the Azure top security best practices so you can maintain and improve security of your Azure solution step by step:

  1. agree and upgrade your Azure subscription to Azure Security Center Standard. This will help you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics, and respond promptly to attacks;
  2. store your keys, database credentials, API keys and certificates in Azure Key Vault. Additionally make sure keys and secrets in the solution are not stored in the application source code;
  3. install a Web application firewall (WAF) that is a feature of Application Gateway and provides protection of your web application from common exploits and vulnerabilities;
  4. enforce multi-factor verification for your administrator accounts;
  5. encrypt your virtual hard disk files;
  6. connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks;
  7. mitigate and protect against DDoS with DDoS Protection Standard that provides additional mitigation capabilities;

When you are ready with the 1-7, focus on:

  1. managing your VM updates as Azure doesn't push Windows updates automatically
  2. making sure to set up processes for important cloud operations such as patch management, backup, incident management, change management, emergency user access, privileged access;
  3. enable password management and use appropriate security policies to prevent abuse;
  4. review your Security Center dashboard to maintain an overview of the security state of all of your Azure resources so then if required you can take action on the recommendations;

Read the Microsoft documentation on the Azure security best practices.

Documentation:

Microsoft Azure Security Fundamentals

Microsoft Azure Security Documentation


This is a very out-of-left-field answer (aka it has little to do with actual security), so feel free to ignore my advice. This question itself is fairly opinion-based, so I thought I'd try a completely different "kind" of answer.

You've been put in charge of application security. This is a good thing!

Unfortunately, your employer has very unrealistic expectations of what is required to secure an application. 4 hours is nowhere near enough time to do this job well. To be clear, this is still better than most companies (that assign exactly 0 hours per month of dedicated security time). The reality though is that 4 hours is a pittance. So this is what you do:

  1. Run with all the suggestions that people give here
  2. Spend much more than 4 hours a month
  3. To avoid making your employer unhappy or directly disobeying orders, do the extra work on your own time. Plan on spending the next few months working a good chunk of extra hours on a regular basis.
  4. In this time you'll get to learn about things like reviewing code for security weaknesses, installing and using SIEM systems, installing and using logging systems (ELK stack is commonly used), intrusion detection systems, automatic application scanning, and more! (the full list is probably too long to learn it all in a few months of work in your spare time, but do your best!)
  5. Your company is going to end up with the benefits of your free labor, which is a bit sad, but...
  6. You will be well on your way to training yourself to be a security professional (if you wanted a job title, you're on your way to being an Application Security Engineer) as part of your official duties, securing an actual web application in production use!
  7. Start applying for your next job as an Application Security Engineer. You'll probably find a better job doing work that is more fun, and you'll probably get paid better too!

Obviously I can't make any guarantees about how things would turn out, but effectively what you have been given is permission to start training yourself for a career change. An opportunity to invest in your future! Security professionals are even more in demand than engineers, so personally I'd take this and run with it. Especially if it worked out in my favor, I wouldn't even begrudge my current employer for the free work I was going to give them due to their shortsightedness.