SANS Institute Publishes Top Security Actions List
Following up on January's publication of the Top 25 Most Dangerous Programming Errors, today the SANS Institute has released Draft 1.0 of the Consensus Audit Guidelines (CAG), a set of recommendations that organizations should implement in order to improve their security posture.
Strong coding standards and adherence to network security best practices go a long way toward improving an organization's security posture. Published guidelines such as these provide a solid roadmap for getting there.
As with the Top 25 Programming Errors list, I do not believe that anything in the CAG is revolutionary in its thinking, but it does provide a starting point for organizations that want a checklist of items to implement in order to make a successful attack less likely. One of the nice things about this list is that it breaks its recommendations down into several categories, from Quick Wins to Advanced. This type of categorization is especially useful for those who are just starting a security program and need to show quick, meaningful successes to their executive teams. Small, early wins help build executive support, a crucial element in the success of any security program.
The CAG is broken up into 20 individual controls, ranging from hardware and software inventories to vulnerability assessment and remediation and wireless device control. Each control is introduced by a description of how attackers take advantage of organizations that have not implemented that control. This is followed by a categorized outline of the recommendations for the control and of how to measure their effectiveness. With this information, an IT manager can start to answer the "What", "Why", and "How" questions that go into making a strong business case for implementing these practices.
As experienced security professionals, it is important that we take neither the CAG nor the Top 25 Programming Errors list for granted. Guidelines like these are not always as well known or as widely practiced as we might expect. That is not to say that everyone should go out of their way to implement every single one of these practices either. Identify the guidelines that are most pertinent to your organization, map out a plan, and hold people accountable for carrying it out. If you are just starting out in your security career or with your security program, you have a growing number of tools at your disposal to improve your chances of success. Use them wisely and reap the rewards of building a solid security program and culture within your organization.
Categories: Security Awareness
Posted by smasiello at 9:21 PM