19 ways to become a better Node.js developer in 2019

With time, you will unconsciously start minding security in every design decision and every line of code.

Examples:
- Try OWASP ZAP, a rich assessment and penetration-testing tool that lets even newcomers explore the security level of an application.
- Read my list of Node.js security best practices, which contains 23+ attack ideas including JavaScript code examples.
- Conduct a monthly threat-analysis meeting where the team looks at the application design and proposes attacks. Sounds boring? Not necessarily, if you add some gamification and reward members who find an exploit, or run a competition between a blue team that designs a module and a red team that tries to find exploits in it.

11. Have a package update strategy

A lesson learned in 2018: updating too soon is a dangerous practice. Teams usually hold to one of two npm/Yarn package update strategies: (1) update as soon as possible, sometimes even using an automated process; (2) no update strategy at all, where someone occasionally updates based on goodwill. While the first approach seems superior, it surprisingly turned out to be the riskiest one in 2018: all the malicious-package incidents like flat-stream were discovered by the community within 40 days, so those who waited and did not update too soon were saved. Consider formalizing the update strategy using automated tools and find the sweet spot between not updating at all and updating too soon.

Examples:
- npq by Liran Tal is a great advisory package installer that also minds the release date.
- Commercial tools like Greenkeeper open a PR once a package is updated. Unfortunately, none is yet capable of holding back an update until a release has proven safe.

12. Perform gradual installations, separating the deploy and release phases

In 2019 you might find it useful to perform safer deployments that are not rolled out in a single shot, leaving your heart beating like a hammer. On the safer side, granular deployment (a.k.a. canary) suggests splitting the rollout into three phases: (1) Deployment: send the new code to an isolated, new production area (e.g. a new Kubernetes service or a new machine instance). At this stage it serves nobody, so there is no fear attached. (2) Test: a few people can now work against and test the new code in its most realistic environment, production. (3) Release: gradually allow more users to hit the new version (e.g. the entire east coast) and, once you feel confident enough, fade out the older version.

A word of caution: performing full-blown canary deployments in 2019 is still very expensive, as it requires orchestrating many infrastructure parts such as routing and monitoring. Therefore, consider starting with simple and semi-manual canary deployments (e.g. manually spin up more machines with the new version based on the monitoring metrics).

Examples:
- Learn more about canary releases.
- If you are willing to go all the way to fancy canary deployments, Spinnaker is a robust deployment platform to look at.

13.
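The update "sweet spot" from item 11, as an added example that is neither the article's nor npq's code: given publish timestamps in the shape of the npm registry's `time` field (constructed inline here, with hypothetical package names), it picks for each dependency the newest release that has already been public for at least 40 days and holds back younger ones.

```javascript
// Added example (not the article's code): choose, per installed dependency, the
// newest registry version that has been public for at least MIN_AGE_DAYS. Registry
// data is constructed in the shape of npm's `time` field (`npm view <pkg> time --json`).
const MIN_AGE_DAYS = 40; // the 2018 incidents were caught by the community within ~40 days

const registryTime = {
  'example-stream': {
    created: '2017-01-01T00:00:00.000Z',
    modified: '2018-12-20T00:00:00.000Z',
    '0.1.0': '2017-01-01T00:00:00.000Z',
    '0.2.0': '2018-09-01T00:00:00.000Z',
    '0.2.1': '2018-12-20T00:00:00.000Z', // fresh release: not aged enough yet
  },
  'example-util': {
    '2.0.0': '2018-03-01T00:00:00.000Z',
  },
};

// Constructed lockfile state; 'example-missing' has no registry metadata at all.
const installed = { 'example-stream': '0.1.0', 'example-util': '2.0.0', 'example-missing': '1.0.0' };

// All published versions of one package, newest first (ordered by publish time, a
// simplification: a backport can publish a lower semver after a higher one).
function publishedVersions(timeEntry) {
  return Object.entries(timeEntry)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, iso]) => ({ version, publishedAt: Date.parse(iso) }))
    .sort((a, b) => b.publishedAt - a.publishedAt);
}

// Returns { name: { current, target, action, held } }: `target` is the newest version
// published before the cutoff, `held` lists versions still too young to adopt.
function planUpdates(installedVersions, timeData, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  const cutoff = now - minAgeDays * 86_400_000; // minAgeDays in milliseconds
  const plan = {};
  for (const [name, current] of Object.entries(installedVersions)) {
    const entry = timeData[name];
    if (!entry) { plan[name] = { current, target: current, action: 'unknown', held: [] }; continue; }
    const versions = publishedVersions(entry);
    const matured = versions.filter((v) => v.publishedAt <= cutoff);
    const held = versions.filter((v) => v.publishedAt > cutoff).map((v) => v.version);
    const currentAt = entry[current] ? Date.parse(entry[current]) : -Infinity;
    // Only move forward: never "update" to something older than what is installed.
    const target = matured.length && matured[0].publishedAt > currentAt ? matured[0].version : current;
    plan[name] = { current, target, action: target === current ? 'keep' : 'update', held };
  }
  return plan;
}
console.log(JSON.stringify(planUpdates(installed, registryTime), null, 2));
```

Feeding it real `npm view <pkg> time --json` output in a CI step gives a deterministic "no releases younger than N days" gate that tools like npq or Greenkeeper can sit behind.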
