
Quick Wins For Product Security

  • Writer: Logic Hazard Labs Staff
  • Apr 1
  • 2 min read


Product security has never been a simple problem to solve. Computers are subject to both the complexities of raw logic and the physics of their operation, leaving attackers with plenty of attack surface.


As we compile multiple computers into a network or a system, complexity increases even further. To go another step, many systems are secured with the help of updates deployed by other systems. And those updates are often created by upstream vendors who may not have any direct relationship with the product in question.


While it is true that long-term solutions will require industry-scale action, there are quick wins that even start-ups can implement in early sprints to help protect products and users.


  1. Vulnerability Scanning - Network security has been an industry for decades, and there are numerous solutions that can help find low-hanging fruit in your product. If you have a commercial product like Tenable Nessus or Rapid7 Nexpose, great: those will find a lot of potential configuration issues in addition to missing patches. If not, Greenbone OpenVAS is a mature open source solution that can get you started. Whatever scanning solution you use, remember that automated scanning is only the beginning of a successful network security testing program.

  2. OSINT Yourself - If your product is supported by internet-facing infrastructure, it's essential to know what's exposed to your fleet and the rest of the world. Does your system connect to a specific domain name? Give that domain a Google and see what comes back. Do you think you're only exposing your web servers to your SaaS customers' IP addresses? Validate that with Shodan (and with the vulnerability scanner from item 1!).

  3. Migrate Deprecated Functions - Every once in a while, functionality within a programming language or library is deprecated for security reasons. Audit your code for the banned functions of the languages and libraries you use and score some quick wins.

  4. Baseline Behavior - Have you ever set up your system in a lab and just watched it work? While we may know all the ins and outs of the code we write, we may not realize all the other functionality that our code relies on. It's important to know the system's observed baseline behavior, including all of those dependencies, so that we can spot signs of trouble. Start by looking at your system logs or at simple Wireshark captures.

  5. Make all of the above activities a habit, then dive deeper - Cybersecurity isn't a static goal; it is a moving target. Think in terms of processes, not one-off activities. New release? New code audit. New month? New patches mean new vulnerability scans. Identify the areas of the system where you still have questions.
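The kind of banned-function audit item 3 describes, as an added example that is not from the original post: a small Python scanner that reports calls to unbounded C string routines by file line, skipping comments and string literals so that a mere mention of a function is not flagged. The banned list and the suggested replacements are this example's own assumptions, and the C sample it scans is constructed.

```python
import re
from typing import List, Tuple

# Constructed banned list: the function names follow common C hardening
# guidance (unbounded or non-terminating string routines); the suggested
# replacements are this example's own, not the post's.
BANNED = {
    "strcpy": "bounded copy (strlcpy / strcpy_s) or memcpy with an explicit length",
    "strcat": "bounded append (strlcat / strcat_s)",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
    "strncpy": "strlcpy / strcpy_s (strncpy may leave dst unterminated)",
}

# String literals and comments are blanked out (newlines kept) so that a
# mention of strcpy in a comment or a message is not reported as a call.
_NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)
_CALL = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")

def audit(src: str) -> List[Tuple[int, str, str]]:
    """Return (line, function, suggestion) for each banned call in C source."""
    code = _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)
    return [
        (code.count("\n", 0, m.start()) + 1, m.group(1), BANNED[m.group(1)])
        for m in _CALL.finditer(code)
    ]

# Constructed sample: two real hits, plus look-alikes that must not be flagged.
SAMPLE = """\
#include <string.h>
#include <stdio.h>
/* strcpy(dst, src) is only discussed in this comment */
void greet(char *dst, const char *name) {
    strcpy(dst, "Hello, ");        /* flagged: unbounded copy */
    strcat(dst, name);             /* flagged: unbounded append */
    snprintf(dst, 64, "%s", name); /* fine */
    puts("avoid strcpy() here");   /* inside a string literal */
    my_strcpy(dst, name);          /* different identifier */
}
"""

if __name__ == "__main__":
    for line, func, fix in audit(SAMPLE):
        print(f"line {line}: {func}() -> consider {fix}")
```

Run against a real tree by reading each `.c` file and passing its contents to `audit()`; the hits are a review queue, not proof of exploitability.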


Once your organization has the muscle memory to conduct basic product security operations (including fixing the problems it identifies!), a next step could be evaluating full product security frameworks to ensure more comprehensive coverage. Even with a fully implemented framework, every product or system still carries residual risk, but even simple processes can make an impact, and they don't require an act of Congress.


