In the 1800s, cities across the United States were on high alert. Fires in Seattle, Chicago, and San Francisco burned through buildings, devastating cities. Entire blocks of cities burned to the ground, because of a small spark.

‍

‍

Today, we face a similar threat in the security world. A single vulnerability, or a forgotten system, can turn into a large-scale breach. That breach can quickly engulf an entire organization.

‍

This week, we’re exploring the key changes that helped cities prevent fires — and how those same lessons can help us stop security breaches today.

‍

Unfortunately, many modern organizations fail to learn the lessons history teaches us. They’re missing key practices that prevent small issues from becoming massive breaches. Let’s look at why these preventable failures still occur and how we can stop them.

‍

Why Organizations Fail to Contain Incidents

‍

Lack of “Building Codes” for Development: Many organizations build apps without secure design standards or coding practices. Those apps are like old wooden buildings.

‍

No Incident Response Team: Many organizations have minimal incident response and monitoring capabilities. Without these, even a small incident can spread like wildfire.

‍

Poor Segmentation: Fire spreads when buildings have no separation between them. Without network and application segmentation attackers can also pivot between systems.

‍

Lack of Proactive Testing: Thoughtful city planners installed smoke alarms and sprinklers to address fires early. Thoughtful organizations need to find and address vulnerabilities early.

‍

We have solutions to these problems. Let’s break down how you can learn from history to secure your applications.

‍

Here’s how, step by step:

‍

Step 1: Design Applications with Security from the Start

‍

Think of this as your “building code.” Secure-by-design means embedding security in the architecture. This includes planning for resilience, threat modeling, secure code standards, and architecture reviews. Just as building with brick and steel made cities safer, secure application architecture results in safer applications.

‍

The ​OWASP Application Security Verification Standard (ASVS)​ provides guidance you can use as secure development requirements

‍

Step 2: Develop a Response Plan and Active Monitoring

‍

When a fire breaks out, you don’t wait to see if it spreads—you call in the fire department immediately. Similarly, in cybersecurity, a strong incident response plan is critical. This includes establishing alerts, monitoring systems, and training a team to respond to potential breaches quickly. Many organizations go wrong here by relying on reactive responses. Instead, plan to detect and respond to attacks in real-time, preventing minor issues from escalating.

‍

Check out the following incident response templates for inspiration:

‍

• ​SANS Incident Handling Resources​
• ​CISA Incident Response Plan Basics​

‍

Step 3: Segment and Isolate

‍

Zoning laws were a game-changer for urban fire safety. In your applications, segmentation is your zoning law. Segmenting your data and networks helps limit how far an attacker can go if they do get in. Many organizations make the mistake of treating all systems as part of a single network, which can mean one compromised system infects the rest. Segment systems and enforce strong authentication between each layer.

‍

OWASP’s ​Network Segmentation Cheat Sheet​ is a great starting point  

‍

Step 4: Automate Security Testing

‍

Automated security testing is your modern-day fire alarm and sprinkler system. Just as these systems detect smoke before it becomes a fire, automated testing tools can catch vulnerabilities before they reach production. Where many teams go wrong is relying on manual or infrequent testing. By integrating automated security checks into your CI/CD pipeline, you’re ensuring that each deployment is tested thoroughly, catching issues before they become disasters.

‍

There are many commercial and free options available. The ZAP (Zed Attack Proxy) project creates a fantastic dynamic application scan tool. And it is free. Check it out: ​ZAP​

‍

In my upcoming DevSecOps With GitHub Actions course I’ll show my students how to automate ZAP scans using GitHub Actions. I’ll announce the launch soon. Reach out if you have any questions.

‍

Finally {

By implementing these steps, you’re not only strengthening your application security but building a more resilient organization. Much like the 20th-century reforms made cities safer from fires, these measures will help protect your systems from the equivalent modern threats. In the process you will build trustworthy, secure applications that can withstand unexpected incidents and earn customer trust.

}

‍