This security checklist aims to give DevOps professionals a list of DevOps security best practices they can follow to implement DevSecOps.
Audit your infrastructure on a regular basis [Series A]
With cloud providers, it’s easy to start instances and forget about them. You will need to create and maintain a list of your assets (servers, network devices, exposed services, etc.), and review it regularly to determine whether you still need them, keep them up to date, and ensure that they benefit from your latest deployments.
Renew your certificates on time [Series A]
You should be using TLS certificates. They can be a hassle to configure and monitor, but don’t forget to renew them!
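One way to automate the renewal check, as an added example that is not part of the original checklist: it classifies each certificate in an inventory by days remaining. The 30-day window, the function names and the sample hosts and dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal window; tune it to your issuance process


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until expiry; not_after uses the getpeercert() date format."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining < warn_days:
        return "RENEW"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with full verification and return the leaf certificate's notAfter.

    An already expired certificate fails verification here and raises
    ssl.SSLCertVerificationError, which a monitor should treat as EXPIRED.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def report(inventory: dict, now: datetime) -> dict:
    """Map each asset name to OK, RENEW or EXPIRED."""
    return {name: classify(not_after, now) for name, not_after in inventory.items()}


# Constructed sample inventory (host names and dates are made up).
SAMPLE = {
    "api.example.test": "Jun 30 12:00:00 2025 GMT",
    "www.example.test": "Jan 20 12:00:00 2025 GMT",
    "old.example.test": "Dec 15 12:00:00 2024 GMT",
}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status in report(SAMPLE, SAMPLE_NOW).items():
        print(f"{status:8} {name}")
```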
Detect insider threats [Series A]
The most important attacks will come from insider threats. Those can be users or attackers gaining access to privileged user accounts. Make sure you monitor your users to detect attackers before an attack happens.
Get notified when your app is under attack [Series B]
You will be attacked. Make sure you have a monitoring system in place that will detect security events targeting your application before it’s too late. Knowing when your application is starting to get massively scanned is key to stopping more advanced attacks.
Monitor third party vendors [Series A]
Monitor your authorizations [Series B]
Be proactive and be alerted when authorizations or keys binary are changed in your production.
Monitor your DNS expiration date [Series A]
Just like TLS certificates, domain name registrations can expire. Make sure you monitor your domain expiration dates automatically.
Automatically configure & update your servers [Series B]
An automated configuration management tool helps you ensure that your servers are updated and secured.
Backup regularly [Series A]
Your data is likely to be your business’s most precious asset. Be sure not to lose it. Implement proper backups and check for backup integrity.
MongoDB Backup: https://docs.mongodb.com/manual/core/backups/
Check your SSL / TLS configurations [Series A]
Use free tools to scan your infrastructure regularly and make sure the SSL configurations are correct.
Control access on your cloud providers [Series A]
The best way to protect your services (database, file storage) is to not use passwords at all. Use the built-in Identity and Access Management (IAM) functions to securely control access to your resources.
Encrypt all the things [Post Series B]
SSL performance problems are a myth and you don’t have any good reasons not to use SSL on all your public services.
Harden SSH configurations [Post Series B]
SSH is the de facto remote login mechanism on Linux environments. It’s also the de facto penetration vector for hackers. Make sure you have proper SSH configurations.
Keep your containers protected [Series B]
Use Docker (or Kubernetes), and ensure that they are patched and secure. Use tools to automatically update and scan your containers for security vulnerabilities.
Log all the things [Series A]
Infrastructure logs and application logs are your most precious allies for investigating a data breach. Make sure your logs are stored somewhere safe and central. Also make sure you whitelist or blacklist specific incoming data to avoid storing personally identifiable information (PII).
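A sketch of that filtering, as an added example that is not part of the original checklist: structured fields pass through an allowlist, and free text goes through a denylist that masks e-mail addresses and Luhn-valid card numbers. The field names, the patterns and the `fields` record attribute are assumptions.

```python
import logging
import re

ALLOWED_FIELDS = {"event", "user_id", "status", "detail"}  # assumed log schema
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Card checksum, used so that timestamps and order ids are not masked."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0


def scrub(text: str) -> str:
    """Denylist pass for free text: mask e-mail addresses and card numbers."""
    text = EMAIL.sub("[email]", text)
    return CARD.sub(lambda m: "[card]" if luhn_ok(m.group()) else m.group(), text)


def sanitize(fields: dict) -> dict:
    """Allowlist pass: unknown keys are dropped and only their names are kept."""
    clean = {k: scrub(v) if isinstance(v, str) else v
             for k, v in fields.items() if k in ALLOWED_FIELDS}
    dropped = sorted(set(fields) - ALLOWED_FIELDS)
    if dropped:
        clean["dropped_fields"] = dropped
    return clean


class PiiFilter(logging.Filter):
    """Attach to a handler so every record is cleaned before it is shipped."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())  # format first, then mask
        record.args = None
        if isinstance(getattr(record, "fields", None), dict):
            record.fields = sanitize(record.fields)  # hypothetical 'fields' extra
        return True
```

Recording the names of dropped fields keeps the log useful for spotting a new PII source without storing its values.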
Manage secrets with dedicated tools and vaults [Post Series B]
When you need to store cryptographic secrets (other than database password, TLS certificate, …) and perform encryption with them, you should use dedicated tools. This way the cryptographic secret never leaves the tool and you get auditing features.
Store encrypted passwords in your configuration management [Series B]
Storing passwords (like database ones) can be done on a dedicated database with restricted access. Another solution is to store them encrypted in your Source Code Management (SCM) system. That way, you just need the master key to decrypt them.
Upgrade your servers regularly [Series A]
Server packages and libraries are often updated when security vulnerabilities are found. You should update them as soon as a security vulnerability is detected.
Use an immutable infrastructure [Post Series B]
Use immutable infrastructures to avoid having to manage and update your servers.
Cover your ass [Series B]
It is not a question of “if” but “when”. Evaluate your risks, prepare a proper action plan in case of a breach and communicate properly after the fact.
Follow an onboarding / offboarding checklist [Post Series B]
This checklist should contain a list of all the steps you need to enforce when an employee, contractor, intern, etc., joins your company. A similar list should also be used when someone is leaving your team to ensure that they no longer have access to any of your company’s resources.
Gamify security and train employees on a regular basis [Series B]
Humans are the weakest links in the security chain. DevOps contributes to the security awareness of all the employees in a company. By explaining how an attacker could infiltrate your company, you will increase awareness and thus minimize the chance of a hack. Don’t forget phishing and spear-phishing attacks.
Stay on top of best practices [Series A]
DevOps is an ever-changing landscape. Ensure that you stay up to date in terms of new technologies, vulnerabilities or best practices.
Understand the risk [Series A]
The cost of breaches is drastically increasing and security should be taken seriously inside an organization. As a DevOps engineer you should play an important role in advocating for better security practices.
Don't implement your own crypto [Post Series B]
The problem with cryptography is that you don’t know you are wrong until you are hacked. So don’t do your own crypto. Use standards instead.
Ensure you are using security headers [Series A]
Modern browsers support a set of headers dedicated to blocking certain types of attacks. Make sure you have properly implemented all security headers. Don’t forget about the Content Security Policy (CSP).
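A header audit that could run as a CI or monitoring check, as an added example that is not part of the original checklist: it takes one response's headers and lists what is missing or weak, including a CSP that still permits inline scripts. The 180-day HSTS threshold, the finding texts and the sample headers are assumptions.

```python
import re

MIN_HSTS_AGE = 15552000  # 180 days; assumed policy threshold, not from the page
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> dict:
    """Directive name -> source list; a repeated directive is ignored, as in browsers."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def audit_headers(headers: dict) -> list:
    """Return findings for the response headers of one HTTPS page."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []

    hsts = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS missing or max-age too short")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))  # script-src falls back
    if scripts is None:
        findings.append("CSP missing or does not restrict scripts")
    elif "'unsafe-inline'" in scripts and not any(s.startswith(HASH_OR_NONCE) for s in scripts):
        # a nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'
        findings.append("CSP allows inline scripts")

    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing restriction (clickjacking)")
    return findings


# Constructed sample responses (header values are made up).
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
GOOD = {"strict-transport-security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m' "
                                   "'unsafe-inline'; frame-ancestors 'none'"}
```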
Go hack yourself [Post Series B]
If your company doesn’t yet have a structured security team, help create a multidisciplinary Red Team to stress your application and infrastructure. Providing an easy environment for the Red Team to attack the application should be part of the scope of DevOps.
Integrate security scanners in your CI pipeline [Series B]
Keep your dependencies up to date [Series A]
Protect your CI/CD tools like your product [Post Series B]
Your continuous deployment pipeline is the backbone of your IT. Security should be checked at each step. Your CI builds should fail if you detect a security vulnerability. Store your CI configuration for traceability and audit.
Run Security tests on your code [Series A]
Static Application Security Testing (SAST) is an easy and fast way to find security vulnerabilities in your code. You can enforce SAST security checks in your CI, but be aware of the high number of false positives that can frustrate developers.
Don’t store credit card information (if you don’t need to) [Series A]
Use third-party services to store credit card information to avoid having to manage and protect them.
Enforce Two-factor authentication (2FA) [Post Series B]
Enforce 2FA on all the services used (whenever possible).
Ensure Compliance with Relevant Industry Standards [Post Series B]
Comply with standards to ensure you follow industry best practices and answer your customers’ needs. But simple compliance will never protect your apps. Make sure you also take security seriously.
Have a public bug bounty program [Series B]
A bug bounty program will allow external hackers to report vulnerabilities. Most bug bounty programs allow you to offer rewards for bugs found. A lot of the reports won’t be valuable, and you need security-aware people inside your development teams to evaluate the bugs you receive. These programs are good additions to other security initiatives and can by no means be considered enough.
Have a public security policy [Series A]
This is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive aren’t relevant. Don’t freak out if you receive so-called “critical disclosures”.
Check out the Open Source Security Page
Protect against Denial Of Service (DoS) [Series B]
DoS attacks are meant to break your application and make it unavailable to your customers. Use a specific service to protect your app against Distributed Denial Of Service attacks.
Protect your applications against breaches [Series A]
A real-time protection tool like Sqreen allows you to orchestrate your app security easily. Sqreen will enable you to get full visibility on your security, prevent data breaches, protect your customers, and stop business logic attacks. Customize your application’s response to attacks (block attack, log stack trace etc.) and get notified when something important happens.
Protect your servers and infrastructure [Series A]
Your servers will be scanned in order to fingerprint your application and locate open services, misconfigurations, etc. You can set up tools to keep these scanners away from your servers.
Protect your users against account takeovers [Series A]
Credential stuffing or brute force attacks are easy to set up. You should make sure your users are protected against account takeovers.