This security checklist aims to give DevOps professionals a list of DevOps security best practices they can follow to implement DevSecOps.
Audit your infrastructure on a regular basis
Series A
With cloud providers, it’s easy to start instances and forget about them. Create and maintain an inventory of your assets (servers, network devices, exposed services, etc.), and review it regularly to determine whether you still need each one, keep them up to date, and ensure they benefit from your latest deployments.
http://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
http://searchenterpriselinux.techtarget.com/tip/Creating-an-inventory-with-nmap-network-scanning
Renew your certificates on time
Series A
You should be using TLS certificates. It can be a hassle to configure and monitor but don’t forget to renew them!
https://serverlesscode.com/post/ssl-expiration-alerts-with-lambda/
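An added example (not code from the page or the linked post) of the kind of expiry check such an alert can be built on: it classifies a certificate's `notAfter` value against a warning threshold, and the optional live fetch uses only the standard library. The 14-day threshold is an assumption.

```python
import ssl
import socket
import sys
import time

WARN_DAYS = 14  # alert this many days before expiry; assumption for this example

def days_until_expiry(not_after: str, now: float) -> float:
    """not_after is the 'notAfter' string from SSLSocket.getpeercert(),
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative result means already expired."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def classify(not_after: str, now: float, warn_days: int = WARN_DAYS) -> str:
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate's notAfter from a live host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    # usage: python check_certs.py host1 host2 ...
    now = time.time()
    for host in sys.argv[1:]:
        try:
            na = fetch_not_after(host)
            print(f"{host}: {classify(na, now)} ({days_until_expiry(na, now):.1f} days left)")
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: ERROR {exc}")
```

Run it from cron or a Lambda and page on anything that is not `OK`.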
Detect insider threats
Series A
The most damaging attacks will come from insider threats. Those can be your own users, or attackers who have gained access to privileged user accounts. Monitor your users so you can detect an attacker before the attack happens.
Get notified when your app is under attack
Series B
You will be attacked. Make sure you have a monitoring system in place that detects security events targeting your application before it’s too late. Knowing when your application starts being massively scanned is key to stopping more advanced attacks.
https://www.linode.com/docs/security/using-fail2ban-for-security#email-alerts
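An added example (not from the page or the linked guide) of the detection logic behind a fail2ban-style alert: it counts failed SSH logins per source IP inside a sliding window and flags the IP once fail2ban's default `maxretry`/`findtime` thresholds are hit. The log lines, hostnames and IPs are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes (made-up hosts/IPs).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar  3 10:00:03 web1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51118 ssh2
Mar  3 10:00:04 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51120 ssh2
Mar  3 10:00:05 web1 sshd[1207]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:00:06 web1 sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:08 web1 sshd[1211]: Failed password for invalid user pi from 203.0.113.7 port 51134 ssh2
Mar  3 10:15:00 web1 sshd[1300]: Failed password for deploy from 198.51.100.20 port 40030 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; assume one so the window arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_brute_force(log_text: str, max_retry: int = 5, window_s: int = 600) -> dict:
    """Return {ip: time the threshold was first hit} for IPs with at least
    max_retry failed logins inside any window_s-second window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()   # drop failures older than the window
        if len(q) >= max_retry and ip not in flagged:
            flagged[ip] = t
    return flagged

if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"ALERT: {ip} hit the failed-login threshold at {when:%H:%M:%S}")
```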
Monitor third party vendors
Series A
You’re likely to use third party products to manage your servers / payrolls / logs or even just social media. Just like you’re likely to be hacked, they can be too. Make sure you follow the news and react immediately after a breach.
Monitor your authorizations
Series B
Be proactive: get alerted whenever authorizations, keys, or binaries are changed in your production environment.
http://techblog.netflix.com/2017/03/netflix-security-monkey-on-google-cloud.html
Monitor your DNS expiration date
Series A
Just like TLS certificates, domain registrations can expire. Make sure you monitor your domain expiration dates automatically.
Automatically configure & update your servers
Series B
An automated configuration management tool helps you ensure that your servers are updated and secured.
Chef: https://learn.chef.io/tutorials/
Puppet: https://www.digitalocean.com/community/tutorials/how-to-install-puppet-4-in-a-master-agent-setup-on-ubuntu-14-04
Ansible: http://docs.ansible.com/ansible/intro_getting_started.html
Salt: https://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html
Backup regularly
Series A
Your data is likely to be your business’s most precious asset. Be sure not to lose it. Implement proper backups and check for backup integrity.
MongoDB Backup: https://docs.mongodb.com/manual/core/backups/
Postgresql: https://www.postgresql.org/docs/current/static/backup.html
Linux: http://www.tecmint.com/linux-system-backup-tools/
https://www.dataone.org/best-practices/ensure-integrity-and-accessibility-when-making-backups-data
Check your SSL / TLS configurations
Series A
Use free tools to scan your infrastructure regularly and make sure the SSL configurations are correct.
https://observatory.mozilla.org/
https://diogomonica.com/2015/12/29/from-double-f-to-double-a/
Control access on your cloud providers
Series A
The best way to protect your services (database, file storage) is to not use passwords at all. Use the built-in Identity and Access Management (IAM) functions to securely control access to your resources.
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
Encrypt all the things
Post Series B
SSL performance problems are a myth and you don’t have any good reasons not to use SSL on all your public services.
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
Harden SSH configurations
Post Series B
SSH is the de facto remote login mechanism on Linux environments. It’s also the de facto entry vector for attackers. Make sure your SSH configuration is properly hardened.
https://devops.profitbricks.com/tutorials/secure-the-ssh-server-on-ubuntu/
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys–2
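An added example (not from the page or the linked tutorials) of how to audit an `sshd_config` against a hardened baseline, including directives that are silently left at their defaults. The baseline values and the defaults in `CHECKS` are this example's assumptions; confirm them against `sshd -T` on your version.

```python
# directive -> (hardened value, OpenSSH default used when the directive is absent).
# Both columns are this example's assumptions (confirm with `sshd -T`), not from the page.
CHECKS = {
    "PermitRootLogin": ("no", "prohibit-password"),
    "PasswordAuthentication": ("no", "yes"),
    "PermitEmptyPasswords": ("no", "no"),
    "X11Forwarding": ("no", "no"),
    "MaxAuthTries": ("3", "6"),
}

def parse_sshd_config(text: str) -> dict:
    """Return {directive_lowercase: value}. First occurrence wins, as in sshd,
    and everything from the first Match block on is skipped as conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        if key.lower() == "match":
            break
        settings.setdefault(key.lower(), value.strip())
    return settings

def audit(text: str) -> list:
    """Return (directive, effective value, hardened value) for every weak setting."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (want, default) in CHECKS.items():
        have = cfg.get(key.lower(), default)
        ok = int(have) <= int(want) if key == "MaxAuthTries" else have.lower() == want
        if not ok:
            findings.append((key, have, want))
    return findings

# Constructed sample: root login enabled explicitly, password auth and
# MaxAuthTries silently left at their defaults.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes   # left over from initial provisioning
PubkeyAuthentication yes
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for directive, have, want in audit(SAMPLE_CONFIG):
        print(f"{directive}: is '{have}', should be '{want}'")
```

Feed it the real file with `audit(open("/etc/ssh/sshd_config").read())` from a config-management check or a CI job.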
Keep your containers protected
Series B
Use Docker (or Kubernetes), and ensure that they are patched and secure. Use tools to automatically update and scan your containers for security vulnerabilities.
https://www.docker.com/docker-security
https://docs.docker.com/docker-cloud/builds/image-scan/
https://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/
https://www.slideshare.net/MichaelCherny/security-best-practices-for-kubernetes-deployment
Log all the things
Series A
Infrastructure logs and application logs are your most precious allies when investigating a data breach. Make sure your logs are stored somewhere safe and central. Also make sure you whitelist or blacklist specific incoming data so you avoid storing personally identifiable information (PII).
https://qbox.io/blog/welcome-to-the-elk-stack-elasticsearch-logstash-kibana
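An added example (not from the page or the ELK post) of the whitelist/blacklist step before logs are shipped: an allowlist keeps only approved JSON fields, and a blocklist pass masks e-mail addresses and Luhn-valid card numbers in free text so that order ids are not masked by mistake. The field names and the sample line are constructed for the example.

```python
import json
import re

# Fields allowed through to central log storage (an allowlist); anything else,
# such as user_email below, is dropped. Field names are this example's assumptions.
ALLOWED_FIELDS = {"ts", "level", "service", "request_id", "path", "status", "msg"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps are not masked as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _mask_card(m):
    return "[CARD]" if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0)

def redact(text: str) -> str:
    """Blocklist pass over free text: mask e-mail addresses and valid card numbers."""
    return CARD_RE.sub(_mask_card, EMAIL_RE.sub("[EMAIL]", text))

def sanitize_record(raw_line: str) -> dict:
    """One JSON log line in; a dict with only allowlisted fields and redacted strings out."""
    rec = json.loads(raw_line)
    return {k: (redact(v) if isinstance(v, str) else v)
            for k, v in rec.items() if k in ALLOWED_FIELDS}

# Constructed sample line; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_LINE = json.dumps({
    "ts": "2024-03-03T10:00:00Z", "level": "info", "service": "checkout",
    "request_id": "req-42", "status": 200, "user_email": "alice@example.com",
    "msg": "payment by alice@example.com with card 4111 1111 1111 1111 ok",
})

if __name__ == "__main__":
    print(json.dumps(sanitize_record(SAMPLE_LINE), sort_keys=True))
```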
Manage secrets with dedicated tools and vaults
Post Series B
When you need to store cryptographic secrets (beyond the usual database passwords and TLS certificates) and perform encryption with them, use a dedicated tool. That way the secret never leaves the tool, and you get auditing features as well.
https://github.com/square/keywhiz