loading...

Checklist for DevSecOps

httpsomkar profile image Omkar Yadav Updated on ・2 min read

Adding security headers

On my first security scan, this was the missing thing in my infrastructure. I missed so many headers, which can make the application more secure.

  • HTTP Strict Transport Security (HSTS)
  • Public Key Pinning Extension for HTTP (HPKP)
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Expect-CT
  • Feature-Policy

My snippet for Nginx

Implement Subresource Integrity on Web Applications

According to MDN, Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
In your web application in your bundler, implement subresource integrity. For webpack, there is a plugin https://www.npmjs.com/package/webpack-subresource-integrity, which adds the subresource integrity automatically.

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Disable TLS 1.0 and 1.1

The web server supports encryption through TLS 1.0. TLS 1.0 is not considered to be “strong cryptography” as defined and required by the PCI Data Security Standard.
When aiming for Payment Card Industry (PCI) Data Security Standard (DSS) compliance, it is recommended (although at the time or writing not required) to use TLS 1.2 or higher instead. If you disable this older browser may not support your site.

Implement mTLS in your Kubernetes cluster

Docker containers run with root privileges by default. Which this you can install the packages for your container by apt, pkg, or some other package manager. Ask your developer in my case; it is me. add this line in the end of Dockerfile

USER 1001

More info
https://engineering.bitnami.com/articles/why-non-root-containers-are-important-for-security.html

Practice secret instead of the plain text environment variables in Kubernetes

When you create any container with the environment contains some sensitive information like database connection URLs, passwords, usernames, etc. make sure it in secret.

Scan container images

In your docker registry, implement the vulnerability scanner, which can scan your docker container periodically with identified vulnerabilities. I prefer to practice https://github.com/quay/quay for the registry, which can scan container images using Clair.

Implement runtime container security

Runtime security and auditing are important in case somebody breaks into the infrastructure. I practice https://falco.org/. Falco parses Linux system calls from the kernel at runtime and asserts the stream against a powerful rules engine. If a rule is violated, a Falco alert is triggered. Read more at https://falco.org/docs/.

Implement the logging mechanism in the infrastructure

I practice https://prometheus.io/ for our infrastructure, which logs and aggregate all the data from your all cluster. Monitor all the spikes and let you understand better about any incident.

Original post

Posted on by:

httpsomkar profile

Omkar Yadav

@httpsomkar

I'm the type of person that if you ask me a question and I don't know the answer, I'm gonna tell you that I don't know. But I bet you what, I know how to find the answer and I will find the answer.

Discussion

markdown guide