The DevOps Security Checklist
A PROJECT BY
Culture
SERIES B
https://blog.serverdensity.com/how-to-write-a-postmortem/
https://codeascraft.com/2012/05/22/blameless-postmortems/
https://blog.sqreen.io/cybersecurity-risk-assessment-for-startup-cto/
POST SERIES B
https://www.rippling.com/
https://about.gitlab.com/handbook/general-onboarding/
https://about.gitlab.com/handbook/offboarding/
SERIES B
https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html
http://lifehacker.com/5933296/how-can-i-protect-against-hackers-who-use-sneaky-social-engineering-techniques-to-get-into-my-accounts
https://aws.amazon.com/whitepapers/architecting-for-the-aws-cloud-best-practices/
https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices
http://webopsweekly.com/
SERIES A
http://www.nttcomsecurity.com/us/uploads/documentdatabase/US_Report_Risk_Value_Public_Approved_v2.pdf
http://fortune.com/2016/06/15/data-breach-cost-study-ibm/
https://www.troyhunt.com/the-emergence-of-historical-mega-breaches/
Code
POST SERIES B
https://en.wikipedia.org/wiki/Bcrypt
http://crypto.stackexchange.com/questions/43272/why-is-writing-your-own-encryption-discouraged
https://download.libsodium.org/doc/
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
https://securityheaders.io/
https://myheaders.sqreen.io/
https://blog.appcanary.com/2017/http-security-headers.html
POST SERIES B
❑ Go hack yourself
If your company doesn't yet have a structured security team, help create a
multidisciplinary Red Team to stress your application and infrastructure. Giving the
Red Team an environment that is easy to attack (and safe to break) should be part of
the scope of DevOps.
http://www.devsecops.org/blog/2015/12/10/red-team-pwning-the-hearts-and-minds-one-
ticket-at-a-time
SERIES B
http://www.arachni-scanner.com/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.acunetix.com/vulnerability-scanner/
SERIES A
https://www.sqreen.io/
POST SERIES B
https://wiki.jenkins-ci.org/display/JENKINS/JobConfigHistory+Plugin
https://www.slideshare.net/kponiatowski/if-cicd-teams-have-time-for-security-so-do-you
SERIES A
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://github.com/mre/awesome-static-analysis
https://docs.travis-ci.com/user/coverity-scan
Infrastructure
SERIES B
Chef: https://learn.chef.io/tutorials/
Puppet: https://www.digitalocean.com/community/tutorials/how-to-install-puppet-4-in-a-master-agent-setup-on-ubuntu-14-04
SERIES A
❑ Backup regularly
Your data is likely to be your business's most precious asset. Be sure not to lose it.
Implement proper backups and check their integrity: record checksums when the backup is
made, keep at least one copy that the production credentials cannot overwrite or delete
(an attacker who wipes your database will go after the backups next), and test a real
restore on a schedule. A backup that has never been restored is not known to work.
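The following is an added example of the "check for backup integrity" step; it is not code from the checklist or from any tool it links. It assumes (my choices, not the page's) that the data is a directory tree, the backup is a gzip tarball, and a JSON manifest of per-file SHA-256 digests is written beside it. Verification re-checks the archive digest, performs a real restore into a scratch directory while refusing archive members that could escape it, and compares the restored tree to the manifest. The sample data is constructed inline.

```python
"""Backup creation plus integrity and restore check (added example, see lead-in).

Keep a copy of the manifest somewhere the backup host cannot write to: if an
attacker can alter the archive they can usually alter a manifest stored next to it.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive src into dest_dir and record digests of the files and of the archive."""
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest.write_text(json.dumps({"files": build_manifest(src),
                                    "archive_sha256": sha256_file(archive)}))
    return archive, manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse members that would escape the restore directory (tar slip) or create
    links: a tampered backup must not become a file-write primitive on restore."""
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        if os.path.isabs(name) or name.startswith(".."):
            raise ValueError(f"unsafe path in archive: {m.name}")
        if m.issym() or m.islnk():
            raise ValueError(f"link in archive: {m.name}")
        yield m


def verify_backup(archive: Path, manifest: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore test passed."""
    expected = json.loads(manifest.read_text())
    if sha256_file(archive) != expected["archive_sha256"]:
        return ["archive digest mismatch (corrupted or tampered)"]
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as tmp:          # scratch restore target
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp, members=_safe_members(tar))
        restored = build_manifest(Path(tmp))
        for rel, digest in expected["files"].items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch after restore: {rel}")
        for rel in restored.keys() - expected["files"].keys():
            problems.append(f"unexpected file after restore: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed data: back up two files, verify, then flip a byte in the archive."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "users.sql").write_text("INSERT INTO users VALUES (1, 'alice');\n")
        (src / "sub" / "config.yml").write_text("db_host: db.internal\n")
        out = Path(work) / "backups"
        out.mkdir()
        archive, manifest = create_backup(src, out)
        clean = verify_backup(archive, manifest)
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF                      # simulate corruption or tampering
        archive.write_bytes(bytes(data))
        corrupted = verify_backup(archive, manifest)
    return clean, corrupted


if __name__ == "__main__":
    print(demo())
```

In a real job the restore target would be a throwaway database or host rather than a temporary directory, but the shape is the same: never trust a backup you have not restored and compared against a digest recorded at creation time.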
SERIES A
https://observatory.mozilla.org/
https://www.ssllabs.com/
https://diogomonica.com/2015/12/29/from-double-f-to-double-a/
SERIES A
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
https://letsencrypt.org/
https://certbot.eff.org/
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
POST SERIES B
https://devops.profitbricks.com/tutorials/secure-the-ssh-server-on-ubuntu/
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
SERIES B
https://www.docker.com/docker-security
https://docs.docker.com/docker-cloud/builds/image-scan/
https://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/
https://www.slideshare.net/MichaelCherny/security-best-practices-for-kubernetes-deployment
https://qbox.io/blog/welcome-to-the-elk-stack-elasticsearch-logstash-kibana
https://www.loggly.com/
POST SERIES B
https://www.vaultproject.io/
https://github.com/square/keywhiz
https://aws.amazon.com/cloudhsm/
https://aws.amazon.com/kms/
SERIES B
❑ Secrets management
Passwords (such as database credentials) can be stored in a dedicated database with
restricted access. Another option is to store them encrypted in your Source Code
Management (SCM) system, so that only the master key is needed to decrypt them. Keep in
mind that anything committed stays in the repository history: if the master key is ever
exposed, every secret it protected must be rotated, not just the key, and a single
plaintext commit by mistake is the most common way this scheme fails.
Chef: https://github.com/chef/chef-vault
Puppet: https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
Salt: https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html
Ansible: http://docs.ansible.com/ansible/playbooks_vault.html
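As an added example of guarding the "encrypted secrets in SCM" approach (not code from the checklist or from Ansible), here is a pre-commit check that refuses a commit when a file under a secrets directory is not vault-encrypted, or when a file elsewhere looks like it contains a plaintext credential. It assumes (my choices) that secret files live under `secrets/` and are encrypted with ansible-vault, whose encrypted files start with the documented `$ANSIBLE_VAULT;` header; the directory layout, the pattern list and the sample commit are hypothetical.

```python
"""Pre-commit guard for encrypted secrets in SCM (added example, see lead-in).

Install by calling it from .git/hooks/pre-commit with --git; without that flag
it checks a constructed sample commit so it can run offline.
"""
from __future__ import annotations

import re
import subprocess
import sys

VAULT_HEADER = "$ANSIBLE_VAULT;"      # header ansible-vault writes on encrypted files
SECRETS_DIR = "secrets/"              # assumed layout: all secret files live here

# Plaintext-secret patterns for files outside secrets/. Deliberately few and
# high-confidence, so the hook does not train people to bypass it with --no-verify.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hard-coded password": re.compile(
        r"(?i)\b(?:password|passwd|db_pass)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


def check_file(path: str, content: str) -> list[str]:
    """Return human-readable findings for one staged file (empty list = clean)."""
    if path.startswith(SECRETS_DIR):
        # Files under secrets/ must be ciphertext; the vault header is the proof.
        if content.startswith(VAULT_HEADER):
            return []
        return [f"{path}: file under {SECRETS_DIR} is not vault-encrypted"]
    findings: list[str] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for label, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(f"{path}:{lineno}: possible {label}")
    return findings


def check_staged(files: dict[str, str]) -> list[str]:
    """files maps repo-relative path -> staged content."""
    findings: list[str] = []
    for path, content in files.items():
        findings.extend(check_file(path, content))
    return findings


def staged_files_from_git() -> dict[str, str]:
    """Read the index (staged) version of each added/copied/modified file,
    which is what will actually be committed, not the working-tree copy."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.splitlines()
    return {n: subprocess.run(["git", "show", f":{n}"], capture_output=True,
                              text=True, check=True).stdout
            for n in names}


# Constructed stand-in for a staged commit (the key ID is AWS's documentation example).
SAMPLE_COMMIT = {
    "secrets/db.yml": "$ANSIBLE_VAULT;1.1;AES256\n3962313830\n",
    "secrets/api.yml": "api_token: sk_live_notreal\n",
    "app/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "README.md": "Set DB_PASS in the environment, never in this repo.\n",
}


def demo() -> list[str]:
    return check_staged(SAMPLE_COMMIT)


if __name__ == "__main__":
    files = staged_files_from_git() if "--git" in sys.argv else SAMPLE_COMMIT
    problems = check_staged(files)
    print("\n".join(problems) or "no plaintext secrets staged")
    sys.exit(1 if problems else 0)
```

Two of the four sample files are rejected: the unencrypted file under `secrets/` and the settings module carrying a key ID. A hook like this only catches what the patterns know about, so it complements, rather than replaces, rotating any secret that does slip into history.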
https://www.ubuntu.com/usn/
https://help.ubuntu.com/community/AutomaticSecurityUpdates
https://access.redhat.com/security/vulnerabilities
POST SERIES B
https://martinfowler.com/bliki/ImmutableServer.html
https://hackernoon.com/configuration-management-is-an-antipattern-
e677e34be64c#.n68b1i3eo
Protection
SERIES A
❑ Don't store credit card information (if you don't need to)
Use a third-party payment provider to store credit card information, so that card data
never reaches your servers and you avoid having to manage and protect it yourself. This
also keeps most of the PCI DSS compliance burden with the provider.
https://stripe.com/
https://www.braintreepayments.com
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
https://medium.com/@folsen/accepting-payments-is-getting-harder-1b2f342e4ea#.
897akko4q
https://duo.com/
https://auth0.com/
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-
need-to-know/
POST SERIES B
https://cloudsecurityalliance.org/
https://en.wikipedia.org/wiki/ISO/IEC_27001:2013
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
SERIES B
https://www.tripwire.com/state-of-security/vulnerability-management/launching-an-
efficient-and-cost-effective-bug-bounty-program/
https://www.hackerone.com/
https://bountyfactory.io/en/index.html
SERIES A
SERIES B
https://www.akamai.com/
https://www.cloudflare.com/ddos/
https://www.ovh.com/us/news/articles/a1171.protection-anti-ddos-service-standard
SERIES A
https://www.sqreen.io/
https://en.wikipedia.org/wiki/Web_application_firewall
SERIES A
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-
ubuntu-14-04
https://www.sqreen.io/
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
https://security.stackexchange.com/questions/94432/should-i-implement-incorrect-
password-delay-in-a-website-or-a-webservice
Monitoring
SERIES A
http://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
http://searchenterpriselinux.techtarget.com/tip/Creating-an-inventory-with-nmap-network-scanning
https://github.com/Netflix/security_monkey
SERIES A
https://www.ssllabs.com/
https://serverlesscode.com/post/ssl-expiration-alerts-with-lambda/
https://www.sqreen.io/
SERIES B
https://www.linode.com/docs/security/using-fail2ban-for-security#email-alerts
https://www.sqreen.io/
http://alerta.io/
SERIES A
https://haveibeenpwned.com/
https://twitter.com/SecurityNewsbot
SERIES B
http://techblog.netflix.com/2017/03/netflix-security-monkey-on-google-cloud.html
https://cloudsploit.com/events
SERIES A