11 · DevOps

DevOps Security

Security isn't a stage after deploy. It's a property of the whole pipeline: secrets, dependencies, images, transport, runtime, and people. Shift it left so the cost of a fix stays small.

Secrets

API keys, DB passwords, signing keys. Rule: never in the repo. Never in environment variables checked into Docker images. Never logged.

• Local dev: .env file in .gitignore.
• CI: provider-native secret store (GitHub Secrets, GitLab CI variables).
• Production: a vault (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager).
• Rotate regularly; revoke immediately when an engineer leaves.

Pre-commit scan: gitleaks, trufflehog. They catch the "oops, I committed AWS keys" before push.

Dependencies (supply chain)

Most production code is dependencies. A vulnerability in one library means a vulnerability in your app.

• Pin versions in lockfiles (requirements.txt with hashes, package-lock.json).
• Audit on every PR: pip-audit, npm audit, cargo audit.
• Automated updates: Dependabot, Renovate. Small PRs you can review one at a time.
• Know your SBOM — software bill of materials. It's the manifest of every dep in your image.

Container images

• Use minimal base images (alpine, distroless, slim).
• Run as a non-root user.
• Scan with trivy, grype, or your registry's built-in scanner — fail the build on HIGH/CRITICAL CVEs (or at least surface them).
• Don't bake secrets into images. Mount them at runtime.
• Sign images (Sigstore / cosign) and verify signatures at deploy time.

Transport

• HTTPS everywhere. Free certs via Let's Encrypt; auto-renew.
• HSTS header forces browsers to use HTTPS for your domain.
• Internal traffic: mTLS between services, or a service mesh (Linkerd, Istio).
• Strong ciphers only. Disable TLS < 1.2.

OWASP Top 10 (2021)

1. Broken Access Control — users accessing what they shouldn't. Enforce on the server; never trust the client.
2. Cryptographic Failures — passwords in plain text, weak hashes, missing TLS.
3. Injection — SQL, NoSQL, OS command, LDAP. Use parameterised queries; validate inputs.
4. Insecure Design — security flaws baked into requirements.
5. Security Misconfiguration — default credentials, open S3 buckets, stack traces shown to users.
6. Vulnerable & Outdated Components — see Dependencies above.
7. Identification & Authentication Failures — weak passwords, no rate-limit on login, sessions that never expire.
8. Software & Data Integrity Failures — trusting unsigned updates, deserialising untrusted data.
9. Security Logging & Monitoring Failures — can't detect a breach because you didn't log the right things.
10. SSRF — server-side request forgery. Validate that the URL your server fetches isn't pointing back at internal infrastructure.

Runtime & observability

• Rate-limit auth endpoints (login, password reset, /leads).
• Log auth events; alert on anomalies (geographic shifts, failed-login spikes).
• Use a WAF (Cloudflare, AWS WAF) for HTTP-layer protection.
• Principle of least privilege at every layer: DB users, IAM roles, container capabilities.

People

• 2FA on every account that can deploy or read production data.
• Hardware keys (YubiKey) for high-privilege accounts.
• Code review is a security control. So is pair programming.
• Phishing-aware: 90% of breaches start with a believable email.

"Security is not a product, it's a process." — Bruce Schneier. The pipeline is the product; security is what it does.

What to remember at exam time

• OWASP Top 10 — at least be able to recognise and define five of them.
• Where secrets live in each environment (local / CI / prod).
• Three container image hygiene rules.
• "Shift left" — what it means and why it's cheaper.
• HTTPS + HSTS + mTLS — what each gives you.