My notes from the DevOps Handbook

by Gene Kim, Jez Humble, Patrick Debois, John Willis

65. Ensure security of the application

Development testing focuses on the correctness of functionality by looking at positive logic flows. This type of testing is often referred to as the happy path.

Effective QA, Infosec, and Fraud practitioners will often focus on the sad paths, which happen when things go wrong, especially in relation to security-related error conditions.

Instead of performing these tests manually, we would ideally generate them as part of our automated unit or functional tests so that they can be run continuously in our deployment pipeline. As part of our testing, we will want to include the following:

Ensure security of our software supply chain

When we use components or libraries in our software, we not only inherit their functionality, but also any security vulnerabilities they contain.

When selecting software, we should detect when our software projects rely on components or libraries that have known vulnerabilities, and help developers choose the components they use deliberately and with due care.

Ensure security of the environment

We should do whatever is required to help ensure that environments are in a hardened, risk-reduced state, and put monitoring in place to ensure that all production instances match these known good states.

We do this by generating automated tests to ensure that all appropriate settings have been correctly applied: configuration hardening, database security settings, and key lengths.
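One way to turn the environment checks above into an automated pipeline test, as an added example that is not from the book: a flat settings snapshot of a production instance is compared against a known-good policy, and every deviation (wrong value, missing setting, too-weak key length or protocol version) becomes a finding. The snapshot format, the setting names and the policy values are constructed assumptions.

```python
# Constructed sample: a flat "key = value" export of one production instance's
# effective settings. The drifts (root login, logging, TLS version, key length,
# missing password_encryption) are deliberate so the checks have sad paths.
SAMPLE_SNAPSHOT = """\
ssh.password_authentication = no
ssh.permit_root_login = yes
db.require_ssl = on
db.log_connections = off
tls.min_version = 1.1
tls.rsa_key_bits = 1024
"""

# Hypothetical policy for the known-good state: exact values that must match,
# and numeric floors (protocol version, key length) that must be met.
EXPECTED_EXACT = {"ssh.password_authentication": "no", "ssh.permit_root_login": "no",
                  "db.require_ssl": "on", "db.log_connections": "on",
                  "db.password_encryption": "scram-sha-256"}
EXPECTED_MINIMUM = {"tls.min_version": 1.2, "tls.rsa_key_bits": 2048}


def parse_snapshot(text: str) -> dict[str, str]:
    # Parse 'key = value' lines; blank lines and '#' comments are skipped.
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"unparseable line: {line!r}")
        settings[key.strip()] = value.strip()
    return settings


def check_hardening(settings, exact=EXPECTED_EXACT, minimum=EXPECTED_MINIMUM):
    """Return one finding per deviation from policy; [] means known good."""
    findings = []
    for key, want in exact.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: missing (expected {want})")
        elif got.lower() != want.lower():
            findings.append(f"{key}: expected {want}, got {got}")
    for key, floor in minimum.items():
        got = settings.get(key, "")
        value = float(got) if got.replace(".", "", 1).isdigit() else None
        if value is None or value < floor:
            findings.append(f"{key}: {got or 'missing'} does not meet minimum {floor}")
    return findings


def findings_for_sample() -> list[str]:
    # A pipeline test asserts this is [] once the instance matches known good.
    return check_hardening(parse_snapshot(SAMPLE_SNAPSHOT))
```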