My notes from the DevOps Handbook
by Gene Kim, Jez Humble, Patrick Debois, John Willis
66. Integrate information security into production telemetry
Internal security controls are often ineffective because of blind spots in our
monitoring or because no one in our organization is examining the relevant
telemetry in their daily work.
Deploy the monitoring, logging, and alerting required to fulfill our information
security objectives throughout our applications and environments, as well as
ensure that it is adequately centralized to facilitate easy and meaningful
analysis and response.
Integrate our security telemetry into the same tools that Development, QA, and
Operations are using.
Creating security telemetry in our applications
Detect problematic user behavior with relevant telemetry in our applications.
- Successful and unsuccessful user logins
- User password resets
- User email address resets
- User credit card changes
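An added example (not from the book) of what "detecting problematic user behavior" can look like once these events are emitted as structured telemetry: a small detector that runs over constructed JSON-lines events and raises an alert on a burst of failed logins and on the reset-password, reset-email, change-card chain. Field names, thresholds and windows are assumptions.

```python
import json
from collections import defaultdict, deque

# Constructed sample telemetry covering the four event types listed above.
# The schema (ts, event, user, ok, src) is an assumption, not a prescribed format.
SAMPLE_EVENTS = """
{"ts": 100, "event": "login", "user": "alice", "ok": false, "src": "203.0.113.5"}
{"ts": 105, "event": "login", "user": "alice", "ok": false, "src": "203.0.113.5"}
{"ts": 110, "event": "login", "user": "alice", "ok": false, "src": "203.0.113.5"}
{"ts": 115, "event": "login", "user": "alice", "ok": false, "src": "203.0.113.5"}
{"ts": 120, "event": "login", "user": "alice", "ok": false, "src": "203.0.113.5"}
{"ts": 130, "event": "login", "user": "alice", "ok": true, "src": "203.0.113.5"}
{"ts": 140, "event": "password_reset", "user": "alice"}
{"ts": 150, "event": "email_reset", "user": "alice"}
{"ts": 160, "event": "credit_card_change", "user": "alice"}
{"ts": 170, "event": "login", "user": "bob", "ok": true, "src": "198.51.100.7"}
{"ts": 900, "event": "password_reset", "user": "bob"}
"""

FAILED_LOGIN_THRESHOLD = 5   # failures per user inside FAILED_LOGIN_WINDOW (assumed)
FAILED_LOGIN_WINDOW = 60     # seconds (assumed)
TAKEOVER_WINDOW = 300        # seconds within which the full chain is suspicious (assumed)
TAKEOVER_CHAIN = {"password_reset", "email_reset", "credit_card_change"}


def detect(lines):
    """Return (user, alert) pairs found in JSON-lines security telemetry."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    sensitive = defaultdict(dict)   # user -> {event type: last timestamp}
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login" and not ev["ok"]:
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > FAILED_LOGIN_WINDOW:   # drop stale failures
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:            # alert once per burst
                alerts.append((user, "brute_force_suspected"))
                q.clear()
        elif ev["event"] in TAKEOVER_CHAIN:
            seen = sensitive[user]
            seen[ev["event"]] = ts
            # All three account-change events for one user inside the window
            if TAKEOVER_CHAIN.issubset(seen) and ts - min(seen.values()) <= TAKEOVER_WINDOW:
                alerts.append((user, "account_takeover_pattern"))
                seen.clear()
    return alerts
```

The same detector can be fed from a centralized log store rather than an inline string; the point is that the application must emit these events first.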
Creating security telemetry in our environment
Create sufficient telemetry in our environments so that we can detect early
indicators of unauthorized access.
Monitor and alert on these items:
- OS changes
- Security group changes
- Changes to configurations
- Cloud infrastructure changes
- XSS/SQLi attempts
- Web server errors
Protect our deployment pipeline
Mitigate the attack vectors on our deployment pipeline. Our mitigation
strategies may include:
- Hardening continuous build and integration servers and ensuring we can
reproduce them in an automated manner
- Reviewing all changes introduced into version control
- Instrumenting our repository to detect when test code contains suspicious API
calls
- Ensuring every CI process runs on its own isolated container or VM
- Ensuring the version control credentials used by the CI system are read-only