The Core Philosophy of DevSecOps
Building a secure infrastructure is not about installing a single "magic bullet" firewall. It relies on the concept of Defense in Depth: building multiple, redundant, tightly layered security controls. If a hacker defeats your outer perimeter by stealing a password, your internal network policies, runtime monitoring, and lack of root access should aggressively halt their lateral movement.
Always adhere to these 8 foundational Best Practices.
1. Practice the Principle of Least Privilege (PoLP)
Never give a human, a server, or a microservice more permissions than it absolutely needs to do its job.
❌ Bad: Giving the frontend web server's IAM Role blanket AdministratorAccess, just to make it easier for it to read an S3 bucket.
✅ Good: Creating an IAM Role that exclusively allows s3:GetObject on the precise ARN of the specific bucket it requires, and explicitly denying all other AWS actions.
2. Eliminate Long-Lived Credentials
If an API key or password sits on a developer's laptop for 3 years, the statistical probability of it being compromised approaches 100%.
❌ Bad: Using a standard AWS Access Key and Secret Key string that never expires. ✅ Good: Integrating AWS SSO (Single Sign-On) so developers assume temporary, dynamically generated STS tokens that automatically expire and self-destruct after 60 minutes.
3. Shift-Left Aggressively
Do not wait for a quarterly penetration test to discover you have critical SQL injection flaws in your master branch.
Integrate SAST (Static Scanners), SCA (Dependency Scanners), and Secret Scanners natively into every GitHub Action or Jenkins pipeline. Block developers from merging Pull Requests until critical scanner alerts drop to zero.
4. Decouple Secrets from Code (Vaulting)
The most common way junior developers are hacked is by accidentally deploying a .env file to a public GitHub repository. Scraper bots scan GitHub continuously and will steal an exposed AWS key within roughly 4 seconds.
❌ Bad: Committing passwords to Git, even in private repositories. ✅ Good: Using a robust Secrets Manager (HashiCorp Vault, AWS Secrets Manager) and retrieving secrets exclusively at application runtime via API calls or Kubernetes Operators.
5. Implement Zero-Trust Networking
Do not trust internal traffic.
Assume the attacker is already inside your network. If the attacker breaches the Jenkins build server, what stops them from jumping directly onto the database host?
Implement strict, granular Security Groups (AWS) and Network Policies (Kubernetes). Explicitly map the allowed traffic paths mathematically inside your Terraform code. The API Gateway talks to the frontend. The frontend talks to the backend. The backend talks to the Database. Block all other transverse network routing.
6. Secure the Container Lifecycle
When adopting Docker and Kubernetes, treat images with deep skepticism.
- Scan all images automatically before pushing them to your private registry using tools like Trivy or Clair.
- Never run containers as root. Always define a bare minimum permissions user in the Dockerfile.
- Use minimal base images (like Alpine or Google Distroless) containing no shells (
/bin/sh) or curl commands that hackers could exploit.
7. Treat Infrastructure as Immutable
When a production Linux server starts behaving strangely, the legacy response was to SSH into it and run commands to debug and patch it.
This is unacceptable in modern DevSecOps. Opening port 22 for SSH access opens a massive security vector. If a server must be patched, you update the Terraform code, destroy the bad server, and automatically spin up a brand new, fully patched server.
Server operating systems should be read-only in production. This practice guarantees a known-good, auditable state.
8. Automate Compliance as Code
Do not rely on human memory or Excel spreadsheets to ensure GDPR, HIPAA, or SOC2 compliance.
Humans forget things. Humans are lazy. If a checkbox is required to encrypt a database, a human will eventually forget to check the box. Write the policy mathematically using tools like Open Policy Agent (Rego) or HashiCorp Sentinel.
Force the deployment engine itself to reject mathematically any code that attempts to violate your corporate compliance structure.