Here is a partial list of security activities to perform to raise your project's security level.
1. Minimal base container: build most projects from a very small base image with as few packages as possible. Fewer packages means fewer things to patch and less for an attacker to use once inside the container.
2. MySQL security: do not use the root user for application connections.
3. MySQL security: separate databases and database accounts per application. Where possible, give the application a restricted runtime account and keep a separate admin account for schema changes.
4. Back up databases and file buckets, and test that the backups actually restore.
5. Use Kubernetes Secrets instead of passwords in code. DO NOT place sensitive keys in environment variables: they leak through `ps`, `/proc/<pid>/environ`, crash dumps and child processes. Mount secrets as files instead, restrict who can read the Secret objects with RBAC, and remember that a Secret is only base64-encoded unless encryption at rest is enabled for etcd.
6. Check that the web server does not serve configuration files to clients, for example config.ini.
7. Use a web application firewall (WAF) in front of services on AWS / Google Cloud.
8. Configure Security Groups (network access rules) so that only the required ports are reachable, and only from the required sources.
9. Ensure Kubernetes nodes are not directly reachable from the Internet.
10. Script container process monitoring: alert on processes that should not be running inside a container (an interactive shell, a package manager, an unknown binary).
11. Enable TLS certificates / https URLs. Block plain HTTP traffic, or redirect it to https and set HSTS.
12. Enable encryption in transit, including between internal services, not only at the public edge.
13. Encryption at rest (disks, database volumes, object storage).
14. Cloud HSM if needed.
15. HashiCorp Vault service for storing and issuing secrets.
16. Service decoupling, so that a compromised component does not give access to everything else.
17. Enable 2-factor authentication.
18. Check for open ports. Check especially for MongoDB (27017), Redis (6379) and similar services, which are often installed with no authentication at all.
19. Restrict access to dev boxes.
20. DB structure: think about GDPR (which fields hold personal data, and how they are deleted on request).
21. Review application logs for clear-text passwords. PCI DSS requires that passwords are never written to logs in clear text.
22. Kubernetes cluster: disable public IPs on the API server and the nodes.
23. VM hardening.
24. Check that you have the user's original IP address in your logs. Behind a load balancer or reverse proxy the connecting address is the proxy's, so log the client address from the X-Forwarded-For HTTP header. Use only the entry that your own proxy appended (the right-most one that is not one of your proxies): the header is client-supplied, and anything to the left of that entry can be spoofed.
25. For container processes use dumb-init or the docker "--init" flag if you control the docker command line, so that PID 1 forwards signals and reaps zombie processes.
26. In addition to logs, make sure you have an audit trail for sensitive commands (who ran what, and when).
27. Review the JWT implementation (if you have one). Do not rely on HS256 with a short or guessable secret: the signature can be brute-forced offline from a single captured token, and the cracked secret then signs arbitrary tokens. Prefer an asymmetric algorithm (RS256 / ES256) or a long random secret, and make the verifier accept only the algorithm you configured: reject "alg": "none" and any algorithm switch carried in the token header.
28. Remove the Apache server-status and Nginx stub_status pages, or restrict them to localhost.
29. Make sure there is no "phpinfo()" call in the code, as it prints environment variables and configuration. Attackers can find a lot of sensitive information there.
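For the log-review item above, here is an added example (not code from the original post) of the kind of scan a practitioner would run over application logs before a PCI review. The log lines are constructed for the example; the key names in the first pattern are a starting set and should be extended with your own application's field names.

```python
import re

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO  login ok user=alice
2024-01-01T10:00:01Z DEBUG request body: {"username": "bob", "password": "Hunter2!"}
2024-01-01T10:00:02Z DEBUG GET /api?token=abc123&password=s3cret HTTP/1.1
2024-01-01T10:00:03Z DEBUG hdr Authorization: Basic Ym9iOkh1bnRlcjIh
2024-01-01T10:00:04Z INFO  connecting to mysql://app:Passw0rd@db:3306/shop
2024-01-01T10:00:05Z INFO  password reset email sent to carol
"""

# Every pattern captures the leaked value in a group named "secret".
PATTERNS = [
    # key=value / "key": "value" forms for common credential field names
    re.compile(r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b["\']?\s*[:=]\s*["\']?(?P<secret>[^\s"\'&,}]+)'),
    # HTTP Basic auth header: the base64 blob decodes to user:password
    re.compile(r'(?i)authorization:\s*basic\s+(?P<secret>[A-Za-z0-9+/=]+)'),
    # connection-string userinfo: scheme://user:password@host
    re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s]+)@'),
]


def find_secrets(line):
    """Return [(pattern_index, secret)] for every credential found in one line."""
    found = []
    for idx, pat in enumerate(PATTERNS):
        for m in pat.finditer(line):
            found.append((idx, m.group("secret")))
    return found


def redact(line):
    """Replace every matched secret with '***' so the finding can be reported safely."""
    for pat in PATTERNS:
        line = pat.sub(lambda m: m.group(0).replace(m.group("secret"), "***"), line)
    return line


def scan_log(text):
    """Return [(line_number, redacted_line)] for every line that leaks a credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if find_secrets(line):
            hits.append((n, redact(line)))
    return hits


if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Note that the last sample line ("password reset email sent") is a legitimate message and produces no finding: the first pattern requires a `=` or `:` separator after the key name, which keeps the scan useful on real logs instead of flagging every mention of the word.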
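For the X-Forwarded-For item above, here is an added example (not code from the original post) of how to pick the client address out of the header without trusting what the client sent. The proxy ranges in `TRUSTED_PROXIES` are an assumption for the example and must be replaced with the ranges of your own load balancers; the sample requests are constructed.

```python
import ipaddress

# Assumption for this example: our load balancers / reverse proxies live in
# these ranges. Replace with the real address ranges of your own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]


def _parse(addr):
    """Return an ip_address object, or None for anything that is not a literal IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Derive the client address from the TCP peer and the X-Forwarded-For header.

    The chain, left to right, is: <XFF entries as received> + <TCP peer>.
    Walk it from the right and skip our own proxies; the first address that is
    not ours is the one our proxy appended, i.e. the real client. Anything to
    the left of it came from the client itself and may be spoofed.
    Returns None when the chain is malformed (log that as such, never the raw header).
    """
    chain = [p for p in (xff_header or "").split(",") if p.strip()]
    chain.append(remote_addr)
    for entry in reversed(chain):
        ip = _parse(entry)
        if ip is None:
            return None
        if not _is_trusted_proxy(ip):
            return str(ip)
    # Every hop was one of our proxies (e.g. a health check): report the nearest one.
    return str(_parse(chain[0]))


# Constructed requests (not real traffic), each as (TCP peer, X-Forwarded-For value).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.7"),            # behind one proxy
    ("10.0.0.5", "1.2.3.4, 203.0.113.7"),   # client spoofed a header; proxy appended the truth
    ("10.0.0.5", "203.0.113.7, 10.0.1.9"),  # two of our proxies in the path
    ("198.51.100.2", "1.2.3.4"),            # no proxy in front: header is untrusted and ignored
    ("10.0.0.5", "not-an-ip"),              # tampered chain
]

if __name__ == "__main__":
    for peer, xff in SAMPLE_REQUESTS:
        print(f"peer={peer:<14} xff={xff!r:<26} client={client_ip(peer, xff)}")
```

The second sample request is the case that matters: the client sent its own `X-Forwarded-For: 1.2.3.4`, the proxy appended the real peer, and the right-to-left walk returns 203.0.113.7. Logging the left-most entry, as many examples do, would record the attacker's chosen value.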
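For the JWT item above, here is an added example (not code from the original post, and not any library's implementation) that shows both halves of the point: an offline dictionary attack on an HS256 token signed with a weak secret, and a verifier that pins the algorithm so the token header cannot downgrade it. The secrets, claims and wordlist are constructed for the example; a real attacker would use a large wordlist or a GPU cracker, but the mechanics are the same.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims, secret):
    """Produce a standard HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def crack_hs256(token, wordlist):
    """Offline dictionary attack: one captured token, no requests to the server.
    Returns the secret if it is in the wordlist, else None."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    target = _b64url_decode(sig)
    for word in wordlist:
        candidate = word.encode()
        if hmac.compare_digest(hmac.new(candidate, signing_input, hashlib.sha256).digest(), target):
            return candidate
    return None


def forge_alg_none(claims):
    """What an attacker sends to a verifier that honours the token's own "alg"."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify(token, secret, expected_alg="HS256"):
    """Verifier that pins the algorithm. Returns the claims, or None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:          # wrong segment count, bad base64, bad JSON
        return None
    if header.get("alg") != expected_alg:
        return None             # rejects "none" and any algorithm switch in the header
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


# Constructed values for the example.
WEAK_SECRET = b"secret123"                                   # the kind of key found in config files
STRONG_SECRET = bytes.fromhex("9f1c7a0b3e55d2c8a6b4f0e1d7c3a9b2" * 2)  # stands in for 32 random bytes
WORDLIST = ["password", "123456", "admin", "secret", "secret123", "changeme"]

if __name__ == "__main__":
    captured = sign_hs256({"sub": "alice", "admin": False}, WEAK_SECRET)
    key = crack_hs256(captured, WORDLIST)
    print("cracked secret:", key)
    forged = sign_hs256({"sub": "alice", "admin": True}, key)
    print("forged token accepted:", verify(forged, WEAK_SECRET))
    print("strong secret cracked:", crack_hs256(sign_hs256({"sub": "alice"}, STRONG_SECRET), WORDLIST))
    print("alg=none accepted:", verify(forge_alg_none({"sub": "alice", "admin": True}), WEAK_SECRET))
```

Two things to take from the run: the weak secret falls to a six-word list and immediately lets the attacker mint an admin token that the server accepts, while the same attack against a 32-byte random secret finds nothing; and the pinned verifier refuses the `alg: none` token outright, because it compares the header against the configured algorithm instead of trusting the header.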