Here is a partial list of security activities to perform to raise your project security level.
1. Basic container – use a very simple base container with a minimal number of packages as a base container for most of the projects.
2. MySQL security: do no use root user
3. MySQL security: separate database – separate database accounts (separate if possible, user account and app admin user).
4. Backup for database, file buckets
5. Use Kubernetes secrets instead of passwords in code. DO NOT place sensitive keys in environment variables.
6. Check web app for web access to a config file. For example config.ini
7. Use a web firewall for AWS / Google cloud.
8. Configure Security Groups (network access rules).
9. Ensure Kubernetes nodes are not directly accessible.
10. Script to do container process monitoring
11. Enable SSL certificates / https URLs. Block HTTP traffic.
12. Enable encryption in motion.
13. Encryption in storage.
14. Cloud HSM if needed.
15. Hashicorp Vault service.
16. Service decoupling.
17. Enable 2-factor auth.
18. Check for open ports. Check for MongoDB port, Redis port, etc…
19. Dev boxes access.
20. DB structure: think about GDPR.
21. Review application logs for clear text passwords printed. PCI standard requires that no passwords are printed in clear text in logs.
22. Kubernetes cluster – disable public IP.
23. VM hardening
23. Check if you have user’ original IP address in logs. Make sure that X-Forwarded-For HTTP header is displayed in logs.
24. For container processes use dumb-init or “–init” flag if you can control docker command line.
24. In addition to logs, make sure you have an audit for sensitive commands.
25. Review JWT implementation (if you have it). Do not use HS256 as it is susceptible to brute force attacks.
26. Remove Apache status or Nginx status pages.
27. Make sure you have no “phpinfo()” function in code as it prints environment variables. The attackers can find a log of sensitive info in this variables.
About the author
For the past 15 years I’ve been leading the evolution of startups and enterprises to achieve the highest level of security and compliance. Throughout my career I’ve been a Cyber Security expert and advanced solutions architect with many years of hands on experience both on offensive and defensive side. Knowledgeable at the highest level in application development, networking, data and databases, web applications, large scale Software as a Service solutions, cloud security and blockchain technologies.
I’ve been working with CISO’s of international enterprises, helping them set Information Security strategy, and overseeing the implementation of these recommendations. As part of these projects, I’ve been assisting companies to achieve compliance in GDPR, PCI, HIPAA and SOX.
Among my credits, I was a founder of a database security company GreenSQL/Hexatier which was acquired by Huawei and I’ve co-founded Kesem.io, Secure multi-signature Crypto wallet.
Specialties: Software and cloud architecture, Compliance (GDPR, HIPAA, PCI, SOX), blockchain technologies, software development, secure architectures, project management and low level research.