Security#

Production security is the operator’s defensive posture in the infrastructure layer. A layered set of controls (edge, network, identity, application, data, audit), each one expected to fail gracefully into the next. None is sufficient on its own; missing any of them is usually how breaches happen, and the blue-team operator who inherits the infrastructure inherits whichever ones the previous build left out. Each layer the operator hardens is a layer an attacker must defeat, and the missing one is the seam the adversary pivots through.

        flowchart TB
  subgraph Edge["Edge"]
    WAF[WAF / DDoS]
    CDN[CDN]
  end
  subgraph Net["Network"]
    VPC[VPC / Segments]
    FW[Security Groups / NetworkPolicy]
  end
  subgraph Id["Identity"]
    SSO[SSO + MFA]
    Workload[Workload Identity]
  end
  subgraph App["Application"]
    AuthZ[Authorization]
    Validation[Input Validation]
    Crypto[Encryption]
  end
  subgraph Data["Data"]
    AtRest[Encryption at Rest]
    KMS[KMS / HSM]
    Backup[Encrypted Backups]
  end
  subgraph Audit["Audit & Detect"]
    Logs[Immutable Logs]
    SIEM[SIEM / Detection]
    IR[Incident Response]
  end

  Edge --> Net
  Net --> Id
  Id --> App
  App --> Data
  Audit -.-> Edge
  Audit -.-> Net
  Audit -.-> Id
  Audit -.-> App
  Audit -.-> Data
    

Identity#

The first layer of production security. Every action, human or workload, ties back to a strong, audited identity, never a shared credential. SSO with MFA covers people, short-lived tokens cover machines, and long-lived API keys belong nowhere. Identity is also the attacker’s prize, a stolen workload token is a foothold that looks exactly like legitimate traffic.

Control

Practice

Workforce identity

SSO via SAML or OIDC, MFA enforced, short sessions

Workload identity

Short-lived tokens (IAM roles, workload identity, SPIFFE)

No long-lived keys

No static keys in code, images, or env; federate CI via OIDC

Just-in-time access

Production access auditable and time-bounded

Secrets#

The credentials, API keys, and certificates a system needs to operate. The discipline keeps them out of source control, in a centralized store, and rotating on their own. Secrets are precisely what an attacker hunts, a key leaked in a repo or a container image is initial access.

Store

Provider

Secrets Manager

AWS

Secret Manager

GCP

Key Vault

Azure

Vault

HashiCorp

Doppler

SaaS

Practices:

  • Never commit secrets; pre-commit hooks (gitleaks, trufflehog) catch the accidents.

  • Rotate automatically with grace periods.

  • Encrypt at rest in Git via Sealed Secrets or SOPS for the GitOps case.

  • Separate by blast radius, per-service and per-environment.

Encryption#

Encryption in transit and at rest, with application-level encryption for the highest-sensitivity fields. It decides whether stolen data or a captured packet trace is loot or noise.

Layer

Practice

In transit

TLS everywhere, mTLS for service-to-service

At rest

Provider-side encryption, bring-your-own-key for sensitive data

Application level

KMS-wrapped data keys for PII and financial fields

Network Security#

The network controls that contain blast radius. Each layer protects what the others miss, and the operator audits them for the one default-allow that would open lateral movement for an attacker.

Control

Purpose

Default deny

Security groups, NetworkPolicies, firewalld zones

Private subnets

Everything without public need, NAT for egress

Private endpoints

PrivateLink and Private Service Connect for cloud services

Bastion / SSM / IAP

Administrative access instead of public SSH

WAF

OWASP-style protection in front of public HTTP

Application Security#

The OWASP Top 10 still describes most real-world vulnerabilities, and each one has a standard mitigation. The same ten double as an attacker’s initial-access checklist.

Risk

Mitigation

Broken access control

Enforce on every server-side route, not just the UI

Cryptographic failures

Library defaults, modern algorithms, never roll your own

Injection

Parameterized queries and commands, escape on output

Insecure design

Threat model the system before it ships

Security misconfiguration

Default deny, least privilege, review IaC diffs

Vulnerable components

Automated dependency updates and CVE scanning

Auth failures

Proven libraries, MFA, generic errors, account lockout

Data integrity failures

Sign artifacts, pin dependencies by digest

Logging failures

Detect, alert, and retain

SSRF

Block private-network egress from user-controlled fetches

Supply Chain#

The baseline for software supply chain. Each step closes a known attack vector seen in real incidents, the same vectors that let an attacker land upstream of every runtime control.

Step

What it does

Pin

Lockfile dependencies and digest-pinned base images

Sign

Sign artifacts with cosign and Sigstore

SBOM

A software bill of materials per build (CycloneDX, SPDX)

Provenance

SLSA-style attestations of how the artifact was built

Scan

Images and dependencies in CI (Trivy, Grype, Snyk, Dependabot)

Audit and Detection#

The visibility layer that catches what the controls miss, and the layer an attacker works to blind or stay beneath.

Control

Detail

Immutable audit logs

Account activity, IAM changes, secret access, exported to a separate account

Provider trail

CloudTrail, Cloud Audit Logs, or Activity Log with multi-region trails

Runtime detection

Falco, GuardDuty, Defender for Cloud, OSQuery

Alert on

Anomalous IAM, root logins, disabled trails, unusual egress, new admin grants

Incident Response#

The discipline that makes the inevitable incident recoverable. A slow, unrehearsed response is the dwell time an attacker counts on.

Practice

Detail

Plan

Runbooks, on-call rotations, and contacts ready before they are needed

Practice

Tabletop exercises and game days

Blast-radius limits

Account separation, scoped roles, regional isolation

Postmortems

Blameless, written, and aimed at root causes