Security#
Production security is the operator’s defensive posture in the infrastructure layer. A layered set of controls (edge, network, identity, application, data, audit), each one expected to fail gracefully into the next. None is sufficient on its own; missing any of them is usually how breaches happen, and the blue-team operator who inherits the infrastructure inherits whichever ones the previous build left out. Each layer the operator hardens is a layer an attacker must defeat, and the missing one is the seam the adversary pivots through.
flowchart TB
subgraph Edge["Edge"]
WAF[WAF / DDoS]
CDN[CDN]
end
subgraph Net["Network"]
VPC[VPC / Segments]
FW[Security Groups / NetworkPolicy]
end
subgraph Id["Identity"]
SSO[SSO + MFA]
Workload[Workload Identity]
end
subgraph App["Application"]
AuthZ[Authorization]
Validation[Input Validation]
Crypto[Encryption]
end
subgraph Data["Data"]
AtRest[Encryption at Rest]
KMS[KMS / HSM]
Backup[Encrypted Backups]
end
subgraph Audit["Audit & Detect"]
Logs[Immutable Logs]
SIEM[SIEM / Detection]
IR[Incident Response]
end
Edge --> Net
Net --> Id
Id --> App
App --> Data
Audit -.-> Edge
Audit -.-> Net
Audit -.-> Id
Audit -.-> App
Audit -.-> Data
Identity#
The first layer of production security. Every action, human or workload, ties back to a strong, audited identity, never a shared credential. SSO with MFA covers people, short-lived tokens cover machines, and long-lived API keys belong nowhere. Identity is also the attacker’s prize, a stolen workload token is a foothold that looks exactly like legitimate traffic.
Control |
Practice |
|---|---|
Workforce identity |
SSO via SAML or OIDC, MFA enforced, short sessions |
Workload identity |
Short-lived tokens (IAM roles, workload identity, SPIFFE) |
No long-lived keys |
No static keys in code, images, or env; federate CI via OIDC |
Just-in-time access |
Production access auditable and time-bounded |
Secrets#
The credentials, API keys, and certificates a system needs to operate. The discipline keeps them out of source control, in a centralized store, and rotating on their own. Secrets are precisely what an attacker hunts, a key leaked in a repo or a container image is initial access.
Store |
Provider |
|---|---|
Secrets Manager |
AWS |
Secret Manager |
GCP |
Key Vault |
Azure |
Vault |
HashiCorp |
Doppler |
SaaS |
Practices:
Never commit secrets; pre-commit hooks (gitleaks, trufflehog) catch the accidents.
Rotate automatically with grace periods.
Encrypt at rest in Git via Sealed Secrets or SOPS for the GitOps case.
Separate by blast radius, per-service and per-environment.
Encryption#
Encryption in transit and at rest, with application-level encryption for the highest-sensitivity fields. It decides whether stolen data or a captured packet trace is loot or noise.
Layer |
Practice |
|---|---|
In transit |
TLS everywhere, mTLS for service-to-service |
At rest |
Provider-side encryption, bring-your-own-key for sensitive data |
Application level |
KMS-wrapped data keys for PII and financial fields |
Network Security#
The network controls that contain blast radius. Each layer protects what the others miss, and the operator audits them for the one default-allow that would open lateral movement for an attacker.
Control |
Purpose |
|---|---|
Default deny |
Security groups, NetworkPolicies, firewalld zones |
Private subnets |
Everything without public need, NAT for egress |
Private endpoints |
PrivateLink and Private Service Connect for cloud services |
Bastion / SSM / IAP |
Administrative access instead of public SSH |
WAF |
OWASP-style protection in front of public HTTP |
Application Security#
The OWASP Top 10 still describes most real-world vulnerabilities, and each one has a standard mitigation. The same ten double as an attacker’s initial-access checklist.
Risk |
Mitigation |
|---|---|
Broken access control |
Enforce on every server-side route, not just the UI |
Cryptographic failures |
Library defaults, modern algorithms, never roll your own |
Injection |
Parameterized queries and commands, escape on output |
Insecure design |
Threat model the system before it ships |
Security misconfiguration |
Default deny, least privilege, review IaC diffs |
Vulnerable components |
Automated dependency updates and CVE scanning |
Auth failures |
Proven libraries, MFA, generic errors, account lockout |
Data integrity failures |
Sign artifacts, pin dependencies by digest |
Logging failures |
Detect, alert, and retain |
SSRF |
Block private-network egress from user-controlled fetches |
Supply Chain#
The baseline for software supply chain. Each step closes a known attack vector seen in real incidents, the same vectors that let an attacker land upstream of every runtime control.
Step |
What it does |
|---|---|
Pin |
Lockfile dependencies and digest-pinned base images |
Sign |
Sign artifacts with cosign and Sigstore |
SBOM |
A software bill of materials per build (CycloneDX, SPDX) |
Provenance |
SLSA-style attestations of how the artifact was built |
Scan |
Images and dependencies in CI (Trivy, Grype, Snyk, Dependabot) |
Audit and Detection#
The visibility layer that catches what the controls miss, and the layer an attacker works to blind or stay beneath.
Control |
Detail |
|---|---|
Immutable audit logs |
Account activity, IAM changes, secret access, exported to a separate account |
Provider trail |
CloudTrail, Cloud Audit Logs, or Activity Log with multi-region trails |
Runtime detection |
Falco, GuardDuty, Defender for Cloud, OSQuery |
Alert on |
Anomalous IAM, root logins, disabled trails, unusual egress, new admin grants |
Incident Response#
The discipline that makes the inevitable incident recoverable. A slow, unrehearsed response is the dwell time an attacker counts on.
Practice |
Detail |
|---|---|
Plan |
Runbooks, on-call rotations, and contacts ready before they are needed |
Practice |
Tabletop exercises and game days |
Blast-radius limits |
Account separation, scoped roles, regional isolation |
Postmortems |
Blameless, written, and aimed at root causes |