The DevSecOps Security Checklist

DevSecOps is a practice that better aligns security, engineering, and operations and infuses security throughout the DevOps lifecycle. This checklist shares some best practices to help you secure the development environment and processes, produce secure code and applications, and move towards realizing DevSecOps.

Development

Environment

  • Secure and monitor your entire physical and virtual environment

    Security needs to be integrated across your environment. Take steps to secure your entire infrastructure, including on-premise and cloud environments, networks, CI/CD pipeline, code, data, operating systems, applications, and software. Use sustainable processes and tools to identify and block internal and external attacks, and malicious traffic and files.

    Apps: Sqreen

    Infrastructure: ThreatStack

    Network: Cloudflare

  • Gather metrics to gauge success

    Security is a journey that never ends, so focus on making progress. Collect and act on security and compliance information from on-premise and cloud environments. Use both the high-value and supporting metrics to get insights and determine the effectiveness of your security processes. Iterate whenever things change.

    DevSecOps Guide

    Security metrics that matter in a DevSecOps world

  • Secure and harden your containers

    Follow container security best practices. Secure authentication and authorization. Inspect, scan, and protect files, images, and containers. Use private registries such as GCR or Quay, and build only from trusted and verified container images.

    Docker Security Best Practices

    Kubernetes Security Best Practices

    Integrating Docker Solutions Into Your CI/CD Pipeline

  • Isolate Docker and Kubernetes

    Secure and isolate your containers early, often, and continuously. Isolate and segment containers using tools such as AppArmor, seccomp, and SELinux. Create isolation layers between different applications as well as between applications and hosts. This reduces the host’s attack surface, restricting access and protecting both the host and the co-located containers.

    Isolate containers with a user namespace

    Docker Container: isolation and security

  • Perform threat modeling exercises

    A threat modeling exercise identifies the design flaws and components that are most at risk, and should provide the security team with the opportunity to prioritize and address flaws according to their impact. In particular, threat modeling helps teams to understand the type of assets they are protecting, the sensitivity levels, potential threats, and their impact.

    How to measure risk with a better OKR

    Threat modeling in: The Ultimate DevSecOps

  • Automate infrastructure configuration and management

    Automate and simplify the configuration and management of servers, infrastructure, compliance, and applications. Use tools such as Puppet, Chef, and Azure Automation Desired State Configuration and other DSCs. These tools can help you further DevSecOps through functionality like automatically provisioning an environment, applying security settings, and deploying apps.

    Simplify and expedite server management

    What is the Puppet configuration management tool and how does it work?

    Azure Automation DSC

  • Harden your cloud deployments

    Cloud environments can provide a secure infrastructure if implemented properly. Review the teams and individual roles and permissions you’ve allocated. Grant access to only what each individual or team needs to perform their jobs. Enforce two-factor authentication for everyone. Check the security groups, standard AMIs, IAM roles, MFA tokens, etc.

    AWS security

    Azure security best practices

Code

  • Code security into your apps

    Create secure code from the start of development all the way to the deployed application. Ensure that security is integrated into the code instead of adding it as an afterthought. This requires involving the security teams throughout the development process. Keeping the code and implementations as simple as possible avoids complexities that may compromise security. Implement processes and best practices that make it easy and straightforward for developers to make secure decisions.

    Building Security into Code and Culture

    When DevOps met Security — DevSecOps in a nutshell

  • Continuously review code at every stage

    Review the code and standards at each stage to ensure that they comply with security best practices. Use SAST and DAST to analyze code, and other automated tools to track dependencies and scan all third-party and open source code. Perform pre-commit, commit-time, build-time, test-time, and deploy-time checks in your CI/CD pipeline.

    Let’s Talk About Code Reviews

    Codacy - Automated Code Reviews

    The best open-source DevOps security tools, and how to use them

  • Introduce chaos in the comfort zone

    Use chaos engineering to test how prepared your systems are to respond to security threats under unfamiliar operational environments. Run scripts to randomly shut down server instances, take down containers in a random manner, disrupt some services, or create unexpected outages in the applications and infrastructure. This helps the teams to provide a moving target defense that protects your systems in a wide range of conditions and ensures that something unexpected won’t bring everything tumbling down.

    What is chaos engineering and why does it matter?

    Chaos Engineering

    Chaos Monkey

  • Maintain an inventory of your applications and components

    Create and maintain an up-to-date inventory of your application assets. Get visibility into what’s being deployed and what your organization has out there. Maintaining an up-to-date inventory will help you uncover new security insights and prevent you from being caught off guard when something insecure gets deployed or when security vulnerabilities are uncovered in something old and forgotten.

    Sqreen App Inventory

    AWS System Manager and AWS Config

  • Scan and secure your open source and third-party components

    Stay on top of your open source and third-party dependencies. Make sure that they are always up-to-date, and that you regularly verify that they aren’t vulnerable.

    DevSecOps: The Open Source Way

    Sqreen

    Dependabot

  • Start a security analytics program on your code

    Use threat modeling, penetration tests, and vulnerability testing to confirm that your code is secure. Determine the number of severe vulnerabilities, and how long they persist before your team resolves them. Analyze the frequency and scope of automated tests as well as the number and type of attacks on your applications.

    Communicating risk across complex teams

    Security analytics: It’s all about the data

APIs

  • Secure your APIs

    APIs enable interaction and sharing of data between applications and therefore are more exposed and prone to security risks. Secure all the APIs the company consumes as well as those it exposes to the public. Use encryption to protect request information in transit while limiting the amount of information in the API error messages.

    DevSecOps for your APIs

    What is DevSecOps: Secure your APIs

  • Authenticate and authorize API users

    Use API IDs and API keys to identify and authenticate users, devices, or applications. Use an access control framework such as OAuth to control which APIs authenticated users or specific API keys can access.

    REST Security Cheat Sheet

    OAuth

  • Apply security policies to APIs

    Approach API security from both the consumption and exposure perspectives. Manage identity, security keys, tokens, certificate policies, authentication, and authorization policies. Do not forget to log and audit keys, policies, and log stores.

    API attacks

    State of API security

  • Secure all your transmission paths

    Secure your transmission paths to prevent data loss and security breaches. Encrypt all connections to prevent Man-in-the-Middle attacks. Enforce SSL/TLS.

    SSL Server Test

    Observatory by Mozilla

  • Validate input data, content types, and responses

    Validate all data to prevent application layer attacks. Ensure safe input data from users, database systems, external sources, as well as infrastructure. In addition, perform integrity checks as data crosses the boundary between a trusted and less trusted environment. This ensures that compromised data does not enter into your systems indirectly.

    Data Validation

    Testing for input validation
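    As an added example (not part of the original checklist), the validation described above for a hypothetical "create order" JSON endpoint: the content type is checked exactly, the body is size-limited, the payload must be a JSON object matching a schema, and unknown fields are rejected rather than ignored. The schema, field names, and limits are constructed for illustration.

```python
import json
from typing import Any, Dict, Tuple

MAX_BODY = 4096  # constructed limit; size-check before parsing

# Constructed schema for a hypothetical "create order" endpoint: field -> (type, check)
ORDER_SCHEMA = {
    "sku":      (str, lambda v: 1 <= len(v) <= 32 and v.isalnum()),
    "quantity": (int, lambda v: 1 <= v <= 100),
    "note":     (str, lambda v: len(v) <= 200),
}
REQUIRED = {"sku", "quantity"}


def parse_content_type(header: str) -> Tuple[str, str]:
    """Return (media type, charset) from a Content-Type header, lower-cased."""
    media, _, params = header.partition(";")
    charset = "utf-8"
    for p in params.split(";"):
        k, _, v = p.strip().partition("=")
        if k.lower() == "charset":
            charset = v.strip().strip('"').lower()
    return media.strip().lower(), charset


def validate_request(content_type: str, body: bytes) -> Tuple[bool, str, Dict[str, Any]]:
    """Accept only the exact JSON object the endpoint expects; reject everything else."""
    media, charset = parse_content_type(content_type)
    if media != "application/json" or charset != "utf-8":
        return False, "unsupported content type", {}
    if len(body) > MAX_BODY:
        return False, "body too large", {}
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed JSON", {}
    if not isinstance(data, dict):
        return False, "expected JSON object", {}
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:  # deny unknown keys so extra fields cannot reach lower layers
        return False, f"unexpected fields: {sorted(unknown)}", {}
    missing = REQUIRED - set(data)
    if missing:
        return False, f"missing fields: {sorted(missing)}", {}
    for name, value in data.items():
        typ, check = ORDER_SCHEMA[name]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, typ) or not check(value):
            return False, f"invalid value for {name}", {}
    return True, "ok", data
```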

  • Use RBAC to manage access to resources and operations

    Role-Based Access Control (RBAC) is a flexible process that simplifies assigning users and developers access rights to resources. Instead of assigning each individual user specific rights, the administrator creates roles which can then be given to a group of users. This is especially useful in organizations with many users to manage and a need to control API usage.

    Role-based access control

    Simple, Secure Role-Based Access Control (RBAC) For REST APIs
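    As an added example (not from the original checklist) covering both the "Authenticate and authorize API users" and the "Use RBAC" items: an API key identifies a principal, the principal holds roles, roles carry permissions, and each endpoint names the permission it requires, denying by default. Keys are stored only as digests so a leaked table does not leak usable keys. All principals, roles, and key values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, Optional

# Constructed role -> permission mapping (hypothetical permission names)
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "reader":  frozenset({"orders:read"}),
    "support": frozenset({"orders:read", "orders:refund"}),
    "admin":   frozenset({"orders:read", "orders:refund", "users:delete"}),
}
# Constructed principal -> role assignment; users get roles, never raw permissions
PRINCIPAL_ROLES: Dict[str, FrozenSet[str]] = {
    "svc-dashboard": frozenset({"reader"}),
    "alice":         frozenset({"support"}),
}
# Constructed sample keys; only their SHA-256 digests are kept server-side
_RAW_KEYS = {"svc-dashboard": "key_dash_EXAMPLE", "alice": "key_alice_EXAMPLE"}
KEY_TABLE: Dict[str, str] = {
    hashlib.sha256(k.encode()).hexdigest(): principal for principal, k in _RAW_KEYS.items()
}


def authenticate(api_key: str) -> Optional[str]:
    """Map a presented API key to a principal, or None if it matches nothing."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, principal in KEY_TABLE.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return principal
    return None


def authorize(principal: str, permission: str) -> bool:
    """Deny by default: some role of the principal must grant the permission."""
    roles = PRINCIPAL_ROLES.get(principal, frozenset())
    return any(permission in PERMISSIONS.get(r, frozenset()) for r in roles)


def handle(api_key: str, required_permission: str) -> int:
    """Return the HTTP status an endpoint guarded by this check would respond with."""
    principal = authenticate(api_key)
    if principal is None:
        return 401  # unauthenticated
    if not authorize(principal, required_permission):
        return 403  # authenticated but not permitted
    return 200
```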

  • Prevent API parameter tampering, attacks, and hijacks

    Parameter tampering can enable reverse engineering of the API, so that it exposes data or becomes vulnerable to DDoS attacks. Protecting your APIs ensures that your web, cloud, and mobile applications are secure and safe. Monitor the APIs, infrastructure, and external services to detect and prevent DDoS attacks.

    Understanding API Connectivity to Resolve App DDoS Attacks

    Automated security for your web apps

Protection

  • Use security best practices and tools

    Observe the standard security best practices. Reduce your attack surface (harden the infrastructure and services), encrypt your data and communication channels, and filter and block bad traffic and malware. Don’t forget to perform regular security audits, and to log and analyze your events and assets.

    5 ways to reduce your attack surface

    Best practices for encrypting data

    Pentest best practices

  • Detect and block unusual behavior

    Monitor your application in production to detect and block unusual behavior, including account takeovers, and suspicious actors. This helps to prevent attacks from your user base.

    Uncover and block bad actors

    Enhance security using behaviour-based indicators of compromise (BIOCs)
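    As an added example (not part of the original checklist) of the behaviour-based detection described above: a small detector run over constructed login events in a hypothetical "timestamp user ip outcome" format. It flags an account-takeover pattern, a successful login that follows a burst of failures within a window from an IP the user has never logged in from. Thresholds, the log format, and the events are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample events; addresses are documentation ranges, not real hosts
SAMPLE_LOG = """\
2024-03-01T10:00:01Z alice 203.0.113.5 success
2024-03-01T10:05:10Z alice 198.51.100.7 failure
2024-03-01T10:05:12Z alice 198.51.100.7 failure
2024-03-01T10:05:14Z alice 198.51.100.7 failure
2024-03-01T10:05:15Z alice 198.51.100.7 failure
2024-03-01T10:05:16Z alice 198.51.100.7 failure
2024-03-01T10:05:20Z alice 198.51.100.7 success
2024-03-01T10:07:00Z bob 203.0.113.9 failure
2024-03-01T10:07:05Z bob 203.0.113.9 success
"""

FAIL_THRESHOLD = 5           # constructed: failures before a success is suspicious
WINDOW = timedelta(minutes=10)


def detect_takeovers(log: str) -> List[str]:
    """Return an alert per success preceded by a failure burst from a never-seen IP."""
    known_ips: Dict[str, Set[str]] = defaultdict(set)      # per-user login history
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    for line in log.splitlines():
        ts_s, user, ip, outcome = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        fails = recent_fails[user]
        while fails and ts - fails[0] > WINDOW:             # expire old failures
            fails.popleft()
        if outcome == "failure":
            fails.append(ts)
            continue
        if len(fails) >= FAIL_THRESHOLD and ip not in known_ips[user]:
            alerts.append(f"{ts_s} possible account takeover: {user} from {ip} "
                          f"after {len(fails)} failures")
        known_ips[user].add(ip)  # a production system would seed this from history
        fails.clear()
    return alerts
```

In production the alert would feed a block or a step-up authentication decision rather than only a list.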

  • Automate security testing and protection

    Perform automatic security scanning for vulnerabilities in the code, infrastructure, and applications in staging. Use a security solution that can detect and block attacks in production in real time, such as SQL injections, NoSQL injections, and XSS. Ensure that your solution limits false positives and doesn’t block benign traffic.

    Sqreen: block attacks in real time

    Automate security testing within your pipeline

  • Automate data policy management

    Use automated policy enforcement to manage the data lifecycle and flow. Create audit logs before and after any security issue. Address all the audit and compliance issues you uncover.

    Audit Logs

    Why every company needs a data policy

  • Automate security tasks and practices

    Use existing DevOps tools to automate some security functions. For example:

    • Chef – to automate security testing
    • Puppet – test compliance and enforce security policies
    • Ansible – to define and automate security best practices such as applying custom policies, configuring firewall rules, locking out certain users, etc.
    • SaltStack – to automate security practices

    Combine common tools with a continuous security monitoring platform.

    Chef InSpec

    Compliance and auditing with Puppet

  • Complement automatic testing with creative manual tests

    Automated testing scripts may fail to recognize visual issues that a human eye can pick up. In addition, a human tester will interact with the software and discover usability or interface issues. Another challenge is that automated test scripts may themselves contain errors or bugs that produce false negatives or false positives.

    Reasons Why Manual Testing Can Never Be Replaced

    Why Automated Testing Will Never Replace Manual Testing

  • Follow post-production protection best practices

    Automate scanning and collect application-level metrics upon deployment. You can use a tool such as Chef to automate the configuration management as well as the provisioning of the runtime environment. Use runtime protection solutions to monitor and protect your applications in production.

    Getting runtime application self-protection launched

    Sqreen: Application Security Management

  • Limit your attack surface

    Integrate protection and detection measures in the architecture to limit your attack surface and reduce exposure to internal and external threats. Focus on high-risk areas, such as web forms, internet-facing code, access control, session management code, data from external sources, and other entry points that interface with external networks.

    Attack Surface Analysis Cheat Sheet

    5 ways to reduce your attack surface

  • Use security tools that continue to evolve

    The security solutions you put in place must keep pace with changing application environments and infrastructure, as well as with your own growth. These should have the ability to protect your system in real time and automatically send alerts when security issues arise.

    Automated security for your apps

Employee Behavior

  • Encourage secure employee behavior

    Implement a data protection program that combines security best practices and user education. Raise employee awareness to improve personal security and prevent attacks such as spear-phishing incidents. Always update and patch operating systems and application software, preferably automatically.

    Employee Security Training

  • Check employee security behavior

    Simulate a malicious attack in a controlled way to identify and fix real-world vulnerabilities. Use on-premise attacks to test desktop security and visitor controls. Use red teaming or pentests to identify vulnerabilities and their impact on businesses and employees.

    Use red teaming to find real-world vulnerabilities

    Pentest best practices checklist

  • Do a spear-phishing campaign

    Perform a spear-phishing campaign to test employees’ behaviors and responses. You can also try hacking your employees in a controlled manner to assess and address internal risky behavior and preparedness.

    Spear phishing

    Create user awareness and training to prevent phishing attacks

This checklist is also available as a PDF at:

https://www.sqreen.com/checklists/devsecops-security-checklist
