| description |
|---|
Best practices in software development operations from operations management and system administration perspectives |
The DevSecOps audit is an examination of the deployment strategies, security measures, and operational best practices to ensure a secure and efficient delivery and operation of the application.
The audit starts with a thorough review of the manual installation methods detailed in the platform's documentation. This review is necessary to understand the complexities and requirements of setting up the application from scratch. The audit reviews hardware and software recommendations, and considers what environments support the package versions required. The testing also explores alternative installation methods such as server tools with Ansible and Bash scripts, as well as containerization approaches like Docker and Kubernetes, highlighting the flexibility and various options available for different organizational needs.
The audit extensively examines the application’s security configuration options, particularly focusing on database configuration, file store configuration, and authentication options for single-sign-on capabilities. The use of an industry-standard database allows for potential integration into existing database clusters, while file storage is examined for compatibility with common object storage solutions. Authentication options provide robust support for identity management, enhancing the security of user authentication processes.
Operationally, the audit highlights the importance of updating public documentation to accurately reflect supported operating systems. Best practices for managing the database are detailed, emphasizing performance tuning and secure configuration. The audit also covers encryption practices used within the application, noting the use of modern algorithms for most data encryption and the potential security risks associated with the use of outdated algorithms in some configurations.
The monitoring capabilities of the application are evaluated, with a particular focus on the integration of services for observing system metrics and logs. The update process is also reviewed, noting the ease of applying security patches through package managers and the steps required for application upgrades via the server. The documentation for system administrators is considered, and how it can better support the setup, monitoring, and troubleshooting processes.
The audit concludes with several recommendations aimed at enhancing the security posture and operational efficiency of deployments. These might include updates to system documentation, improved secrets management practices, and recommendations for network architecture to safeguard the application environment. The audit stresses the importance of robust disaster recovery procedures and the need for comprehensive backup strategies to ensure data integrity and availability in the event of system failures or security incidents.