Security
It is impossible to make a system secure. Always assume that you will be hacked. Do everything to make it as difficult as possible for the attackers and to keep the damage as small as possible.
Make the honey pot as small as possible.
Development & build
- GIT repositories with protected main branch (pull-request required)
- Static code analysis for source-code with optional build-breaker
- SCA for dependencies to show vulnerabilities
- Container signing process in pipeline
- Recommend hardened Docker base images
- SBOM generation for artifacts
- Credential scanner for whole repository
- Malware detection for repositories (in implementation)
- SBOM generation for container (planned)
Runtime
- Separated prod und non-prod environments
- Databases are not accessible from outside of a k8s cluster
- APIs are secured by openAPI spec and only signed JWT tokens are allowed
- Only signed containers are allowed
- Prisma scan results in ODJ (GCP only)
- Cost anomaly detector
- Restrict k8s pod inbound ports to HTTPS
- Malware detection of public cloud buckets (GCP and Azure only)