Question: Are secure deployment configurations enforced and verified across all environments?
-
Objective — Why This Matters
Insecure defaults during deployment expose hidden risks like verbose error messages, debug APIs, or exposed admin panels. -
Maturity Levels (0–5)
No environment segregation; configs copied manually.
Basic staging setup; no parameter hardening.
Deployment checklist defined per environment.
Infrastructure-as-code with security parameters enforced.
Automated configuration validation before deploy.
Continuous compliance validation and drift correction.
- How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Segregate dev/stage/prod; disable debug. |
| 1 → 2 | Document config standards per environment. |
| 2 → 3 | Deploy via IaC with secure defaults. |
| 3 → 4 | Validate configs with scripts/policy-as-code. |
| 4 → 5 | Automate drift correction and compliance reports. |
-
People / Process / Technology Enablers
People – DevOps, AppSec, Cloud Admins.
Process – Deployment SOPs, config review cycle.
Technology – Terraform, Ansible, OPA, Checkov. -
Evidence Required
Deployment checklists, IaC templates, validation logs. -
Metrics / KPIs
• percentage of deployments passing config checks
• number of drift alerts per quarter
• average time to fix misconfiguration -
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| IaC scanning | Checkov / Tfsec | Detect insecure IaC parameters. |
| Validation | OPA / Conftest | Apply config policies pre-deploy. |
| Monitoring | Grafana / Prometheus | Track drift metrics. |
-
Common Pitfalls
No environment segregation; skipping validation for hotfixes. -
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.9 / A.8.32. |
| NIST CSF 2.0 | PR.IP-1 / PR.DS-6. |
| CERT-In 2022 | Secure deployment requirement. |
| NIRMATA Scoring | AS-Q11 ≥ Level 4 requires automated validation in pipeline. |