
Why this doc?


This document is essentially my own experience as a Security Engineer and my approach to securing Kubernetes, containers, and the applications running inside them. Working at DeepSource, I was always asked to introduce a security process right before applications are pushed to staging/dev or production. After spending some time working as a security engineer, I now understand why it is important to have a security process in place. It may seem obvious when you think about it, but the why and the how are what you will read here. I'll also take the opportunity to add a little bit about security engineering in general. After all, I have spent enough time in the field, and it is always good to show off if you think you know better than others :).

Most engineering teams use Continuous Integration and Continuous Deployment (CI/CD) to build, test, and deploy applications. In my own experience, both of my previous companies used CI/CD to build and deploy applications. Over time, what I realised was that Backend and Platform/DevOps teams generally have control over the pipeline, while the security team has very limited or no visibility into each stage of it. Asking security to find bugs once they are already in production is not a good idea. The saying "prevention is better than cure" exists for a reason.

Having a security review process every time a code change happens is a better approach. You may have heard that security is a team effort, and that is why development and security should work very closely together. I also understand that security adds complexity and delays to the release pipeline, but so be it, because when a breach happens you realise why it was important. If you are still not convinced, let me put it like this. In India, people generally don't prefer to buy health insurance because they think they are smart, or young, or will never be hospitalised. Now ask someone who was hospitalised what they think about having health insurance, or ask someone who didn't have it and ended up paying from the savings they had been building up for a very long time. You will get your answer, and you will understand why it is important to spend a little on the security team rather than saving that little money for something else.

Enough with the Gyan (free knowledge) for the first page. Let's get started.