4 Security layer 2: protecting cloud infrastructures
This chapter covers
- Automating the security testing of an infrastructure in continuous delivery
- Restricting network access to components of the infrastructure via security groups
- Opening administrative access via SSH without compromising security
- Enforcing strict access controls on the invoicer’s database
The environment you built in chapter 2 to host the invoicer had several security issues. In chapter 3, you fixed the security of the application layer and learned how test-driven security can be used to integrate testing directly into the CI pipeline. You addressed vulnerabilities in the application itself by making use of browser security techniques like CSP, authentication protocols like OpenID Connect, and programming techniques like CSRF tokens. In chapter 4, we’ll continue our journey to secure the invoicer at the infrastructure layer and focus on controls that strengthen the network, servers, and databases of the service. We’ll continue to apply TDS principles by adding security testing into the pipeline, this time at the continuous-delivery layer.
The security audit performed at the end of chapter 2 listed issues we’re now going to fix: