Loading...
Security integrated into every stage of the delivery pipeline — from threat modelling and SAST to Kubernetes runtime defence and compliance automation.
Security baked in from the start costs 10× less than security bolted on at the end. This stage is about internalising that before touching any tooling.
Shift-left security
Moving security checks earlier in the lifecycle — code review, PR gates, and pre-commit hooks instead of perimeter scanning.
Threat modelling
STRIDE and attack trees: systematically identifying what can go wrong before writing a line of code.
CIA triad in practice
Confidentiality, Integrity, Availability — and how each maps to concrete infra decisions (encryption, checksums, redundancy).
OWASP Top 10
The ten most critical web application security risks and their infrastructure/pipeline implications.
Secure SDLC
Embedding security gates at design, code, build, test, deploy, and operate phases without killing delivery velocity.
Vulnerabilities introduced at the code and dependency layer are the cheapest to fix. Automated gates mean developers never need to think about most of them.
SAST (Static Analysis)
Semgrep, CodeQL, and SonarQube — scanning code for known vulnerability patterns without running it.
Dependency scanning
Trivy, Snyk, and Dependabot for CVE detection in third-party packages. Understand CVSS scores and when to block vs warn.
Secret scanning
Preventing credentials from entering git history: GitLeaks, truffleHog, and GitHub push protection.
Hash GeneratorPre-commit security hooks
Automated checks at commit time — secret detection, dependency audits, and IaC linting before code leaves the developer's machine.
Secure code review checklist
Input validation, output encoding, authentication flows, and the five questions every security-aware code reviewer asks.
The container image is the attack surface that ships to production. Harden it at build time so the runtime has nothing to exploit.
Image vulnerability scanning
Trivy and Grype for CVE detection in OS packages and language dependencies. Integrating scans into the build pipeline.
Dockerfile Best PracticesMinimal & distroless bases
Scratch, distroless, and Alpine — reducing attack surface by removing everything the application doesn't need.
Dockerfile GeneratorNon-root containers
USER directives, read-only root filesystems, and dropping Linux capabilities — the three Dockerfile security primitives.
Image signing & provenance
Cosign and Sigstore for signing images, verifying supply chain provenance, and enforcing signature policies at admission.
Container runtime security
Falco for detecting anomalous syscalls at runtime — the last line of defence when prevention fails.
SBOM generation
Software Bill of Materials with Syft — knowing exactly what's in every image for audit, compliance, and incident response.
Kubernetes has many security levers. Most clusters use fewer than half of them. This stage covers the ones that actually matter in production.
Pod Security Standards
Privileged, Baseline, and Restricted profiles — enforcing them via Pod Security Admission and understanding what each permits.
RBAC hardening
Least-privilege service accounts, binding audit, and removing wildcards from ClusterRoles.
Blog: RBAC in PracticeNetwork policies
Default-deny-all ingress and egress, then explicitly allow — the only sane starting point for multi-tenant clusters.
Network Policy GeneratorSecrets encryption at rest
EncryptionConfiguration for etcd, envelope encryption with KMS, and why base64 in a Secret is not encryption.
Admission controllers & policy-as-code
OPA/Gatekeeper and Kyverno for enforcing security policies at the API server before resources are persisted.
Runtime threat detection
eBPF-based security with Cilium and Tetragon — kernel-level visibility into process execution, file access, and network calls.
Blog: eBPF & Platform EngineeringThe pipeline has privileged access to everything. A compromised pipeline is a compromised environment. Treat it accordingly.
OIDC-based pipeline auth
Eliminating long-lived static credentials from CI/CD using OIDC federation — GitHub Actions to AWS IAM with no secrets stored.
GitHub Actions Workflow BuilderPipeline hardening
Pinning action versions to commit SHAs, restricting permissions to minimum required, and auditing third-party actions.
DAST in pipelines
OWASP ZAP and Nuclei for dynamic testing against a live instance — catching what SAST misses at runtime.
Dependency & image gates
Blocking builds when a CVE above a severity threshold is found — and knowing when to use block vs warn to avoid alert fatigue.
Artifact signing & verification
Signing container images and build artifacts with Cosign, and verifying signatures at deploy time with policy enforcement.
Supply chain: SLSA levels
Supply chain Levels for Software Artifacts — what level your pipeline achieves and what it takes to reach L3.
Cloud misconfigurations are the leading cause of breaches. Most are preventable with IAM discipline, network segmentation, and automated posture checks.
IAM hardening
Least-privilege policies, no wildcard actions, SCPs for organisation-wide guardrails, and regular permission boundary audits.
AWS CLI: IAM & STSNetwork security posture
Private subnets for workloads, security group discipline, VPC flow logs, and why 0.0.0.0/0 in an inbound rule is a finding.
CIDR CalculatorCloud Security Posture Management
AWS Security Hub, GuardDuty, and Prowler — continuous misconfiguration detection across the entire account.
IaC security scanning
Checkov and tfsec for catching misconfigurations in Terraform before they reach apply — shift-left for infrastructure.
Audit logging
CloudTrail, S3 access logs, and VPC flow logs — the evidence trail for every incident investigation and compliance audit.
WAF & DDoS protection
AWS WAF rule groups, Shield Advanced, and rate limiting — distinguishing volumetric attacks from application-layer exploits.
Secrets sprawl is silent and lethal. Every hardcoded credential, every overshared token, is a breach waiting for its trigger.
Vault architecture
Storage backends, auth methods, dynamic secrets, and lease TTLs — Vault as the central secrets broker.
Blog: Vault vs External SecretsExternal Secrets Operator
Syncing secrets from AWS Secrets Manager and Parameter Store into Kubernetes without Vault — when ESO is the pragmatic choice.
Workload identity (IRSA / WIF)
Kubernetes service accounts bound to IAM roles — zero static credentials for pods running on EKS.
Certificate lifecycle
cert-manager for automated issuance and rotation, OpenSSL for inspection and debugging when things go wrong.
OpenSSL Cheat SheetTLS everywhere
mTLS between services, certificate pinning, and HSTS — making plaintext communication structurally impossible.
TLS/SSL Cheat SheetSecret rotation strategy
Automated rotation cadence, zero-downtime rotation patterns, and what to do in the first 30 minutes of a credential compromise.
Compliance is not security, but it forces documentation of controls that make you more secure. Get ahead of it before an auditor does.
SOC 2, HIPAA, PCI-DSS
What each framework actually requires from infra teams — encryption, access control, audit logging, and incident response.
Compliance for DevOpsPolicy as code at scale
OPA and Kyverno policies as the single source of truth for compliance controls — version-controlled, tested, and auditable.
Vulnerability management programme
SLA by severity (P0: 24h, P1: 7d, P2: 30d), tracking, and the process for accepting risk on findings you won't fix.
Audit logging & evidence collection
Correlating CloudTrail, Kubernetes audit logs, and application logs into a coherent evidence trail for auditors.
Security incident response
Runbooks for credential compromise, data exfiltration, and cryptomining — the three most common cloud incidents.
Security posture metrics
Mean Time to Remediate by severity, open CVE age, secrets rotation coverage — the numbers that show whether the programme is working.
The toolkit has certificate checkers, RBAC generators, network policy builders, and TLS references for the stages above — no account required.