You are pushing code to production every day. You have CI/CD, containers, Kubernetes, automation. But how many of those pipelines integrate real security controls? At Meteora Web we see it often: companies invest in cloud but neglect security in the software delivery chain. The result is misconfigurations that open doors to anyone, secrets left in repositories, vulnerabilities in containers waiting to be exploited.
This pillar guide is written for those who want to move from "deploy fast and secure? maybe" to "secure by design deployments". We cover DevSecOps, IAM, secrets management, container security, SAST/DAST, Kubernetes hardening, Zero Trust, SIEM, and cloud compliance. No abstract theory: each section ends with a concrete action you can take right now.
DevSecOps: Embed Security into CI/CD Without Slowing Down
DevSecOps is not a tool. It's a mindset shift: security becomes a requirement in the development lifecycle, not a final gate check. We have seen projects where security tests arrive three days before release, and guess what? They get cut, postponed, and then you pay the price. The key is to shift left, automating controls in every CI/CD stage.
Multi-stage security pipeline
A mature DevSecOps pipeline has automated gates at each phase:
- Pre-commit: linting, secret scanning (e.g., git-secrets, Talisman).
- Build: SAST on code, dependency scanning (SCA).
- Test: DAST on staging environment, container scanning.
- Deploy: policy as code (OPA, Kyverno) for Kubernetes, image signing.
- Runtime: continuous monitoring, SIEM, anomaly detection.
Concrete action: integrate gitleaks or truffleHog in local pre-commit hooks and in your GitHub Actions pipeline. Example workflow snippet:
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Secret scanning
uses: gitleaks/gitleaks-action@v2
AWS IAM: Least Privilege and Policy Management
The most common mistake? Overly permissive policies. Action: "*" and Resource: "*" is an invitation to disaster recovery (involuntary). We always start from one principle: every role must have only the minimum permissions needed to perform its function. We enforce that with analysis tools.
Sponsored Protocol
AWS IAM best practices
- Use roles, not long-term users for services. Rotate access keys every 90 days.
- Attribute-based or condition-based policies (e.g.,
aws:SourceIp). - Apply Service Control Policies (SCPs) at organization level to restrict sensitive actions (e.g., disable IAM user creation for non-authorized accounts).
- Enable AWS IAM Access Analyzer to identify public or unintended cross-account policies.
Example of a restrictive policy for an EC2 instance that only reads from S3:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/16"
}
}
}
]
}
Immediate actions: review unused policies with IAM Last Accessed, remove excess. Deactivate access keys not used in 30 days.
Secrets Management: HashiCorp Vault, AWS Secrets Manager, GitHub Secrets
Leaving credentials in plaintext in a repo is like leaving house keys under the doormat. At Meteora Web we have seen databases compromised because a .env file ended up on GitHub. The solution is not a single tool, but an approach: centralize, rotate, encrypt. HashiCorp Vault is the mature choice for multi-cloud environments. AWS Secrets Manager is natively integrated. For CI/CD: GitHub Secrets and GitLab CI Variables.
Patterns to follow
- Never hardcode secrets in code.
- Inject secrets via environment variables, never via versioned files.
- Use OIDC to exchange tokens between GitHub Actions and AWS (avoid access keys).
- Automatic rotation every 90 days (or less for high-risk secrets).
- Audit logs of secret access.
Example Vault access from a Python app:
import hvac
client = hvac.Client(url='https://vault.example.com', token='s.xxx')
client.secrets.kv.v2.read_secret_version(path='myapp/db_password')
Immediate action: search for secret patterns in your repos using git log -p | grep -E "(password|secret|api_key)". If found, rotate and remove using git filter-branch or bfg. Then migrate to Secrets Manager.
Sponsored Protocol
Container Security: Trivy, Docker Scout, and Image Hardening
Containers are not thin secure clients by default. A base image with critical vulnerabilities is a ticking bomb. We use Trivy for local and pipeline scanning, and Docker Scout for dependency analysis. But the real step is hardening the image: multi-stage builds, non-root user, reduce attack surface.
Minimum Docker hardening
- Use official slim base images (e.g.,
python:3.11-slim). - Multi-stage build: the final container does not contain compilers or dev tools.
- Run as non-root:
USER appuser. - Do not expose unnecessary ports.
- Add HEALTHCHECK and limit resources (--memory, --cpus).
Example multi-stage Dockerfile for Node.js:
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM node:20-alpine
RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY --chown=appuser:appgroup . .
USER appuser
EXPOSE 3000
CMD ["node", "server.js"]
Immediate actions: run Trivy on all production images. If you find critical vulnerabilities, rebuild the base image. Setup mandatory scanning before any push.
SAST and DAST: Static and Dynamic Analysis in the Pipeline
SAST analyzes code without executing it (e.g., SonarQube, Semgrep). DAST tests the running application (e.g., OWASP ZAP, Burp Suite). One is not enough: code can be clean but the application exposed to SQL injection if runtime config is wrong.
Practical integration
Insert SAST in the build stage and DAST in staging. Example Docker Scout step on GitHub Actions:
- name: Analyze for vulnerabilities
uses: docker/scout-action@v1
with:
command: cves
image: myapp:latest
For DAST, we can use OWASP ZAP with a GitHub Action that generates a report:
Sponsored Protocol
- name: ZAP DAST
uses: zaproxy/action-full-scan@v0.11.0
with:
target: 'https://staging.myapp.com'
Immediate action: if you have no SAST, try Semgrep with OWASP Top 10 security rules. If no DAST, set up a staging environment mock and run ZAP. The results will surprise you (negatively).
Kubernetes Security: RBAC, Network Policy, and Pod Security Standards
K8s is complex: configuration errors can expose the entire cluster. We often see ServiceAccounts with excessive permissions (cluster-admin for a web pod) or missing NetworkPolicies. Security in K8s rests on three pillars: RBAC, Network Policy, Pod Security.
Restrictive RBAC
Don't use default tokens. Create roles scoped to specific namespaces with limited verbs. Example Role that allows only reading pods and services:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch"]
Network Policy
Default deny ingress and egress, then open only what's needed. Example policy that allows traffic only from a monitoring namespace:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-except-monitoring
spec:
podSelector: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
project: monitoring
Pod Security Standards
Apply security context: runAsNonRoot: true, readOnlyRootFilesystem: true, seccompProfile. Use Pod Security Admission (built into K8s 1.23+) to enforce baseline/restricted policies at namespace level.
Immediate actions: audit ServiceAccount permissions with kubectl auth can-i. Check for existing NetworkPolicies: kubectl get networkpolicy --all-namespaces. If none, start with a default deny.
Cloud Misconfigurations: Common Errors and How to Avoid Them
A Gartner study states that over 80% of cloud breaches are due to misconfigurations. We confirm: public S3 buckets, security groups open to 0.0.0.0/0, exposed RDS databases, IAM policies with write on all resources. The solution is a combination of policy as code and continuous scanning.
Sponsored Protocol
Prevention tools
- CloudFormation Guard or Terraform Sentinel for IaC validation before deploy.
- AWS Config with compliance rules (e.g., s3-bucket-public-read-prohibited).
- Scanners like ScoutSuite, Prowler (open source) for periodic audits.
Example Terraform control with Open Policy Agent (OPA):
package terraform
violations[msg] {
resource = input.resource.aws_s3_bucket[_]
resource.acl = "public-read"
msg := sprintf("Bucket %s must not be public", [resource.bucket])
}
Immediate action: run Prowler on your AWS account: prowler aws. Examine the first critical errors. Fix public buckets and open security groups immediately.
Zero Trust Architecture: Principles and Practical Implementation
Zero Trust means "never trust, always verify". It doesn't matter if the request comes from the internal network or a trusted IP. We apply it with:
- Strong authentication (MFA for all, SSO with OIDC).
- Microsegmentation: each service talks only to what it must.
- Just-in-time access for admins: temporary permissions on demand.
- Continuous device checking: not just user, device must also be compliant.
Implementation with BeyondCorp
A practical way is to use a service mesh (e.g., Istio) with mandatory mTLS, and an API gateway with authentication at every request. Google released BeyondCorp Enterprise; on AWS you can replicate with AWS Verified Access.
Immediate action: enforce MFA for all human accounts. For machines, use certificates with rotation.
SIEM and Security Monitoring: Elastic Security and Alerts
Prevention is not enough: real-time detection is key. A SIEM (Security Information and Event Management) centralizes logs from cloud, containers, applications. We have experience with Elastic Security (based on Elasticsearch) for correlating events and generating alerts. Alternatives: Splunk, Wazuh (open source).
Essential logging
- CloudTrail (AWS) or equivalents.
- Kubernetes logs (fluentd → Elastic).
- Firewall and intrusion detection (Snort, Suricata).
- Anomaly alerts: unauthorized access attempts, traffic spikes, policy modifications.
Example Elastic alert on SSH login failures from multiple IPs in 5 minutes:
Sponsored Protocol
rules:
- rule_id: 'ssh_brute_force'
type: query
query: 'source.ip:* AND event.action: "ssh_failed"'
group_by: ['host.name']
timespan: '5m'
threshold: 10
actions:
- slack: '#security'
Immediate action: ensure logs are centralized. If you have no SIEM, start with Wazuh: it installs in Docker and aggregates system and cloud logs.
Cloud Compliance: SOC2, ISO27001, and GDPR
Certifications are not just paperwork. They demonstrate that controls are in place. We help clients prepare: asset inventory, documented policies, audit evidence. Cloud platforms offer compliance reports (AWS Artifact, Azure Compliance Manager).
Getting started
- Map required controls (e.g., ISO 27001:2022 Annex A) to native cloud controls.
- Configure Config rules + GuardDuty for continuous evidence.
- Document incident response and change management processes.
- Run penetration tests annually.
- Retain logs for at least 90 days (longer for GDPR).
Immediate action: download the AWS Compliance Whitepaper and compare your configuration with baseline controls. Identify gaps.
Summary – What to Do Next
- Pipeline scan: enable secret scanning and SAST on your repos. Now.
- IAM audit: reduce excessive permissions. Apply least privilege.
- Container hardening: multi-stage builds and Trivy in CI.
- K8s security: restrictive RBAC and NetworkPolicy.
- Cloud misconfiguration: run Prowler and fix critical issues.
- Zero Trust: mandatory MFA and microsegmentation.
- SIEM: if absent, install Wazuh or Elastic Security.
- Compliance: create a gap analysis backlog.
At Meteora Web we offer full audits and DevSecOps implementation for companies that want real security, not just checklists. We come from accounting and code: every policy has a cost and a return. If you want a conversation, contact us.
