Domain 10 - Application Security

[leenewcombe]

Realise this is in outline phase so just some suggested areas for consideration

i. use of cloud-based code repositories. I've had a number of clients who go to great lengths to secure their cloud infrastructures and then host all of their Infrastructure as Code on cloud-based code repositories secured via username and password!

ii. patching/fixing of consumer code. Seen a number of clients going down the PaaS route assume that they've handed off patch management completely... consumers need to patch their own code.

iii. security of deployment pipelines is key - authentication and authorisation of those that can deploy, how the pipelines retrieve crypto credentials etc when spinning up instances etc. can be messy.