
Security Principles for DevSecOps


Defense in depth (layered security)

Multiple independent controls so one failure does not equal total compromise.

Perimeter / edge (WAF, CDN, API gateway)
Application (authz, validation, TLS)
Data (encryption, backups, least-privilege DB roles)
  • Combine preventive and detective controls.
  • Segment networks; restrict east-west traffic.
  • Automate patching, prioritising known-exploited vulnerabilities on exposed paths.

Least privilege (IAM visual)

Narrow identities and permissions to the minimum needed for the task and duration.

Account / organization guardrails (SCPs, permission boundaries)
Roles for workloads rather than long-lived user credentials where possible
Resource-based policies + condition keys (source VPC, MFA, time window)
  • Prefer session credentials with automatic expiry.
  • Break-glass roles with approval workflow and alerting.
  • Regular access reviews tied to entitlements catalog.
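The following block is an added example, not code from the original page: a deliberately simplified model of how a resource-based policy with condition keys (MFA, source VPC, time window) and an expiring session credential narrow what an identity can do. The policy shape and the condition keys (aws:MultiFactorAuthPresent, aws:SourceVpc, aws:CurrentTime) mirror AWS IAM JSON, but the evaluator is a teaching model, not AWS's real policy engine. The account id, bucket, VPC id, role name and the SessionCredential class are constructed placeholders.

```python
"""Added example, not from the original page: a simplified model of how a resource-based
policy with condition keys (MFA, source VPC, time window) plus an expiring session
credential narrows access. Policy shape and condition keys mirror AWS IAM JSON; the
evaluator is a teaching model, not AWS's engine. Account id, bucket, VPC id and role
name are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

ROLE = "arn:aws:iam::123456789012:role/ops-reader"  # constructed
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reads allowed only from one VPC, with MFA, inside a one-day change window.
            "Effect": "Allow",
            "Principal": {"AWS": ROLE},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"aws:SourceVpc": "vpc-0abc123"},
                "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-02T00:00:00Z"},
            },
        },
        {   # Explicit Deny on deletion: no Allow anywhere can override it.
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

@dataclass
class SessionCredential:
    """Short-lived credential (as from an AssumeRole call), not a long-lived user key."""
    principal_arn: str
    mfa_present: bool
    expires_at: datetime

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(spec, principal_arn):
    return spec == "*" or principal_arn in _as_list(spec.get("AWS", []))

def _conditions_hold(cond, ctx):
    """Every operator/key pair must hold; a missing context key fails the condition."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool" and str(have).lower() != want.lower():
                return False
            elif op == "StringEquals" and have != want:
                return False
            elif op in ("DateGreaterThan", "DateLessThan"):
                bound = datetime.fromisoformat(want.replace("Z", "+00:00"))
                if (op == "DateGreaterThan" and have <= bound) or (op == "DateLessThan" and have >= bound):
                    return False
            elif op not in ("Bool", "StringEquals"):
                raise ValueError(f"operator not modelled: {op}")
    return True

def evaluate(policy, principal_arn, action, resource, ctx):
    """Deny-overrides: a matching Deny wins; otherwise a matching Allow; otherwise implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], principal_arn)
                and any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def authorize(cred, action, resource, source_vpc, now):
    """Reject expired session credentials before the policy is consulted at all."""
    if now >= cred.expires_at:
        return "Deny:expired-credential"
    ctx = {"aws:MultiFactorAuthPresent": cred.mfa_present,
           "aws:SourceVpc": source_vpc, "aws:CurrentTime": now}
    return evaluate(POLICY, cred.principal_arn, action, resource, ctx)

# Constructed scenario inputs used by the demo below.
NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)
OBJ = "arn:aws:s3:::example-bucket/report.csv"
CRED = SessionCredential(ROLE, True, NOW + timedelta(hours=1))
NO_MFA = SessionCredential(ROLE, False, NOW + timedelta(hours=1))
EXPIRED = SessionCredential(ROLE, True, NOW - timedelta(minutes=1))
AFTER_WINDOW = NOW + timedelta(days=1)
LATE_CRED = SessionCredential(ROLE, True, AFTER_WINDOW + timedelta(hours=1))

if __name__ == "__main__":
    for label, res in [("read, all conditions met", authorize(CRED, "s3:GetObject", OBJ, "vpc-0abc123", NOW)),
                       ("read, wrong VPC", authorize(CRED, "s3:GetObject", OBJ, "vpc-other", NOW)),
                       ("delete, all conditions met", authorize(CRED, "s3:DeleteObject", OBJ, "vpc-0abc123", NOW))]:
        print(f"{label}: {res}")
```

The order of checks is the point: the credential's own expiry is enforced first, then the explicit Deny is evaluated regardless of how many Allows match, and an Allow only applies when every condition key is present and satisfied. A missing context key (for example no MFA claim at all) is treated as a failed condition, not as a pass.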

Authentication vs authorization

                  Authentication                Authorization
Question          Who are you?                  What may you do?
Examples          MFA login, OAuth, mTLS        RBAC, ABAC, IAM policies
Failure mode      Stolen session / credential   IDOR, privilege escalation

Authenticate once per session or token lifetime; authorize every sensitive action. Log both identity and decision outcome for audit.
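The following block is an added example, not code from the original page: it authenticates once per session token, authorizes every sensitive action against the specific resource requested (so a valid user cannot read another user's document by changing an id), and records both the identity and the decision outcome. The HMAC-signed token format, the in-memory document store, the role table and the audit list are constructed stand-ins so the example runs offline; they are not any real framework's API.

```python
"""Added example, not from the original page: authenticate once per session token, then
authorize every sensitive action against the specific resource, and record identity plus
decision for audit. The HMAC-signed token, document store, roles and audit list are
constructed stand-ins so the example runs offline; they are not a real framework's API."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # in production: from a secret store, rotated
DOCS = {"doc-1": {"owner": "alice"}, "doc-2": {"owner": "bob"}}  # constructed
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"admin"}}   # constructed
AUDIT = []  # constructed in-memory audit sink

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(subject, ttl_s=3600, now=None):
    """Session token: base64(JSON payload).base64(HMAC-SHA256 over the payload)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "exp": int(now + ttl_s)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def authenticate(token, now=None):
    """'Who are you?' Verifies signature and expiry once; returns the subject or None."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return None  # tampered or forged token
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= now:
        return None  # expired token
    return payload["sub"]

def authorize(subject, action, doc_id):
    """'What may you do?' Checked per action and per resource, never once per session.
    Ownership is compared against the requested doc_id, which is what blocks IDOR."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return False
    if "admin" in ROLES.get(subject, set()):
        return True
    if action in ("read", "update"):
        return doc["owner"] == subject
    return False  # delete and any unknown action: deny by default for non-admins

def handle_request(token, action, doc_id, now=None):
    """Returns an HTTP-style status: 401 authn failed, 403 authz denied, 200 allowed."""
    subject = authenticate(token, now)
    if subject is None:
        AUDIT.append({"subject": None, "action": action, "resource": doc_id,
                      "decision": "deny", "reason": "authentication_failed"})
        return 401
    allowed = authorize(subject, action, doc_id)
    AUDIT.append({"subject": subject, "action": action, "resource": doc_id,
                  "decision": "allow" if allowed else "deny", "reason": "policy"})
    return 200 if allowed else 403  # 403 for unknown docs too, so existence is not leaked

if __name__ == "__main__":
    t = issue_token("alice")
    print(handle_request(t, "read", "doc-1"), handle_request(t, "read", "doc-2"))
    print(AUDIT[-1])
```

Note that a successful authentication never short-circuits authorization: the same valid token is accepted for doc-1 and rejected for doc-2, and both outcomes land in the audit record with the subject attached, which is what lets a detection team distinguish credential theft (many 401s, or a subject acting from an unusual place) from an IDOR probe (one subject, many 403s across ids).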

Zero Trust overview

Never assume trust based on network location alone; verify explicitly, use least privilege, and assume breach.

  • Strong identity for users and machines
  • Device posture signals where available
  • Micro-segmentation and encrypted transport
  • Continuous monitoring and automated response