SFC: DevOps & Infrastructure | Security Alliance — Security Checklist

CI/CD security, infrastructure hardening, secrets management, and deployment controls.
Org:
Owner:
Date:

1. Governance & Development Environment

  • DevOps Security Owner
    Is there a clearly designated person or team accountable for development and infrastructure security?
  • DevOps Security Policy
    Do you maintain documented security policies governing development and infrastructure operations?
  • Development Environment Isolation
    Do you isolate development environments from production systems?
  • Development Tools Approval
    Do you evaluate and approve development tools before organizational use?
Notes:

2. Source Code & Supply Chain Security

  • Repository Security
    Do you enforce security controls on your source code repositories?
  • Secret Scanning
    Do you scan source code for accidentally committed secrets?
  • External Contributor Review
    Do you apply enhanced review for code contributions from external collaborators?
  • Dependency and Supply Chain Security
    Do you verify and manage dependencies to prevent supply chain attacks?
Notes:

3. CI/CD Pipeline Security

  • Pipeline Security Controls
    Do you control who can modify and execute your deployment pipelines?
  • Secrets Management
    Do you securely manage secrets used in pipelines and applications?
  • Security Testing Integration
    Do you integrate security testing into your development and deployment pipelines?
Notes:

4. Infrastructure & Cloud Security

  • Infrastructure as Code
    Do you manage infrastructure through code with version control and review?
  • Infrastructure Access Controls
    Do you enforce least-privilege access controls for infrastructure?
  • Backup and Disaster Recovery
    Do you maintain backup and disaster recovery procedures with periodic testing?
  • Cloud Security Monitoring
    Do you monitor cloud security configurations and respond to provider security notifications?
Notes: