Page 88 - GiGW3

5. Guidelines
associated with each pod).

(x) Check the code – Scan the code and use static analysis to ensure automation security. Source code must be scanned for all application code in Kubernetes to identify vulnerabilities and hard-coded errors.

(y) Use RBAC policies based on the principle of least privilege – Role-based access control (RBAC) helps manage access policies at a granular level to protect resources. A centralised authentication and authorization system, such as single sign-on throughout the organisation, makes onboarding and offboarding easier.
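A check of the kind item (y) calls for, given here as an added example that is not part of GIGW: a small Python linter over Kubernetes RBAC objects (supplied as already-parsed manifests, with the sample objects constructed for this illustration) that flags wildcard grants, privilege-escalation verbs, Secret reads and cluster-admin or everyone-on-the-cluster bindings.

```python
# Least-privilege lint for Kubernetes RBAC objects (added example, not GIGW text).
# Objects are already-parsed manifests (dicts), so no YAML library is needed.
from typing import Dict, List

# Verbs that let a subject widen its own permissions; treat as high risk.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Built-in groups/users that would hand a binding to everyone on the cluster.
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}


def lint_rbac(objects: List[Dict]) -> List[str]:
    """Return one finding string per least-privilege violation found."""
    findings: List[str] = []
    for obj in objects:
        kind = obj.get("kind", "")
        ident = f"{kind}/{obj.get('metadata', {}).get('name', '<unnamed>')}"
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                verbs = set(rule.get("verbs", []))
                resources = set(rule.get("resources", []))
                if "*" in verbs and "*" in resources:
                    findings.append(f"{ident}: wildcard verbs on wildcard resources (effectively admin)")
                elif "*" in verbs:
                    findings.append(f"{ident}: wildcard verbs on {sorted(resources)}")
                if verbs & ESCALATION_VERBS:
                    findings.append(f"{ident}: grants {sorted(verbs & ESCALATION_VERBS)}")
                if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
                    findings.append(f"{ident}: can read Secret objects")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            subjects = obj.get("subjects", [])
            if obj.get("roleRef", {}).get("name") == "cluster-admin":
                findings.append(f"{ident}: binds cluster-admin to {[s.get('name') for s in subjects]}")
            for s in subjects:
                if s.get("name") in BROAD_SUBJECTS:
                    findings.append(f"{ident}: grants access to {s['name']} (every user)")
    return findings


# Constructed sample objects: an over-broad ClusterRole, a cluster-admin binding,
# and a least-privilege Role that should produce no finding.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "Role", "metadata": {"name": "web-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
]
```

Running `lint_rbac(SAMPLE_OBJECTS)` reports the two over-broad objects and nothing for the namespaced read-only Role; the same function can be fed the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` after parsing.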



Developer action: The following activities are to be ensured by the developer, which in this case means the system administrator and/or DevOps:

(a) Restrict admin access, implement the principle of least privilege, and disable unnecessary accounts and privileges;
(b) Disable all unnecessary ports opened on the web server, i.e., deny all access by default;
(c) Remove default, temporary or guest accounts from the web server; and
(d) Change the default login credentials and implement strong password enforcement with a password expiration policy on the web server.

    Note: With so many websites/apps, databases and programs needing passwords, it is hard to keep track, and many people end up reusing the same password everywhere so that they can remember their login information. This is a significant security mistake. Create a unique password for every new login; make it complicated, random and difficult to guess, and store it outside the website directory. For example, a 14-character combination of letters and numbers may be used as a password and stored in an offline file, a smartphone, or a different computer. When the CMS prompts the user to log in, the user must choose a smart password that contains no personal information: not a birthday or a pet's name, and nothing guessable. The password may be changed every three months or sooner. Smart passwords are long, at least 12 characters, and include symbols as well as numbers and letters; uppercase and lowercase letters may be alternated. The same password should not be reused, nor should it be shared with others. System administrators should ensure that organisation employees change their passwords frequently.

(e) Whitelist the application in use and disable unused features or modules.
(f) Use Secure FTP (SFTP) to transfer files over an encrypted channel.
(g) Disable Hypertext Transfer Protocol (HTTP) and enforce Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS). To keep a website safe, it needs a secure URL. If a




