DevSecOps Pre-Launch Checklist · 62 items

A working list of what attackers look for before they get in. No opinions. No "enterprise agile synergy." Every item is something we’ve found broken in a real pentest.

Score 0 / 62

[········································]

— unstarted —

01.

Identity & access

7 items

01.1 Root / admin access requires MFA (TOTP or WebAuthn) 01.2 No long-lived human API keys in production 01.3 Service accounts follow least-privilege IAM 01.4 Zero shared accounts between humans 01.5 SSO enforced for admin consoles (IdP-backed) 01.6 Access reviews performed quarterly 01.7 Offboarding revokes all credentials within 24h

02.

Network

7 items

02.1 Firewall default-deny; only required ports ingress 02.2 Internal services not bound to public interfaces 02.3 SSH key-only auth (no passwords) 02.4 SSH access via bastion / jump host only 02.5 Separate VPC / subnets per tier (web / app / data) 02.6 VPN or Zero-Trust proxy for admin access 02.7 DDoS protection (CDN / WAF) on public endpoints

03.

Secrets & keys

6 items

03.1 Secrets stored in a vault (Vault / AWS SM / SOPS) 03.2 No secrets in git history (verified with gitleaks) 03.3 No secrets in CI logs or build artifacts 03.4 API keys auto-rotated on schedule 03.5 Secret access is audit-logged 03.6 Developer machines do not hold production secrets

04.

Data

7 items

04.1 Encryption at rest (AES-256-GCM or stronger) 04.2 TLS 1.3 in transit (1.2 minimum) 04.3 Tenant isolation enforced at API layer, not just DB 04.4 PII masked in logs and delivery reports 04.5 Backups encrypted + restore tested within last 90d 04.6 Data retention policy documented and enforced 04.7 Database credentials rotate without downtime

05.

Application

10 items

05.1 Input validation on every public endpoint 05.2 Rate limiting per account AND per IP 05.3 CSRF protection on state-changing endpoints 05.4 CSP header with nonce or strict-dynamic 05.5 HSTS with preload, min-age ≥ 1 year 05.6 X-Frame-Options / X-Content-Type-Options set 05.7 Dependencies scanned for CVEs (weekly minimum) 05.8 No known-vulnerable versions shipped to prod 05.9 File uploads validated, scanned, stored off-host 05.10 Broken access control tested (IDOR, privilege escalation)

06.

CI / CD

7 items

06.1 Branch protection on main / release branches 06.2 Required code review (≥ 2 approvers for prod) 06.3 SAST runs on every pull request 06.4 Container images scanned before deploy 06.5 Signed commits or verified signed artifacts 06.6 Rollback possible in < 5 minutes 06.7 Staging environment mirrors production

07.

Observability

7 items

07.1 Centralized logs (Loki / ELK / CloudWatch) 07.2 Structured logs (JSON with request IDs) 07.3 Request tracing across services 07.4 Metrics dashboard (latency, errors, saturation) 07.5 Alerting on error rate / latency / anomalies 07.6 Logs retained per compliance requirements 07.7 Log storage is tamper-evident

08.

Incident response

6 items

08.1 Incident runbook exists and has been tested 08.2 On-call rotation with paging system 08.3 Post-mortem template + blameless culture 08.4 Dedicated incident channel (not main Slack) 08.5 Contact list for vendors, legal, regulators 08.6 Backup owner for every single-person role

09.

Adversarial

5 items

09.1 External pentest within last 12 months 09.2 Public security.txt + responsible disclosure page 09.3 Bug bounty or private disclosure program 09.4 Phishing simulation for employees 09.5 Red-team exercise at least annually

Email me the PDF

Drop your email and we’ll send you a link to this page — open it anytime, print it as PDF, or forward it to whoever owns infra at your company.

Production readiness.— in 62 checks.

Identity & access

Network

Secrets & keys

Data

Application

CI / CD

Observability

Incident response

Adversarial

Email me the PDF

Production readiness.
— in 62 checks.