DevSecOps Pre-Launch Checklist · 62 items

A working list of the things attackers probe before they get in. No opinions, no "enterprise agile synergy." Every item came out of a real pentest finding — the stuff we found broken when we got paid to break in.

Identity & access

0 / 7

01.1 Root / admin access requires MFA (TOTP or WebAuthn) 01.2 No long-lived human API keys in production 01.3 Service accounts follow least-privilege IAM 01.4 Zero shared accounts between humans 01.5 SSO enforced for admin consoles (IdP-backed) 01.6 Access reviews performed quarterly 01.7 Offboarding revokes all credentials within 24h

Network

0 / 7

02.1 Firewall default-deny; only required ports ingress 02.2 Internal services not bound to public interfaces 02.3 SSH key-only auth (no passwords) 02.4 SSH access via bastion / jump host only 02.5 Separate VPC / subnets per tier (web / app / data) 02.6 VPN or Zero-Trust proxy for admin access 02.7 DDoS protection (CDN / WAF) on public endpoints

Secrets & keys

0 / 6

03.1 Secrets stored in a vault (Vault / AWS SM / SOPS) 03.2 No secrets in git history (verified with gitleaks) 03.3 No secrets in CI logs or build artifacts 03.4 API keys auto-rotated on schedule 03.5 Secret access is audit-logged 03.6 Developer machines do not hold production secrets

Data

0 / 7

04.1 Encryption at rest (AES-256-GCM or stronger) 04.2 TLS 1.3 in transit (1.2 minimum) 04.3 Tenant isolation enforced at API layer, not just DB 04.4 PII masked in logs and delivery reports 04.5 Backups encrypted + restore tested within last 90d 04.6 Data retention policy documented and enforced 04.7 Database credentials rotate without downtime

Application

0 / 10

05.1 Input validation on every public endpoint 05.2 Rate limiting per account AND per IP 05.3 CSRF protection on state-changing endpoints 05.4 CSP header with nonce or strict-dynamic 05.5 HSTS with preload, min-age ≥ 1 year 05.6 X-Frame-Options / X-Content-Type-Options set 05.7 Dependencies scanned for CVEs (weekly minimum) 05.8 No known-vulnerable versions shipped to prod 05.9 File uploads validated, scanned, stored off-host 05.10 Broken access control tested (IDOR, privilege escalation)

CI / CD

0 / 7

06.1 Branch protection on main / release branches 06.2 Required code review (≥ 2 approvers for prod) 06.3 SAST runs on every pull request 06.4 Container images scanned before deploy 06.5 Signed commits or verified signed artifacts 06.6 Rollback possible in < 5 minutes 06.7 Staging environment mirrors production

Observability

0 / 7

07.1 Centralized logs (Loki / ELK / CloudWatch) 07.2 Structured logs (JSON with request IDs) 07.3 Request tracing across services 07.4 Metrics dashboard (latency, errors, saturation) 07.5 Alerting on error rate / latency / anomalies 07.6 Logs retained per compliance requirements 07.7 Log storage is tamper-evident

Incident response

0 / 6

08.1 Incident runbook exists and has been tested 08.2 On-call rotation with paging system 08.3 Post-mortem template + blameless culture 08.4 Dedicated incident channel (not main Slack) 08.5 Contact list for vendors, legal, regulators 08.6 Backup owner for every single-person role

Adversarial

0 / 5

09.1 External pentest within last 12 months 09.2 Public security.txt + responsible disclosure page 09.3 Bug bounty or private disclosure program 09.4 Phishing simulation for employees 09.5 Red-team exercise at least annually

TAKE IT WITH YOU

Email me the PDF.

Drop your email and we'll send a link to this page — open it anytime, print to PDF, or forward to whoever owns infra at your company. No drip campaign. No SDR follow-up.

Production readiness, stripped to what attackers look for.

Identity & access

Network

Secrets & keys

Data

Application

CI / CD

Observability

Incident response

Adversarial

Email me the PDF.