Application Deployment Checklist (Linux Systems)
Security of software applications is an important aspect which is often underestimated or ignored at the peril of malicious cyber attacks. The following list is a quick check-list of validations and/or actions to be performed before deploying any enterprise-grade application in Production:
1. Maintain at least three environments for any application build – Dev (Local machine), Test (Virtual machine or any other server) and Prod (AWS EC2 Server, Google Cloud Compute Engine or any other server).
2. Maintain version control for code in a private repository in BitBucket, GitHub, SVN or Google Drive.
3. Ensure that all patches on the production server are up-to-date.
- sudo apt-get update
- sudo apt-get upgrade
4. Monitor CPU and RAM utilization through ‘top’ (or ‘glance’) command.
5. Check free disk space on the server before deployment: df -k .
6. Hardware Security
- Ensure all unnecessary / unused ports are closed.
- Install LetsEncrypt or any other SSL certificate for all applications.
- Disable external ping service.
- Validate that only SSL traffic and SSH traffic are allowed through the firewall (UFW or any other).
- SFTP / FTP access should be disabled unless absolutely necessary.
7) Software / Application Security
- Ensure that SQL injection attacks are properly mitigated through coding best practices.
- All file permissions should be thoroughly checked and access should be restricted wherever possible.
- chmod 400 should be sufficent for credential stores / flat files. Double-check that such files are not publicly accessible.
- Shell scripts should have have permissions set as 550 in most cases. Shell script execution should not be granted to the public under any circumstance.
- An enterprise-grade web server (e.g. NGINX, Apache) should be used in Production and debug mode must be turned off.
- All errors and exceptions should be properly handled within the code.
- Ensure thorough unit testing and load testing of the application before deployment in Production.
- Use a Content Delivery Network (CDN) such as AWS CloudFront, Google Cloud CDN or CloudFlare to enhance site performance and restrict application access based on geographical location (if necessary).
- If any database is running on the same server, ensure that its credentials are well protected. Try to avoid remote access, if possible. Restricting access to localhost is recommended.