Talk:CRV2 SecDepConfig

From OWASP
Jump to: navigation, search

I've put some notes in here for expansion, I realise I'm not down as the author but wanted to share some thoughts. These are sketchy notes atm but will expand.

The aim of the process is to ensure only users with required access have permission to push to production

  • Developer pushes to version control & submits pull request
  • Lead developer performs review process
  • Lead Developer pulls changes to master

Capistrano for automated deployment

  • Create capdeploy user on $evironment with write permissions on relevant directories
  • SSH key authentication only
  • Capistrano cap deploy $environment pushes to correct environment

Comment

Sorry, I missed this comment before adding content, and I had a very different interpretation. Since this is a code review guide, I interpreted "Secure Deployment Configuration" as guidelines for reviewing web application deployment configuration to ensure the deployed configuration is secure. Secure deployment of files to production is of course also important, but I'm not sure it is a code review topic. Of course, we can revert all my additions and I can try to put some content in on authorized deployment to production. --Jerry Kickenson (talk) 22:24, 30 December 2013 (CST)