
Talk:CRV2 SecDepConfig


I've put some notes in here for expansion, I realise I'm not down as the author but wanted to share some thoughts. These are sketchy notes atm but will expand.

The aim of the process is to ensure only users with required access have permission to push to production

  • Developer pushes to version control & submits pull request
  • Lead developer performs review process
  • Lead developer pulls changes to master

Capistrano for automated deployment

  • Create capdeploy user on $environment with write permissions on relevant directories
  • SSH key authentication only
  • Capistrano cap deploy $environment pushes to correct environment
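The "SSH key authentication only" requirement for the capdeploy user is easy to state and easy to get wrong in sshd_config, because a commented-out directive looks like a setting but leaves the OpenSSH default (password logins enabled) in force. The script below is an added example, not part of these notes or of Capistrano: a POSIX sh audit that reads the effective top-level value of each relevant OpenSSH directive (last occurrence wins, Match blocks ignored) and reports whether the host enforces key-only logins. The two sample configurations are constructed for the example; the directive names and defaults are OpenSSH's.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only authentication.
# Assumes OpenSSH directive names and defaults; the sample configs are constructed.

# Print the effective top-level value of an sshd directive.
# $1 = config file, $2 = directive name (matched case-insensitively).
# Lines inside a "Match" block are ignored; commented lines never match
# because their first field starts with '#'.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == key { val = $2 }
        END { print val }' "$1"
}

# Return 0 if the config enforces key-only logins, 1 otherwise.
# Unset directives are evaluated at their OpenSSH defaults (yes for all three).
check_key_only() {
    cfg="$1"; rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    ci=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication is '${pw:-yes (default)}'" >&2; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$pk'" >&2; rc=1; }
    [ "${ci:-yes}" = "no" ] || { echo "ChallengeResponseAuthentication is '${ci:-yes (default)}'" >&2; rc=1; }
    return $rc
}

# Constructed sample: looks locked down but the key directive is commented out.
write_weak_cfg() {
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Constructed sample: key-only logins enforced; the Match block for the
# deploy user is ignored by the top-level check.
write_hardened_cfg() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User capdeploy
    AllowTcpForwarding no
EOF
}
```

Run it against the real file with `check_key_only /etc/ssh/sshd_config` on each $environment host after the capdeploy user is created; a non-zero exit with the offending directive on stderr is the signal to fix the config before the first `cap deploy`.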

Comment

Sorry, I missed this comment before adding content, and I had a very different interpretation. Since this is a code review guide, I interpreted "Secure Deployment Configuration" as guidelines for reviewing web application deployment configuration to ensure the deployed configuration is secure. Secure deployment of files to production is of course also important, but I'm not sure it is a code review topic. Of course, we can revert all my additions and I can try to put some content in on authorized deployment to production. --Jerry Kickenson (talk) 22:24, 30 December 2013 (CST)