By the release phase of the DevSecOps cycle, the application code and executable should already be thoroughly tested. The phase focuses on securing the runtime environment infrastructure by examining environment configuration values such as user access control, network firewall access, and secret data management.
The principle of least privilege (PoLP) is a key concern of the release phase. PoLP means that any user, program, or process, has minimum access to perform its function. This involves auditing API keys and access tokens so that the owners have limited access. Without this audit, an attacker may find a key that has access to unintended areas of the system.
Configuration management tools are a key ingredient for security in the release phase, since they provide visibility into the static configuration of a dynamic infrastructure. The system configuration can then be audited and reviewed. The configuration becomes immutable, and can only be updated through commits to a configuration management repository. Some popular configuration management tools include Ansible, Puppet, HashiCorp Terraform, Chef, and Docker.
The security community provides guidelines and recommendations on best practices for hardening your infrastructure, such as the Center for Internet Security (CIS) benchmarks and NIST configuration checklists.