Security Hardening Checklist
A defense-in-depth hardening pass across identity, network, runtime, and supply chain, led by least-privilege access and backed by image hardening, OWASP application controls, vault-managed secrets, and audit logging. Threat modeling finds gaps systematically.
When to Use This Checklist
Use this checklist before exposing a system to untrusted users, after a security review, or as part of a periodic hardening cycle. Hardening is about systematically shrinking the attack surface across every layer: identity, network, runtime, and the software supply chain. No single control is sufficient; defense in depth is the goal.
How to Use This Checklist
Work outward from identity. Least privilege is the highest-leverage control: most serious breaches escalate through over-broad permissions, so removing standing admin rights and wildcard policies pays off immediately. Then secure data in transit and at rest, lock down the network with segmentation, and harden the runtime by running minimal, non-root container images under pod security restrictions.
Do not stop at infrastructure. Application-level controls, validating input, encoding output, and setting secure headers, defend against the OWASP Top 10. Finally, treat the supply chain as part of the attack surface: scan dependencies and images, and verify provenance through signing and attestation.
What Good Looks Like
Every identity has only the permissions it needs, and there is no standing admin access. Traffic is encrypted end to end, and the network is segmented so a compromised component cannot reach everything. Container images are minimal, non-root, and scanned, with provenance verified by signatures. Application code defends against injection and other OWASP risks, and secure headers plus a content security policy reduce browser-side attacks. Secrets live in a vault and rotate. Audit logging captures who did what, and there is a real, measured SLA for patching vulnerabilities.
Common Pitfalls
The dominant pitfall is over-provisioned identities: convenient wildcard permissions that become the attacker's highway. Running containers as root with full capabilities is another, turning a contained exploit into host compromise. Teams frequently scan dependencies once and never again, so newly disclosed CVEs go unnoticed. Hardcoded or never-rotated secrets, and audit logging that is enabled but never reviewed, round out the usual gaps.
Related Resources
Anchor hardening in the OWASP Top 10 and ASVS for application risks, the principle of least privilege and CIS Controls for identity and infrastructure, and container image hardening plus pod security standards for runtime. Use STRIDE threat modeling to find the gaps systematically.