SOFSEC1 – Software Security

M7- Deployment and Maintenance

Securing Systems Beyond Development

Prof. Justin Pineda

Mar 2026

Motivation

• Software is most vulnerable after deployment
• Real users + real attackers = real risk
• Poor maintenance = silent failure

​

​

“Which is riskier: bad code or unmaintained code?”

Learning Objectives

By the end, you should be able to:

• Explain secure deployment principles
• Identify risks in production environments
• Apply maintenance and patching strategies

What is Deployment?

Process of releasing software to production

​

Includes:

• Infrastructure setup
• Configuration
• Integration

Transition from controlled → uncontrolled environment

Deployment Environments

• Development
• Testing / QA
• Staging
• Production

​

Key Risk:

❗ Configuration mismatch

Common Deployment Risks

Secure Deployment Principles

• Least privilege
• Secure defaults
• Environment isolation
• Secrets management

Configuration Management

• Standardized configurations
• Version-controlled infrastructure

Secrets Management

Avoid:

• Hardcoded API keys
• Plaintext credentials

​

Use:

• Vaults (e.g., HashiCorp Vault)
• Environment variables

CI/CD and Security

Pipeline includes:

• Build
• Test
• Security scanning
• Deployment

​

Security Integration:

• SAST
• DAST
• SCA

DevOps vs DevSecOps

• DevOps: Speed
• DevSecOps: Speed + Security

​

Shift Left:

• Security early in pipeline

Monitoring in Production

• Logs
• Metrics
• Alerts

​

Examples:

• Failed logins
• Traffic spikes
• Unusual behavior

Logging and Visibility

• Centralized logging
• SIEM integration
• Audit trails

Incident Detection

Detection sources:

• IDS/IPS
• Logs
• User reports

​

Indicators:

• Unauthorized access
• Suspicious activity

Patch Management

• Regular updates
• Fix vulnerabilities
• Reduce attack surface

​

Challenges:

• Downtime
• Compatibility

Maintenance Activities

• Bug fixes
• Performance tuning
• Security updates
• Dependency updates

Technical Debt vs Security Debt

• Technical Debt → affects performance
• Security Debt → affects risk

​

Examples:

• Outdated libraries
• Weak encryption

Real-World Scenario

Scenario:

• App deployed successfully
• Logs disabled
• Patch delayed

​

Result:

• Undetected breach

​

​

Where did the failure occur?

Summary

• Deployment introduces real-world risk
• Misconfiguration is a major threat
• Continuous monitoring is critical
• Maintenance = security lifecycle

Knowledge Check 1

Which is the biggest deployment risk?

A. Code complexity

B. Misconfiguration

C. UI design

D. Documentation

​

Knowledge Check 2

What does DevSecOps emphasize?

​

A. Removing testing

B. Security integration

C. Slower releases

D. Manual processes

Knowledge Check 3

Why is logging important?

A. UI design

B. Debugging only

C. Detection and evidence

D. Storage

​

Knowledge Check 4

What is security debt?

A. Performance issue

B. Design flaw

C. Accumulated risk

D. Coding style

​

Knowledge Check 5

What is the goal of patching?

A. Improve UI

B. Add features

C. Fix vulnerabilities

D. Increase storage

​

Key Takeaways

• Deployment is where systems become exposed
• Security failures are often operational, not technical
• Monitoring + patching = survival
• Secure systems require continuous effort