Slide 35
Practice: Verify Artifacts, Not Just People
The controls around the source, build, and test infrastructure have limited
effect if adversaries can bypass them by deploying directly to production. It is
not sufficient to verify who initiated a deployment, because that actor may
make a mistake or may be intentionally deploying a malicious change.
Instead, deployment environments should verify what is being deployed.
- Building Secure and Reliable Systems, Chapter 14
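
A minimal deploy-time gate illustrating the practice quoted above, as an added example that is not from the slide or the book. It assumes the build service signs a provenance statement for each artifact; HMAC stands in for that signature so the code runs offline, and the key, builder name, repository and helper names are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo values: a real system would use the build service's
# asymmetric signing key; HMAC stands in so the example runs offline.
BUILDER_KEY = b"demo-build-service-key"
POLICY = {"builder": "trusted-builder", "source_repo": "example/frontend"}

def sign_provenance(artifact: bytes, builder: str, source_repo: str, key: bytes):
    """Build side: bind the artifact digest to where and how it was built."""
    statement = json.dumps(
        {"sha256": hashlib.sha256(artifact).hexdigest(),
         "builder": builder, "source_repo": source_repo},
        sort_keys=True).encode()
    return statement, hmac.new(key, statement, hashlib.sha256).hexdigest()

def verify_deployment(artifact: bytes, statement: bytes, signature: str,
                      initiator: str):
    """Deploy side: decide on the artifact; the initiator is only recorded."""
    expected = hmac.new(BUILDER_KEY, statement, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, f"{initiator}: provenance signature invalid"
    claims = json.loads(statement)
    for field, required in POLICY.items():
        if claims.get(field) != required:
            return False, f"{initiator}: {field} {claims.get(field)!r} not allowed"
    if claims.get("sha256") != hashlib.sha256(artifact).hexdigest():
        return False, f"{initiator}: artifact digest does not match provenance"
    return True, f"{initiator}: artifact verified"

def demo():
    good = b"binary built by CI"          # constructed sample artifact
    stmt, sig = sign_provenance(good, "trusted-builder", "example/frontend",
                                BUILDER_KEY)
    results = {
        "ci_artifact": verify_deployment(good, stmt, sig, "alice"),
        # Same authorised person, but a locally modified binary.
        "modified": verify_deployment(good + b"!", stmt, sig, "alice"),
    }
    # Binary signed on a workstation with a key the deploy gate does not trust.
    s2, g2 = sign_provenance(good, "trusted-builder", "example/frontend",
                             b"workstation-key")
    results["untrusted_build"] = verify_deployment(good, s2, g2, "alice")
    return results

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(case, ok, reason)
```

The same authorised initiator appears in all three cases; only the artifact's provenance changes the outcome.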