Michelangelo van Dam has a new post on his site sharing his thoughts on the importance of documentation and how it relates to the overall security posture of a project.
In my previous post I described 10 steps we should take to improve security of web applications. In this article I'm going to describe the purpose of documenting a project and what information should be included.
He starts off with some thoughts on the purpose of documentation, why it can never really be considered complete, and why its structure matters. He offers a few suggestions for an effective structure and for formatting that lets the documentation grow over time without becoming unwieldy. He then comes back around to the security aspect of project documentation: which servers the system runs on, which services are running on them, and which secrets the application depends on (but not the secrets themselves!).
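That last point is easy to state and easy to get wrong: a secrets inventory should name each secret and say what it is for and where it is kept, and someone will eventually paste a real value into it. The following is an added example, not code from van Dam's post, that checks a small inventory for that mistake. The pipe-separated inventory format, the two sample inventories, and the thresholds are all assumptions made for the example; the AWS-style key in the "leaky" sample is a constructed placeholder, not a real credential.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample: a secrets inventory as it might appear in project docs.
# Format assumed for this example: NAME | purpose | where the value lives.
GOOD_INVENTORY = """\
DB_PASSWORD | PostgreSQL application user | AWS Secrets Manager: prod/app/db
STRIPE_API_KEY | payment provider | Vault: secret/payments/stripe
JWT_SIGNING_KEY | session tokens | env var on app servers, rotated quarterly
"""

# Constructed sample where real-looking values were pasted into the docs.
LEAKY_INVENTORY = """\
DB_PASSWORD | PostgreSQL application user | x9Qz7Lm2Tr0ub4dorV (ask ops if it stops working)
SMTP_PASSWORD | transactional mail | password: hunter2
AWS_ACCESS_KEY_ID | deploy user | AKIAIOSFODNN7EXAMPLE
TLS_PRIVATE_KEY | ingress certificate | stored in cert-manager
"""

# Well-known credential formats; extend for the services your project uses.
KNOWN_FORMATS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                 # AWS access key id
    re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{16,}\b"),  # Stripe secret key
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key
    re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),        # GitHub token
]
# Someone documenting a value usually labels it; this catches short values
# that the entropy heuristic below would miss.
LABELLED_VALUE = re.compile(r"(?i)\b(value|password|passwd|pwd|token)\s*[:=]\s*\S+")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random secrets score high, words and paths low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret_material(token: str) -> bool:
    """Heuristic: at least 16 chars, mixes letters and digits, high entropy.
    The digit requirement keeps paths such as secret/payments/stripe from firing."""
    if len(token) < 16:
        return False
    if not (re.search(r"[A-Za-z]", token) and re.search(r"\d", token)):
        return False
    return shannon_entropy(token) >= 3.0


@dataclass
class Finding:
    line_no: int
    secret_name: str
    reason: str


def check_inventory(text: str) -> list:
    """Return one Finding per inventory line that appears to contain a secret value."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|")]
        name, rest = fields[0], " ".join(fields[1:])  # the name itself is fine to document
        if LABELLED_VALUE.search(rest):
            findings.append(Finding(line_no, name, "labelled value in description"))
            continue
        if any(p.search(rest) for p in KNOWN_FORMATS):
            findings.append(Finding(line_no, name, "matches a known credential format"))
            continue
        for token in rest.split():
            if looks_like_secret_material(token):
                findings.append(Finding(line_no, name, f"high-entropy token {token[:4]}..."))
                break
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_INVENTORY), ("leaky", LEAKY_INVENTORY)):
        print(label, [(f.line_no, f.secret_name, f.reason) for f in check_inventory(doc)])
```

Run against the "good" inventory it reports nothing; against the "leaky" one it flags the first three lines (a high-entropy token, a labelled value, and a known key format) while leaving the line that merely says where the TLS key is stored alone. A check like this belongs in the same CI job that lints the documentation, so a leaked value fails the build before it is published.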
He finishes up the post by covering various tools that can automate parts of the project, keep it well structured, and make it easier to keep the running system in sync with its documentation.