4

I read about application threat modeling, which makes a software product secure from its initial stages (SDLC). But if we do something wrong in the deployment phase, that will still be an issue.

For example, a sysadmin opens a port in the firewall that isn't required by the product.

So is there a methodology that we can use to identify deployment-time threats?

S.L. Barth
Thilina

3 Answers

3

Typically what you would do here is integrate some form of testing procedure into your deployment or post-deployment process.

This could be as lightweight as a simple port scan, which could identify ports left open inadvertently, or as large as a full 3rd party security assessment (aka penetration test) where you contract a 3rd party to review the security of the deployed system.

Rory McCune
  • Thanks for the reply. I will try to start from the smallest things first, like running existing tests against the deployment. – Thilina Aug 12 '15 at 05:16
3

The biggest thing you want to do is to understand and then communicate what your expectations are. If your security model forbids opening a firewall port, is that documented? (As an aside, if you expect that you're safe because you're behind a firewall, I suggest rethinking, but I think you're using that as an example.)

You can either document in a 'security operations guide' or in code, for example, a script "check_security" or a cloud scanner to validate. Both have their uses, and a guide can be a good way to document and discuss your expectations, while code scales better.

Once you have a set of crisp expectations, there are lots of ways to validate those.

Adam Shostack
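One way to express such expectations in code, as an added example that is not part of the answer above or of any project: a `check_security` script that compares the listening TCP sockets reported by `ss -H -tln` against a documented policy. The policy, port numbers and sample output are constructed for illustration.

```python
import ipaddress
import subprocess

# Constructed policy for a hypothetical product: port -> allowed exposure.
EXPECTED = {22: "any", 443: "any", 5432: "loopback"}

# Constructed sample of `ss -H -tln` output (header suppressed by -H).
SAMPLE_SS = """\
LISTEN 0 128   0.0.0.0:22    0.0.0.0:*
LISTEN 0 511   0.0.0.0:443   0.0.0.0:*
LISTEN 0 244   0.0.0.0:5432  0.0.0.0:*
LISTEN 0 4096        *:8080        *:*
LISTEN 0 128      [::1]:6379     [::]:*
"""

def parse_listeners(ss_output):
    """Return a set of (address, port) for every LISTEN line."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface suffix.
        listeners.add((addr.strip("[]").split("%")[0], int(port)))
    return listeners

def is_loopback(addr):
    # "*" is the wildcard bind, so it is reachable from outside the host.
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def check_security(ss_output, expected=EXPECTED):
    """Return a list of deviations between the host and the policy."""
    listeners = parse_listeners(ss_output)
    findings = []
    for addr, port in sorted(listeners, key=lambda x: (x[1], x[0])):
        rule = expected.get(port)
        if rule is None:
            findings.append(f"unexpected listener {addr}:{port}")
        elif rule == "loopback" and not is_loopback(addr):
            findings.append(f"port {port} must be loopback-only, bound to {addr}")
    missing = sorted(set(expected) - {p for _, p in listeners})
    return findings + [f"expected port {p} is not listening" for p in missing]

if __name__ == "__main__":
    live = subprocess.run(["ss", "-H", "-tln"], capture_output=True,
                          text=True, check=True).stdout
    problems = check_security(live)
    print("\n".join(problems) or "deployment matches policy")
    raise SystemExit(1 if problems else 0)
```

Run as a post-deployment step, the non-zero exit status fails the pipeline when the host drifts from the documented policy.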
2

Typically, your code would be tested & remediated against vulnerabilities in pre-prod/staging environments before going into production. Yes, not all environments are the same, so some measures I've taken are using Splunk (aka log correlation tools) to monitor deployments and correlating it with web activities for {x} hours after the deployment. This correlation and alerting in Splunk has helped me find unusual traffic and patterns in regards to deployments, i.e. sudden spikes in errors, improper caching causing memory spikes, etc.

There are also tools out there like Contrast Security that provide Runtime Application Self-Protection (RASP). They typically integrate directly into IIS, for example, and block attacks. It's different than IPS or WAF.

avakharia