▶Book Description
DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure.
This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security.
By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.
▶What You Will Learn
⦁ Understand DevSecOps culture and organization
⦁ Learn security requirements, management, and metrics
⦁ Secure your architecture design by looking at threat modeling, coding tools and practices
⦁ Handle most common security issues and explore black and white-box testing tools and practices
⦁ Work with security monitoring toolkits and online fraud detection rules
⦁ Explore GDPR and PII handling case studies to understand the DevSecOps lifecycle
▶Key Features
⦁ Integrate security at each layer of the DevOps pipeline
⦁ Discover security practices to protect your cloud services by detecting fraud and intrusion
⦁ Explore solutions to infrastructure security using DevOps principles
▶Who This Book Is For
Hands-On Security in DevOps is for system administrators, security consultants, and DevOps engineers who want to secure their entire organization. Basic understanding of Cloud computing, automation frameworks, and programming is necessary.
▶What this book covers
⦁ Chapter 1, DevSecOps Drivers and Challenges, we will cover external factors that drive the need for security such as security compliance, regulations, and the market.
⦁ Chapter 2, Security Goals and Metrics, we will discuss security practices from different perspectives based on the OWASP SAMM framework. We will also cover security activities in different roles such as security management, development, QA, and operation teams.
⦁ Chapter 3, Security Assurance Program and Organization, will cover how different organization structures may relate to the execution of a security assurance program. The role, responsibility and relationship of the security team in the organization structure also impact the success execution of a security assurance program. We will discuss these factors by case study.
⦁ Chapter 4, Security Requirements and Compliance, will cover security requirements covering four aspects: the security requirements for each release quality gate, the security requirements for general web applications, the security requirements for big data, and the security requirements for compliance with General Data Protection Regulation (GDPR).
⦁ Chapter 5, Case Study - Security Assurance Program, we will cover two case studies looking at the security assurance program and security practices in the DevOps process. Microsoft SDL and SAMM were introduced to apply to the security assurance program. In addition to the process, the non-technical parts, security training, and culture are also critical to the success of the security program. We will also give an example of how security tools and web security framework can help during the whole DevOps process.
⦁ Chapter 6, Security Architecture and Design Principles, will cover security architecture and design principles. For security architects and developers, building software on a mature security framework will greatly reduce not only security risks with industry best practices but also implementation efforts. Therefore, this chapter introduces the key security elements of a cloud service architecture and some mature security frameworks, which can be applied based on the scenario
⦁ Chapter 7, Threat Modeling Practices and Secure Design, we will cover the importance of the whole team's involvement with threat modeling practices and the STRIDE examples (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege).
⦁ Chapter 8, Secure Coding Best Practices, we will cover secure coding industry best practices, such as CERT, CWE, Android secure coding, OWASP Code Review, and the Apple secure coding guide. Based on those secure coding rules, we will establish secure coding baselines as part of the security policy and release criteria.
⦁ Chapter 9, Case Study - Security and Privacy by Design, we will examine a case study to discuss the implementation of security by design and privacy by design. The case study will show us the common challenges a DevOps team may have to face when applying security practices, and how the security team may help to provide best practices, tools, a security framework, and a training kit.
⦁ Chapter 10, Security-Testing Plan and Practices, will give an overview of a security-testing plan, security-testing domains, and the minimum set of security-testing scope. We will discuss a security testing plan, testing approaches, risk analysis, security domains, and industry practices, to build your security-testing knowledge base. In addition, we will introduce some industry best practices, testing approaches, and security tools, for security testing.
⦁ Chapter 11, Whitebox Testing Tips, will focus on whitebox testing tips. Whitebox code review can be most effective to identify certain specific security issues, such as XXE, deserialization, and SQL injection. However, a whitebox review can be timeconsuming if there are no proper tools or strategies. To have an effective whitebox test, we need to focus on specific coding patterns and high-risk modules. This chapter will give tips, tools, and key coding patterns to identify high-risk security issues.
⦁ Chapter 12, Security Testing Toolkits, we will cover common (but not a comprehensive) set of security testing tools. The major elements of a network that involve security testing include web and mobile connections, configuration, communication, third-party components, and sensitive information. We will look at the testing tips and tools for each element. Furthermore, we will also learn how these tools can be executed both automatically and as tools that are built into continuous integration.
⦁ Chapter 13, Security Automation with the CI Pipeline, will focus on security practices in the development phases, as well as how to integrate tools such as Jenkins into continuous integration. In the development phases, we explored the techniques of using IDE plugins to secure code scanning, and suggested some static code analysis tools. For the build and package delivery, secure compiler configurations and dependency vulnerability checks will also be introduced. Finally, web security automation testing approaches and tips will also be discussed in this chapter.
⦁ Chapter 14, Incident Response, will cover incident responses for a security operation team. We will mainly discuss the key activities in the key phases of the incident response process: preparation, containment, detection, and post-incident analysis. The field of incident response includes how to handle public CVE vulnerability, how to respond to white hat or security attacks, how we evaluate each security issue, the feedback loop to the development team, and the tools or practices we may apply in incident response.
⦁ Chapter 15, Security Monitoring, will cover some security monitoring techniques. The objective of this chapter is to prepare our security monitoring mechanism to protect and prevent our cloud services from being attacked. To be prepared for this, our security monitoring procedures should include logging, monitoring the framework, threat intelligence, and security scanning for malicious programs.
⦁ Chapter 16, Security Assessment for New Releases, we will cover security assessment for new releases in this chapter. Cloud services may have frequent releases and updates. It's a challenge for the development, operations, and security teams to release their work within a short time frame and to finish the minimum required security testing before releases. In this chapter, we will look at the security review policies and the suggested checklist and testing tools for every release. For testing integration, the BDD security framework and other integrated security testing framework will also be introduced in this chapter.
⦁ Chapter 17, Threat Inspection and Intelligence, will cover threat inspection and intelligence. This chapter focuses on how to identify and prevent known and unknown security threats, such as backdoors and injection attacks, using various kinds of log correlation. We will introduce the logs that are needed, how those logs are connected, and the potential symptoms of attacks. Some open source threat detection will be introduced. Finally, we will introduce how to build your own in-house threat intelligence system.
⦁ Chapter 18, Business Fraud and Service Abuses, will cover business fraud and service abuses. Cloud services introduce new types of security risks, such as transaction fraud, account abuses, and promotion code abuses. This online fraud and abuse may result in financial losses or gains, depending on which side of the fence you sit. It will also provide guidelines and rules on how to detect these kinds of behaviors. We will discuss typical technical frameworks and technical approaches needed to build a service abuse prevention or online fraud detection system.
⦁ Chapter 19, GDPR Compliance Case Study, will cover GDPR compliance as a case study to apply to software development. It discusses the GDPR software security requirements it should include in coming releases. We will also explore some practical case studies, such as personal data discovery, data anonymization, cookie consent, data-masking implementation, and web privacy status.
⦁ Chapter 20, DevSecOps - Challenges, Tips, and FAQs, will cover some hands-on tips, challenges, and FAQs based on a functional roles perspective.
