book

DevOpsSec

by Jim Bird

June 2016

Intermediate to advanced

85 pages

1h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Introduction
Speed: The Velocity of DeliveryWhere’s the Design?Eliminating Waste and DelaysIt’s in the CloudMicroservicesContainersSeparation of Duties in DevOpsChange Control
Shift Security LeftOWASP Proactive ControlsSecure by DefaultMaking Security Self-ServiceUsing Infrastructure as CodeIterative, Incremental Change to Contain RisksUse the Speed of Continuous Delivery to Your AdvantageThe Honeymoon Effect
Continuous DeliveryContinuous Delivery at London Multi-Asset ExchangeInjecting Security into Continuous DeliveryPrecommitCommit Stage (Continuous Integration)Acceptance StageProduction Deployment and Post-DeploymentSecure Design in DevOpsRisk Assessments and Lightweight Threat ModelingSecuring Your Software Supply ChainWriting Secure Code in Continuous DeliveryUsing Code Reviews for SecurityWhat About Pair Programming?SAST: in IDE, in Continuous Integration/Continuous DeliverySecurity Testing in Continuous DeliveryDynamic Scanning (DAST)Fuzzing and Continuous DeliverySecurity in Unit and Integration TestingAutomated AttacksPen Testing and Bug BountiesVulnerability ManagementSecuring the InfrastructureAutomated Configuration ManagementSecuring Your Continuous Delivery PipelineSecurity in ProductionRuntime Checks and MonkeysSituational Awareness and Attack-Driven DefenseRuntime DefenseLearning from Failure: Game Days, Red Teaming, and Blameless PostmortemsSecurity at Netflix
Defining Policies UpfrontAutomated Gates and ChecksManaging Changes in Continuous DeliverySeparation of Duties in the DevOps Audit ToolkitUsing the Audit Defense ToolkitCode Instead of Paperwork

Content preview from DevOpsSec

Chapter 1. DevOpsSec: Delivering Secure Software through Continuous Delivery

Introduction

Some people see DevOps as another fad, the newest new-thing overhyped by Silicon Valley and by enterprise vendors trying to stay relevant. But others believe it is an authentically disruptive force that is radically changing the way that we design, deliver, and operate systems.

In the same way that Agile and Test-Driven Development (TDD) and Continuous Integration has changed the way that we write code and manage projects and product development, DevOps and Infrastructure as Code and Continuous Delivery is changing IT service delivery and operations. And just as Scrum and XP have replaced CMMi and Waterfall, DevOps is replacing ITIL as the preferred way to manage IT.

DevOps organizations are breaking down the organizational silos between the people who design and build systems and the people who run them—silos that were put up because of ITIL and COBIT to improve control and stability but have become an impediment when it comes to delivering value for the organization.

Instead of trying to plan and design everything upfront, DevOps organizations are running continuous experiments and using data from these experiments to drive design and process improvements.

DevOps is finding more effective ways of using the power of automation, taking advantage of new tools such as programmable configuration managers and application release automation to simplify and scale everything from design to build ...