book

DevOpsSec

by Jim Bird

June 2016

Intermediate to advanced

85 pages

1h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Introduction
Speed: The Velocity of DeliveryWhere’s the Design?Eliminating Waste and DelaysIt’s in the CloudMicroservicesContainersSeparation of Duties in DevOpsChange Control
Shift Security LeftOWASP Proactive ControlsSecure by DefaultMaking Security Self-ServiceUsing Infrastructure as CodeIterative, Incremental Change to Contain RisksUse the Speed of Continuous Delivery to Your AdvantageThe Honeymoon Effect
Continuous DeliveryContinuous Delivery at London Multi-Asset ExchangeInjecting Security into Continuous DeliveryPrecommitCommit Stage (Continuous Integration)Acceptance StageProduction Deployment and Post-DeploymentSecure Design in DevOpsRisk Assessments and Lightweight Threat ModelingSecuring Your Software Supply ChainWriting Secure Code in Continuous DeliveryUsing Code Reviews for SecurityWhat About Pair Programming?SAST: in IDE, in Continuous Integration/Continuous DeliverySecurity Testing in Continuous DeliveryDynamic Scanning (DAST)Fuzzing and Continuous DeliverySecurity in Unit and Integration TestingAutomated AttacksPen Testing and Bug BountiesVulnerability ManagementSecuring the InfrastructureAutomated Configuration ManagementSecuring Your Continuous Delivery PipelineSecurity in ProductionRuntime Checks and MonkeysSituational Awareness and Attack-Driven DefenseRuntime DefenseLearning from Failure: Game Days, Red Teaming, and Blameless PostmortemsSecurity at Netflix
Defining Policies UpfrontAutomated Gates and ChecksManaging Changes in Continuous DeliverySeparation of Duties in the DevOps Audit ToolkitUsing the Audit Defense ToolkitCode Instead of Paperwork

Content preview from DevOpsSec

Chapter 2. Security and Compliance Challenges and Constraints in DevOps

Let’s begin by looking at the major security and compliance challenges and constraints for DevOps.

Speed: The Velocity of Delivery

The velocity of change in IT continues to increase. This became a serious challenge for security and compliance with Agile development teams delivering working software in one- or two-week sprints. But the speed at which some DevOps shops initiate and deliver changes boggles the mind. Organizations like Etsy are pushing changes to production 50 or more times each day. Amazon has thousands of small (“two pizza”) engineering teams working independently and continuously deploying changes across their infrastructure. In 2014, Amazon deployed 50 million changes: that’s more than one change deployed every second of every day.¹

So much change so fast...

How can security possibly keep up with this rate of change? How can they understand the risks, and what can they do to manage them when there is no time to do pen testing or audits, and no place to put in control gates, and you can’t even try to add a security sprint or a hardening sprint in before the system is released to production?

Where’s the Design?

DevOps builds on Agile development practices and extends Agile ideas and practices from development into operations.

A challenge for many security teams already working in Agile environments is that developers spend much less time upfront on design. The Agile manifesto emphasizes “working ...