book

DevOpsSec

by Jim Bird

June 2016

Intermediate to advanced

85 pages

1h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Introduction
Speed: The Velocity of DeliveryWhere’s the Design?Eliminating Waste and DelaysIt’s in the CloudMicroservicesContainersSeparation of Duties in DevOpsChange Control
Shift Security LeftOWASP Proactive ControlsSecure by DefaultMaking Security Self-ServiceUsing Infrastructure as CodeIterative, Incremental Change to Contain RisksUse the Speed of Continuous Delivery to Your AdvantageThe Honeymoon Effect
Continuous DeliveryContinuous Delivery at London Multi-Asset ExchangeInjecting Security into Continuous DeliveryPrecommitCommit Stage (Continuous Integration)Acceptance StageProduction Deployment and Post-DeploymentSecure Design in DevOpsRisk Assessments and Lightweight Threat ModelingSecuring Your Software Supply ChainWriting Secure Code in Continuous DeliveryUsing Code Reviews for SecurityWhat About Pair Programming?SAST: in IDE, in Continuous Integration/Continuous DeliverySecurity Testing in Continuous DeliveryDynamic Scanning (DAST)Fuzzing and Continuous DeliverySecurity in Unit and Integration TestingAutomated AttacksPen Testing and Bug BountiesVulnerability ManagementSecuring the InfrastructureAutomated Configuration ManagementSecuring Your Continuous Delivery PipelineSecurity in ProductionRuntime Checks and MonkeysSituational Awareness and Attack-Driven DefenseRuntime DefenseLearning from Failure: Game Days, Red Teaming, and Blameless PostmortemsSecurity at Netflix
Defining Policies UpfrontAutomated Gates and ChecksManaging Changes in Continuous DeliverySeparation of Duties in the DevOps Audit ToolkitUsing the Audit Defense ToolkitCode Instead of Paperwork

Content preview from DevOpsSec

Chapter 3. Keys to Injecting Security into DevOps

Now let’s look at how to solve these problems and challenges, and how you can wire security and compliance into DevOps.

Building Security into DevOps: Etsy’s Story

Etsy, a successful online crafts marketplace, is famous for its Continuous Deployment model, where engineers (and managers and even pets) push changes out 50 times or more every day. It is also known for its blameless, “Just Culture,” in which engineers are taught to embrace failure, as long as they learn from their mistakes.

Etsy’s security culture is built on top of its engineering culture and connects with the wider culture of the organization. Some of its driving principles are:

Trust people to do the right thing, but still verify. Rely on code reviews and testing and secure defaults and training to prevent or catch mistakes. And if mistakes happen in production, run postmortems to examine and understand what happened and how to fix things at the source.
“If it Moves, Graph it.” Make data visible to everyone so that everyone can understand and act on it, including information about security risks, threats, and attacks.
“Just Ship It.” Every engineer can push to production at any time. This includes security engineers. If something is broken and you can fix it, fix it and ship the fix out right away. Security engineers don’t throw problems over the wall to dev or ops if they don’t have to. They work with other teams to understand problems and get them fixed, or ...