Chapter 6. Conclusion: Building a Secure DevOps Capability and Culture
DevOps—its culture, its process frameworks and workflows, its emphasis on automation and feedback—can all be used to improve your security program.
You can look to leaders like Etsy, Netflix, Amazon, and Google for examples of how you can do this successfully. Or the London Multi-Asset Exchange, or Capital One, or Intuit, or E*Trade, or the United States Department of Homeland Security. The list is growing.
These organizations have all found ways to balance security and compliance with speed of delivery, and to build protection into their platforms and pipelines.
They’ve done this—and you can do this—by using Continuous Delivery as a control structure for securing software delivery and enforcing compliance policies; securing the runtime through Infrastructure as Code; making security part of the feedback loops and improvement cycles in DevOps; building on DevOps culture and values; and extending this to embrace security.
Pick a place to begin. Start by fixing an important problem or addressing an important risk. Or start with something simple, where you can achieve a quick win and build momentum.
Implementing Software Component Analysis to automatically create a bill of materials for a system could be an easy win. This lets you identify and resolve risks in third-party components early in the SDLC, without directly affecting development workflows or slowing delivery.
Securing the Continuous Delivery pipeline ...