
Hands-On Security in DevOps


Protect your organization's security at all levels by introducing the latest strategies for securing DevOps

Key Features

  • Integrate security at each layer of the DevOps pipeline
  • Discover security practices to protect your cloud services by detecting fraud and intrusion
  • Explore solutions to infrastructure security using DevOps principles

Book Description

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization's security at every level, rather than just focusing on protecting your infrastructure.

This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you'll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security.

By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.

What you will learn

  • Understand DevSecOps culture and organization
  • Learn security requirements, management, and metrics
  • Secure your architecture design by looking at threat modeling, coding tools, and practices
  • Handle the most common security issues and explore black-box and white-box testing tools and practices
  • Work with security monitoring toolkits and online fraud detection rules
  • Explore GDPR and PII handling case studies to understand the DevSecOps lifecycle

Who this book is for

Hands-On Security in DevOps is for system administrators, security consultants, and DevOps engineers who want to secure their entire organization. A basic understanding of cloud computing, automation frameworks, and programming is necessary.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Security in DevOps
  3. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  4. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  6. DevSecOps Drivers and Challenges
    1. Security compliance
      1. ISO 27001
      2. ISO 27017 and ISO 27018
      3. Cloud Security Alliance (CSA)
      4. Federal Information Processing Standards (FIPS)
      5. Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure
      6. National Checklist Program (NCP) repository
      7. OpenSCAP tools
    2. Legal and security compliance
    3. New technology (third-party, cloud, containers, and virtualization)
      1. Virtualization
      2. Dockers
      3. Infrastructure as Code (IaC)
    4. Cloud services hacks/abuse
      1. Case study – products on sale
        1. What do hackers do?
    5. Rapid release
    6. Summary
    7. Questions
    8. Further reading
  7. Security Goals and Metrics
    1. Organization goal
      1. Strategy and metrics
      2. Policy and compliance
      3. Education and guidance
    2. Development goal/metrics
      1. Threat assessment
      2. Threat assessment for GDPR
      3. Deliverables and development team self-assessment
      4. Security requirements
    3. QA goal/metrics
      1. Design review
      2. Implementation review
        1. Third-party components
        2. IDE-plugin code review
        3. Static code review
        4. Target code review
      3. Security testing
    4. Operation goal/metrics
      1. Issue management
      2. Environment hardening
        1. Secure configuration baseline
        2. Constant monitoring mechanism
      3. Operational enablement
        1. Code signing for application deployment
        2. Application communication ports matrix
        3. Application configurations
    5. Summary
    6. Questions
    7. Further reading
  8. Security Assurance Program and Organization
    1. Security assurance program
      1. SDL (Security Development Lifecycle)
      2. OWASP SAMM
      3. Security guidelines and processes
    2. Security growth with business
      1. Stage 1 – basic security control
      2. Stage 2 – building a security testing team
      3. Stage 3 – SDL activities
      4. Stage 4 – self-build security services
      5. Stage 5 – big data security analysis and automation
    3. Role of a security team in an organization
      1. Security office under a CTO
      2. Dedicated security team
    4. Case study – a matrix, functional, or taskforce structure
      1. Security resource pool
      2. Security technical committee (taskforce)
    5. Summary
    6. Questions
    7. Further reading
  9. Security Requirements and Compliance
    1. Security requirements for the release gate
      1. Release gate examples
      2. Common Vulnerability Scoring System (CVSS)
    2. Security requirements for web applications
      1. OWASP Application Security Verification Standard (ASVS)
      2. Security knowledge portal
    3. Security requirements for big data
      1. Big data security requirements
      2. Big data technical security frameworks
    4. Privacy requirements for GDPR
      1. Privacy Impact Assessment (PIA)
      2. Privacy data attributes
      3. Example of a data flow assessment
      4. GDPR security requirements for data processor and controller
    5. Summary
    6. Questions
    7. Further reading
  10. Case Study - Security Assurance Program
    1. Security assurance program case study
      1. Microsoft SDL and SAMM
    2. Security training and awareness
    3. Security culture
    4. Web security frameworks
    5. Baking security into DevOps
    6. Summary
    7. Questions
    8. Further reading
  11. Security Architecture and Design Principles
    1. Security architecture design principles
      1. Cloud service security architecture reference
    2. Security framework
      1. Java web security framework
      2. Non-Java web security frameworks
    3. Web readiness for privacy protection
    4. Login protection
    5. Cryptographic modules
    6. Input validation and sanitization
    7. Data masking
    8. Data governance – Apache Ranger and Atlas
    9. Third-party open source management
    10. Summary
    11. Questions
    12. Further reading
  12. Threat Modeling Practices and Secure Design
    1. Threat modeling practices
    2. Threat modeling with STRIDE
    3. Diagram designer tool
    4. Card games
    5. Threat library references
    6. Case study – formal documents or not?
    7. Secure design
    8. Summary
    9. Questions
    10. Further reading
  13. Secure Coding Best Practices
    1. Secure coding industry best practices
    2. Establishing secure coding baselines
    3. Secure coding awareness training
    4. Tool evaluation
    5. Tool optimization
    6. High-risk module review
    7. Manual code review tools
    8. Secure code scanning tools
    9. Secure compiling
    10. Common issues in practice
    11. Summary
    12. Questions
    13. Further reading
  14. Case Study - Security and Privacy by Design
    1. Case study background
    2. Secure architecture review
      1. Authentication
      2. Authorization
      3. Session management
      4. Data input/output
    3. Privacy by design
    4. Summary of security and privacy frameworks
    5. Third-party component management
    6. Summary
    7. Questions
    8. Further reading
  15. Security-Testing Plan and Practices
    1. Security-testing knowledge kit
    2. Security-testing plan templates
      1. Security-testing objective
      2. Security-testing baseline
      3. Security-testing environment
      4. Testing strategy
      5. High-risk modules
      6. Recommended security-testing tools
    3. Web security testing
    4. Privacy
    5. Security-testing domains
    6. Thinking like a hacker
      1. Exploits and CVE
      2. Hacker techniques
      3. Malware information
    7. Security-training environment
    8. Summary
    9. Questions
    10. Further reading
  16. Whitebox Testing Tips
    1. Whitebox review preparation
    2. Viewing the whole project
    3. High-risk module
    4. Whitebox review checklist
    5. Top common issues
    6. Secure coding patterns and keywords
    7. Case study – Java struts security review
      1. Struts security review approaches
      2. Struts security checklist
      3. Struts security strings search in struts.xml and API
    8. Summary
    9. Questions
    10. Further reading
  17. Security Testing Toolkits
    1. General security testing toolkits
    2. Automation testing criteria
    3. Behavior-driven security testing framework
    4. Android security testing
    5. Securing infrastructure configuration
    6. Docker security scanning
    7. Integrated security tools
    8. Summary
    9. Questions
    10. Further reading
  18. Security Automation with the CI Pipeline
    1. Security in continuous integration
    2. Security practices in development
      1. IDE plugins to automate the code review
      2. Static code analysis
      3. Secure compiler configuration
      4. Dependency check
    3. Web testing in proactive/proxy mode
    4. Web automation testing tips
    5. Security automation in Jenkins
    6. Summary
    7. Questions
    8. Further reading
  19. Incident Response
    1. Security incident response process
      1. Preparation
      2. Detection and analysis
      3. Containment and recovery
      4. Post-incident activity
      5. Security incident response platforms (SIRP)
    2. SOC team
    3. Incident forensics techniques
    4. Summary
    5. Questions
    6. Further reading
  20. Security Monitoring
    1. Logging policy
    2. Security monitoring framework
    3. Source of information
    4. Threat intelligence toolset
    5. Security scanning toolset
    6. Malware behavior matching – YARA
    7. Summary
    8. Questions
    9. Further reading
  21. Security Assessment for New Releases
    1. Security review policies for releases
    2. Security checklist and tools
    3. BDD security framework
    4. Consolidated testing results
    5. Summary
    6. Questions
    7. Further reading
  22. Threat Inspection and Intelligence
    1. Unknown threat detection
    2. Indicators of compromises
    3. Security analysis using big data frameworks
      1. TheHive
      2. MISP – an Open Source Threat Intelligence Platform
      3. Apache Metron
    4. Summary
    5. Questions
    6. Further reading
  23. Business Fraud and Service Abuses
    1. Business fraud and abuses
    2. Business risk detection framework
    3. PCI DSS compliance
    4. Summary
    5. Questions
    6. Further reading
  24. GDPR Compliance Case Study
    1. GDPR security requirement
    2. Case studies
      1. Case 1 – personal data discovery
      2. Case 2 – database anonymization
      3. Case 3 – cookie consent
      4. Case 4 – data-masking library for implementation
      5. Case 5 – evaluating website privacy status
    3. Summary
    4. Questions
    5. Further reading
  25. DevSecOps - Challenges, Tips, and FAQs
    1. DevSecOps for security management
    2. DevSecOps for the development team
    3. DevSecOps for the testing team
    4. DevSecOps for the operations team
    5. Summary
    6. Further reading
  26. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
    17. Chapter 17
    18. Chapter 18
    19. Chapter 19
  27. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think