book

Implementing DevSecOps Practices

Name: Implementing DevSecOps Practices
Author: Vandana Verma Sehgal
ISBN: 9781803231495

by Vandana Verma Sehgal

December 2023

Intermediate to advanced

258 pages

7h 4m

English

Packt Publishing

Read now

Unlock full access

Implementing DevSecOps Practices
Contributors
About the author
About the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1:DevSecOps – What and How?
Chapter 1: Introducing DevSecOps
Product development processesThe Waterfall modelThe Agile methodologyUnderstanding the shift from DevOps to DevSecOpsThe new processes within DevSecOpsDevSecOps maturity levelsMaturity level 1Maturity level 2Maturity level 3Maturity level 4KPIsDevSecOps – the people aspectSummaryThink and act
Part 2: DevSecOps Principles and Processes
Chapter 2: DevSecOps Principles
DevSecOps principlesUnifying the CI/CD pipelineFail fastAutomation and innovation in DevSecOpsIntroducing compliance checksEmpowering teams to make decisionsCross-skilling and educating teams and the cultural aspect approachProper documentationRelevant checkpointsBuilding and managing secure Dev environments and toolchainsChallenges within the DevSecOps pipeline that principles can resolveContinuous application changesThe developer knowledge gapLack of AppSec tool integrationSummary
Chapter 3: Understanding the Security Posture
Understanding your security postureRegular meetingsManaging pipelinesTesting pipelinesTools involved in pipelinesWhy and what measures we take to secure the environmentBuilding the vulnerabilities inventoryAddressing vulnerabilitiesParameters to define the security postureDiscovering the third-party componentMeasuring the effectiveness of the technologies usedManaging workflowsWhat measures can we take to monitor an environment?A positive way toward the cloud-native worldCloud-native architecturesProvisioning and configuring infrastructureAutomating controlsSecuring the toolchainsWhere does security stand in the whole development process?Compliance and auditMulti-cloud securityMonitoringIncident responseDeveloper toolsVulnerability managementSummary
Chapter 4: Understanding Observability
Why do we need observability?The key functions of observabilityLinking observability with monitoringExploring the monitoring processImplementing observability with monitoringChallenges around observabilityMaking organizations observableSummary

Chapter 5: Understanding Chaos Engineering
Introducing chaos engineeringWhy do we need chaos engineering?Best practices while working with chaos engineeringTechniques involved in chaos engineeringSpecific systems and services that organizations use for chaos engineeringMeasuring the effectiveness of performing chaos engineeringTools involved in chaos engineeringBasic principles of chaos engineeringTeam communication strategies while performing chaos engineering experimentsDeveloping robust chaos engineering practice from failuresChallenges around chaos engineeringHow chaos engineering is different from other testing measuresSummary
Part 3:Technology
Chapter 6: Continuous Integration and Continuous Deployment
What is a CI/CD pipeline?CICD – continuous delivery and continuous deploymentThe benefits of CI/CDAutomating the CI/CD pipelineSource controlAutomated buildsContinuous testingArtifact storingDeployment automationEnvironment consistencyMonitoring and feedbackRollbacksThe importance of a CI/CD pipelineSummary
Chapter 7: Threat Modeling
What is threat modeling?The importance of threat modeling in the software development lifecycleWhy should we perform threat modeling?Threat modeling techniquesIntegrating threat modeling into DevSecOpsPre-development phaseDesign phaseDevelopment phaseTesting phaseDeployment phaseOpen source threat modeling toolsHow threat modeling tools help organizationsReasons some organizations don’t use threat modelingSummary
Chapter 8: Software Composition Analysis (SCA)
What is SCA?How does SCA work?SCA tools and their functionalitiesThe importance of SCAThe benefits of SCASAST versus SCAThe SCA processSCA metricsIntegrating SCA with other security toolsResolving the issues without breaking the buildDetection of security flawsOpen source SCA toolsDiscussing past breachesSummary
Chapter 9: Static Application Security Testing (SAST)
IntroductionWhat is SAST?SAST tools and their functionalitiesIdentifying vulnerabilities early in the development processThe SAST processSAST metricsIntegrating SAST with other security toolsResolving issues without breaking the buildThe benefits of SASTThe limitations of SASTOpen source SAST toolsCase study 1Case study 2Loss due to not following the SAST processSummary
Chapter 10: Infrastructure-as-Code (IaC) Scanning
What is IaC?The importance of IaC scanningIaC toolset functionalitiesAdvantages and disadvantages of IaCIdentifying vulnerabilities using IaCWhat is the IaC process?IaC metricsIaC versus SASTIaC security best practicesIaC in DevSecOpsUnderstanding DevSecOpsThe role of IaC in DevSecOpsThe DevSecOps process with IaCKey benefitsChallenges and mitigationConclusion and future outlookOpen source IaC toolsCase study 1 – the Codecov security incidentCase study 2 – Capital One data breachCase study 3 – Netflix environment improvementSummary
Chapter 11: Dynamic Application Security Testing (DAST)
What is DAST?Advantages and limitations of DASTThe DAST processDAST usage for developersDAST usage for security testersThe importance of DAST in secure development environmentsIncorporating DAST into the application development life cycleAdvanced DAST techniquesChoosing the right DAST toolHow to perform a DAST scan in an organizationIntegrating DAST with other security toolsIncorporating DAST into DevOps processesPrioritizing and remediating vulnerabilitiesComparing DAST with other security testing approachesSASTIASTRASPThe future of DASTSummary
Part 4: Tools
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Techniques used in setting up the programUnderstanding DevSecOpsSetting up the CI/CD pipelineThe technicalities of setting up a CI/CD pipelineImplementing security controlsIdentifying open source security toolsImplementing security policies and proceduresManaging DevSecOps in productionMonitoring and managing the DevSecOps pipeline in productionUsing open source tools for monitoring, logging, and alertingIncorporating continuous compliance and auditing into the pipelineManaging incidents and responding to security breachesThe benefits of the programSummary
Part 5: Governance and an Effective Security Champions Program
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
DevSecOps and its relevance to license complianceThe distinction between traditional licenses and security implicationsSource code accessModification and redistributionCommunity oversightVendor dependencyCost and resource allocationDifferent types of software licensesPermissive licenses (MIT, Apache)Copyleft licenses (GPL, LGPL)Proprietary licensesThe impact of software licenses on the DevSecOps pipelineHow to perform license reviewsTools and techniquesEngaging legal and security teamsDocumentation and continuous improvementFine-tuning policies associated with licensesEstablishing an organizational standardException handlingContinuous review and improvementCase studiesCase study 1 – the Redis licensing changeCase study 2 – Elastic versus AWS licensing dramaSummary
Chapter 14: Setting Up a Security Champions Program
The Security Champions programStructuring your Security Champions programThings to remember before setting up the programWho should be a Security Champion?How a Security Champions program would lookThe top benefits of starting a Security Champions programWhat does a Security Champion do?Security Champions program – why do you need it?Shared responsibility modelsThe roles of different teamsBuy-in from the executiveThe importance of executive buy-inHow to secure executive buy-inMeasuring the effect of the Security Champions programTechnical aspects to check the effectiveness of the Security Champions programStrategic aspects to check the effectiveness of the Security Champions programSummary
Part 6: Case Studies and Conclusion
Chapter 15: Case Studies
Case study 1 – FinTech CorporationChallenges faced before implementing DevSecOpsSteps were taken to transition to DevSecOpsResults and impact on the company’s software developmentLessons learnedCase study 2 – Verma EnterprisesChallenges faced by the organization in terms of securityImplementation of DevSecOps practices and toolsResults and benefits achievedCase study 3 – HealthPlusThe importance of security in healthcare data and systemsThe implementation of DevSecOps practices and tools to improve securityResults and benefits achievedCase study 4 – GovAgencySecurity requirements for government agenciesThe implementation of DevSecOps practices and tools to meet compliance and improve securityResults and benefits achievedCase study 5 – TechSoftSecurity requirements for the IT sectorThe implementation of DevSecOps practices and tools to meet compliance and improve securityResults and benefits achievedCommon lessons learned and best practicesLessons learned from implementing DevSecOps practices and toolsBest practices for implementing DevSecOps in software developmentSummary
Chapter 16: Conclusion
DevSecOps – what and how?DevSecOps principles and processesDevSecOps toolsDevSecOps techniquesGovernance and an effective Security Champions programTopics covered in this bookWhat’s next?Case studies and conclusion
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Content preview from Implementing DevSecOps Practices

10 Infrastructure-as-Code (IaC) Scanning

Infrastructure-as-Code (IaC) scanning is the process of creating the code and configuration files that are used to manage and provision infrastructure resources, such as virtual machines, networks, and storage, in a cloud environment. IaC is a method of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

IaC should go through security checks and there are IaC security scanning tools that are designed to identify security vulnerabilities and misconfigurations in the infrastructure code, potentially exposing the environment to security threats. The scanning process is typically automated ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781803231495

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Implementing DevSecOps Practices

by Vandana Verma Sehgal

10

Infrastructure-as-Code (IaC) Scanning

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.