book

Securing DevOps

by Julien Vehent

August 2018

Intermediate to advanced

384 pages

12h 18m

English

Manning Publications

Read now

Unlock full access

prefaceacknowledgmentsabout this bookHow this book is organizedRoadmapAbout the codeBook forumabout the authorabout the cover illustration
1.1 The DevOps approach1.1.1 Continuous integration1.1.2 Continuous delivery1.1.3 Infrastructure as a service1.1.4 Culture and trust1.2 Security in DevOps1.3 Continuous security1.3.1 Test-driven security1.3.2 Monitoring and responding to attacks1.3.3 Assessing risks and maturing securitySummary
2.1 Implementation roadmap2.2 The code repository: GitHub2.3 The CI platform: CircleCI2.4 The container repository: Docker Hub2.5 The production infrastructure: Amazon Web Services2.5.1 Three-tier architecture2.5.2 Configuring access to AWS2.5.3 Virtual Private Cloud2.5.4 Creating the database tier2.5.5 Creating the first two tiers with Elastic Beanstalk2.5.6 Deploying the container onto your systems2.6 A rapid security auditSummary
3.1 Securing and testing web apps3.2 Website attacks and content security3.2.1 Cross-site scripting and Content Security Policy3.2.2 Cross-site request forgery3.2.3 Clickjacking and IFrames protection3.3 Methods for authenticating users3.3.1 HTTP basic authentication3.3.2 Password management3.3.3 Identity providers3.3.4 Sessions and cookie security3.3.5 Testing authentication3.4 Managing dependencies3.4.1 Golang vendoring3.4.2 Node.js package management3.4.3 Python requirementsSummary
4.1 Securing and testing cloud infrastructure: the deployer4.1.1 Setting up the deployer4.1.2 Configuration notifications between Docker Hub and the deployer4.1.3 Running tests against the infrastructure4.1.4 Updating the invoicer environment4.2 Restricting network access4.2.1 Testing security groups4.2.2 Opening access between security groups4.3 Building a secure entry point4.3.1 Generating SSH keys4.3.2 Creating a bastion host in EC24.3.3 Enabling two-factor authentication with SSH4.3.4 Sending notifications on accesses4.3.5 General security considerations4.3.6 Opening access between security groups4.4 Controlling access to the database4.4.1 Analyzing the database structure4.4.2 Roles and permissions in PostgreSQL4.4.3 Defining fine-grained permissions for the invoicer application4.4.4 Asserting permissions in the deployerSummary

5.1 What does it mean to secure communications?5.1.1 Early symmetric cryptography5.1.2 Diffie-Hellman and RSA5.1.3 Public-key infrastructures5.1.4 SSL and TLS5.2 Understanding SSL/TLS5.2.1 The certificate chain5.2.2 The TLS handshake5.2.3 Perfect forward secrecy5.3 Getting applications to use HTTPS5.3.1 Obtaining certificates from AWS5.3.2 Obtaining certificates from Let’s Encrypt5.3.3 Enabling HTTPS on AWS ELB5.4 Modernizing HTTPS5.4.1 Testing TLS5.4.2 Implementing Mozilla’s Modern guidelines5.4.3 HSTS: Strict Transport Security5.4.4 HPKP: Public Key PinningSummary
6.1 Access control to code-management infrastructure6.1.1 Managing permissions in a GitHub organization6.1.2 Managing permissions between GitHub and CircleCI6.1.3 Signing commits and tags with Git6.2 Access control for container storage6.2.1 Managing permissions between Docker Hub and CircleCI6.2.2 Signing containers with Docker Content Trust6.3 Access control for infrastructure management6.3.1 Managing permissions using AWS roles and policies6.3.2 Distributing secrets to production systemsSummary
7.1 Collecting logs from systems and applications7.1.1 Collecting logs from systems7.1.2 Collecting application logs7.1.3 Infrastructure logging7.1.4 Collecting logs from GitHub7.2 Streaming log events through message brokers7.3 Processing events in log consumers7.4 Storing and archiving logs7.5 Accessing logsSummary
8.1 Architecture of a log-analysis layer8.2 Detecting attacks using string signatures8.3 Statistical models for fraud detection8.3.1 Sliding windows and circular buffers8.3.2 Moving averages8.4 Using geographic data to find abuses8.4.1 Geoprofiling users8.4.2 Calculating distances8.4.3 Finding a user’s normal connection area8.5 Detecting anomalies in known patterns8.5.1 User-agent signature8.5.2 Anomalous browser8.5.3 Interaction patterns8.6 Raising alerts to operators and end users8.6.1 Escalating security events to operators8.6.2 How and when to notify end usersSummary
9.1 The seven phases of an intrusion: the kill chain9.2 What are indicators of compromise?9.3 Scanning endpoints for IOCs9.4 Inspecting network traffic with Suricata9.4.1 Setting up Suricata9.4.2 Monitoring the network9.4.3 Writing rules9.4.4 Using predefined rule-sets9.5 Finding intrusions in system-call audit logs9.5.1 The execution vulnerability9.5.2 Catching fraudulent executions9.5.3 Monitoring the filesystem9.5.4 Monitoring the impossible9.6 Trusting humans to detect anomaliesSummary
10.1 The Caribbean breach10.2 Identification10.3 Containment10.4 Eradication10.4.1 Capturing digital forensics artifacts in AWS10.4.2 Outbound IDS filtering10.4.3 Hunting IOCs with MIG10.5 Recovery10.6 Lessons learned and the benefits of preparationSummary
11.1 What is risk management?11.2 The CIA triad11.2.1 Confidentiality11.2.2 Integrity11.2.3 Availability11.3 Establishing the top threats to an organization11.4 Quantifying the impact of risks11.4.1 Finances11.4.2 Reputation11.4.3 Productivity11.5 Identifying threats and measuring vulnerability11.5.1 The STRIDE threat-modeling framework11.5.2 The DREAD threat-modeling framework11.6 Rapid risk assessment11.6.1 Gathering information11.6.2 Establishing a data dictionary11.6.3 Identifying and measuring risks11.6.4 Making recommendations11.7 Recording and tracking risks11.7.1 Accepting, rejecting, and delegating risks11.7.2 Revisiting risks regularlySummary
12.1 Maintaining security visibility12.2 Auditing internal applications and services12.2.1 Web-application scanners12.2.2 Fuzzing12.2.3 Static code analysis12.2.4 Auditing Cloud Infrastructure12.3 Red teams and external pen testing12.4 Bug bounty programsSummary
13.1 Practice and repetition: 10,000 hours of security13.2 Year 1: integrating security into DevOps13.2.1 Don’t judge too early13.2.2 Test everything and make dashboards13.3 Year 2: preparing for the worst13.3.1 Avoid duplicating infrastructure13.3.2 Build versus buy13.3.3 Getting breached13.4 Year 3: driving the change13.4.1 Revisit security priorities13.4.2 Progressing iteratively
List of TablesList of Illustrations

Overview

Securing DevOps explores how the techniques of DevOps and security should be applied together to make cloud services safer. This introductory book reviews the latest practices used in securing web applications and their infrastructure and teaches you techniques to integrate security directly into your product. You'll also learn the core concepts of DevOps, such as continuous integration, continuous delivery, and infrastructure as a service.

About the Technology

An application running in the cloud can benefit from incredible efficiencies, but they come with unique security threats too. A DevOps team’s highest priority is understanding those risks and hardening the system against them.

About the Book

Securing DevOps teaches you the essential techniques to secure your cloud services. Using compelling case studies, it shows you how to build security into automated testing, continuous delivery, and other core DevOps processes. This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale. You’ll also learn to identify, assess, and secure the unique vulnerabilities posed by cloud deployments and automation tools commonly used in modern infrastructures.

What's Inside

An approach to continuous security
Implementing test-driven security in DevOps
Security techniques for cloud services
Watching for fraud and responding to incidents
Security testing and risk assessment

About the Reader

Readers should be comfortable with Linux and standard DevOps practices like CI, CD, and unit testing.

About the Author

Julien Vehent is a security architect and DevOps advocate. He leads the Firefox Operations Security team at Mozilla, and is responsible for the security of Firefox’s high-traffic cloud services and public websites.

Quotes
Provides both sound ideas and real-world examples. A must-read.
- Adrien Saladin, PeopleDoc

Makes a complex topic completely approachable. Recommended for DevOps personnel and technology managers alike.
- Adam Montville, Center for Internet Security

Practical and ready for immediate application.
- Yan Guo, Eventbrite

An amazing resource for secure software development—a must in this day and age—whether or not you’re in DevOps.
- Andrew Bovill, Next Century

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781617294136Supplemental Content Publisher Support Other Publisher Website Errata Page Purchase Link

Securing DevOps

by Julien Vehent

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Hands-On Security in DevOps

Kubernetes Security

Model-Driven DevOps: Increasing agility and security in your physical network through DevOps

Operations Anti-Patterns, DevOps Solutions

Publisher Resources

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Hands-On Security in DevOps

Kubernetes Security

Model-Driven DevOps: Increasing agility and security in your physical network through DevOps

Operations Anti-Patterns, DevOps Solutions

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.