Securing DevOps

Book Description

Securing DevOps teaches you the essential techniques to secure your cloud services. Using compelling case studies, it shows you how to build security into automated testing, continuous delivery, and other core DevOps processes. This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale. You’ll also learn to identify, assess, and secure the unique vulnerabilities posed by cloud deployments and automation tools commonly used in modern infrastructures.

Table of Contents

  1. Titlepage
  2. Copyright
  3. Dedication
  4. preface
  5. acknowledgments
  6. about this book
    1. How this book is organized
    2. Roadmap
    3. About the code
    4. Book forum
  7. about the author
  8. about the cover illustration
  9. Chapter 1: Securing DevOps
    1. 1.1 The DevOps approach
      1. 1.1.1 Continuous integration
      2. 1.1.2 Continuous delivery
      3. 1.1.3 Infrastructure as a service
      4. 1.1.4 Culture and trust
    2. 1.2 Security in DevOps
    3. 1.3 Continuous security
      1. 1.3.1 Test-driven security
      2. 1.3.2 Monitoring and responding to attacks
      3. 1.3.3 Assessing risks and maturing security
    4. Summary
  10. Part 1: Case study: applying layers of security to a simple DevOps pipeline
    1. Chapter 2: Building a barebones DevOps pipeline
      1. 2.1 Implementation roadmap
      2. 2.2 The code repository: GitHub
      3. 2.3 The CI platform: CircleCI
      4. 2.4 The container repository: Docker Hub
      5. 2.5 The production infrastructure: Amazon Web Services
        1. 2.5.1 Three-tier architecture
        2. 2.5.2 Configuring access to AWS
        3. 2.5.3 Virtual Private Cloud
        4. 2.5.4 Creating the database tier
        5. 2.5.5 Creating the first two tiers with Elastic Beanstalk
        6. 2.5.6 Deploying the container onto your systems
      6. 2.6 A rapid security audit
      7. Summary
    2. Chapter 3: Security layer 1: protecting web applications
      1. 3.1 Securing and testing web apps
      2. 3.2 Website attacks and content security
        1. 3.2.1 Cross-site scripting and Content Security Policy
        2. 3.2.2 Cross-site request forgery
        3. 3.2.3 Clickjacking and IFrames protection
      3. 3.3 Methods for authenticating users
        1. 3.3.1 HTTP basic authentication
        2. 3.3.2 Password management
        3. 3.3.3 Identity providers
        4. 3.3.4 Sessions and cookie security
        5. 3.3.5 Testing authentication
      4. 3.4 Managing dependencies
        1. 3.4.1 Golang vendoring
        2. 3.4.2 Node.js package management
        3. 3.4.3 Python requirements
      5. Summary
    3. Chapter 4: Security layer 2: protecting cloud infrastructures
      1. 4.1 Securing and testing cloud infrastructure: the deployer
        1. 4.1.1 Setting up the deployer
        2. 4.1.2 Configuration notifications between Docker Hub and the deployer
        3. 4.1.3 Running tests against the infrastructure
        4. 4.1.4 Updating the invoicer environment
      2. 4.2 Restricting network access
        1. 4.2.1 Testing security groups
        2. 4.2.2 Opening access between security groups
      3. 4.3 Building a secure entry point
        1. 4.3.1 Generating SSH keys
        2. 4.3.2 Creating a bastion host in EC2
        3. 4.3.3 Enabling two-factor authentication with SSH
        4. 4.3.4 Sending notifications on accesses
        5. 4.3.5 General security considerations
        6. 4.3.6 Opening access between security groups
      4. 4.4 Controlling access to the database
        1. 4.4.1 Analyzing the database structure
        2. 4.4.2 Roles and permissions in PostgreSQL
        3. 4.4.3 Defining fine-grained permissions for the invoicer application
        4. 4.4.4 Asserting permissions in the deployer
      5. Summary
    4. Chapter 5: Security layer 3: securing communications
      1. 5.1 What does it mean to secure communications?
        1. 5.1.1 Early symmetric cryptography
        2. 5.1.2 Diffie-Hellman and RSA
        3. 5.1.3 Public-key infrastructures
        4. 5.1.4 SSL and TLS
      2. 5.2 Understanding SSL/TLS
        1. 5.2.1 The certificate chain
        2. 5.2.2 The TLS handshake
        3. 5.2.3 Perfect forward secrecy
      3. 5.3 Getting applications to use HTTPS
        1. 5.3.1 Obtaining certificates from AWS
        2. 5.3.2 Obtaining certificates from Let’s Encrypt
        3. 5.3.3 Enabling HTTPS on AWS ELB
      4. 5.4 Modernizing HTTPS
        1. 5.4.1 Testing TLS
        2. 5.4.2 Implementing Mozilla’s Modern guidelines
        3. 5.4.3 HSTS: Strict Transport Security
        4. 5.4.4 HPKP: Public Key Pinning
      5. Summary
    5. Chapter 6: Security layer 4: securing the delivery pipeline
      1. 6.1 Access control to code-management infrastructure
        1. 6.1.1 Managing permissions in a GitHub organization
        2. 6.1.2 Managing permissions between GitHub and CircleCI
        3. 6.1.3 Signing commits and tags with Git
      2. 6.2 Access control for container storage
        1. 6.2.1 Managing permissions between Docker Hub and CircleCI
        2. 6.2.2 Signing containers with Docker Content Trust
      3. 6.3 Access control for infrastructure management
        1. 6.3.1 Managing permissions using AWS roles and policies
        2. 6.3.2 Distributing secrets to production systems
      4. Summary
  11. Part 2: Watching for anomalies and protecting services against attacks
    1. Chapter 7: Collecting and storing logs
      1. 7.1 Collecting logs from systems and applications
        1. 7.1.1 Collecting logs from systems
        2. 7.1.2 Collecting application logs
        3. 7.1.3 Infrastructure logging
        4. 7.1.4 Collecting logs from GitHub
      2. 7.2 Streaming log events through message brokers
      3. 7.3 Processing events in log consumers
      4. 7.4 Storing and archiving logs
      5. 7.5 Accessing logs
      6. Summary
    2. Chapter 8: Analyzing logs for fraud and attacks
      1. 8.1 Architecture of a log-analysis layer
      2. 8.2 Detecting attacks using string signatures
      3. 8.3 Statistical models for fraud detection
        1. 8.3.1 Sliding windows and circular buffers
        2. 8.3.2 Moving averages
      4. 8.4 Using geographic data to find abuses
        1. 8.4.1 Geoprofiling users
        2. 8.4.2 Calculating distances
        3. 8.4.3 Finding a user’s normal connection area
      5. 8.5 Detecting anomalies in known patterns
        1. 8.5.1 User-agent signature
        2. 8.5.2 Anomalous browser
        3. 8.5.3 Interaction patterns
      6. 8.6 Raising alerts to operators and end users
        1. 8.6.1 Escalating security events to operators
        2. 8.6.2 How and when to notify end users
      7. Summary
    3. Chapter 9: Detecting intrusions
      1. 9.1 The seven phases of an intrusion: the kill chain
      2. 9.2 What are indicators of compromise?
      3. 9.3 Scanning endpoints for IOCs
      4. 9.4 Inspecting network traffic with Suricata
        1. 9.4.1 Setting up Suricata
        2. 9.4.2 Monitoring the network
        3. 9.4.3 Writing rules
        4. 9.4.4 Using predefined rule-sets
      5. 9.5 Finding intrusions in system-call audit logs
        1. 9.5.1 The execution vulnerability
        2. 9.5.2 Catching fraudulent executions
        3. 9.5.3 Monitoring the filesystem
        4. 9.5.4 Monitoring the impossible
      6. 9.6 Trusting humans to detect anomalies
      7. Summary
    4. Chapter 10: The Caribbean breach: a case study in incident response
      1. 10.1 The Caribbean breach
      2. 10.2 Identification
      3. 10.3 Containment
      4. 10.4 Eradication
        1. 10.4.1 Capturing digital forensics artifacts in AWS
        2. 10.4.2 Outbound IDS filtering
        3. 10.4.3 Hunting IOCs with MIG
      5. 10.5 Recovery
      6. 10.6 Lessons learned and the benefits of preparation
      7. Summary
  12. Part 3: Maturing DevOps security
    1. Chapter 11: Assessing risks
      1. 11.1 What is risk management?
      2. 11.2 The CIA triad
        1. 11.2.1 Confidentiality
        2. 11.2.2 Integrity
        3. 11.2.3 Availability
      3. 11.3 Establishing the top threats to an organization
      4. 11.4 Quantifying the impact of risks
        1. 11.4.1 Finances
        2. 11.4.2 Reputation
        3. 11.4.3 Productivity
      5. 11.5 Identifying threats and measuring vulnerability
        1. 11.5.1 The STRIDE threat-modeling framework
        2. 11.5.2 The DREAD threat-modeling framework
      6. 11.6 Rapid risk assessment
        1. 11.6.1 Gathering information
        2. 11.6.2 Establishing a data dictionary
        3. 11.6.3 Identifying and measuring risks
        4. 11.6.4 Making recommendations
      7. 11.7 Recording and tracking risks
        1. 11.7.1 Accepting, rejecting, and delegating risks
        2. 11.7.2 Revisiting risks regularly
      8. Summary
    2. Chapter 12: Testing security
      1. 12.1 Maintaining security visibility
      2. 12.2 Auditing internal applications and services
        1. 12.2.1 Web-application scanners
        2. 12.2.2 Fuzzing
        3. 12.2.3 Static code analysis
        4. 12.2.4 Auditing Cloud Infrastructure
      3. 12.3 Red teams and external pen testing
      4. 12.4 Bug bounty programs
      5. Summary
    3. Chapter 13: Continuous security
      1. 13.1 Practice and repetition: 10,000 hours of security
      2. 13.2 Year 1: integrating security into DevOps
        1. 13.2.1 Don’t judge too early
        2. 13.2.2 Test everything and make dashboards
      3. 13.3 Year 2: preparing for the worst
        1. 13.3.1 Avoid duplicating infrastructure
        2. 13.3.2 Build versus buy
        3. 13.3.3 Getting breached
      4. 13.4 Year 3: driving the change
        1. 13.4.1 Revisit security priorities
        2. 13.4.2 Progressing iteratively
  13. Index

Product Information

  • Title: Securing DevOps
  • Author(s): Julien Vehent
  • Release date: August 2018
  • Publisher(s): Manning Publications
  • ISBN: 9781617294136