book

Securing DevOps

by Julien Vehent

August 2018

Intermediate to advanced

384 pages

12h 18m

English

Manning Publications

Read now

Unlock full access

prefaceacknowledgmentsabout this bookHow this book is organizedRoadmapAbout the codeBook forumabout the authorabout the cover illustration
1.1 The DevOps approach1.1.1 Continuous integration1.1.2 Continuous delivery1.1.3 Infrastructure as a service1.1.4 Culture and trust1.2 Security in DevOps1.3 Continuous security1.3.1 Test-driven security1.3.2 Monitoring and responding to attacks1.3.3 Assessing risks and maturing securitySummary
2.1 Implementation roadmap2.2 The code repository: GitHub2.3 The CI platform: CircleCI2.4 The container repository: Docker Hub2.5 The production infrastructure: Amazon Web Services2.5.1 Three-tier architecture2.5.2 Configuring access to AWS2.5.3 Virtual Private Cloud2.5.4 Creating the database tier2.5.5 Creating the first two tiers with Elastic Beanstalk2.5.6 Deploying the container onto your systems2.6 A rapid security auditSummary
3.1 Securing and testing web apps3.2 Website attacks and content security3.2.1 Cross-site scripting and Content Security Policy3.2.2 Cross-site request forgery3.2.3 Clickjacking and IFrames protection3.3 Methods for authenticating users3.3.1 HTTP basic authentication3.3.2 Password management3.3.3 Identity providers3.3.4 Sessions and cookie security3.3.5 Testing authentication3.4 Managing dependencies3.4.1 Golang vendoring3.4.2 Node.js package management3.4.3 Python requirementsSummary
4.1 Securing and testing cloud infrastructure: the deployer4.1.1 Setting up the deployer4.1.2 Configuration notifications between Docker Hub and the deployer4.1.3 Running tests against the infrastructure4.1.4 Updating the invoicer environment4.2 Restricting network access4.2.1 Testing security groups4.2.2 Opening access between security groups4.3 Building a secure entry point4.3.1 Generating SSH keys4.3.2 Creating a bastion host in EC24.3.3 Enabling two-factor authentication with SSH4.3.4 Sending notifications on accesses4.3.5 General security considerations4.3.6 Opening access between security groups4.4 Controlling access to the database4.4.1 Analyzing the database structure4.4.2 Roles and permissions in PostgreSQL4.4.3 Defining fine-grained permissions for the invoicer application4.4.4 Asserting permissions in the deployerSummary

5.1 What does it mean to secure communications?5.1.1 Early symmetric cryptography5.1.2 Diffie-Hellman and RSA5.1.3 Public-key infrastructures5.1.4 SSL and TLS5.2 Understanding SSL/TLS5.2.1 The certificate chain5.2.2 The TLS handshake5.2.3 Perfect forward secrecy5.3 Getting applications to use HTTPS5.3.1 Obtaining certificates from AWS5.3.2 Obtaining certificates from Let’s Encrypt5.3.3 Enabling HTTPS on AWS ELB5.4 Modernizing HTTPS5.4.1 Testing TLS5.4.2 Implementing Mozilla’s Modern guidelines5.4.3 HSTS: Strict Transport Security5.4.4 HPKP: Public Key PinningSummary
6.1 Access control to code-management infrastructure6.1.1 Managing permissions in a GitHub organization6.1.2 Managing permissions between GitHub and CircleCI6.1.3 Signing commits and tags with Git6.2 Access control for container storage6.2.1 Managing permissions between Docker Hub and CircleCI6.2.2 Signing containers with Docker Content Trust6.3 Access control for infrastructure management6.3.1 Managing permissions using AWS roles and policies6.3.2 Distributing secrets to production systemsSummary
7.1 Collecting logs from systems and applications7.1.1 Collecting logs from systems7.1.2 Collecting application logs7.1.3 Infrastructure logging7.1.4 Collecting logs from GitHub7.2 Streaming log events through message brokers7.3 Processing events in log consumers7.4 Storing and archiving logs7.5 Accessing logsSummary
8.1 Architecture of a log-analysis layer8.2 Detecting attacks using string signatures8.3 Statistical models for fraud detection8.3.1 Sliding windows and circular buffers8.3.2 Moving averages8.4 Using geographic data to find abuses8.4.1 Geoprofiling users8.4.2 Calculating distances8.4.3 Finding a user’s normal connection area8.5 Detecting anomalies in known patterns8.5.1 User-agent signature8.5.2 Anomalous browser8.5.3 Interaction patterns8.6 Raising alerts to operators and end users8.6.1 Escalating security events to operators8.6.2 How and when to notify end usersSummary
9.1 The seven phases of an intrusion: the kill chain9.2 What are indicators of compromise?9.3 Scanning endpoints for IOCs9.4 Inspecting network traffic with Suricata9.4.1 Setting up Suricata9.4.2 Monitoring the network9.4.3 Writing rules9.4.4 Using predefined rule-sets9.5 Finding intrusions in system-call audit logs9.5.1 The execution vulnerability9.5.2 Catching fraudulent executions9.5.3 Monitoring the filesystem9.5.4 Monitoring the impossible9.6 Trusting humans to detect anomaliesSummary
10.1 The Caribbean breach10.2 Identification10.3 Containment10.4 Eradication10.4.1 Capturing digital forensics artifacts in AWS10.4.2 Outbound IDS filtering10.4.3 Hunting IOCs with MIG10.5 Recovery10.6 Lessons learned and the benefits of preparationSummary
11.1 What is risk management?11.2 The CIA triad11.2.1 Confidentiality11.2.2 Integrity11.2.3 Availability11.3 Establishing the top threats to an organization11.4 Quantifying the impact of risks11.4.1 Finances11.4.2 Reputation11.4.3 Productivity11.5 Identifying threats and measuring vulnerability11.5.1 The STRIDE threat-modeling framework11.5.2 The DREAD threat-modeling framework11.6 Rapid risk assessment11.6.1 Gathering information11.6.2 Establishing a data dictionary11.6.3 Identifying and measuring risks11.6.4 Making recommendations11.7 Recording and tracking risks11.7.1 Accepting, rejecting, and delegating risks11.7.2 Revisiting risks regularlySummary
12.1 Maintaining security visibility12.2 Auditing internal applications and services12.2.1 Web-application scanners12.2.2 Fuzzing12.2.3 Static code analysis12.2.4 Auditing Cloud Infrastructure12.3 Red teams and external pen testing12.4 Bug bounty programsSummary
13.1 Practice and repetition: 10,000 hours of security13.2 Year 1: integrating security into DevOps13.2.1 Don’t judge too early13.2.2 Test everything and make dashboards13.3 Year 2: preparing for the worst13.3.1 Avoid duplicating infrastructure13.3.2 Build versus buy13.3.3 Getting breached13.4 Year 3: driving the change13.4.1 Revisit security priorities13.4.2 Progressing iteratively
List of TablesList of Illustrations

Content preview from Securing DevOps

8 Analyzing logs for fraud and attacks

This chapter covers

Examining the components of a logging pipeline’s analysis layer
Detecting fraud and attacks using string signatures, statistics, and historical data
Managing techniques for alerting users without overwhelming them

In chapter 7, you learned how to build a logging pipeline to collect, stream, analyze, store, and access logs across the infrastructure. A multilayered pipeline creates a flexible infrastructure where logs from different origins are used to monitor the activity of the organization’s services. Chapter 7 gave an overview of the functionalities provided by each layer of the pipeline. In this chapter, we’ll focus on the third layer, the analysis layer, and dive into techniques ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Hands-On Security in DevOps

Tony Hsiang-Chih Hsu

Kubernetes Security

Liz Rice, Michael Hausenblas

Model-Driven DevOps: Increasing agility and security in your physical network through DevOps

Josh Lothian, Mike Younkers, Jason King, Steven Carter

Operations Anti-Patterns, DevOps Solutions

Jeffrey D Smith

Publisher Resources

ISBN: 9781617294136Supplemental Content Publisher Support Other Publisher Website Errata Page Purchase Link