Book Image

Hands-On Security in DevOps

By : Tony Hsiang-Chih Hsu
Book Image

Hands-On Security in DevOps

By: Tony Hsiang-Chih Hsu

Overview of this book

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure. This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security. By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.

Related Content you might be interested in

Current Title:

Small book image
Hands-On Security in DevOps
Tony Hsiang-Chih Hsu
Jul, 2018 | 356 pages
Small book image
Practical Security Automation and Testing
Tony HsiangChih Hsu
Feb, 2019 | 256 pages
Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Cloud Native Software Security Handbook
Mihir Shah
Aug, 2023 | 372 pages
Table of Contents (23 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
DevSecOps Drivers and Challenges
DevSecOps Drivers and Challenges
Security compliance
Legal and security compliance
New technology (third-party, cloud, containers, and virtualization)
Cloud services hacks/abuse
Rapid release
Summary
Questions
Further reading
2
Security Goals and Metrics
Security Goals and Metrics
Organization goal
Development goal/metrics
QA goal/metrics
Operation goal/metrics
Summary
Questions
Further reading
3
Security Assurance Program and Organization
Security Assurance Program and Organization
Security assurance program
Security growth with business
Role of a security team in an organization
Case study – a matrix, functional, or taskforce structure
Summary
Questions
Further reading
4
Security Requirements and Compliance
Security Requirements and Compliance
Security requirements for the release gate
Security requirements for web applications
Security requirements for big data
Privacy requirements for GDPR
Summary
Questions
Further reading
5
Case Study - Security Assurance Program
Case Study - Security Assurance Program
Security assurance program case study
Security training and awareness
Security culture
Web security frameworks
Baking security into DevOps
Summary
Questions
Further reading
6
Security Architecture and Design Principles
Security Architecture and Design Principles
Security architecture design principles
Security framework
Web readiness for privacy protection
Login protection
Cryptographic modules
Input validation and sanitization
Data masking
Data governance – Apache Ranger and Atlas
Third-party open source management
Summary
Questions
Further reading
7
Threat Modeling Practices and Secure Design
Threat Modeling Practices and Secure Design
Threat modeling practices
Threat modeling with STRIDE
Diagram designer tool
Card games
Threat library references
Case study – formal documents or not?
Secure design
Summary
Questions
Further reading
8
Secure Coding Best Practices
Secure Coding Best Practices
Secure coding industry best practices
Establishing secure coding baselines
Secure coding awareness training
Tool evaluation
Tool optimization
High-risk module review
Manual code review tools
Secure code scanning tools
Secure compiling
Common issues in practice
Summary
Questions
Further reading
9
Case Study - Security and Privacy by Design
Case Study - Security and Privacy by Design
Case study background
Secure architecture review
Privacy by design
Summary of security and privacy frameworks
Third-party component management
Summary
Questions
Further reading
10
Security-Testing Plan and Practices
Security-Testing Plan and Practices
Security-testing knowledge kit
Security-testing plan templates
Web security testing
Privacy
Security-testing domains
Thinking like a hacker
Security-Training environment
Summary
Questions
Further reading
11
Whitebox Testing Tips
Whitebox Testing Tips
Whitebox review preparation
Viewing the whole project
High-risk module
Whitebox review checklist
Top common issues
Secure coding patterns and keywords
Case study – Java struts security review
Summary
Questions
Further reading
12
Security Testing Toolkits
Security Testing Toolkits
General security testing toolkits
Automation testing criteria
Behavior-driven security testing framework
Android security testing
Securing infrastructure configuration
Docker security scanning
Integrated security tools
Summary
Questions
Further reading
13
Security Automation with the CI Pipeline
Security Automation with the CI Pipeline
Security in continuous integration
Security practices in development
Web testing in proactive/proxy mode
Web automation testing tips
Security automation in Jenkins
Summary
Questions
Further reading
14
Incident Response
Incident Response
Security incident response process
SOC team
Incident forensics techniques
Summary
Questions
Further reading
15
Security Monitoring
Security Monitoring
Logging policy
Security monitoring framework
Source of information
Threat intelligence toolset
Security scanning toolset
Malware behavior matching – YARA
Summary
Questions
Further reading
16
Security Assessment for New Releases
Security Assessment for New Releases
Security review policies for releases
Security checklist and tools
BDD security framework
Consolidated testing results
Summary
Questions
Further reading
17
Threat Inspection and Intelligence
Threat Inspection and Intelligence
Unknown threat detection
Indicators of compromises
Security analysis using big data frameworks
Summary
Questions
Further reading
18
Business Fraud and Service Abuses
Business Fraud and Service Abuses
Business fraud and abuses
Business risk detection framework
PCI DSS compliance
Summary
Questions
Further reading
19
GDPR Compliance Case Study
GDPR Compliance Case Study
GDPR security requirement
Case studies
Summary
Questions
Further reading
20
DevSecOps - Challenges, Tips, and FAQs
DevSecOps - Challenges, Tips, and FAQs
DevSecOps for security management
DevSecOps for the development team
DevSecOps for the testing team
DevSecOps for the operations team
Summary
Further reading
21
Assessments
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
Chapter 19
22
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Legal and security compliance

The EU GDPR, which came into force in May 2018, protects all EU citizens from privacy and data breaches. According to the GDPR FAQ:

"The GDPR not only applies to organizations located within the EU but it also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."

In other words, if a company is providing services to customers in the European Union, its data handling will need to comply entirely with GDPR. From a DevSecOps point of view, it's related to data collection, handling, storage, backup, modification, transport, and removal—in a secure manner. According to GDPR Article 5, there are six privacy principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitations
  • Data minimization
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality

GDPR, like other security compliance policies, doesn't define the technical approach to achieve it. GDPR can still be too high-level for an engineering team. It needs to translate into software security requirements, design, threat modeling, tools, and so on. The following table summarizes typical security practices for the engineering team:

Stage

Common security practices for privacy or sensitive info handing

Design

Privacy Impact Assessment (PIA)

Coding
  • Data masking library
  • Anonymous toolbox
  • RAPPOR—privacy-preserving reporting algorithms
  • Encryption storage (RSA, ASE)
  • Secure erasure
  • Secure communication protocol (such as TLS v1.2, SSH v2, SFTP, SNMP v3)
  • Cookie consent
  • Data Vault
  • Key management

Testing

OWASP testing for weak cryptography, testing for error handling, testing for configuration, and so on

Deployment
  • OWASP configuration and deployment management testing
  • CIS secure environment configuration
  • Sensitive information in Git

Monitoring
  • ELK for log analysis
  • Integrity monitoring (IDS/IPS) to monitor any unauthorized changes
  • CIS secure configuration monitoring
  • Sensitive information leakage in Git
Previous Section
End of Section 3
Next Section