Book Image

Hands-On Security in DevOps

By : Tony Hsiang-Chih Hsu
Book Image

Hands-On Security in DevOps

By: Tony Hsiang-Chih Hsu

Overview of this book

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure. This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security. By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.

Related Content you might be interested in

Current Title:

Small book image
Hands-On Security in DevOps
Tony Hsiang-Chih Hsu
Jul, 2018 | 356 pages
Small book image
Practical Security Automation and Testing
Tony HsiangChih Hsu
Feb, 2019 | 256 pages
Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Cloud Native Software Security Handbook
Mihir Shah
Aug, 2023 | 372 pages
Table of Contents (23 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
DevSecOps Drivers and Challenges
DevSecOps Drivers and Challenges
Security compliance
Legal and security compliance
New technology (third-party, cloud, containers, and virtualization)
Cloud services hacks/abuse
Rapid release
Summary
Questions
Further reading
2
Security Goals and Metrics
Security Goals and Metrics
Organization goal
Development goal/metrics
QA goal/metrics
Operation goal/metrics
Summary
Questions
Further reading
3
Security Assurance Program and Organization
Security Assurance Program and Organization
Security assurance program
Security growth with business
Role of a security team in an organization
Case study – a matrix, functional, or taskforce structure
Summary
Questions
Further reading
4
Security Requirements and Compliance
Security Requirements and Compliance
Security requirements for the release gate
Security requirements for web applications
Security requirements for big data
Privacy requirements for GDPR
Summary
Questions
Further reading
5
Case Study - Security Assurance Program
Case Study - Security Assurance Program
Security assurance program case study
Security training and awareness
Security culture
Web security frameworks
Baking security into DevOps
Summary
Questions
Further reading
6
Security Architecture and Design Principles
Security Architecture and Design Principles
Security architecture design principles
Security framework
Web readiness for privacy protection
Login protection
Cryptographic modules
Input validation and sanitization
Data masking
Data governance – Apache Ranger and Atlas
Third-party open source management
Summary
Questions
Further reading
7
Threat Modeling Practices and Secure Design
Threat Modeling Practices and Secure Design
Threat modeling practices
Threat modeling with STRIDE
Diagram designer tool
Card games
Threat library references
Case study – formal documents or not?
Secure design
Summary
Questions
Further reading
8
Secure Coding Best Practices
Secure Coding Best Practices
Secure coding industry best practices
Establishing secure coding baselines
Secure coding awareness training
Tool evaluation
Tool optimization
High-risk module review
Manual code review tools
Secure code scanning tools
Secure compiling
Common issues in practice
Summary
Questions
Further reading
9
Case Study - Security and Privacy by Design
Case Study - Security and Privacy by Design
Case study background
Secure architecture review
Privacy by design
Summary of security and privacy frameworks
Third-party component management
Summary
Questions
Further reading
10
Security-Testing Plan and Practices
Security-Testing Plan and Practices
Security-testing knowledge kit
Security-testing plan templates
Web security testing
Privacy
Security-testing domains
Thinking like a hacker
Security-Training environment
Summary
Questions
Further reading
11
Whitebox Testing Tips
Whitebox Testing Tips
Whitebox review preparation
Viewing the whole project
High-risk module
Whitebox review checklist
Top common issues
Secure coding patterns and keywords
Case study – Java struts security review
Summary
Questions
Further reading
12
Security Testing Toolkits
Security Testing Toolkits
General security testing toolkits
Automation testing criteria
Behavior-driven security testing framework
Android security testing
Securing infrastructure configuration
Docker security scanning
Integrated security tools
Summary
Questions
Further reading
13
Security Automation with the CI Pipeline
Security Automation with the CI Pipeline
Security in continuous integration
Security practices in development
Web testing in proactive/proxy mode
Web automation testing tips
Security automation in Jenkins
Summary
Questions
Further reading
14
Incident Response
Incident Response
Security incident response process
SOC team
Incident forensics techniques
Summary
Questions
Further reading
15
Security Monitoring
Security Monitoring
Logging policy
Security monitoring framework
Source of information
Threat intelligence toolset
Security scanning toolset
Malware behavior matching – YARA
Summary
Questions
Further reading
16
Security Assessment for New Releases
Security Assessment for New Releases
Security review policies for releases
Security checklist and tools
BDD security framework
Consolidated testing results
Summary
Questions
Further reading
17
Threat Inspection and Intelligence
Threat Inspection and Intelligence
Unknown threat detection
Indicators of compromises
Security analysis using big data frameworks
Summary
Questions
Further reading
18
Business Fraud and Service Abuses
Business Fraud and Service Abuses
Business fraud and abuses
Business risk detection framework
PCI DSS compliance
Summary
Questions
Further reading
19
GDPR Compliance Case Study
GDPR Compliance Case Study
GDPR security requirement
Case studies
Summary
Questions
Further reading
20
DevSecOps - Challenges, Tips, and FAQs
DevSecOps - Challenges, Tips, and FAQs
DevSecOps for security management
DevSecOps for the development team
DevSecOps for the testing team
DevSecOps for the operations team
Summary
Further reading
21
Assessments
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
Chapter 19
22
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Cloud services hacks/abuse

A CSA survey on the top cloud security concerns has identified the following 12 issues:

  • Data breaches
  • Weak identity, credentials, and access management
  • Insecure APIs
  • System and application vulnerabilities
  • Account hijacking
  • Malicious insiders
  • Advanced Persistent Threats (APTs)
  • Data loss
  • Insufficient due diligence
  • Abuse and nefarious use of cloud services
  • Denial of service
  • Shared technology issues

In addition, service abuse has also become a headache for most e-commerce or shopping sites. Let's take one example to understand how hackers or misconduct users can benefit from it.

Case study – products on sale

Assume that one online shopping store is going to have a 50% discount on one new model phone for only the first 100 customers; it will be available at 12:00 on February 1.

What do hackers do?

For this kind of sale with 50 % profit is a great attraction for malicious users to do something. What underground users typically may do involves the massive registration of user accounts. There can be more than 10,000 users accounts registered in a short period of time just before the sales. At the moment of the sale, they will use automated scripts to trigger purchase behaviors and finish the orders within seconds. Once they have ordered or occupied all the phones, they may either sell them at higher prices or even not pay for the orders.

Is this illegal? These behaviors follow the business rules for registration and purchases. Although the behavior may not be against the law, it may be considered misconduct or service abuse. Therefore, this kind of on-sale activity may require additional business rules and regulations. After all, it's not purely hacking behavior. We will discuss this in later chapters. Here, we provide an overview of alleviating measures, which can be by means of business rules or technical approaches:

  • The sale is only limited to those customers with a certain period of purchase history
  • Apply CAPTCHA to distinguish humans from machines
  • Two-factor authentication and registration via phone SMS
  • Detection and correlation of IP, phone number, email, account ID, physical address, and GeoIP location
  • Unusual page browsing behavior such as skipping products and jumping to the purchase directly
  • Unusual massive logins or registration from the same IP or devices
Previous Section
End of Section 5
Next Section