Book Image

Hands-On Security in DevOps

By : Tony Hsiang-Chih Hsu

Book Image

Hands-On Security in DevOps

By: Tony Hsiang-Chih Hsu

Overview of this book

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure. This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security. By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

DevSecOps Drivers and Challenges

DevSecOps Drivers and Challenges

Security compliance

Legal and security compliance

New technology (third-party, cloud, containers, and virtualization)

Cloud services hacks/abuse

Further reading

Security Goals and Metrics

Security Goals and Metrics

Organization goal

Development goal/metrics

QA goal/metrics

Operation goal/metrics

Further reading

Security Assurance Program and Organization

Security Assurance Program and Organization

Security assurance program

Security growth with business

Role of a security team in an organization

Case study – a matrix, functional, or taskforce structure

Further reading

Security Requirements and Compliance

Security Requirements and Compliance

Security requirements for the release gate

Security requirements for web applications

Security requirements for big data

Privacy requirements for GDPR

Further reading

Case Study - Security Assurance Program

Case Study - Security Assurance Program

Security assurance program case study

Security training and awareness

Security culture

Web security frameworks

Baking security into DevOps

Further reading

Security Architecture and Design Principles

Security Architecture and Design Principles

Security architecture design principles

Security framework

Web readiness for privacy protection

Login protection

Cryptographic modules

Input validation and sanitization

Data governance – Apache Ranger and Atlas

Third-party open source management

Further reading

Threat Modeling Practices and Secure Design

Threat Modeling Practices and Secure Design

Threat modeling practices

Threat modeling with STRIDE

Diagram designer tool

Threat library references

Case study – formal documents or not?

Further reading

Secure Coding Best Practices

Secure Coding Best Practices

Secure coding industry best practices

Establishing secure coding baselines

Secure coding awareness training

Tool evaluation

Tool optimization

High-risk module review

Manual code review tools

Secure code scanning tools

Secure compiling

Common issues in practice

Further reading

Case Study - Security and Privacy by Design

Case Study - Security and Privacy by Design

Case study background

Secure architecture review

Privacy by design

Summary of security and privacy frameworks

Third-party component management

Further reading

Security-Testing Plan and Practices

Security-Testing Plan and Practices

Security-testing knowledge kit

Security-testing plan templates

Web security testing

Security-testing domains

Thinking like a hacker

Security-Training environment

Further reading

Whitebox Testing Tips

Whitebox Testing Tips

Whitebox review preparation

Viewing the whole project

High-risk module

Whitebox review checklist

Top common issues

Secure coding patterns and keywords

Case study – Java struts security review

Further reading

Security Testing Toolkits

Security Testing Toolkits

General security testing toolkits

Automation testing criteria

Behavior-driven security testing framework

Android security testing

Securing infrastructure configuration

Docker security scanning

Integrated security tools

Further reading

Security Automation with the CI Pipeline

Security Automation with the CI Pipeline

Security in continuous integration

Security practices in development

Web testing in proactive/proxy mode

Web automation testing tips

Security automation in Jenkins

Further reading

Incident Response

Incident Response

Security incident response process

Incident forensics techniques

Further reading

Security Monitoring

Security Monitoring

Security monitoring framework

Source of information

Threat intelligence toolset

Security scanning toolset

Malware behavior matching – YARA

Further reading

Security Assessment for New Releases

Security Assessment for New Releases

Security review policies for releases

Security checklist and tools

BDD security framework

Consolidated testing results

Further reading

Threat Inspection and Intelligence

Threat Inspection and Intelligence

Unknown threat detection

Indicators of compromises

Security analysis using big data frameworks

Further reading

Business Fraud and Service Abuses

Business Fraud and Service Abuses

Business fraud and abuses

Business risk detection framework

PCI DSS compliance

Further reading

GDPR Compliance Case Study

GDPR Compliance Case Study

GDPR security requirement

Further reading

DevSecOps - Challenges, Tips, and FAQs

DevSecOps - Challenges, Tips, and FAQs

DevSecOps for security management

DevSecOps for the development team

DevSecOps for the testing team

DevSecOps for the operations team

Further reading

Assessments

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Rapid release

Rapid, frequent, and iterative releases are very common for cloud services. This normally drives the need for DevOps practices. This can be both an opportunity and a challenge to security. The challenge is that a short period of frequent releases may not include enough time to do a full cycle of security testing. There are three maturity levels of DevOps practices:

Maturity level	Achieved	Technology adoption
Continuous integration	Source code repository and version control CI workflow with a daily build and unit testing	Jenkins Git Unit testing
Continuous delivery	Automated deploy to the staging environment Integration testing on the staging environment Deployment to production is done manually	IaC(Puppet) Docker
Continuous deployment	Automated deployment and acceptance testing on production Production changes or configuration management	IaC (puppet) Docker Automated acceptance testing Configuration monitoring

The adoption of DevOps practices means more collaboration between development, QA, IT, and operation teams, and more in-progress adoption of continuous integration or continuous delivery tools. This provides a good foundation to move to DevSecOps. Depending on the maturity level of the existing CI/CD, security practices or tools can be added on top of the existing CI/CD framework. It's the most effective and least learning curve to introduce security is don't change existing development, QA, IT, operation team the way they work. Building security tools around the existing CI/CD is still the best approach. We will explore this more in upcoming chapters.

The diagram below shows the security involved with development, QA, and operations through the whole CI/CD lifecycle.