Hands-On Security in DevOps

By : Tony Hsiang-Chih Hsu

Overview of this book

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure. This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security. By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.
Whitebox review preparation

Whitebox testing, or source code review, is one of the most effective ways to identify hidden security issues in source code. Before we begin a whitebox source code review, some preparation and some inputs help us decide how to review (which approaches and tools) and what to review (which modules).

The following is a checklist to go through before performing the source code review; the table lists each input alongside its considerations:

Whitebox testing input: Source code

Considerations:
  • Do we need full, buildable source code?
  • Does the source code include the related imported modules or headers?
  • The source of these dependencies helps when we want to trace the definition of a given API. If the full source is not available, reverse engineering may be required.

Whitebox testing input: Threat-modeling documents

Considerations:
  The threat-modeling provides a good reference to identify...