Book Image

Hands-On Security in DevOps

By : Tony Hsiang-Chih Hsu
Book Image

Hands-On Security in DevOps

By: Tony Hsiang-Chih Hsu

Overview of this book

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure. This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security. By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.

Related Content you might be interested in

Current Title:

Small book image
Hands-On Security in DevOps
Tony Hsiang-Chih Hsu
Jul, 2018 | 356 pages
Small book image
Practical Security Automation and Testing
Tony HsiangChih Hsu
Feb, 2019 | 256 pages
Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Cloud Native Software Security Handbook
Mihir Shah
Aug, 2023 | 372 pages
Table of Contents (23 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
DevSecOps Drivers and Challenges
DevSecOps Drivers and Challenges
Security compliance
Legal and security compliance
New technology (third-party, cloud, containers, and virtualization)
Cloud services hacks/abuse
Rapid release
Summary
Questions
Further reading
2
Security Goals and Metrics
Security Goals and Metrics
Organization goal
Development goal/metrics
QA goal/metrics
Operation goal/metrics
Summary
Questions
Further reading
3
Security Assurance Program and Organization
Security Assurance Program and Organization
Security assurance program
Security growth with business
Role of a security team in an organization
Case study – a matrix, functional, or taskforce structure
Summary
Questions
Further reading
4
Security Requirements and Compliance
Security Requirements and Compliance
Security requirements for the release gate
Security requirements for web applications
Security requirements for big data
Privacy requirements for GDPR
Summary
Questions
Further reading
5
Case Study - Security Assurance Program
Case Study - Security Assurance Program
Security assurance program case study
Security training and awareness
Security culture
Web security frameworks
Baking security into DevOps
Summary
Questions
Further reading
6
Security Architecture and Design Principles
Security Architecture and Design Principles
Security architecture design principles
Security framework
Web readiness for privacy protection
Login protection
Cryptographic modules
Input validation and sanitization
Data masking
Data governance – Apache Ranger and Atlas
Third-party open source management
Summary
Questions
Further reading
7
Threat Modeling Practices and Secure Design
Threat Modeling Practices and Secure Design
Threat modeling practices
Threat modeling with STRIDE
Diagram designer tool
Card games
Threat library references
Case study – formal documents or not?
Secure design
Summary
Questions
Further reading
8
Secure Coding Best Practices
Secure Coding Best Practices
Secure coding industry best practices
Establishing secure coding baselines
Secure coding awareness training
Tool evaluation
Tool optimization
High-risk module review
Manual code review tools
Secure code scanning tools
Secure compiling
Common issues in practice
Summary
Questions
Further reading
9
Case Study - Security and Privacy by Design
Case Study - Security and Privacy by Design
Case study background
Secure architecture review
Privacy by design
Summary of security and privacy frameworks
Third-party component management
Summary
Questions
Further reading
10
Security-Testing Plan and Practices
Security-Testing Plan and Practices
Security-testing knowledge kit
Security-testing plan templates
Web security testing
Privacy
Security-testing domains
Thinking like a hacker
Security-Training environment
Summary
Questions
Further reading
11
Whitebox Testing Tips
Whitebox Testing Tips
Whitebox review preparation
Viewing the whole project
High-risk module
Whitebox review checklist
Top common issues
Secure coding patterns and keywords
Case study – Java struts security review
Summary
Questions
Further reading
12
Security Testing Toolkits
Security Testing Toolkits
General security testing toolkits
Automation testing criteria
Behavior-driven security testing framework
Android security testing
Securing infrastructure configuration
Docker security scanning
Integrated security tools
Summary
Questions
Further reading
13
Security Automation with the CI Pipeline
Security Automation with the CI Pipeline
Security in continuous integration
Security practices in development
Web testing in proactive/proxy mode
Web automation testing tips
Security automation in Jenkins
Summary
Questions
Further reading
14
Incident Response
Incident Response
Security incident response process
SOC team
Incident forensics techniques
Summary
Questions
Further reading
15
Security Monitoring
Security Monitoring
Logging policy
Security monitoring framework
Source of information
Threat intelligence toolset
Security scanning toolset
Malware behavior matching – YARA
Summary
Questions
Further reading
16
Security Assessment for New Releases
Security Assessment for New Releases
Security review policies for releases
Security checklist and tools
BDD security framework
Consolidated testing results
Summary
Questions
Further reading
17
Threat Inspection and Intelligence
Threat Inspection and Intelligence
Unknown threat detection
Indicators of compromises
Security analysis using big data frameworks
Summary
Questions
Further reading
18
Business Fraud and Service Abuses
Business Fraud and Service Abuses
Business fraud and abuses
Business risk detection framework
PCI DSS compliance
Summary
Questions
Further reading
19
GDPR Compliance Case Study
GDPR Compliance Case Study
GDPR security requirement
Case studies
Summary
Questions
Further reading
20
DevSecOps - Challenges, Tips, and FAQs
DevSecOps - Challenges, Tips, and FAQs
DevSecOps for security management
DevSecOps for the development team
DevSecOps for the testing team
DevSecOps for the operations team
Summary
Further reading
21
Assessments
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
Chapter 19
22
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Threat modeling with STRIDE

The STRIDE threat model defines threats in six categories, which are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. It's normally used to assess the architecture design.

The threat STRIDE model and general security mitigation are summarized in the following table. In addition to STRIDE, it's also suggested to include privacy in the analysis:

STRIDE threats

Mitigation

Spoofing

Authentication such as credentials, certificates, and SSH

Tampering

Integrity (HASH256, digital signature)

Repudiation

Authentication, logging

Information Disclosure

Confidentiality (encryption, ACL)

Denial of Service

Availability (load balance, buffer, message queue)

Elevation of Privilege

Authorization (ACL)

Privacy (additionally included)

Data masking, access...

Previous Section
End of Section 3
Next Section