Book Image

Implementing DevSecOps Practices

By : Vandana Verma Sehgal

Book Image

Implementing DevSecOps Practices

By: Vandana Verma Sehgal

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

Preface

Who this book is for

What this book covers

To get the most out of this book

Conventions used

Share Your Thoughts

Download a free PDF copy of this book

Part 1:DevSecOps – What and How?

Part 1:DevSecOps – What and How?

Free Chapter

Chapter 1: Introducing DevSecOps

Chapter 1: Introducing DevSecOps

Product development processes

Understanding the shift from DevOps to DevSecOps

The new processes within DevSecOps

DevSecOps maturity levels

DevSecOps – the people aspect

Part 2: DevSecOps Principles and Processes

Part 2: DevSecOps Principles and Processes

Chapter 2: DevSecOps Principles

Chapter 2: DevSecOps Principles

DevSecOps principles

Challenges within the DevSecOps pipeline that principles can resolve

Chapter 3: Understanding the Security Posture

Chapter 3: Understanding the Security Posture

Understanding your security posture

Why and what measures we take to secure the environment

What measures can we take to monitor an environment?

Where does security stand in the whole development process?

Chapter 4: Understanding Observability

Chapter 4: Understanding Observability

Why do we need observability?

The key functions of observability

Linking observability with monitoring

Challenges around observability

Making organizations observable

Chapter 5: Understanding Chaos Engineering

Chapter 5: Understanding Chaos Engineering

Introducing chaos engineering

Techniques involved in chaos engineering

Measuring the effectiveness of performing chaos engineering

Tools involved in chaos engineering

Basic principles of chaos engineering

How chaos engineering is different from other testing measures

Part 3:Technology

Part 3:Technology

Chapter 6: Continuous Integration and Continuous Deployment

Chapter 6: Continuous Integration and Continuous Deployment

What is a CI/CD pipeline?

The benefits of CI/CD

Automating the CI/CD pipeline

The importance of a CI/CD pipeline

Chapter 7: Threat Modeling

Chapter 7: Threat Modeling

What is threat modeling?

The importance of threat modeling in the software development lifecycle

Why should we perform threat modeling?

Threat modeling techniques

Integrating threat modeling into DevSecOps

Open source threat modeling tools

How threat modeling tools help organizations

Reasons some organizations don’t use threat modeling

Chapter 8: Software Composition Analysis (SCA)

Chapter 8: Software Composition Analysis (SCA)

The importance of SCA

The benefits of SCA

Detection of security flaws

Open source SCA tools

Discussing past breaches

Chapter 9: Static Application Security Testing (SAST)

Chapter 9: Static Application Security Testing (SAST)

Identifying vulnerabilities early in the development process

Resolving issues without breaking the build

The benefits of SAST

The limitations of SAST

Open source SAST tools

Loss due to not following the SAST process

Chapter 10: Infrastructure-as-Code (IaC) Scanning

Chapter 10: Infrastructure-as-Code (IaC) Scanning

The importance of IaC scanning

IaC security best practices

IaC in DevSecOps

Open source IaC tools

Case study 1 – the Codecov security incident

Case study 2 – Capital One data breach

Case study 3 – Netflix environment improvement

Chapter 11: Dynamic Application Security Testing (DAST)

Chapter 11: Dynamic Application Security Testing (DAST)

DAST usage for developers

DAST usage for security testers

The importance of DAST in secure development environments

Comparing DAST with other security testing approaches

Part 4: Tools

Chapter 12: Setting Up a DevSecOps Program with Open Source Tools

Chapter 12: Setting Up a DevSecOps Program with Open Source Tools

Techniques used in setting up the program

Setting up the CI/CD pipeline

Implementing security controls

Managing DevSecOps in production

The benefits of the program

Part 5: Governance and an Effective Security Champions Program

Part 5: Governance and an Effective Security Champions Program

Chapter 13: License Compliance, Code Coverage, and Baseline Policies

Chapter 13: License Compliance, Code Coverage, and Baseline Policies

DevSecOps and its relevance to license compliance

The distinction between traditional licenses and security implications

Different types of software licenses

The impact of software licenses on the DevSecOps pipeline

How to perform license reviews

Fine-tuning policies associated with licenses

Chapter 14: Setting Up a Security Champions Program

Chapter 14: Setting Up a Security Champions Program

The Security Champions program

Who should be a Security Champion?

The top benefits of starting a Security Champions program

What does a Security Champion do?

Security Champions program – why do you need it?

Shared responsibility models

The roles of different teams

Buy-in from the executive

Measuring the effect of the Security Champions program

Part 6: Case Studies and Conclusion

Part 6: Case Studies and Conclusion

Chapter 15: Case Studies

Chapter 15: Case Studies

Case study 1 – FinTech Corporation

Case study 2 – Verma Enterprises

Case study 3 – HealthPlus

Case study 4 – GovAgency

Case study 5 – TechSoft

Common lessons learned and best practices

Chapter 16: Conclusion

Chapter 16: Conclusion

DevSecOps – what and how?

DevSecOps principles and processes

DevSecOps tools

DevSecOps techniques

Governance and an effective Security Champions program

Topics covered in this book

Case studies and conclusion

Index

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Download a free PDF copy of this book

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

The limitations of SAST

While SAST can identify vulnerabilities early in the software development process, it can produce false positives and false negatives, has a limited scope, and is less effective against certain types of vulnerabilities. SAST should be used in combination with other security testing techniques to ensure that software applications are secure and resilient against security risks.

Here are some of the key limitations of SAST:

False positives: SAST tools can produce false positives, which are security vulnerabilities that are reported by the tool but do not exist in the code. False positives can be time-consuming to remediate as they require additional analysis and can take resources away from more critical vulnerabilities.
False negatives: SAST tools may miss actual vulnerabilities, leading to a false sense of security.
Limited context: SAST tools analyze application source code in isolation, without considering how the code interacts with other...