Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Implementing DevSecOps Practices
  • Table Of Contents Toc
  • Feedback & Rating feedback
Implementing DevSecOps Practices

Implementing DevSecOps Practices

By : Vandana Verma Sehgal
4.6 (9)
Buy this Book
close
close
Implementing DevSecOps Practices

Implementing DevSecOps Practices

4.6 (9)
By: Vandana Verma Sehgal
Buy this Book

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.
Table of Contents (25 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
1
Part 1:DevSecOps – What and How?
Icon
Part 1:DevSecOps – What and How?
Lock Free Chapter
2
Chapter 1: Introducing DevSecOps
chevron up
Icon
Chapter 1: Introducing DevSecOps
Icon
Product development processes
Icon
Understanding the shift from DevOps to DevSecOps
Icon
The new processes within DevSecOps
Icon
DevSecOps maturity levels
Icon
KPIs
Icon
DevSecOps – the people aspect
Icon
Summary
Icon
Think and act
3
Part 2: DevSecOps Principles and Processes
Icon
Part 2: DevSecOps Principles and Processes
4
Chapter 2: DevSecOps Principles
Icon
Chapter 2: DevSecOps Principles
Icon
DevSecOps principles
Icon
Challenges within the DevSecOps pipeline that principles can resolve
Icon
Summary
5
Chapter 3: Understanding the Security Posture
Icon
Chapter 3: Understanding the Security Posture
Icon
Understanding your security posture
Icon
Why and what measures we take to secure the environment
Icon
What measures can we take to monitor an environment?
Icon
Where does security stand in the whole development process?
Icon
Summary
6
Chapter 4: Understanding Observability
Icon
Chapter 4: Understanding Observability
Icon
Why do we need observability?
Icon
The key functions of observability
Icon
Linking observability with monitoring
Icon
Challenges around observability
Icon
Making organizations observable
Icon
Summary
7
Chapter 5: Understanding Chaos Engineering
Icon
Chapter 5: Understanding Chaos Engineering
Icon
Introducing chaos engineering
Icon
Techniques involved in chaos engineering
Icon
Measuring the effectiveness of performing chaos engineering
Icon
Tools involved in chaos engineering
Icon
Basic principles of chaos engineering
Icon
How chaos engineering is different from other testing measures
Icon
Summary
8
Part 3:Technology
Icon
Part 3:Technology
9
Chapter 6: Continuous Integration and Continuous Deployment
Icon
Chapter 6: Continuous Integration and Continuous Deployment
Icon
What is a CI/CD pipeline?
Icon
The benefits of CI/CD
Icon
Automating the CI/CD pipeline
Icon
The importance of a CI/CD pipeline
Icon
Summary
10
Chapter 7: Threat Modeling
Icon
Chapter 7: Threat Modeling
Icon
What is threat modeling?
Icon
The importance of threat modeling in the software development lifecycle
Icon
Why should we perform threat modeling?
Icon
Threat modeling techniques
Icon
Integrating threat modeling into DevSecOps
Icon
Open source threat modeling tools
Icon
How threat modeling tools help organizations
Icon
Reasons some organizations don’t use threat modeling
Icon
Summary
11
Chapter 8: Software Composition Analysis (SCA)
Icon
Chapter 8: Software Composition Analysis (SCA)
Icon
What is SCA?
Icon
The importance of SCA
Icon
The benefits of SCA
Icon
Detection of security flaws
Icon
Open source SCA tools
Icon
Discussing past breaches
Icon
Summary
12
Chapter 9: Static Application Security Testing (SAST)
Icon
Chapter 9: Static Application Security Testing (SAST)
Icon
Introduction
Icon
What is SAST?
Icon
Identifying vulnerabilities early in the development process
Icon
Resolving issues without breaking the build
Icon
The benefits of SAST
Icon
The limitations of SAST
Icon
Open source SAST tools
Icon
Case study 1
Icon
Case study 2
Icon
Loss due to not following the SAST process
Icon
Summary
13
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Icon
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Icon
What is IaC?
Icon
The importance of IaC scanning
Icon
IaC security best practices
Icon
IaC in DevSecOps
Icon
Open source IaC tools
Icon
Case study 1 – the Codecov security incident
Icon
Case study 2 – Capital One data breach
Icon
Case study 3 – Netflix environment improvement
Icon
Summary
14
Chapter 11: Dynamic Application Security Testing (DAST)
Icon
Chapter 11: Dynamic Application Security Testing (DAST)
Icon
What is DAST?
Icon
DAST usage for developers
Icon
DAST usage for security testers
Icon
The importance of DAST in secure development environments
Icon
Comparing DAST with other security testing approaches
Icon
Summary
15
Part 4: Tools
Icon
Part 4: Tools
16
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Icon
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Icon
Techniques used in setting up the program
Icon
Setting up the CI/CD pipeline
Icon
Implementing security controls
Icon
Managing DevSecOps in production
Icon
The benefits of the program
Icon
Summary
17
Part 5: Governance and an Effective Security Champions Program
Icon
Part 5: Governance and an Effective Security Champions Program
18
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Icon
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Icon
DevSecOps and its relevance to license compliance
Icon
The distinction between traditional licenses and security implications
Icon
Different types of software licenses
Icon
The impact of software licenses on the DevSecOps pipeline
Icon
How to perform license reviews
Icon
Fine-tuning policies associated with licenses
Icon
Case studies
Icon
Summary
19
Chapter 14: Setting Up a Security Champions Program
Icon
Chapter 14: Setting Up a Security Champions Program
Icon
The Security Champions program
Icon
Who should be a Security Champion?
Icon
The top benefits of starting a Security Champions program
Icon
What does a Security Champion do?
Icon
Security Champions program – why do you need it?
Icon
Shared responsibility models
Icon
The roles of different teams
Icon
Buy-in from the executive
Icon
Measuring the effect of the Security Champions program
Icon
Summary
20
Part 6: Case Studies and Conclusion
Icon
Part 6: Case Studies and Conclusion
21
Chapter 15: Case Studies
Icon
Chapter 15: Case Studies
Icon
Case study 1 – FinTech Corporation
Icon
Case study 2 – Verma Enterprises
Icon
Case study 3 – HealthPlus
Icon
Case study 4 – GovAgency
Icon
Case study 5 – TechSoft
Icon
Common lessons learned and best practices
Icon
Summary
22
Chapter 16: Conclusion
Icon
Chapter 16: Conclusion
Icon
DevSecOps – what and how?
Icon
DevSecOps principles and processes
Icon
DevSecOps tools
Icon
DevSecOps techniques
Icon
Governance and an effective Security Champions program
Icon
Topics covered in this book
Icon
What’s next?
Icon
Case studies and conclusion
23
Index
Icon
Index
Icon
Why subscribe?
24
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book

Understanding the shift from DevOps to DevSecOps

Picture DevOps as a dynamic duo of superhero teams, with developers and operations joining forces to save the business world. Their mission? Pumping out awesome apps and updates to wow the crowd. But then, DevSecOps enters the scene – a supercharged version of our dynamic duo. This time, they’ve got a new sidekick: security (Sec). By weaving Sec into the mix, we’re not just cranking out cool features; we’re making sure they’re as safe as a bank vault.

DevSecOps is an extension of DevOps. DevSecOps was introduced to increase the speed of DevOps. By integrating security into DevOps processes, operations teams were motivated and measured to stabilize production to meet service-level agreements (SLAs). It was about making new changes, but they needed to be made quickly. This made it look like a lot of things were being left behind.

In recent years, many organizations have evolved their DevOps practices to address their business challenges more successfully. DevOps is a contemporary method for meeting the demands of the business by delivering applications more quickly and of higher quality. DevOps now spans the entire enterprise, affecting processes and data flows and bringing about significant organizational changes. This differs from the past, where it was primarily concerned with just putting the IT services for applications in place.

DevOps continues to gain momentum and evolve every passing day. New technologies are being included as part of it.

The initial idea was to make sure that the communication gap between different teams during development processes could be removed. The communication gap has always been a huge challenge for organizations. Development teams work on developing the features needed by the organization, while the operations team works to make sure the application is working smoothly. At the same time, Sec comes into the picture and becomes a big bottleneck as soon as we talk about embedding security in the different phases of development. It opens up a can of worms that never ends.

We are now observing the adoption of many of the techniques that are used by developers to support more agile and responsive processes. This aids organizations in determining their current situation and possible future directions. The most crucial component of any process or technology is people. Even with the best processes and technologies, results are impossible to achieve without people.

Since we’re talking about DevSecOps, it starts with DevOps, which involves quickly delivering higher-quality software by combining and automating the work of software development, IT operations teams, project managers, and everyone working around the development pipeline. If an organization is willing to move toward DevSecOps from its traditional model, it needs to have DevOps in place. That’s contradictory to earlier development models.

Rather than relying on human intervention, the process aids in monitoring the security workflow. Additionally, it enhances our ability to identify security flaws in the ecosystem. Employees may feel replaced by automation in this way, which could make them resent giving up their current level of administrator authority. To get around the bottlenecks in the software development and deployment process, mostly on the ops side, the initial plan was to simply de-silo dev and ops.

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Implementing DevSecOps Practices
End of Section 2
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon