Book Image

Implementing DevSecOps Practices

By : Vandana Verma Sehgal
Book Image

Implementing DevSecOps Practices

By: Vandana Verma Sehgal

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

Related Content you might be interested in

Current Title:

Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Real-World Next.js
Michele Riva
Feb, 2022 | 366 pages
Small book image
Isomorphic JavaScript Web Development
Konstantin Tarkus | Tomas Alabes
Oct, 2017 | 226 pages
Small book image
Build Applications with Meteor
Dobrin Ganev
May, 2017 | 388 pages
Table of Contents (25 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1:DevSecOps – What and How?
Part 1:DevSecOps – What and How?
Free Chapter
2
Chapter 1: Introducing DevSecOps
Chapter 1: Introducing DevSecOps
Product development processes
Understanding the shift from DevOps to DevSecOps
The new processes within DevSecOps
DevSecOps maturity levels
KPIs
DevSecOps – the people aspect
Summary
Think and act
3
Part 2: DevSecOps Principles and Processes
Part 2: DevSecOps Principles and Processes
4
Chapter 2: DevSecOps Principles
Chapter 2: DevSecOps Principles
DevSecOps principles
Challenges within the DevSecOps pipeline that principles can resolve
Summary
5
Chapter 3: Understanding the Security Posture
Chapter 3: Understanding the Security Posture
Understanding your security posture
Why and what measures we take to secure the environment
What measures can we take to monitor an environment?
Where does security stand in the whole development process?
Summary
6
Chapter 4: Understanding Observability
Chapter 4: Understanding Observability
Why do we need observability?
The key functions of observability
Linking observability with monitoring
Challenges around observability
Making organizations observable
Summary
7
Chapter 5: Understanding Chaos Engineering
Chapter 5: Understanding Chaos Engineering
Introducing chaos engineering
Techniques involved in chaos engineering
Measuring the effectiveness of performing chaos engineering
Tools involved in chaos engineering
Basic principles of chaos engineering
How chaos engineering is different from other testing measures
Summary
8
Part 3:Technology
Part 3:Technology
9
Chapter 6: Continuous Integration and Continuous Deployment
Chapter 6: Continuous Integration and Continuous Deployment
What is a CI/CD pipeline?
The benefits of CI/CD
Automating the CI/CD pipeline
The importance of a CI/CD pipeline
Summary
10
Chapter 7: Threat Modeling
Chapter 7: Threat Modeling
What is threat modeling?
The importance of threat modeling in the software development lifecycle
Why should we perform threat modeling?
Threat modeling techniques
Integrating threat modeling into DevSecOps
Open source threat modeling tools
How threat modeling tools help organizations
Reasons some organizations don’t use threat modeling
Summary
11
Chapter 8: Software Composition Analysis (SCA)
Chapter 8: Software Composition Analysis (SCA)
What is SCA?
The importance of SCA
The benefits of SCA
Detection of security flaws
Open source SCA tools
Discussing past breaches
Summary
12
Chapter 9: Static Application Security Testing (SAST)
Chapter 9: Static Application Security Testing (SAST)
Introduction
What is SAST?
Identifying vulnerabilities early in the development process
Resolving issues without breaking the build
The benefits of SAST
The limitations of SAST
Open source SAST tools
Case study 1
Case study 2
Loss due to not following the SAST process
Summary
13
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Chapter 10: Infrastructure-as-Code (IaC) Scanning
What is IaC?
The importance of IaC scanning
IaC security best practices
IaC in DevSecOps
Open source IaC tools
Case study 1 – the Codecov security incident
Case study 2 – Capital One data breach
Case study 3 – Netflix environment improvement
Summary
14
Chapter 11: Dynamic Application Security Testing (DAST)
Chapter 11: Dynamic Application Security Testing (DAST)
What is DAST?
DAST usage for developers
DAST usage for security testers
The importance of DAST in secure development environments
Comparing DAST with other security testing approaches
Summary
15
Part 4: Tools
Part 4: Tools
16
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Techniques used in setting up the program
Setting up the CI/CD pipeline
Implementing security controls
Managing DevSecOps in production
The benefits of the program
Summary
17
Part 5: Governance and an Effective Security Champions Program
Part 5: Governance and an Effective Security Champions Program
18
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
DevSecOps and its relevance to license compliance
The distinction between traditional licenses and security implications
Different types of software licenses
The impact of software licenses on the DevSecOps pipeline
How to perform license reviews
Fine-tuning policies associated with licenses
Case studies
Summary
19
Chapter 14: Setting Up a Security Champions Program
Chapter 14: Setting Up a Security Champions Program
The Security Champions program
Who should be a Security Champion?
The top benefits of starting a Security Champions program
What does a Security Champion do?
Security Champions program – why do you need it?
Shared responsibility models
The roles of different teams
Buy-in from the executive
Measuring the effect of the Security Champions program
Summary
20
Part 6: Case Studies and Conclusion
Part 6: Case Studies and Conclusion
21
Chapter 15: Case Studies
Chapter 15: Case Studies
Case study 1 – FinTech Corporation
Case study 2 – Verma Enterprises
Case study 3 – HealthPlus
Case study 4 – GovAgency
Case study 5 – TechSoft
Common lessons learned and best practices
Summary
22
Chapter 16: Conclusion
Chapter 16: Conclusion
DevSecOps – what and how?
DevSecOps principles and processes
DevSecOps tools
DevSecOps techniques
Governance and an effective Security Champions program
Topics covered in this book
What’s next?
Case studies and conclusion
23
Index
Index
Why subscribe?
24
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

The new processes within DevSecOps

DevSecOps has changed the role of Sec in DevOps. Sec just being in the end phase and being a big hump in the way of going to production has shifted to security being in every part of the development life cycle. It entails integrating security earlier in the application development life cycle and starting to think about infrastructure and application security right away. Additionally, it entails automating a few security checkpoints to prevent a delay in the DevOps workflow. Figuring out the right tools and processes for people can assist them in achieving their goals.

Instead of security stopping the whole pipeline, it is part of each of the following phases:

  • Plan
  • Code
  • Build
  • Test
  • Release
  • Continuous deployment and decommissioning
  • Operate
  • Continuous monitoring
Figure 1.5: DevSecOps in action

Figure 1.5: DevSecOps in action

We can have the best tools that money can buy but DevSecOps will not work if your team is not working. You can have the most cooperative team, but nothing will work out if you don’t have the right set of tools.

Not all tools are DevSecOps-ready

Not all tools can fit into a pipeline

The quiet and secluded processes can not only destroy the DevOps culture but ultimately reduce the security posture of the whole organization.

We can have the best tools

We can have the best processes

We can have the best people

However, if the culture of the organization is not exercised, nothing will work

This compartmentalized way of thinking not only undermines the DevOps culture but also weakens the organization’s overall security posture. The secret is to reduce process friction to a minimum. Any organization’s processes are carried out by people.

DevSecOps processes, which aim to reduce the enterprise attack surface and enable effective management of technical security debt, are carried out by people using technologies. DevSecOps challenges the way traditional security teams integrate with the larger business, which is one of its most crucial aspects. If attitudes are to shift, it will take a top-down strategy to change behaviors and increase awareness at all levels of a company.

Previous Section
End of Section 4
Next Section