Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Implementing DevSecOps Practices
  • Table Of Contents Toc
Implementing DevSecOps Practices

Implementing DevSecOps Practices

By : Vandana Verma Sehgal
4.6 (9)
Buy this Book
close
close
Implementing DevSecOps Practices

Implementing DevSecOps Practices

4.6 (9)
By: Vandana Verma Sehgal
Buy this Book

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.
Table of Contents (25 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
1
Part 1:DevSecOps – What and How?
Icon
Part 1:DevSecOps – What and How?
Lock Free Chapter
2
Chapter 1: Introducing DevSecOps
chevron up
Icon
Chapter 1: Introducing DevSecOps
Icon
Product development processes
Icon
Understanding the shift from DevOps to DevSecOps
Icon
The new processes within DevSecOps
Icon
DevSecOps maturity levels
Icon
KPIs
Icon
DevSecOps – the people aspect
Icon
Summary
Icon
Think and act
3
Part 2: DevSecOps Principles and Processes
Icon
Part 2: DevSecOps Principles and Processes
4
Chapter 2: DevSecOps Principles
Icon
Chapter 2: DevSecOps Principles
Icon
DevSecOps principles
Icon
Challenges within the DevSecOps pipeline that principles can resolve
Icon
Summary
5
Chapter 3: Understanding the Security Posture
Icon
Chapter 3: Understanding the Security Posture
Icon
Understanding your security posture
Icon
Why and what measures we take to secure the environment
Icon
What measures can we take to monitor an environment?
Icon
Where does security stand in the whole development process?
Icon
Summary
6
Chapter 4: Understanding Observability
Icon
Chapter 4: Understanding Observability
Icon
Why do we need observability?
Icon
The key functions of observability
Icon
Linking observability with monitoring
Icon
Challenges around observability
Icon
Making organizations observable
Icon
Summary
7
Chapter 5: Understanding Chaos Engineering
Icon
Chapter 5: Understanding Chaos Engineering
Icon
Introducing chaos engineering
Icon
Techniques involved in chaos engineering
Icon
Measuring the effectiveness of performing chaos engineering
Icon
Tools involved in chaos engineering
Icon
Basic principles of chaos engineering
Icon
How chaos engineering is different from other testing measures
Icon
Summary
8
Part 3:Technology
Icon
Part 3:Technology
9
Chapter 6: Continuous Integration and Continuous Deployment
Icon
Chapter 6: Continuous Integration and Continuous Deployment
Icon
What is a CI/CD pipeline?
Icon
The benefits of CI/CD
Icon
Automating the CI/CD pipeline
Icon
The importance of a CI/CD pipeline
Icon
Summary
10
Chapter 7: Threat Modeling
Icon
Chapter 7: Threat Modeling
Icon
What is threat modeling?
Icon
The importance of threat modeling in the software development lifecycle
Icon
Why should we perform threat modeling?
Icon
Threat modeling techniques
Icon
Integrating threat modeling into DevSecOps
Icon
Open source threat modeling tools
Icon
How threat modeling tools help organizations
Icon
Reasons some organizations don’t use threat modeling
Icon
Summary
11
Chapter 8: Software Composition Analysis (SCA)
Icon
Chapter 8: Software Composition Analysis (SCA)
Icon
What is SCA?
Icon
The importance of SCA
Icon
The benefits of SCA
Icon
Detection of security flaws
Icon
Open source SCA tools
Icon
Discussing past breaches
Icon
Summary
12
Chapter 9: Static Application Security Testing (SAST)
Icon
Chapter 9: Static Application Security Testing (SAST)
Icon
Introduction
Icon
What is SAST?
Icon
Identifying vulnerabilities early in the development process
Icon
Resolving issues without breaking the build
Icon
The benefits of SAST
Icon
The limitations of SAST
Icon
Open source SAST tools
Icon
Case study 1
Icon
Case study 2
Icon
Loss due to not following the SAST process
Icon
Summary
13
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Icon
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Icon
What is IaC?
Icon
The importance of IaC scanning
Icon
IaC security best practices
Icon
IaC in DevSecOps
Icon
Open source IaC tools
Icon
Case study 1 – the Codecov security incident
Icon
Case study 2 – Capital One data breach
Icon
Case study 3 – Netflix environment improvement
Icon
Summary
14
Chapter 11: Dynamic Application Security Testing (DAST)
Icon
Chapter 11: Dynamic Application Security Testing (DAST)
Icon
What is DAST?
Icon
DAST usage for developers
Icon
DAST usage for security testers
Icon
The importance of DAST in secure development environments
Icon
Comparing DAST with other security testing approaches
Icon
Summary
15
Part 4: Tools
Icon
Part 4: Tools
16
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Icon
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Icon
Techniques used in setting up the program
Icon
Setting up the CI/CD pipeline
Icon
Implementing security controls
Icon
Managing DevSecOps in production
Icon
The benefits of the program
Icon
Summary
17
Part 5: Governance and an Effective Security Champions Program
Icon
Part 5: Governance and an Effective Security Champions Program
18
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Icon
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Icon
DevSecOps and its relevance to license compliance
Icon
The distinction between traditional licenses and security implications
Icon
Different types of software licenses
Icon
The impact of software licenses on the DevSecOps pipeline
Icon
How to perform license reviews
Icon
Fine-tuning policies associated with licenses
Icon
Case studies
Icon
Summary
19
Chapter 14: Setting Up a Security Champions Program
Icon
Chapter 14: Setting Up a Security Champions Program
Icon
The Security Champions program
Icon
Who should be a Security Champion?
Icon
The top benefits of starting a Security Champions program
Icon
What does a Security Champion do?
Icon
Security Champions program – why do you need it?
Icon
Shared responsibility models
Icon
The roles of different teams
Icon
Buy-in from the executive
Icon
Measuring the effect of the Security Champions program
Icon
Summary
20
Part 6: Case Studies and Conclusion
Icon
Part 6: Case Studies and Conclusion
21
Chapter 15: Case Studies
Icon
Chapter 15: Case Studies
Icon
Case study 1 – FinTech Corporation
Icon
Case study 2 – Verma Enterprises
Icon
Case study 3 – HealthPlus
Icon
Case study 4 – GovAgency
Icon
Case study 5 – TechSoft
Icon
Common lessons learned and best practices
Icon
Summary
22
Chapter 16: Conclusion
Icon
Chapter 16: Conclusion
Icon
DevSecOps – what and how?
Icon
DevSecOps principles and processes
Icon
DevSecOps tools
Icon
DevSecOps techniques
Icon
Governance and an effective Security Champions program
Icon
Topics covered in this book
Icon
What’s next?
Icon
Case studies and conclusion
23
Index
Icon
Index
Icon
Why subscribe?
24
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book

KPIs

KPIs help in measuring our goals and their priority. KPIs help us get to the point we wish to reach in the stipulated time. The whole DevOps phase or DevSecOps works in tandem to move to production. It depends on us where we want to take them.

Before moving toward these KPIs, we must ask ourselves some questions:

  • Are we testing all the application’s features before pushing them to security?
  • Are we educating our developers around security processes and tools, rather than forcing security upon them?
  • What software development processes are we following?
  • Do we just follow the OWASP Top 10, or have we created a certain process for that?
  • How frequently is security being called in the SDLC?

All these questions take us to points where we can start thinking about taking our first step toward setting up the right processes and moving toward the best practices.

Some of the key KPIs for DevSecOps processes are as follows:

  • Figuring out the amount of open source code that’s used in the code – that is, third-party libraries and dependencies.
  • Where do we stand on automation processes?
  • Are the tools aiding in having a smooth software pipeline?
  • Are we able to reduce the bugs in the pipeline by fine-tuning it?
  • How frequently are we fixing bugs?

These are just some of the parameters you need to consider; stay tuned for more detailed information.

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Implementing DevSecOps Practices
End of Section 2
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon