Book Image

Implementing DevSecOps Practices

By : Vandana Verma Sehgal
Book Image

Implementing DevSecOps Practices

By: Vandana Verma Sehgal

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

Related Content you might be interested in

Current Title:

Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Real-World Next.js
Michele Riva
Feb, 2022 | 366 pages
Small book image
Isomorphic JavaScript Web Development
Konstantin Tarkus | Tomas Alabes
Oct, 2017 | 226 pages
Small book image
Build Applications with Meteor
Dobrin Ganev
May, 2017 | 388 pages
Table of Contents (25 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1:DevSecOps – What and How?
Part 1:DevSecOps – What and How?
Free Chapter
2
Chapter 1: Introducing DevSecOps
Chapter 1: Introducing DevSecOps
Product development processes
Understanding the shift from DevOps to DevSecOps
The new processes within DevSecOps
DevSecOps maturity levels
KPIs
DevSecOps – the people aspect
Summary
Think and act
3
Part 2: DevSecOps Principles and Processes
Part 2: DevSecOps Principles and Processes
4
Chapter 2: DevSecOps Principles
Chapter 2: DevSecOps Principles
DevSecOps principles
Challenges within the DevSecOps pipeline that principles can resolve
Summary
5
Chapter 3: Understanding the Security Posture
Chapter 3: Understanding the Security Posture
Understanding your security posture
Why and what measures we take to secure the environment
What measures can we take to monitor an environment?
Where does security stand in the whole development process?
Summary
6
Chapter 4: Understanding Observability
Chapter 4: Understanding Observability
Why do we need observability?
The key functions of observability
Linking observability with monitoring
Challenges around observability
Making organizations observable
Summary
7
Chapter 5: Understanding Chaos Engineering
Chapter 5: Understanding Chaos Engineering
Introducing chaos engineering
Techniques involved in chaos engineering
Measuring the effectiveness of performing chaos engineering
Tools involved in chaos engineering
Basic principles of chaos engineering
How chaos engineering is different from other testing measures
Summary
8
Part 3:Technology
Part 3:Technology
9
Chapter 6: Continuous Integration and Continuous Deployment
Chapter 6: Continuous Integration and Continuous Deployment
What is a CI/CD pipeline?
The benefits of CI/CD
Automating the CI/CD pipeline
The importance of a CI/CD pipeline
Summary
10
Chapter 7: Threat Modeling
Chapter 7: Threat Modeling
What is threat modeling?
The importance of threat modeling in the software development lifecycle
Why should we perform threat modeling?
Threat modeling techniques
Integrating threat modeling into DevSecOps
Open source threat modeling tools
How threat modeling tools help organizations
Reasons some organizations don’t use threat modeling
Summary
11
Chapter 8: Software Composition Analysis (SCA)
Chapter 8: Software Composition Analysis (SCA)
What is SCA?
The importance of SCA
The benefits of SCA
Detection of security flaws
Open source SCA tools
Discussing past breaches
Summary
12
Chapter 9: Static Application Security Testing (SAST)
Chapter 9: Static Application Security Testing (SAST)
Introduction
What is SAST?
Identifying vulnerabilities early in the development process
Resolving issues without breaking the build
The benefits of SAST
The limitations of SAST
Open source SAST tools
Case study 1
Case study 2
Loss due to not following the SAST process
Summary
13
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Chapter 10: Infrastructure-as-Code (IaC) Scanning
What is IaC?
The importance of IaC scanning
IaC security best practices
IaC in DevSecOps
Open source IaC tools
Case study 1 – the Codecov security incident
Case study 2 – Capital One data breach
Case study 3 – Netflix environment improvement
Summary
14
Chapter 11: Dynamic Application Security Testing (DAST)
Chapter 11: Dynamic Application Security Testing (DAST)
What is DAST?
DAST usage for developers
DAST usage for security testers
The importance of DAST in secure development environments
Comparing DAST with other security testing approaches
Summary
15
Part 4: Tools
Part 4: Tools
16
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Techniques used in setting up the program
Setting up the CI/CD pipeline
Implementing security controls
Managing DevSecOps in production
The benefits of the program
Summary
17
Part 5: Governance and an Effective Security Champions Program
Part 5: Governance and an Effective Security Champions Program
18
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
DevSecOps and its relevance to license compliance
The distinction between traditional licenses and security implications
Different types of software licenses
The impact of software licenses on the DevSecOps pipeline
How to perform license reviews
Fine-tuning policies associated with licenses
Case studies
Summary
19
Chapter 14: Setting Up a Security Champions Program
Chapter 14: Setting Up a Security Champions Program
The Security Champions program
Who should be a Security Champion?
The top benefits of starting a Security Champions program
What does a Security Champion do?
Security Champions program – why do you need it?
Shared responsibility models
The roles of different teams
Buy-in from the executive
Measuring the effect of the Security Champions program
Summary
20
Part 6: Case Studies and Conclusion
Part 6: Case Studies and Conclusion
21
Chapter 15: Case Studies
Chapter 15: Case Studies
Case study 1 – FinTech Corporation
Case study 2 – Verma Enterprises
Case study 3 – HealthPlus
Case study 4 – GovAgency
Case study 5 – TechSoft
Common lessons learned and best practices
Summary
22
Chapter 16: Conclusion
Chapter 16: Conclusion
DevSecOps – what and how?
DevSecOps principles and processes
DevSecOps tools
DevSecOps techniques
Governance and an effective Security Champions program
Topics covered in this book
What’s next?
Case studies and conclusion
23
Index
Index
Why subscribe?
24
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

KPIs

KPIs help in measuring our goals and their priority. KPIs help us get to the point we wish to reach in the stipulated time. The whole DevOps phase or DevSecOps works in tandem to move to production. It depends on us where we want to take them.

Before moving toward these KPIs, we must ask ourselves some questions:

  • Are we testing all the application’s features before pushing them to security?
  • Are we educating our developers around security processes and tools, rather than forcing security upon them?
  • What software development processes are we following?
  • Do we just follow the OWASP Top 10, or have we created a certain process for that?
  • How frequently is security being called in the SDLC?

All these questions take us to points where we can start thinking about taking our first step toward setting up the right processes and moving toward the best practices.

Some of the key KPIs for DevSecOps processes are as follows:

  • Figuring out the amount of open source code that’s used in the code – that is, third-party libraries and dependencies.
  • Where do we stand on automation processes?
  • Are the tools aiding in having a smooth software pipeline?
  • Are we able to reduce the bugs in the pipeline by fine-tuning it?
  • How frequently are we fixing bugs?

These are just some of the parameters you need to consider; stay tuned for more detailed information.

Previous Section
End of Section 6
Next Section