Book Image

Implementing DevSecOps Practices

By : Vandana Verma Sehgal
Book Image

Implementing DevSecOps Practices

By: Vandana Verma Sehgal

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

Related Content you might be interested in

Current Title:

Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Real-World Next.js
Michele Riva
Feb, 2022 | 366 pages
Small book image
Isomorphic JavaScript Web Development
Konstantin Tarkus | Tomas Alabes
Oct, 2017 | 226 pages
Small book image
Build Applications with Meteor
Dobrin Ganev
May, 2017 | 388 pages
Table of Contents (25 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1:DevSecOps – What and How?
Part 1:DevSecOps – What and How?
Free Chapter
2
Chapter 1: Introducing DevSecOps
Chapter 1: Introducing DevSecOps
Product development processes
Understanding the shift from DevOps to DevSecOps
The new processes within DevSecOps
DevSecOps maturity levels
KPIs
DevSecOps – the people aspect
Summary
Think and act
3
Part 2: DevSecOps Principles and Processes
Part 2: DevSecOps Principles and Processes
4
Chapter 2: DevSecOps Principles
Chapter 2: DevSecOps Principles
DevSecOps principles
Challenges within the DevSecOps pipeline that principles can resolve
Summary
5
Chapter 3: Understanding the Security Posture
Chapter 3: Understanding the Security Posture
Understanding your security posture
Why and what measures we take to secure the environment
What measures can we take to monitor an environment?
Where does security stand in the whole development process?
Summary
6
Chapter 4: Understanding Observability
Chapter 4: Understanding Observability
Why do we need observability?
The key functions of observability
Linking observability with monitoring
Challenges around observability
Making organizations observable
Summary
7
Chapter 5: Understanding Chaos Engineering
Chapter 5: Understanding Chaos Engineering
Introducing chaos engineering
Techniques involved in chaos engineering
Measuring the effectiveness of performing chaos engineering
Tools involved in chaos engineering
Basic principles of chaos engineering
How chaos engineering is different from other testing measures
Summary
8
Part 3:Technology
Part 3:Technology
9
Chapter 6: Continuous Integration and Continuous Deployment
Chapter 6: Continuous Integration and Continuous Deployment
What is a CI/CD pipeline?
The benefits of CI/CD
Automating the CI/CD pipeline
The importance of a CI/CD pipeline
Summary
10
Chapter 7: Threat Modeling
Chapter 7: Threat Modeling
What is threat modeling?
The importance of threat modeling in the software development lifecycle
Why should we perform threat modeling?
Threat modeling techniques
Integrating threat modeling into DevSecOps
Open source threat modeling tools
How threat modeling tools help organizations
Reasons some organizations don’t use threat modeling
Summary
11
Chapter 8: Software Composition Analysis (SCA)
Chapter 8: Software Composition Analysis (SCA)
What is SCA?
The importance of SCA
The benefits of SCA
Detection of security flaws
Open source SCA tools
Discussing past breaches
Summary
12
Chapter 9: Static Application Security Testing (SAST)
Chapter 9: Static Application Security Testing (SAST)
Introduction
What is SAST?
Identifying vulnerabilities early in the development process
Resolving issues without breaking the build
The benefits of SAST
The limitations of SAST
Open source SAST tools
Case study 1
Case study 2
Loss due to not following the SAST process
Summary
13
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Chapter 10: Infrastructure-as-Code (IaC) Scanning
What is IaC?
The importance of IaC scanning
IaC security best practices
IaC in DevSecOps
Open source IaC tools
Case study 1 – the Codecov security incident
Case study 2 – Capital One data breach
Case study 3 – Netflix environment improvement
Summary
14
Chapter 11: Dynamic Application Security Testing (DAST)
Chapter 11: Dynamic Application Security Testing (DAST)
What is DAST?
DAST usage for developers
DAST usage for security testers
The importance of DAST in secure development environments
Comparing DAST with other security testing approaches
Summary
15
Part 4: Tools
Part 4: Tools
16
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Techniques used in setting up the program
Setting up the CI/CD pipeline
Implementing security controls
Managing DevSecOps in production
The benefits of the program
Summary
17
Part 5: Governance and an Effective Security Champions Program
Part 5: Governance and an Effective Security Champions Program
18
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
DevSecOps and its relevance to license compliance
The distinction between traditional licenses and security implications
Different types of software licenses
The impact of software licenses on the DevSecOps pipeline
How to perform license reviews
Fine-tuning policies associated with licenses
Case studies
Summary
19
Chapter 14: Setting Up a Security Champions Program
Chapter 14: Setting Up a Security Champions Program
The Security Champions program
Who should be a Security Champion?
The top benefits of starting a Security Champions program
What does a Security Champion do?
Security Champions program – why do you need it?
Shared responsibility models
The roles of different teams
Buy-in from the executive
Measuring the effect of the Security Champions program
Summary
20
Part 6: Case Studies and Conclusion
Part 6: Case Studies and Conclusion
21
Chapter 15: Case Studies
Chapter 15: Case Studies
Case study 1 – FinTech Corporation
Case study 2 – Verma Enterprises
Case study 3 – HealthPlus
Case study 4 – GovAgency
Case study 5 – TechSoft
Common lessons learned and best practices
Summary
22
Chapter 16: Conclusion
Chapter 16: Conclusion
DevSecOps – what and how?
DevSecOps principles and processes
DevSecOps tools
DevSecOps techniques
Governance and an effective Security Champions program
Topics covered in this book
What’s next?
Case studies and conclusion
23
Index
Index
Why subscribe?
24
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

DevSecOps – the people aspect

When we talk about DevSecOps, the focus is often on processes and tools, but people – the team members involved in implementing and managing DevSecOps – are a crucial part of this equation. In simple terms, the “people aspect” of DevSecOps is all about how individuals within an organization understand, adopt, and execute the principles and practices of DevSecOps.

The following are the main elements of the people aspect of DevSecOps:

  • Collaboration: In DevSecOps, development, security, and operations teams need to work together closely. This might be a shift from traditional ways of working, where these groups often worked in silos. Regular communication and collaboration become key.
  • Shared responsibility: In the DevSecOps world, everyone shares responsibility for security – it’s not just the job of the security team. Developers, operations personnel, and others all have roles to play in maintaining security.
  • Education and training: People need to know about the importance of security and how to incorporate it into their daily work. This involves ongoing training about security threats, safe coding practices, using security tools, and more.
  • Culture shift: Adopting DevSecOps often involves a cultural shift within an organization. It requires moving toward a culture that values transparency, shared responsibility, continuous learning, and a proactive approach to security.
  • Empowerment: Team members should feel empowered to make decisions related to security, and should feel comfortable reporting potential issues. This requires an environment of trust and openness, where people aren’t blamed for mistakes but are encouraged to learn from them.
  • Skills and expertise: As security practices become more integrated into the development process, team members might need to develop new skills and expertise. This might involve learning about new tools, technologies, or methodologies.

The people aspect of DevSecOps is all about creating an environment where everyone in the team understands the importance of security, is capable of contributing to it, and is committed to maintaining it as a collective responsibility. It’s about fostering a culture of collaboration, learning, and shared accountability for security. We will discuss this in more detail in the upcoming chapters.

Previous Section
End of Section 7
Next Section