Book Image

Implementing DevSecOps Practices

By : Vandana Verma Sehgal
Book Image

Implementing DevSecOps Practices

By: Vandana Verma Sehgal

Overview of this book

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

Related Content you might be interested in

Current Title:

Small book image
Implementing DevSecOps Practices
Vandana Verma Sehgal
Dec, 2023 | 258 pages
Small book image
Real-World Next.js
Michele Riva
Feb, 2022 | 366 pages
Small book image
Isomorphic JavaScript Web Development
Konstantin Tarkus | Tomas Alabes
Oct, 2017 | 226 pages
Small book image
Build Applications with Meteor
Dobrin Ganev
May, 2017 | 388 pages
Table of Contents (25 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1:DevSecOps – What and How?
Part 1:DevSecOps – What and How?
Free Chapter
2
Chapter 1: Introducing DevSecOps
Chapter 1: Introducing DevSecOps
Product development processes
Understanding the shift from DevOps to DevSecOps
The new processes within DevSecOps
DevSecOps maturity levels
KPIs
DevSecOps – the people aspect
Summary
Think and act
3
Part 2: DevSecOps Principles and Processes
Part 2: DevSecOps Principles and Processes
4
Chapter 2: DevSecOps Principles
Chapter 2: DevSecOps Principles
DevSecOps principles
Challenges within the DevSecOps pipeline that principles can resolve
Summary
5
Chapter 3: Understanding the Security Posture
Chapter 3: Understanding the Security Posture
Understanding your security posture
Why and what measures we take to secure the environment
What measures can we take to monitor an environment?
Where does security stand in the whole development process?
Summary
6
Chapter 4: Understanding Observability
Chapter 4: Understanding Observability
Why do we need observability?
The key functions of observability
Linking observability with monitoring
Challenges around observability
Making organizations observable
Summary
7
Chapter 5: Understanding Chaos Engineering
Chapter 5: Understanding Chaos Engineering
Introducing chaos engineering
Techniques involved in chaos engineering
Measuring the effectiveness of performing chaos engineering
Tools involved in chaos engineering
Basic principles of chaos engineering
How chaos engineering is different from other testing measures
Summary
8
Part 3:Technology
Part 3:Technology
9
Chapter 6: Continuous Integration and Continuous Deployment
Chapter 6: Continuous Integration and Continuous Deployment
What is a CI/CD pipeline?
The benefits of CI/CD
Automating the CI/CD pipeline
The importance of a CI/CD pipeline
Summary
10
Chapter 7: Threat Modeling
Chapter 7: Threat Modeling
What is threat modeling?
The importance of threat modeling in the software development lifecycle
Why should we perform threat modeling?
Threat modeling techniques
Integrating threat modeling into DevSecOps
Open source threat modeling tools
How threat modeling tools help organizations
Reasons some organizations don’t use threat modeling
Summary
11
Chapter 8: Software Composition Analysis (SCA)
Chapter 8: Software Composition Analysis (SCA)
What is SCA?
The importance of SCA
The benefits of SCA
Detection of security flaws
Open source SCA tools
Discussing past breaches
Summary
12
Chapter 9: Static Application Security Testing (SAST)
Chapter 9: Static Application Security Testing (SAST)
Introduction
What is SAST?
Identifying vulnerabilities early in the development process
Resolving issues without breaking the build
The benefits of SAST
The limitations of SAST
Open source SAST tools
Case study 1
Case study 2
Loss due to not following the SAST process
Summary
13
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Chapter 10: Infrastructure-as-Code (IaC) Scanning
What is IaC?
The importance of IaC scanning
IaC security best practices
IaC in DevSecOps
Open source IaC tools
Case study 1 – the Codecov security incident
Case study 2 – Capital One data breach
Case study 3 – Netflix environment improvement
Summary
14
Chapter 11: Dynamic Application Security Testing (DAST)
Chapter 11: Dynamic Application Security Testing (DAST)
What is DAST?
DAST usage for developers
DAST usage for security testers
The importance of DAST in secure development environments
Comparing DAST with other security testing approaches
Summary
15
Part 4: Tools
Part 4: Tools
16
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Techniques used in setting up the program
Setting up the CI/CD pipeline
Implementing security controls
Managing DevSecOps in production
The benefits of the program
Summary
17
Part 5: Governance and an Effective Security Champions Program
Part 5: Governance and an Effective Security Champions Program
18
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
DevSecOps and its relevance to license compliance
The distinction between traditional licenses and security implications
Different types of software licenses
The impact of software licenses on the DevSecOps pipeline
How to perform license reviews
Fine-tuning policies associated with licenses
Case studies
Summary
19
Chapter 14: Setting Up a Security Champions Program
Chapter 14: Setting Up a Security Champions Program
The Security Champions program
Who should be a Security Champion?
The top benefits of starting a Security Champions program
What does a Security Champion do?
Security Champions program – why do you need it?
Shared responsibility models
The roles of different teams
Buy-in from the executive
Measuring the effect of the Security Champions program
Summary
20
Part 6: Case Studies and Conclusion
Part 6: Case Studies and Conclusion
21
Chapter 15: Case Studies
Chapter 15: Case Studies
Case study 1 – FinTech Corporation
Case study 2 – Verma Enterprises
Case study 3 – HealthPlus
Case study 4 – GovAgency
Case study 5 – TechSoft
Common lessons learned and best practices
Summary
22
Chapter 16: Conclusion
Chapter 16: Conclusion
DevSecOps – what and how?
DevSecOps principles and processes
DevSecOps tools
DevSecOps techniques
Governance and an effective Security Champions program
Topics covered in this book
What’s next?
Case studies and conclusion
23
Index
Index
Why subscribe?
24
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

What this book covers

Chapter 1, Introducing DevSecOps, discusses the basics of DevSecOps and the different maturity levels involved in the current state and future attainable state of the practices involved in DevSecOps. It helps organizations understand where they are and where things can be taken next. People are the most important element in any technology and process. You can use the best of technology and processes, but without people, goals can’t be achieved. In this chapter, we will learn about the involvement of different teams and what key performance indicators are.

Chapter 2, DevSecOps Principles, explores the DevSecOps principles, which are the key concepts to pick up a program at any point of the development cycle and take it to the maturity stage.

Chapter 3, Understanding the Security Posture, covers the understanding your security posture of DevSecOps pipeline within an organization. We will also be covering what measures are we taking to secure the environment and why, what measures can we take to monitor an environment?, and where does security stand in the whole development process?

Chapter 4, Understanding Observability, examines what observability is and how it is different from monitoring. Also, we will look at how observability helps DevSecOps.

Chapter 5, Understanding Chaos Engineering, covers the aspects of chaos engineering and how data is fed to a system, well as understanding how the system fails.

Chapter 6, Continuous Integration and Continuous Deployment, discusses what is CI/CD, the benefits of CI/CD, how we can automate the CI/CD pipeline, and the importance of the CI/CD pipeline.

Chapter 7, Threat Modeling, dives into threat modeling, which involves examining applications through the eyes of an attacker in order to identify and highlight security flaws that could be exploited. This makes security a part of the organizational culture, laying the groundwork for a DevSecOps workplace. Threat modeling also helps teams better understand and learn each other’s roles, objectives, and pain points, resulting in a more collaborative and understanding organization. The chapter also covers the free and open source tools for threat modeling.

Chapter 8, Software Composition Analysis (SCA), explores third-party dependencies, which are one of the biggest concerns when we deal with code. Some 80–90 percent of software code contains third-party dependencies or libraries. These dependencies come with their own issues and benefits. In this chapter, we will discuss software composition analysis and its uses. We also cover the free and open source tools for SCA.

Chapter 9, Static Application Security Testing (SAST), examines SAST, which happens early in the Software Development Life Cycle (SDLC) because it does not require a working application and can be performed without executing any code. The chapter also covers the free and open source tools for SAST.

Chapter 10, Infrastructure-as-Code (IaC) Scanning, discusses Infrastructure-as-Code (IaC) scanning, which looks for known vulnerabilities in your IaC configuration files. IaC improves usability and functionality while also assisting developers with infrastructure deployment. The chapter will share the aspects of IaC scanning and usability testing. The chapter also covers the free and open source tools for IaC.

Chapter 11, Dynamic Application Security Testing (DAST), delves into DAST, which is the process of analyzing a web application from the frontend to find vulnerabilities. A DAST scanner looks for results that aren’t part of the expected result set and detects security flaws. The chapter also covers the free and open source tools for DAST.

Chapter 12, Setting Up a DevSecOps Program with Open Source Tools, covers the tools and tips to set up an effective DevSecOps program, covering it from 360 degrees.

Chapter 13, Licenses Compliance, Code Coverage, and Baseline Policies, explores license compliance, which ensures we manage licenses and policies and keep them up to date.

Chapter 14, Setting Up a Security Champions Program, talks about who security champions are and how we can set up a security champions program.

Chapter 15, Case Studies, discusses case studies from organizations that have set up DevSecOps programs. What were the initial setbacks that eventually contributed to the DevSecOps program's success ? We look at the lessons learned along the way.

Chapter 16, Conclusion, concludes the book, focusing on what we have learned from the different chapters and offering a call to action on the way forward.

Previous Section
Next Section