Hands-on security in DevOps : ensure continuous security, deployment, and delivery with DevSecOps

Hands-on security in DevOps ensure continuous security, deployment, and delivery with DevSecOps

Protect your organization's security at all levels by introducing the latest strategies for securing DevOps Key Features Integrate security at each layer of the DevOps pipeline Discover security practices to protect your cloud services by detecting fraud and intrusion Explore solutions to infra...

Descripción completa

Detalles Bibliográficos
Otros Autores: Hsu, Tony, author (author)
Formato: Libro electrónico
Idioma:Inglés
Publicado: Birmingham : Packt 2018.
Edición:1st edition
Materias:
Information technology > Management.
Computer networks > Security measures.
Computer networks > Access control.
Ver en Biblioteca Universitat Ramon Llull:https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009631588506719
Tabla de Contenidos:
  • Cover
  • Title Page
  • Copyright and Credits
  • Packt Upsell
  • Contributors
  • Table of Contents
  • Preface
  • Chapter 1: DevSecOps Drivers and Challenges
  • Security compliance
  • ISO 27001
  • Cloud Security Alliance (CSA)
  • Federal Information Processing Standards (FIPS)
  • Center for Internet Security (CIS) and OpenSCAP - securing your infrastructure
  • National Checklist Program (NCP) repository
  • OpenSCAP tools
  • Legal and security compliance
  • New technology (third-party, cloud, containers, and virtualization)
  • Virtualization
  • Dockers
  • Infrastructure as Code (IaC)
  • Cloud services hacks/abuse
  • Case study - products on sale
  • What do hackers do?
  • Rapid release
  • Summary
  • Questions
  • Further reading
  • Chapter 2: Security Goals and Metrics
  • Organization goal
  • Strategy and metrics
  • Policy and compliance
  • Education and guidance
  • Development goal/metrics
  • Threat assessment
  • Threat assessment for GDPR
  • Deliverables and development team self-assessment
  • Security requirements
  • QA goal/metrics
  • Design review
  • Implementation review
  • Third-party components
  • IDE-plugin code review
  • Static code review
  • Target code review
  • Security testing
  • Operation goal/metrics
  • Issue management
  • Environment Hardening
  • Secure configuration baseline
  • Constant monitoring mechanism
  • Operational enablement
  • Code signing for application deployment
  • Application communication ports matrix
  • Application configurations
  • Summary
  • Questions
  • Further reading
  • Chapter 3: Security Assurance Program and Organization
  • Security assurance program
  • SDL (Security Development Lifecycle)
  • OWASP SAMM
  • Security guidelines and processes
  • Security growth with business
  • Stage 1 - basic security control
  • Stage 2 - building a security testing team
  • Stage 3 - SDL activities.
  • Stage 4 - self-build security services
  • Stage 5 - big data security analysis and automation
  • Role of a security team in an organization
  • Security office under a CTO
  • Dedicated security team
  • Case study - a matrix, functional, or taskforce structure
  • Security resource pool
  • Security technical committee (taskforce)
  • Summary
  • Questions
  • Further reading
  • Chapter 4: Security Requirements and Compliance
  • Security requirements for the release gate
  • Release gate examples
  • Common Vulnerability Scoring System (CVSS)
  • Security requirements for web applications
  • OWASP Application Security Verification Standard (ASVS)
  • Security knowledge portal
  • Security requirements for big data
  • Big data security requirements
  • Big data technical security frameworks
  • Privacy requirements for GDPR
  • Privacy Impact Assessment (PIA)
  • Privacy data attributes
  • Example of a data flow assessment
  • GDPR security requirements for data processor and controller
  • Summary
  • Questions
  • Further reading
  • Chapter 5: Case Study - Security Assurance Program
  • Security assurance program case study
  • Microsoft SDL and SAMM
  • Security training and awareness
  • Security culture
  • Web security frameworks
  • Baking security into DevOps
  • Summary
  • Questions
  • Further reading
  • Chapter 6: Security Architecture and Design Principles
  • Security architecture design principles
  • Cloud service security architecture reference
  • Security framework
  • Java web security framework
  • Non-Java web security frameworks
  • Web readiness for privacy protection
  • Login protection
  • Cryptographic modules
  • Input validation and sanitization
  • Data masking
  • Data governance - Apache Ranger and Atlas
  • Third-party open source management
  • Summary
  • Questions
  • Further reading
  • Chapter 7: Threat Modeling Practices and Secure Design.
  • Threat modeling practices
  • Threat modeling with STRIDE
  • Diagram designer tool
  • Card games
  • Threat library references
  • Case study - formal documents or not?
  • Secure design
  • Summary
  • Questions
  • Further reading
  • Chapter 8: Secure Coding Best Practices
  • Secure coding industry best practices
  • Establishing secure coding baselines
  • Secure coding awareness training
  • Tool evaluation
  • Tool optimization
  • High-risk module review
  • Manual code review tools
  • Secure code scanning tools
  • Secure compiling
  • Common issues in practice
  • Summary
  • Questions
  • Further reading
  • Chapter 9: Case Study - Security and Privacy by Design
  • Case study background
  • Secure architecture review
  • Authentication
  • Authorization
  • Session management
  • Data input/output
  • Privacy by design
  • Summary of security and privacy frameworks
  • Third-party component management
  • Summary
  • Questions
  • Further reading
  • Chapter 10: Security-Testing Plan and Practices
  • Security-testing knowledge kit
  • Security-testing plan templates
  • Security-testing objective
  • Security-testing baseline
  • Security-testing environment
  • Testing strategy
  • High-risk modules
  • Recommended security-testing tools
  • Web security testing
  • Privacy
  • Security-testing domains
  • Thinking like a hacker
  • Exploits and CVE
  • Hacker techniques
  • Malware Information
  • Security-Training environment
  • Summary
  • Questions
  • Further reading
  • Chapter 11: Whitebox Testing Tips
  • Whitebox review preparation
  • Viewing the whole project
  • High-risk module
  • Whitebox review checklist
  • Top common issues
  • Secure coding patterns and keywords
  • Case study - Java struts security review
  • Struts security review approaches
  • Struts security checklist
  • Struts security strings search in struts.xml and API
  • Summary
  • Questions
  • Further reading.
  • Chapter 12: Security Testing Toolkits
  • General security testing toolkits
  • Automation testing criteria
  • Behavior-driven security testing framework
  • Android security testing
  • Securing infrastructure configuration
  • Docker security scanning
  • Integrated security tools
  • Summary
  • Questions
  • Further reading
  • Chapter 13: Security Automation with the CI Pipeline
  • Security in continuous integration
  • Security practices in development
  • IDE plugins to automate the code review
  • Static code analysis
  • Secure compiler configuration
  • Dependency check
  • Web testing in proactive/proxy mode
  • Web automation testing tips
  • Security automation in Jenkins
  • Summary
  • Questions
  • Further reading
  • Chapter 14: Incident Response
  • Security incident response process
  • Preparation
  • Detection and analysis
  • Containment and recovery
  • Post-incident activity
  • Security incident response platforms (SIRP)
  • SOC team
  • Incident forensics techniques
  • Summary
  • Questions
  • Further reading
  • Chapter 15: Security Monitoring
  • Logging policy
  • Security monitoring framework
  • Source of information
  • Threat intelligence toolset
  • Security scanning toolset
  • Malware behavior matching - YARA
  • Summary
  • Questions
  • Further reading
  • Chapter 16: Security Assessment for New Releases
  • Security review policies for releases
  • Security checklist and tools
  • BDD security framework
  • Consolidated testing results
  • Summary
  • Questions
  • Further reading
  • Chapter 17: Threat Inspection and Intelligence
  • Unknown threat detection
  • Indicators of compromises
  • Security analysis using big data frameworks
  • TheHive
  • MISP - an Open Source Threat Intelligence Platform
  • Apache Metron
  • Summary
  • Questions
  • Further reading
  • Chapter 18: Business Fraud and Service Abuses
  • Business fraud and abuses.
  • Business risk detection framework
  • PCI DSS compliance
  • Summary
  • Questions
  • Further reading
  • Chapter 19: GDPR Compliance Case Study
  • GDPR security requirement
  • Case studies
  • Case 1 - personal data discovery
  • Case 2 - database anonymization
  • Case 3 - cookie consent
  • Case 4 - data-masking library for implementation
  • Case 5 - evaluating website privacy status
  • Summary
  • Questions
  • Further reading
  • Chapter 20: DevSecOps - Challenges, Tips, and FAQs
  • DevSecOps for security management
  • DevSecOps for the development team
  • DevSecOps for the testing team
  • DevSecOps for the operations team
  • Summary
  • Further reading
  • Assessments
  • Other Books You May Enjoy
  • Index.

Ejemplares similares