Cloud native software security handbook : unleash the power of cloud native tools for robust security in modern applications

Cloud native software security handbook unleash the power of cloud native tools for robust security in modern applications

Master widely used cloud native platforms like Kubernetes, Calico, Kibana, Grafana, Anchor, and more to ensure secure infrastructure and software development Purchase of the print or Kindle book includes a free PDF eBookKey FeaturesLearn how to select cloud-native platforms and integrate security so...

Full description

Bibliographic Details
Other Authors: Shah, Mihir, author (author)
Format: eBook
Language:Inglés
Published: Birmingham, England : Packt Publishing Ltd [2023]
Edition:1st ed
Subjects:
Cloud computing > 21st century.
Computer software > 21st century.
Computer security > 21st century.
Computer storage device industry > 21st century.
See on Biblioteca Universitat Ramon Llull:https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009764839106719
Table of Contents:
  • Cover
  • Title Page
  • Copyright and Credits
  • Contributors
  • Table of Contents
  • Preface
  • Part 1: Understanding Cloud Native Technology and Security
  • Chapter 1: Foundations of Cloud Native
  • Understanding the cloud-native world
  • Why consider using cloud-native architecture?
  • Cloud models
  • Approach to thinking cloud-native
  • Components of a cloud-native system
  • Orchestration
  • Monitoring
  • Logging and tracing
  • Container registries
  • Service meshes
  • Security
  • Summary
  • Quiz
  • Further readings
  • Chapter 2: Cloud Native Systems Security Management
  • Technical requirements
  • Secure configuration management
  • Using OPA for secure configuration management
  • Requiring encryption for all confidential data
  • Restricting access to sensitive resources
  • Enforcing resource limits
  • Secure image management
  • Why care about image security?
  • Best practices for secure image management
  • Clair
  • Harbor
  • Creating an HTTPS connection for the repository
  • Scanning for vulnerabilities in images
  • Summary
  • Quiz
  • Further readings
  • Chapter 3: Cloud Native Application Security
  • Technical requirements
  • Overview of cloud-native application development
  • Differences between traditional and cloud-native app development
  • The DevOps model
  • Cloud-native architecture and DevOps
  • Introduction to application security
  • Overview of different security threats and attacks
  • Integrating security into the development process
  • OWASP Top 10 for cloud native
  • Not shift-left
  • Security and development trade-off
  • Supplemental security components
  • OWASP ASVS
  • Secrets management
  • How to create secrets in Vault
  • Summary
  • Quiz
  • Further reading
  • Part 2: Implementing Security in Cloud Native Environments
  • Chapter 4: Building an AppSec Culture
  • Technical requirements.
  • Overview of building an AppSec program
  • Understanding your security needs
  • Identifying threats and risks in cloud-native environments
  • Bug bounty
  • Evaluating compliance requirements and regulations
  • Building an effective AppSec program for cloud-native
  • Security tools for software in development
  • Threat modeling
  • Providing security training and awareness to all stakeholders
  • Developing policies and procedures
  • Incident response and disaster recovery
  • Cloud security policy
  • Identity and access management policies
  • Continuous monitoring and improvement
  • Summary
  • Quiz
  • Further readings
  • Chapter 5: Threat Modeling for Cloud Native
  • Technical requirements
  • Developing an approach to threat modeling
  • An overview of threat modeling for cloud native
  • Integrating threat modeling into Agile and DevOps processes
  • Developing a threat matrix
  • Cultivating critical thinking and risk assessment
  • Fostering a critical thinking mindset
  • Developing risk assessment skills
  • Threat modeling frameworks
  • STRIDE
  • PASTA
  • LINDDUN
  • Kubernetes threat matrix
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Impact
  • Summary
  • Quiz
  • Further readings
  • Chapter 6: Securing the Infrastructure
  • Technical requirements
  • Approach to object access control
  • Kubernetes network policies
  • Calico
  • Using Calico with Kubernetes
  • Principles for authentication and authorization
  • Authentication
  • Authorization
  • Importance of authentication and authorization
  • Kubernetes authentication and authorization mechanisms
  • Defense in depth
  • Infrastructure components in cloud-native environments
  • Compute components - virtual machines, containers, and serverless computing.
  • Networking components - VPCs, subnets, load balancers, and ingress controllers
  • Storage services - block storage, object storage, and databases
  • Falco - real-time monitoring for cloud workloads
  • Summary
  • Quiz
  • Further readings
  • Chapter 7: Cloud Security Operations
  • Technical requirements
  • Novel techniques in sourcing data points
  • Centralized logging with the EFK stack
  • Creating alerting and webhooks within different platforms
  • Creating alerting rules in Prometheus
  • Configuring webhook notifications for different platforms (e.g., Slack)
  • Automating incident response with custom scripts and tools
  • Automated security lapse findings
  • Security Orchestration, Automation, and Response (SOAR) platforms
  • SOAR platforms on the market
  • Integrating security tools and automating workflows
  • Integrating security tools
  • Automating workflows
  • Building and maintaining a security automation playbook
  • Elements of a security automation playbook
  • Building a security automation playbook
  • Maintaining a security automation playbook
  • Summary
  • Quiz
  • Further readings
  • Chapter 8: DevSecOps Practices for Cloud Native
  • Technical requirements
  • Infrastructure as Code
  • The importance of DevSecOps
  • DevSecOps in practice
  • Continuous integration and continuous deployment (CI/CD) in DevSecOps
  • Infrastructure as Code (IaC) and Policy as Code in DevSecOps
  • Security tools in DevSecOps
  • Security implications of IaC
  • Checkov - a comprehensive overview
  • Policy as Code
  • Why Policy as Code?
  • Implementing Policy as Code with OPA
  • Policy as Code in the broader DevSecOps strategy
  • Integrating Policy as Code into the CI/CD pipeline
  • Policy as Code - a pillar of DevSecOps
  • Policy as Code and Infrastructure as Code - two sides of the same coin
  • Container security
  • Secrets management
  • Network policies.
  • Security in serverless architectures
  • Security observability
  • Compliance auditing
  • Threat modeling and risk assessment
  • Incident response
  • Security training and culture
  • Continuous learning and improvement - the DevSecOps mindset
  • The role of automation in DevSecOps
  • The importance of collaboration in DevSecOps
  • The power of open source in DevSecOps
  • Future trends - the evolution of DevSecOps
  • Summary
  • Quiz
  • Further readings
  • Part 3: Legal, Compliance, and Vendor Management
  • Chapter 9: Legal and Compliance
  • Overview
  • Comprehending privacy in the cloud
  • The importance of privacy in the cloud-native landscape
  • The CCPA and its implications for cloud-native
  • Other significant US privacy laws and their implications for cloud-native
  • Audit processes, methodologies, and cloud-native adoption
  • Importance of audit processes and methodologies in cloud-native adoption
  • Common audit processes and methodologies
  • Laws, regulations, and standards
  • The CFAA and its implications for cloud-native software security
  • The FTCA and its implications for cloud-native software security
  • Overview of compliance standards and their implications for cloud-native software security
  • Case studies - incidents related to standards and their implications for security engineers
  • Summary
  • Quiz
  • Further readings
  • Chapter 10: Cloud Native Vendor Management and Security Certifications
  • Security policy framework
  • Understanding cloud vendor risks
  • Understanding security policy frameworks
  • Implementing security policy frameworks with cloud vendors
  • Effective security policy framework in a cloud environment
  • Best practices for implementing a security policy framework with cloud vendors
  • Government cloud standards and vendor certifications
  • Industry cloud standards.
  • The importance of adhering to government and industry cloud standards
  • Vendor certifications
  • Enterprise risk management
  • The significance of ERM in cloud security
  • Incorporating vendor management into your enterprise risk management program
  • Risk analysis
  • Risk analysis - a key step in vendor evaluation
  • Tools and techniques for evaluating vendor risk
  • Best practices for vendor selection
  • Building and managing vendor relationships
  • Case study
  • Background
  • Risk analysis and vendor selection
  • Establishing strong vendor relationship
  • Managing the relationship
  • Successful outcomes
  • Summary
  • Quiz
  • Further readings
  • Index
  • Other Books You May Enjoy.

Similar Items