Implementing DevSecOps Practices Supercharge Your Software Security with DevSecOps Excellence
Get to grips with application security, secure coding, and DevSecOps practices to implement in your development pipeline Key Features Understand security posture management to maintain a resilient operational environment Master DevOps security and blend it with software engineering to create robust...
| Otros Autores: | |
|---|---|
| Formato: | Libro electrónico |
| Idioma: | Inglés |
| Publicado: |
Birmingham, England :
Packt Publishing Ltd
[2023]
|
| Edición: | First edition |
| Materias: | |
| Ver en Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009790336406719 |
Tabla de Contenidos:
- Cover
- Title Page
- Copyright and Credits
- Dedicated
- Contributors
- Table of Contents
- Preface
- Part 1: DevSecOps - What and How?
- Chapter 1: Introducing DevSecOps
- Product development processes
- The Waterfall model
- The Agile methodology
- Understanding the shift from DevOps to DevSecOps
- The new processes within DevSecOps
- DevSecOps maturity levels
- Maturity level 1
- Maturity level 2
- Maturity level 3
- Maturity level 4
- KPIs
- DevSecOps - the people aspect
- Summary
- Think and act
- Part 2: DevSecOps Principles and Processes
- Chapter 2: DevSecOps Principles
- DevSecOps principles
- Unifying the CI/CD pipeline
- Fail fast
- Automation and innovation in DevSecOps
- Introducing compliance checks
- Empowering teams to make decisions
- Cross-skilling and educating teams and the cultural aspect approach
- Proper documentation
- Relevant checkpoints
- Building and managing secure Dev environments and toolchains
- Challenges within the DevSecOps pipeline that principles can resolve
- Continuous application changes
- The developer knowledge gap
- Lack of AppSec tool integration
- Summary
- Chapter 3: Understanding the Security Posture
- Understanding your security posture
- Regular meetings
- Managing pipelines
- Testing pipelines
- Tools involved in pipelines
- Why and what measures we take to secure the environment
- Building the vulnerabilities inventory
- Addressing vulnerabilities
- Parameters to define the security posture
- Discovering the third-party component
- Measuring the effectiveness of the technologies used
- Managing workflows
- What measures can we take to monitor an environment?
- A positive way toward the cloud-native world
- Cloud-native architectures
- Provisioning and configuring infrastructure
- Automating controls
- Securing the toolchains.
- Where does security stand in the whole development process?
- Compliance and audit
- Multi-cloud security
- Monitoring
- Incident response
- Developer tools
- Vulnerability management
- Summary
- Chapter 4: Understanding Observability
- Why do we need observability?
- The key functions of observability
- Linking observability with monitoring
- Exploring the monitoring process
- Implementing observability with monitoring
- Challenges around observability
- Making organizations observable
- Summary
- Chapter 5: Understanding Chaos Engineering
- Introducing chaos engineering
- Why do we need chaos engineering?
- Best practices while working with chaos engineering
- Techniques involved in chaos engineering
- Specific systems and services that organizations use for chaos engineering
- Measuring the effectiveness of performing chaos engineering
- Tools involved in chaos engineering
- Basic principles of chaos engineering
- Team communication strategies while performing chaos engineering experiments
- Developing robust chaos engineering practice from failures
- Challenges around chaos engineering
- How chaos engineering is different from other testing measures
- Summary
- Part 3: Technology
- Chapter 6: Continuous Integration and Continuous Deployment
- What is a CI/CD pipeline?
- CI
- CD - continuous delivery and continuous deployment
- The benefits of CI/CD
- Automating the CI/CD pipeline
- Source control
- Automated builds
- Continuous testing
- Artifact storing
- Deployment automation
- Environment consistency
- Monitoring and feedback
- Rollbacks
- The importance of a CI/CD pipeline
- Summary
- Chapter 7: Threat Modeling
- What is threat modeling?
- The importance of threat modeling in the software development lifecycle
- Why should we perform threat modeling?
- Threat modeling techniques.
- Integrating threat modeling into DevSecOps
- Pre-development phase
- Design phase
- Development phase
- Testing phase
- Deployment phase
- Open source threat modeling tools
- How threat modeling tools help organizations
- Reasons some organizations don't use threat modeling
- Summary
- Chapter 8: Software Composition Analysis (SCA)
- What is SCA?
- How does SCA work?
- SCA tools and their functionalities
- The importance of SCA
- The benefits of SCA
- SAST versus SCA
- The SCA process
- SCA metrics
- Integrating SCA with other security tools
- Resolving the issues without breaking the build
- Detection of security flaws
- Open source SCA tools
- Discussing past breaches
- Summary
- Chapter 9: Static Application Security Testing
- Introduction
- What is SAST?
- SAST tools and their functionalities
- Identifying vulnerabilities early in the development process
- The SAST process
- SAST metrics
- Integrating SAST with other security tools
- Resolving issues without breaking the build
- The benefits of SAST
- The limitations of SAST
- Open source SAST tools
- Case study 1
- Case study 2
- Loss due to not following the SAST process
- Summary
- Chapter 10: Infrastructure-as-Code (IaC) Scanning
- What is IaC?
- The importance of IaC scanning
- IaC toolset functionalities
- Advantages and disadvantages of IaC
- Identifying vulnerabilities using IaC
- What is the IaC process?
- IaC metrics
- IaC versus SAST
- IaC security best practices
- IaC in DevSecOps
- Understanding DevSecOps
- The role of IaC in DevSecOps
- The DevSecOps process with IaC
- Key benefits
- Challenges and mitigation
- Conclusion and future outlook
- Open source IaC tools
- Case study 1 - the Codecov security incident
- Case study 2 - Capital One data breach
- Case study 3 - Netflix environment improvement
- Summary.
- Chapter 11: Dynamic Application Security Testing (DAST)
- What is DAST?
- Advantages and limitations of DAST
- The DAST process
- DAST usage for developers
- DAST usage for security testers
- The importance of DAST in secure development environments
- Incorporating DAST into the application development life cycle
- Advanced DAST techniques
- Choosing the right DAST tool
- How to perform a DAST scan in an organization
- Integrating DAST with other security tools
- Incorporating DAST into DevOps processes
- Prioritizing and remediating vulnerabilities
- Comparing DAST with other security testing approaches
- SAST
- IAST
- RASP
- The future of DAST
- Summary
- Part 4: Tools
- Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
- Techniques used in setting up the program
- Understanding DevSecOps
- Setting up the CI/CD pipeline
- The technicalities of setting up a CI/CD pipeline
- Implementing security controls
- Identifying open source security tools
- Implementing security policies and procedures
- Managing DevSecOps in production
- Monitoring and managing the DevSecOps pipeline in production
- Using open source tools for monitoring, logging, and alerting
- Incorporating continuous compliance and auditing into the pipeline
- Managing incidents and responding to security breaches
- The benefits of the program
- Summary
- Part 5: Governance and an Effective Security Champions Program
- Chapter 13: License Compliance, Code Coverage, and Baseline Policies
- DevSecOps and its relevance to license compliance
- The distinction between traditional licenses and security implications
- Source code access
- Modification and redistribution
- Community oversight
- Vendor dependency
- Cost and resource allocation
- Different types of software licenses
- Permissive licenses (MIT, Apache).
- Copyleft licenses (GPL, LGPL)
- Proprietary licenses
- The impact of software licenses on the DevSecOps pipeline
- How to perform license reviews
- Tools and techniques
- Engaging legal and security teams
- Documentation and continuous improvement
- Fine-tuning policies associated with licenses
- Establishing an organizational standard
- Exception handling
- Continuous review and improvement
- Case studies
- Case study 1 - the Redis licensing change
- Case study 2 - Elastic versus AWS licensing drama
- Summary
- Chapter 14: Setting Up a Security Champions Program
- The Security Champions program
- Structuring your Security Champions program
- Things to remember before setting up the program
- Who should be a Security Champion?
- How a Security Champions program would look
- The top benefits of starting a Security Champions program
- What does a Security Champion do?
- Security Champions program - why do you need it?
- Shared responsibility models
- The roles of different teams
- Buy-in from the executive
- The importance of executive buy-in
- How to secure executive buy-in
- Measuring the effect of the Security Champions program
- Technical aspects to check the effectiveness of the Security Champions program
- Strategic aspects to check the effectiveness of the Security Champions program
- Summary
- Part 6: Case Studies and Conclusion
- Chapter 15: Case Studies
- Case study 1 - FinTech Corporation
- Challenges faced before implementing DevSecOps
- Steps were taken to transition to DevSecOps
- Results and impact on the company's software development
- Lessons learned
- Case study 2 - Verma Enterprises
- Challenges faced by the organization in terms of security
- Implementation of DevSecOps practices and tools
- Results and benefits achieved
- Case study 3 - HealthPlus.
- The importance of security in healthcare data and systems.
