Implementing DevSecOps Practices

Book description

Integrate shift-left security, automation, IaC, and compliance into every stage of development to ensure strong application security and continuous protection for modern software using DevSecOps best practices

Key Features

  • Understand security posture management to maintain a resilient operational environment
  • Master DevOps security and blend it with software engineering to create robust security protocols
  • Adopt the shift-left approach to integrate security into the earliest stages of the DevSecOps pipeline
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles.

After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain.

By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

What you will learn

  • Find out how DevSecOps unifies security and DevOps, bridging a significant cybersecurity gap
  • Discover how CI/CD pipelines can incorporate security checks for automatic vulnerability detection
  • Understand why threat modeling is indispensable for early vulnerability identification and action
  • Explore chaos engineering experiments to observe how systems behave under injected failures and adverse security conditions
  • Find out how SAST analyses source code before it runs and how DAST finds vulnerabilities in a running application
  • Understand observability, how it enables real-time monitoring, and why it is critical to security management

Who this book is for

This book is for individuals who are new to DevSecOps and want to implement its practices successfully and efficiently. DevSecOps engineers, application security engineers, developers, pentesters, and security analysts will find plenty of useful information in this book. Prior knowledge of the software development process and programming logic is beneficial, but not mandatory.

Table of contents

  1. Implementing DevSecOps Practices
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Conventions used
    5. Get in touch
    6. Share Your Thoughts
    7. Download a free PDF copy of this book
  6. Part 1: DevSecOps – What and How?
  7. Chapter 1: Introducing DevSecOps
    1. Product development processes
      1. The Waterfall model
      2. The Agile methodology
    2. Understanding the shift from DevOps to DevSecOps
    3. The new processes within DevSecOps
    4. DevSecOps maturity levels
      1. Maturity level 1
      2. Maturity level 2
      3. Maturity level 3
      4. Maturity level 4
    5. KPIs
    6. DevSecOps – the people aspect
    7. Summary
    8. Think and act
  8. Part 2: DevSecOps Principles and Processes
  9. Chapter 2: DevSecOps Principles
    1. DevSecOps principles
      1. Unifying the CI/CD pipeline
      2. Fail fast
      3. Automation and innovation in DevSecOps
      4. Introducing compliance checks
      5. Empowering teams to make decisions
      6. Cross-skilling and educating teams and the cultural aspect approach
      7. Proper documentation
      8. Relevant checkpoints
      9. Building and managing secure Dev environments and toolchains
    2. Challenges within the DevSecOps pipeline that principles can resolve
      1. Continuous application changes
      2. The developer knowledge gap
      3. Lack of AppSec tool integration
    3. Summary
  10. Chapter 3: Understanding the Security Posture
    1. Understanding your security posture
      1. Regular meetings
      2. Managing pipelines
      3. Testing pipelines
      4. Tools involved in pipelines
    2. Why and what measures we take to secure the environment
      1. Building the vulnerabilities inventory
      2. Addressing vulnerabilities
      3. Parameters to define the security posture
      4. Discovering the third-party component
      5. Measuring the effectiveness of the technologies used
      6. Managing workflows
    3. What measures can we take to monitor an environment?
      1. A positive way toward the cloud-native world
      2. Cloud-native architectures
      3. Provisioning and configuring infrastructure
      4. Automating controls
      5. Securing the toolchains
    4. Where does security stand in the whole development process?
      1. Compliance and audit
      2. Multi-cloud security
      3. Monitoring
      4. Incident response
      5. Developer tools
      6. Vulnerability management
    5. Summary
  11. Chapter 4: Understanding Observability
    1. Why do we need observability?
    2. The key functions of observability
    3. Linking observability with monitoring
      1. Exploring the monitoring process
      2. Implementing observability with monitoring
    4. Challenges around observability
    5. Making organizations observable
    6. Summary
  12. Chapter 5: Understanding Chaos Engineering
    1. Introducing chaos engineering
      1. Why do we need chaos engineering?
      2. Best practices while working with chaos engineering
    2. Techniques involved in chaos engineering
      1. Specific systems and services that organizations use for chaos engineering
    3. Measuring the effectiveness of performing chaos engineering
    4. Tools involved in chaos engineering
    5. Basic principles of chaos engineering
      1. Team communication strategies while performing chaos engineering experiments
      2. Developing robust chaos engineering practice from failures
      3. Challenges around chaos engineering
    6. How chaos engineering is different from other testing measures
    7. Summary
  13. Part 3: Technology
  14. Chapter 6: Continuous Integration and Continuous Deployment
    1. What is a CI/CD pipeline?
      1. CI
      2. CD – continuous delivery and continuous deployment
    2. The benefits of CI/CD
    3. Automating the CI/CD pipeline
      1. Source control
      2. Automated builds
      3. Continuous testing
      4. Artifact storing
      5. Deployment automation
      6. Environment consistency
      7. Monitoring and feedback
      8. Rollbacks
    4. The importance of a CI/CD pipeline
    5. Summary
  15. Chapter 7: Threat Modeling
    1. What is threat modeling?
    2. The importance of threat modeling in the software development lifecycle
    3. Why should we perform threat modeling?
    4. Threat modeling techniques
    5. Integrating threat modeling into DevSecOps
      1. Pre-development phase
      2. Design phase
      3. Development phase
      4. Testing phase
      5. Deployment phase
    6. Open source threat modeling tools
    7. How threat modeling tools help organizations
    8. Reasons some organizations don’t use threat modeling
    9. Summary
  16. Chapter 8: Software Composition Analysis (SCA)
    1. What is SCA?
      1. How does SCA work?
      2. SCA tools and their functionalities
    2. The importance of SCA
    3. The benefits of SCA
      1. SAST versus SCA
      2. The SCA process
      3. SCA metrics
      4. Integrating SCA with other security tools
      5. Resolving the issues without breaking the build
    4. Detection of security flaws
    5. Open source SCA tools
    6. Discussing past breaches
    7. Summary
  17. Chapter 9: Static Application Security Testing (SAST)
    1. Introduction
    2. What is SAST?
      1. SAST tools and their functionalities
    3. Identifying vulnerabilities early in the development process
      1. The SAST process
      2. SAST metrics
      3. Integrating SAST with other security tools
    4. Resolving issues without breaking the build
    5. The benefits of SAST
    6. The limitations of SAST
    7. Open source SAST tools
    8. Case study 1
    9. Case study 2
    10. Loss due to not following the SAST process
    11. Summary
  18. Chapter 10: Infrastructure-as-Code (IaC) Scanning
    1. What is IaC?
    2. The importance of IaC scanning
      1. IaC toolset functionalities
      2. Advantages and disadvantages of IaC
      3. Identifying vulnerabilities using IaC
      4. What is the IaC process?
      5. IaC metrics
      6. IaC versus SAST
    3. IaC security best practices
    4. IaC in DevSecOps
      1. Understanding DevSecOps
      2. The role of IaC in DevSecOps
      3. The DevSecOps process with IaC
      4. Key benefits
      5. Challenges and mitigation
      6. Conclusion and future outlook
    5. Open source IaC tools
    6. Case study 1 – the Codecov security incident
    7. Case study 2 – Capital One data breach
    8. Case study 3 – Netflix environment improvement
    9. Summary
  19. Chapter 11: Dynamic Application Security Testing (DAST)
    1. What is DAST?
      1. Advantages and limitations of DAST
      2. The DAST process
    2. DAST usage for developers
    3. DAST usage for security testers
    4. The importance of DAST in secure development environments
      1. Incorporating DAST into the application development life cycle
      2. Advanced DAST techniques
      3. Choosing the right DAST tool
      4. How to perform a DAST scan in an organization
      5. Integrating DAST with other security tools
      6. Incorporating DAST into DevOps processes
      7. Prioritizing and remediating vulnerabilities
    5. Comparing DAST with other security testing approaches
      1. SAST
      2. IAST
      3. RASP
      4. The future of DAST
    6. Summary
  20. Part 4: Tools
  21. Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
    1. Techniques used in setting up the program
      1. Understanding DevSecOps
    2. Setting up the CI/CD pipeline
      1. The technicalities of setting up a CI/CD pipeline
    3. Implementing security controls
      1. Identifying open source security tools
      2. Implementing security policies and procedures
    4. Managing DevSecOps in production
      1. Monitoring and managing the DevSecOps pipeline in production
      2. Using open source tools for monitoring, logging, and alerting
      3. Incorporating continuous compliance and auditing into the pipeline
      4. Managing incidents and responding to security breaches
    5. The benefits of the program
    6. Summary
  22. Part 5: Governance and an Effective Security Champions Program
  23. Chapter 13: License Compliance, Code Coverage, and Baseline Policies
    1. DevSecOps and its relevance to license compliance
    2. The distinction between traditional licenses and security implications
      1. Source code access
      2. Modification and redistribution
      3. Community oversight
      4. Vendor dependency
      5. Cost and resource allocation
    3. Different types of software licenses
      1. Permissive licenses (MIT, Apache)
      2. Copyleft licenses (GPL, LGPL)
      3. Proprietary licenses
    4. The impact of software licenses on the DevSecOps pipeline
    5. How to perform license reviews
      1. Tools and techniques
      2. Engaging legal and security teams
      3. Documentation and continuous improvement
    6. Fine-tuning policies associated with licenses
      1. Establishing an organizational standard
      2. Exception handling
      3. Continuous review and improvement
    7. Case studies
      1. Case study 1 – the Redis licensing change
      2. Case study 2 – Elastic versus AWS licensing drama
    8. Summary
  24. Chapter 14: Setting Up a Security Champions Program
    1. The Security Champions program
      1. Structuring your Security Champions program
      2. Things to remember before setting up the program
    2. Who should be a Security Champion?
      1. How a Security Champions program would look
    3. The top benefits of starting a Security Champions program
    4. What does a Security Champion do?
    5. Security Champions program – why do you need it?
    6. Shared responsibility models
    7. The roles of different teams
    8. Buy-in from the executive
      1. The importance of executive buy-in
      2. How to secure executive buy-in
    9. Measuring the effect of the Security Champions program
      1. Technical aspects to check the effectiveness of the Security Champions program
      2. Strategic aspects to check the effectiveness of the Security Champions program
    10. Summary
  25. Part 6: Case Studies and Conclusion
  26. Chapter 15: Case Studies
    1. Case study 1 – FinTech Corporation
      1. Challenges faced before implementing DevSecOps
      2. Steps taken to transition to DevSecOps
      3. Results and impact on the company’s software development
      4. Lessons learned
    2. Case study 2 – Verma Enterprises
      1. Challenges faced by the organization in terms of security
      2. Implementation of DevSecOps practices and tools
      3. Results and benefits achieved
    3. Case study 3 – HealthPlus
      1. The importance of security in healthcare data and systems
      2. The implementation of DevSecOps practices and tools to improve security
      3. Results and benefits achieved
    4. Case study 4 – GovAgency
      1. Security requirements for government agencies
      2. The implementation of DevSecOps practices and tools to meet compliance and improve security
      3. Results and benefits achieved
    5. Case study 5 – TechSoft
      1. Security requirements for the IT sector
      2. The implementation of DevSecOps practices and tools to meet compliance and improve security
      3. Results and benefits achieved
    6. Common lessons learned and best practices
      1. Lessons learned from implementing DevSecOps practices and tools
      2. Best practices for implementing DevSecOps in software development
    7. Summary
  27. Chapter 16: Conclusion
    1. DevSecOps – what and how?
    2. DevSecOps principles and processes
    3. DevSecOps tools
    4. DevSecOps techniques
    5. Governance and an effective Security Champions program
    6. Topics covered in this book
    7. What’s next?
    8. Case studies and conclusion
  28. Index
    1. Why subscribe?
  29. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Implementing DevSecOps Practices
  • Author(s): Vandana Verma Sehgal
  • Release date: December 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781803231495