Securing DevOps

Book description

Securing DevOps explores how the techniques of DevOps and security should be applied together to make cloud services safer. This introductory book reviews the latest practices used in securing web applications and their infrastructure and teaches you techniques to integrate security directly into your product. You'll also learn the core concepts of DevOps, such as continuous integration, continuous delivery, and infrastructure as a service.
About the Technology

An application running in the cloud can benefit from incredible efficiencies, but they come with unique security threats too. A DevOps team’s highest priority is understanding those risks and hardening the system against them.
About the Book

Securing DevOps teaches you the essential techniques to secure your cloud services. Using compelling case studies, it shows you how to build security into automated testing, continuous delivery, and other core DevOps processes. This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale. You’ll also learn to identify, assess, and secure the unique vulnerabilities posed by cloud deployments and automation tools commonly used in modern infrastructures.
What's Inside

  • An approach to continuous security
  • Implementing test-driven security in DevOps
  • Security techniques for cloud services
  • Watching for fraud and responding to incidents
  • Security testing and risk assessment
About the Reader

Readers should be comfortable with Linux and standard DevOps practices like CI, CD, and unit testing.
About the Author

Julien Vehent is a security architect and DevOps advocate. He leads the Firefox Operations Security team at Mozilla, and is responsible for the security of Firefox’s high-traffic cloud services and public websites.
Quotes
Provides both sound ideas and real-world examples. A must-read.
- Adrien Saladin, PeopleDoc

Makes a complex topic completely approachable. Recommended for DevOps personnel and technology managers alike.
- Adam Montville, Center for Internet Security

Practical and ready for immediate application.
- Yan Guo, Eventbrite

An amazing resource for secure software development—a must in this day and age—whether or not you’re in DevOps.
- Andrew Bovill, Next Century

Table of contents

  1. Securing DevOps
  2. Copyright
  3. dedication
  4. contents
  5. front matter
    1. preface
    2. acknowledgments
    3. about this book
      1. How this book is organized
      2. Roadmap
      3. About the code
      4. Book forum
    4. about the author
    5. about the cover illustration
  6. 1 Securing DevOps
    1. 1.1 The DevOps approach
      1. 1.1.1 Continuous integration
      2. 1.1.2 Continuous delivery
      3. 1.1.3 Infrastructure as a service
      4. 1.1.4 Culture and trust
    2. 1.2 Security in DevOps
    3. 1.3 Continuous security
      1. 1.3.1 Test-driven security
      2. 1.3.2 Monitoring and responding to attacks
      3. 1.3.3 Assessing risks and maturing security
    4. Summary
  7. Part 1. Case study: applying layers of security to a simple DevOps pipeline
  8. 2 Building a barebones DevOps pipeline
    1. 2.1 Implementation roadmap
    2. 2.2 The code repository: GitHub
    3. 2.3 The CI platform: CircleCI
    4. 2.4 The container repository: Docker Hub
    5. 2.5 The production infrastructure: Amazon Web Services
      1. 2.5.1 Three-tier architecture
      2. 2.5.2 Configuring access to AWS
      3. 2.5.3 Virtual Private Cloud
      4. 2.5.4 Creating the database tier
      5. 2.5.5 Creating the first two tiers with Elastic Beanstalk
      6. 2.5.6 Deploying the container onto your systems
    6. 2.6 A rapid security audit
    7. Summary
  9. 3 Security layer 1: protecting web applications
    1. 3.1 Securing and testing web apps
    2. 3.2 Website attacks and content security
      1. 3.2.1 Cross-site scripting and Content Security Policy
      2. 3.2.2 Cross-site request forgery
      3. 3.2.3 Clickjacking and IFrames protection
    3. 3.3 Methods for authenticating users
      1. 3.3.1 HTTP basic authentication
      2. 3.3.2 Password management
      3. 3.3.3 Identity providers
      4. 3.3.4 Sessions and cookie security
      5. 3.3.5 Testing authentication
    4. 3.4 Managing dependencies
      1. 3.4.1 Golang vendoring
      2. 3.4.2 Node.js package management
      3. 3.4.3 Python requirements
    5. Summary
  10. 4 Security layer 2: protecting cloud infrastructures
    1. 4.1 Securing and testing cloud infrastructure: the deployer
      1. 4.1.1 Setting up the deployer
      2. 4.1.2 Configuration notifications between Docker Hub and the deployer
      3. 4.1.3 Running tests against the infrastructure
      4. 4.1.4 Updating the invoicer environment
    2. 4.2 Restricting network access
      1. 4.2.1 Testing security groups
      2. 4.2.2 Opening access between security groups
    3. 4.3 Building a secure entry point
      1. 4.3.1 Generating SSH keys
      2. 4.3.2 Creating a bastion host in EC2
      3. 4.3.3 Enabling two-factor authentication with SSH
      4. 4.3.4 Sending notifications on accesses
      5. 4.3.5 General security considerations
      6. 4.3.6 Opening access between security groups
    4. 4.4 Controlling access to the database
      1. 4.4.1 Analyzing the database structure
      2. 4.4.2 Roles and permissions in PostgreSQL
      3. 4.4.3 Defining fine-grained permissions for the invoicer application
      4. 4.4.4 Asserting permissions in the deployer
    5. Summary
  11. 5 Security layer 3: securing communications
    1. 5.1 What does it mean to secure communications?
      1. 5.1.1 Early symmetric cryptography
      2. 5.1.2 Diffie-Hellman and RSA
      3. 5.1.3 Public-key infrastructures
      4. 5.1.4 SSL and TLS
    2. 5.2 Understanding SSL/TLS
      1. 5.2.1 The certificate chain
      2. 5.2.2 The TLS handshake
      3. 5.2.3 Perfect forward secrecy
    3. 5.3 Getting applications to use HTTPS
      1. 5.3.1 Obtaining certificates from AWS
      2. 5.3.2 Obtaining certificates from Let’s Encrypt
      3. 5.3.3 Enabling HTTPS on AWS ELB
    4. 5.4 Modernizing HTTPS
      1. 5.4.1 Testing TLS
      2. 5.4.2 Implementing Mozilla’s Modern guidelines
      3. 5.4.3 HSTS: Strict Transport Security
      4. 5.4.4 HPKP: Public Key Pinning
    5. Summary
  12. 6 Security layer 4: securing the delivery pipeline
    1. 6.1 Access control to code-management infrastructure
      1. 6.1.1 Managing permissions in a GitHub organization
      2. 6.1.2 Managing permissions between GitHub and CircleCI
      3. 6.1.3 Signing commits and tags with Git
    2. 6.2 Access control for container storage
      1. 6.2.1 Managing permissions between Docker Hub and CircleCI
      2. 6.2.2 Signing containers with Docker Content Trust
    3. 6.3 Access control for infrastructure management
      1. 6.3.1 Managing permissions using AWS roles and policies
      2. 6.3.2 Distributing secrets to production systems
    4. Summary
  13. Part 2. Watching for anomalies and protecting services against attacks
  14. 7 Collecting and storing logs
    1. 7.1 Collecting logs from systems and applications
      1. 7.1.1 Collecting logs from systems
      2. 7.1.2 Collecting application logs
      3. 7.1.3 Infrastructure logging
      4. 7.1.4 Collecting logs from GitHub
    2. 7.2 Streaming log events through message brokers
    3. 7.3 Processing events in log consumers
    4. 7.4 Storing and archiving logs
    5. 7.5 Accessing logs
    6. Summary
  15. 8 Analyzing logs for fraud and attacks
    1. 8.1 Architecture of a log-analysis layer
    2. 8.2 Detecting attacks using string signatures
    3. 8.3 Statistical models for fraud detection
      1. 8.3.1 Sliding windows and circular buffers
      2. 8.3.2 Moving averages
    4. 8.4 Using geographic data to find abuses
      1. 8.4.1 Geoprofiling users
      2. 8.4.2 Calculating distances
      3. 8.4.3 Finding a user’s normal connection area
    5. 8.5 Detecting anomalies in known patterns
      1. 8.5.1 User-agent signature
      2. 8.5.2 Anomalous browser
      3. 8.5.3 Interaction patterns
    6. 8.6 Raising alerts to operators and end users
      1. 8.6.1 Escalating security events to operators
      2. 8.6.2 How and when to notify end users
    7. Summary
  16. 9 Detecting intrusions
    1. 9.1 The seven phases of an intrusion: the kill chain
    2. 9.2 What are indicators of compromise?
    3. 9.3 Scanning endpoints for IOCs
    4. 9.4 Inspecting network traffic with Suricata
      1. 9.4.1 Setting up Suricata
      2. 9.4.2 Monitoring the network
      3. 9.4.3 Writing rules
      4. 9.4.4 Using predefined rule-sets
    5. 9.5 Finding intrusions in system-call audit logs
      1. 9.5.1 The execution vulnerability
      2. 9.5.2 Catching fraudulent executions
      3. 9.5.3 Monitoring the filesystem
      4. 9.5.4 Monitoring the impossible
    6. 9.6 Trusting humans to detect anomalies
    7. Summary
  17. 10 The Caribbean breach: a case study in incident response
    1. 10.1 The Caribbean breach
    2. 10.2 Identification
    3. 10.3 Containment
    4. 10.4 Eradication
      1. 10.4.1 Capturing digital forensics artifacts in AWS
      2. 10.4.2 Outbound IDS filtering
      3. 10.4.3 Hunting IOCs with MIG
    5. 10.5 Recovery
    6. 10.6 Lessons learned and the benefits of preparation
    7. Summary
  18. Part 3. Maturing DevOps security
  19. 11 Assessing risks
    1. 11.1 What is risk management?
    2. 11.2 The CIA triad
      1. 11.2.1 Confidentiality
      2. 11.2.2 Integrity
      3. 11.2.3 Availability
    3. 11.3 Establishing the top threats to an organization
    4. 11.4 Quantifying the impact of risks
      1. 11.4.1 Finances
      2. 11.4.2 Reputation
      3. 11.4.3 Productivity
    5. 11.5 Identifying threats and measuring vulnerability
      1. 11.5.1 The STRIDE threat-modeling framework
      2. 11.5.2 The DREAD threat-modeling framework
    6. 11.6 Rapid risk assessment
      1. 11.6.1 Gathering information
      2. 11.6.2 Establishing a data dictionary
      3. 11.6.3 Identifying and measuring risks
      4. 11.6.4 Making recommendations
    7. 11.7 Recording and tracking risks
      1. 11.7.1 Accepting, rejecting, and delegating risks
      2. 11.7.2 Revisiting risks regularly
    8. Summary
  20. 12 Testing security
    1. 12.1 Maintaining security visibility
    2. 12.2 Auditing internal applications and services
      1. 12.2.1 Web-application scanners
      2. 12.2.2 Fuzzing
      3. 12.2.3 Static code analysis
      4. 12.2.4 Auditing Cloud Infrastructure
    3. 12.3 Red teams and external pen testing
    4. 12.4 Bug bounty programs
    5. Summary
  21. 13 Continuous security
    1. 13.1 Practice and repetition: 10,000 hours of security
    2. 13.2 Year 1: integrating security into DevOps
      1. 13.2.1 Don’t judge too early
      2. 13.2.2 Test everything and make dashboards
    3. 13.3 Year 2: preparing for the worst
      1. 13.3.1 Avoid duplicating infrastructure
      2. 13.3.2 Build versus buy
      3. 13.3.3 Getting breached
    4. 13.4 Year 3: driving the change
      1. 13.4.1 Revisit security priorities
      2. 13.4.2 Progressing iteratively
  22. Index
  23. Lists
    1. List of Tables
    2. List of Illustrations

Product information

  • Title: Securing DevOps
  • Author(s): Julien Vehent
  • Release date: August 2018
  • Publisher(s): Manning Publications
  • ISBN: 9781617294136