DevOpsSec: Delivering Secure Software Through Continuous Delivery

How do you build security and compliance into your DevOps platforms and pipelines? With this OReilly report, security analysts, security engineers, and pen testers will learn how to leverage the same processes and toolssuch as version control, containers, and Continuous Deliverythat DevOps practitioners use to automate software delivery and infrastructure changes. In other words, youll understand how to use DevOps to secure DevOps. Author Jim Bird uses case studies from Etsy, Netflix, and the London Multi-Asset Exchange (LMAX) to illustrate the steps leading organizations have taken to secure their DevOps processes. If you understand application and infrastructure security, and have some familiarity with DevOps and Agile development practices and tools, this report is the ideal place to start. This report shows you how to: - Examine the security and compliance challenges that DevOps poses in your organization - Leverage key DevOps practices and workflows to design, build, deploy, and run secure systems - Build security as code by mapping security checks and controls into DevOps workflows - Take advantage of software component analysis, vulnerability management, and automated software testing tools that dev and ops already use - Build compliance into DevOps, and wire compliance policies and checks and auditing into Continuous Delivery Cover Security Copyright Table of Contents Chapter 1. DevOpsSec: Delivering Secure Software through Continuous Delivery Introduction Chapter 2. Security and Compliance Challenges and Constraints in DevOps Speed: The Velocity of Delivery Where’s the Design? Eliminating Waste and Delays It’s in the Cloud Microservices Containers Separation of Duties in DevOps Change Control Chapter 3. Keys to Injecting Security into DevOps Shift Security Left OWASP Proactive Controls Secure by Default Making Security Self-Service Using Infrastructure as Code Iterative, Incremental Change to Contain Risks Use the Speed of Continuous Delivery to Your Advantage The Honeymoon Effect Chapter 4. Security as Code: Security Tools and Practices in Continuous Delivery Continuous Delivery Continuous Delivery at London Multi-Asset Exchange Injecting Security into Continuous Delivery Precommit Commit Stage (Continuous Integration) Acceptance Stage Production Deployment and Post-Deployment Secure Design in DevOps Risk Assessments and Lightweight Threat Modeling Securing Your Software Supply Chain Writing Secure Code in Continuous Delivery Using Code Reviews for Security What About Pair Programming? SAST: in IDE, in Continuous Integration/Continuous Delivery Security Testing in Continuous Delivery Dynamic Scanning (DAST) Fuzzing and Continuous Delivery Security in Unit and Integration Testing Automated Attacks Pen Testing and Bug Bounties Vulnerability Management Securing the Infrastructure Automated Configuration Management Securing Your Continuous Delivery Pipeline Security in Production Runtime Checks and Monkeys Situational Awareness and Attack-Driven Defense Runtime Defense Learning from Failure: Game Days, Red Teaming, and Blameless Postmortems Security at Netflix Chapter 5. Compliance as Code Defining Policies Upfront Automated Gates and Checks Managing Changes in Continuous Delivery Separation of Duties in the DevOps Audit Toolkit Using the Audit Defense Toolkit Code Instead of Paperwork Chapter 6. Conclusion: Building a Secure DevOps Capability and Culture About the Author