“Hands-On Security in DevOps” Book Released
This guide combines DevOps and security to help you to protect cloud services, and?teaches you how to use techniques to integrate security directly in your product. You will
learn how to implement security at every layer, such as for the web application, cloud?infrastructure, communication, and the delivery pipeline layers. With the help of practical
examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection,?cloud forensics, and incident response. In the concluding chapters, you will cover topics on?extending DevOps security, such as risk assessment, threat modeling, and continuous security.
What this book covers
Chapter 1, DevSecOps Drivers and Challenges, we will cover external factors that drive the
need for security such as security compliance, regulations, and the market.
Chapter 2, Security Goals and Metrics, we will discuss security practices from different
perspectives based on the OWASP SAMM framework. We will also cover security activities
in different roles such as security management, development, QA, and operation teams.
Chapter 3, Security Assurance Program and Organization, will cover how different
organization structures may relate to the execution of a security assurance program. The
role, responsibility and relationship of the security team in the organization structure also
impact the success execution of a security assurance program. We will discuss these factors
by case study.
Chapter 4, Security Requirements and Compliance, will cover security requirements covering
four aspects: the security requirements for each release quality gate, the security
requirements for general web applications, the security requirements for big data, and the
security requirements for compliance with General Data Protection Regulation (GDPR).
Chapter 5, Case Study – Security Assurance Program, we will cover two case studies looking
at the security assurance program and security practices in the DevOps process. Microsoft
SDL and SAMM were introduced to apply to the security assurance program. In addition to
the process, the non-technical parts, security training, and culture are also critical to the
success of the security program. We will also give an example of how security tools and
web security framework can help during the whole DevOps process
Chapter 6, Security Architecture and Design Principles, will cover security architecture and
design principles. For security architects and developers, building software on a mature
security framework will greatly reduce not only security risks with industry best practices
but also implementation efforts. Therefore, this chapter introduces the key security
elements of a cloud service architecture and some mature security frameworks, which can
be applied based on the scenario
Chapter 7, Threat Modeling Practices and Secure Design, we will cover the importance of the
whole team’s involvement with threat modeling practices and the STRIDE examples
(spoofing, tampering, repudiation, information disclosure, denial of service, and elevation
Chapter 8, Secure Coding Best Practices, we will cover secure coding industry best practices,
such as CERT, CWE, Android secure coding, OWASP Code Review, and the Apple secure
coding guide. Based on those secure coding rules, we will establish secure coding baselines
as part of the security policy and release criteria.
Chapter 9, Case Study – Security and Privacy by Design, we will examine a case study to
discuss the implementation of security by design and privacy by design. The case study
will show us the common challenges a DevOps team may have to face when applying
security practices, and how the security team may help to provide best practices, tools, a
security framework, and a training kit.
Chapter 10, Security-Testing Plan and Practices, will give an overview of a security-testing
plan, security-testing domains, and the minimum set of security-testing scope. We will
discuss a security testing plan, testing approaches, risk analysis, security domains, and
industry practices, to build your security-testing knowledge base. In addition, we will
introduce some industry best practices, testing approaches, and security tools, for security
Chapter 11, Whitebox Testing Tips, will focus on whitebox testing tips. Whitebox code
review can be most effective to identify certain specific security issues, such as
XXE, deserialization, and SQL injection. However, a whitebox review can be timeconsuming if there are no proper tools or strategies. To have an effective whitebox test, we
need to focus on specific coding patterns and high-risk modules. This chapter will give tips,
tools, and key coding patterns to identify high-risk security issues.
Chapter 12, Security Testing Toolkits, we will cover common (but not a comprehensive) set
of security testing tools. The major elements of a network that involve security testing
include web and mobile connections, configuration, communication, third-party
components, and sensitive information. We will look at the testing tips and tools for each
element. Furthermore, we will also learn how these tools can be executed both
automatically and as tools that are built into continuous integration.
Chapter 13, Security Automation with the CI Pipeline, will focus on security practices in the
development phases, as well as how to integrate tools such as Jenkins into continuous
integration. In the development phases, we explored the techniques of using IDE plugins to
secure code scanning, and suggested some static code analysis tools. For the build and
package delivery, secure compiler configurations and dependency vulnerability checks will
also be introduced. Finally, web security automation testing approaches and tips will also
be discussed in this chapter.
Chapter 14, Incident Response, will cover incident responses for a security operation
team. We will mainly discuss the key activities in the key phases of the incident response
process: preparation, containment, detection, and post-incident analysis. The field of
incident response includes how to handle public CVE vulnerability, how to respond to
white hat or security attacks, how we evaluate each security issue, the feedback loop to the
development team, and the tools or practices we may apply in incident response.
Chapter 15, Security Monitoring, will cover some security monitoring techniques. The
objective of this chapter is to prepare our security monitoring mechanism to protect
and prevent our cloud services from being attacked. To be prepared for this, our security
monitoring procedures should include logging, monitoring the framework, threat
intelligence, and security scanning for malicious programs.
Chapter 16, Security Assessment for New Releases, we will cover security assessment for new
releases in this chapter. Cloud services may have frequent releases and updates. It’s a
challenge for the development, operations, and security teams to release their work within
a short time frame and to finish the minimum required security testing before releases. In
this chapter, we will look at the security review policies and the suggested checklist and
testing tools for every release. For testing integration, the BDD security framework
and other integrated security testing framework will also be introduced in this chapter.
Chapter 17, Threat Inspection and Intelligence, will cover threat inspection and
intelligence. This chapter focuses on how to identify and prevent known and unknown
security threats, such as backdoors and injection attacks, using various kinds of log
correlation. We will introduce the logs that are needed, how those logs are connected, and
the potential symptoms of attacks. Some open source threat detection will be introduced.
Finally, we will introduce how to build your own in-house threat intelligence system.
Chapter 18, Business Fraud and Service Abuses, will cover business fraud and service
abuses. Cloud services introduce new types of security risks, such as transaction fraud,
account abuses, and promotion code abuses. This online fraud and abuse may result in
financial losses or gains, depending on which side of the fence you sit. It will also provide
guidelines and rules on how to detect these kinds of behaviors. We will discuss typical
technical frameworks and technical approaches needed to build a service abuse prevention
or online fraud detection system.
Chapter 19, GDPR Compliance Case Study, will cover GDPR compliance as a case study to
apply to software development. It discusses the GDPR software security requirements it
should include in coming releases. We will also explore some practical case studies, such as
personal data discovery, data anonymization, cookie consent, data-masking
implementation, and web privacy status.
Chapter 20, DevSecOps – Challenges, Tips, and FAQs, will cover some hands-on tips,
challenges, and FAQs based on a functional roles perspective.