Implementing DevSecOps Practices: Understand application security testing and secure coding by integrating SAST and DAST

Vandana Verma Sehgal

Paperback Dec 2023 258 pages 1st Edition

Introducing DevSecOps

DevSecOps is a term that is getting a lot of attention from everywhere. Before DevOps and DevSecOps were developed, organizations used to perform product security checks at the end of the software development life cycle (SDLC). Security was viewed as less important than the other phases because the emphasis was primarily on application development. Most of the other stages would have been completed and the products would be nearly finished by the time engineers performed security checks. Therefore, finding a security threat at such a late stage required rewriting countless lines of code, a painfully time-consuming and laborious task. Patching eventually became the preferred solution, as expected. As a result, it was assumed nothing could go wrong.

In this chapter, we will learn about the basics of DevSecOps and the different maturity levels involved in the current state and future attainable state of the practice involved in DevSecOps.

We will also cover the following aspects:

  • The involvement of different teams
  • Key performance indicators (KPIs)

We will also cover the evolution of DevOps and DevSecOps in terms of the Waterfall model, understand the agile methodology, and learn how DevSecOps is changing the paradigm for organizations.

In the chapter, we are going to cover the following main topics:

  • Product development processes:
    • Waterfall model
    • Agile methodology
  • DevSecOps and its evolution
  • The new processes within DevSecOps
  • Maturity levels:
    • Maturity level 1
    • Maturity level 2
    • Maturity level 3
    • Maturity level 4
  • KPIs
  • DevSecOps – the people aspect

Product development processes

Before we cover DevSecOps, let’s understand how products are developed. This is where we will run through the quick processes that are available currently or have existed in the past. Product development has been around for over six decades. Organizations, defense, and various teams have been following certain methodologies for developing and deploying applications. Let’s understand the evolution of these methodologies, which are as follows:

  • Spiral
  • Waterfall model
  • Agile software development:
    • Extreme programming (XP)
  • Rapid application development (RAD)
  • Systems development life cycle

All these methodologies have changed the way we develop applications.

In the initial days, everything revolved around the Waterfall model, where every phase took time. Every phase has to be completed before we can move on to the next one. We will cover some of the important methodologies in this chapter as they lead to the agile process and DevSecOps. We will cover two models here – Waterfall and agile.

First, we’ll discuss the Waterfall model.

The Waterfall model

The SDLC is the process of developing applications in different phases. The SDLC has multiple models and the Waterfall model is one of the widely used models that is still in use by many organizations. The Waterfall model is there to help organizations with step-by-step processes.

The SDLC consists of seven stages:

  1. Planning
  2. Requirements gathering and analysis
  3. Design
  4. Development
  5. Testing
  6. Implementation and integration
  7. Production and maintenance

These are the sequential stages that are used in the Waterfall model, and they are used to develop an application:

  1. Planning: This is the stage where organizations start to plan around what is needed in an application, the new features that need to be built, and what languages will be used.
  2. Requirements gathering and analysis: During this stage, all potential system requirements are gathered and recorded in a requirement specification document. There are tools available to gather these requirements, though they can be captured in a Word document or Excel sheet as well. Which method is used depends on the organization. The best way to capture these requirements is in a system. If any of the requirements change, we can make the necessary changes in the system as well.
  3. Design: Consider this stage as the architect’s dream session. We take all those must-haves and would-loves from phase 1 and turn them into an actionable blueprint. This sets the stage, specifying the hardware and painting the big picture of our digital masterpiece. It is like drafting the dream from a wishlist to a blueprint!
  4. Development: This isn’t just coding; it’s crafting! We whip up mini-programs – our “magic blocks” – and piece them together like a puzzle. Each block goes through its own “quality check party” to make sure it’s up to snuff. Similar to building blocks, this is where small pieces create big magic!
  5. Testing: Think of this stage as dress rehearsal meets detective work. Each of those mini-programs gets its moment in the spotlight before we assemble the full ensemble. Then, we put the whole act through the wringer, making sure it’s standing ovation-ready. Think of it as a test fest, where we iron out the kinks!
  6. Implementation and integration: This stage is like the grand premiere, where our star finally takes the stage! This is where our product undergoes the royal testing treatment and is ready to make its big debut. Will it be the next blockbuster on the market or the VIP guest in a client’s world? Either way, it’s showtime!
  7. Production and maintenance: This stage has a different aspect – even rock stars need tune-ups. When real-world snags pop up, we roll out patches like a roadie rolls out amps. And because we’re always chasing perfection, get ready for some killer updates:
Figure 1.1: SDLC

The Waterfall model has helped change the way we develop applications smoothly and has been well adopted throughout organizations that went through the process step by step. There were a few releases every year. Adapting to that process was easy and more feasible.

However, over the years, things started changing. Organizations wanted to develop applications faster. The cloud became a thing, and everyone wanted to push out their applications and features to production with lightning speed. This brought about the Agile and DevOps era to the system.

The Agile methodology

The term agile software development refers to a fail-fast methodology that adopts new changes early on. Agile methods or Agile processes typically encourage a lightweight management approach that pushes early inspection and adaptation.

The Agile methodology is a framework for including all teams so that they can work together to deliver high-quality software quickly. The Agile methodology helps businesses tie development to customer needs and company objectives.

In the early days, release cycles were long, and it took 3 months to a year to develop an application. Once that was done, everyone was relieved and ready to party.

The Agile methodology changed the mindset, wherein there are more releases at a quicker pace. Organizations have started to release multiple applications in a month, in a week, or even in a day. The Agile methodology shortened the life cycle of developing an application to a great extent. Organizations started following scrum processes, which are part of Agile.

Scrum

Scrum is a process framework: to be consistent with it, a process must adhere to its specific set of guidelines. The scrum process highlights the importance of standing up every day for a very brief period to discuss the sprints.

Sprints

Teams who use the Agile methodology work in short periods known as sprints. Sprints can be of any length, but a typical sprint lasts 2 weeks, regardless of the team. Teams complete specific tasks during these sprints, evaluate their performance, and then work to get better in the following sprint.

There are different types of scrum meetings:

  • Daily standup meetings: This is a very short meeting that is generally no longer than 15-20 minutes. In this meeting, all the product owners, architects, and project managers meet to check the status of the sprints.
  • Sprint planning meetings: In this meeting, everyone comes together to decide the duration of a sprint and the number of sprints needed to complete the task. Sprints are generally no longer than 30 days.
  • Sprint review meetings: These are meetings where a review is done once sprints end. These meetings showcase what has been done around the product.
  • Retrospective meetings: These meetings are for checking what has been done right and what has gone wrong.
  • Checking the backlog meetings: In this meeting, the product backlog is tracked and checked to see how soon the product backlog can be worked upon.

All these meetings are headed or run by a person known as a scrum master. They organize daily stand-up meetings, reviews, demos, and other project-related gatherings. They make sure all the teams are adhering to the timeline. They are the ones who track the progress of sprints to make sure products and projects are managed properly and on time. If there are any changes within the sprints, these can be managed and resolved after discussing them with the teams.

Teams working together

The Agile methodology emphasizes teams working together to make sure we have a viable product to be delivered to clients:

Figure 1.2: Agile methodology

Many sprint management tools are available to ensure the sprint goes smoothly, such as Trello boards:

Figure 1.3: Trello board

We can also use a whiteboard, where we can color-code the tasks and sprints:

Figure 1.4: Whiteboard

Agile software development evolved as a reaction to rigid software development models such as the Waterfall model. Agile methods include XP. Agile embodies many modern development concepts, including more flexibility, fast turnaround with smaller milestones, strong communication within the team, and more customer involvement.

Think of XP as the ultimate team sport in the software world, but way more chill. Two coders pair up like buddy cops in a movie, working off a plan that’s crystal clear. But here’s the fun twist: customers aren’t just spectators; they’re part of the squad! Imagine a group text that never ends – that’s how much everyone’s chatting to make sure things go smoothly. We can also say that XP is like having a coding jam session where everyone – coders and customers – gets to riff together in real time.

Understanding the shift from DevOps to DevSecOps

Picture DevOps as a dynamic duo of superhero teams, with developers and operations joining forces to save the business world. Their mission? Pumping out awesome apps and updates to wow the crowd. But then, DevSecOps enters the scene – a supercharged version of our dynamic duo. This time, they’ve got a new sidekick: security (Sec). By weaving Sec into the mix, we’re not just cranking out cool features; we’re making sure they’re as safe as a bank vault.

DevSecOps is an extension of DevOps. DevSecOps was introduced to increase the speed of DevOps. By integrating security into DevOps processes, operations teams were motivated and measured to stabilize production to meet service-level agreements (SLAs). It was about making new changes, but they needed to be made quickly. This made it look like a lot of things were being left behind.

In recent years, many organizations have evolved their DevOps practices to address their business challenges more successfully. DevOps is a contemporary method for meeting the demands of the business by delivering applications more quickly and of higher quality. DevOps now spans the entire enterprise, affecting processes and data flows and bringing about significant organizational changes. This differs from the past, where it was primarily concerned with just putting the IT services for applications in place.

DevOps continues to gain momentum and evolve every passing day. New technologies are being included as part of it.

The initial idea was to make sure that the communication gap between different teams during development processes could be removed. The communication gap has always been a huge challenge for organizations. Development teams work on developing the features needed by the organization, while the operations team works to make sure the application is working smoothly. At the same time, Sec comes into the picture and becomes a big bottleneck as soon as we talk about embedding security in the different phases of development. It opens up a can of worms that never ends.

We are now observing the adoption of many of the techniques that are used by developers to support more agile and responsive processes. This aids organizations in determining their current situation and possible future directions. The most crucial component of any process or technology is people. Even with the best processes and technologies, results are impossible to achieve without people.

Since we’re talking about DevSecOps, it starts with DevOps, which involves quickly delivering higher-quality software by combining and automating the work of software development, IT operations teams, project managers, and everyone working around the development pipeline. If an organization is willing to move toward DevSecOps from its traditional model, it needs to have DevOps in place. That’s contradictory to earlier development models.

Rather than relying on human intervention, the process aids in monitoring the security workflow. Additionally, it enhances our ability to identify security flaws in the ecosystem. Employees may feel replaced by automation in this way, which could make them resent giving up their current level of administrator authority. To get around the bottlenecks in the software development and deployment process, mostly on the ops side, the initial plan was to simply de-silo dev and ops.

The new processes within DevSecOps

DevSecOps has changed the role of Sec in DevOps. Security has shifted from being a final-phase hurdle on the way to production to being part of every stage of the development life cycle. It entails integrating security earlier in the application development life cycle and starting to think about infrastructure and application security right away. Additionally, it entails automating a few security checkpoints to prevent a delay in the DevOps workflow. Figuring out the right tools and processes for people can assist them in achieving their goals.

Instead of security stopping the whole pipeline, it is part of each of the following phases:

  • Plan
  • Code
  • Build
  • Test
  • Release
  • Continuous deployment and decommissioning
  • Operate
  • Continuous monitoring
Figure 1.5: DevSecOps in action

We can have the best tools that money can buy but DevSecOps will not work if your team is not working. You can have the most cooperative team, but nothing will work out if you don’t have the right set of tools.

  • Not all tools are DevSecOps-ready
  • Not all tools can fit into a pipeline

The quiet and secluded processes can not only destroy the DevOps culture but ultimately reduce the security posture of the whole organization.

  • We can have the best tools
  • We can have the best processes
  • We can have the best people

However, if the culture of the organization is not exercised, nothing will work.

This compartmentalized way of thinking not only undermines the DevOps culture but also weakens the organization’s overall security posture. The secret is to reduce process friction to a minimum. Any organization’s processes are carried out by people.

DevSecOps processes, which aim to reduce the enterprise attack surface and enable effective management of technical security debt, are carried out by people using technologies. DevSecOps challenges the way traditional security teams integrate with the larger business, which is one of its most crucial aspects. If attitudes are to shift, it will take a top-down strategy to change behaviors and increase awareness at all levels of a company.

DevSecOps maturity levels

Understanding maturity starts with understanding where you stand in DevSecOps. The DevSecOps maturity model illustrates how security measures can be prioritized in conjunction with DevOps tactics. By utilizing DevOps techniques, security can be strengthened. The future-focused DevSecOps maturity model directs the application of the necessary guidelines and security measures to thwart attacks.

An incredible maturity model has been created by an open source community, the Open Web Application Security Project (OWASP), to understand the maturity of DevSecOps: the OWASP DevSecOps Maturity Model (DSOMM, https://owasp.org/www-project-devsecops-maturity-model/). There are five levels to the maturity model (https://dsomm.owasp.org):

Figure 1.6: Maturity model

Many organizations have come up with maturity models that either start from level 0 or level 1. The model we’ll be looking at talks about the four levels of maturity within organizations for DevSecOps.

There are many dimensions under the different categories, all of which talk about the level of maturity in the build process, testing artifacts, pinning artifacts, SBOM components, and much more. Let’s take a closer look.

Maturity level 1

Maturity level 1, within the context of the OWASP DevSecOps maturity model, represents the foundational stage of implementing security practices in your DevOps process. It’s the initial step that’s taken toward integrating DevSecOps into your organization.

Maturity level 1 is where you lay the groundwork. You’re getting the team to start thinking about security, but you haven’t gone full Mission Impossible on it. Think of maturity level 1 like your first day at the gym. You’re not lifting the heavy weights just yet; you’re learning the ropes and maybe doing some light cardio. Similarly, at level 1, you’re just getting started with integrating security into your DevOps process. It’s less about having airtight defenses and more about setting the stage: think basic security checks, simple monitoring, and everyone still getting to know each other’s roles.

Here’s what typically happens at this level:

  • Security practices: Basic security protocols and practices have been established, but they are manually executed. The methods that are employed are typically straightforward and may not fully cover all security needs. While these practices are in place, they require considerable human effort and manual intervention, which could lead to inconsistencies and errors.
  • Process initiation: At this level, teams start to recognize the importance of integrating security into the development process. However, practices are not yet fully structured or systematic.
  • Education: The team might begin learning about security threats and how to prevent them. However, education and training in secure coding practices might not be comprehensive.
  • Risk awareness: There’s a growing awareness of the potential risks of not integrating security fully into the DevOps process. The need for improvement is recognized, leading to the exploration of automated security measures.
  • Automation: While the goal of DevSecOps is to automate as many security processes as possible, at this stage, little to no automation of security tasks exists. Manual work is predominant, which can be laborious and time-consuming.

Maturity level 2

Maturity level 2, in the context of the OWASP DevSecOps maturity model, signifies a progression from the initial stage of implementing DevSecOps in an organization. It’s the point where you start to incorporate and follow security best practices more systematically.

Let’s take a deeper look at this level:

  • Adoption of best practices: The organization starts to adopt recognized security best practices. These practices are likely documented and have become a standard part of the development process.
  • Continuous security: Security practices are not only implemented but are now applied continuously throughout the DevOps pipeline. This means that the security controls are not just a one-time event, but are instead consistently applied throughout the SDLC.
  • Partial automation: This level sees the introduction of automation, but it is not yet extensive. Certain tasks are likely automated to reduce manual effort, improve consistency, and mitigate human error. However, several security processes may still rely heavily on manual work.
  • Regular training: At this stage, there is likely more emphasis on educating the development and operations teams about security threats, secure coding practices, and how to use any new security tools that have been introduced.
  • Proactive security: There’s a shift toward a more proactive stance on security. Rather than just responding to security issues when they arise, teams are working to anticipate and prevent potential security issues.

Maturity level 3

Maturity level 3 within the OWASP DevSecOps maturity model marks a pivotal point in the evolution of an organization’s DevSecOps journey. It signifies the transition from just setting up DevSecOps practices to actively progressing toward their maturity.

Level 3 comprises the following aspects:

  • Advanced automation: The focus at this level is largely on automation. Most security practices are now automated, which reduces manual effort, increases efficiency, and minimizes human error. Security checks and protocols become an integral part of the entire software development pipeline.
  • Integration of security: Security considerations are more thoroughly integrated into the DevOps process. This integration ensures that security is not an afterthought but a consistent theme from the very start of the SDLC.
  • Proactive and continuous: At this level, security practices are not only proactive but also continuous. It’s not about implementing measures to fix issues as they arise but about embedding security practices to prevent issues from occurring in the first place.
  • Regular reviews and updates: Security policies, practices, and automation scripts are regularly reviewed and updated to cope with emerging security threats and vulnerabilities. This keeps the security practices in line with the latest best practices.
  • Enhanced training: There’s an increased focus on training, with development and operations teams regularly educated about current and emerging security threats. They are trained to use the latest security tools and follow updated secure coding practices.

Maturity level 4

At this level, we must set up the process and keep enhancing from there via automation and other processes.

KPIs

KPIs help in measuring our goals and their priority. KPIs help us get to the point we wish to reach in the stipulated time. The whole DevOps phase or DevSecOps works in tandem to move to production. It depends on us where we want to take them.

Before moving toward these KPIs, we must ask ourselves some questions:

  • Are we testing all the application’s features before pushing them to security?
  • Are we educating our developers around security processes and tools, rather than forcing security upon them?
  • What software development processes are we following?
  • Do we just follow the OWASP Top 10, or have we created a certain process for that?
  • How frequently is security being called in the SDLC?

All these questions take us to points where we can start thinking about taking our first step toward setting up the right processes and moving toward the best practices.

Some of the key KPIs for DevSecOps processes are as follows:

  • Figuring out the amount of open source code that’s used in the code – that is, third-party libraries and dependencies.
  • Where do we stand on automation processes?
  • Are the tools aiding in having a smooth software pipeline?
  • Are we able to reduce the bugs in the pipeline by fine-tuning it?
  • How frequently are we fixing bugs?

These are just some of the parameters you need to consider; stay tuned for more detailed information.
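To make the first KPI above measurable, the following is an added example (not code from the book or from any project it describes) that parses a requirements manifest, classifies each dependency as first- or third-party, and reports what share of the code base is open source and how much of it is pinned to an exact version, the "pinning artifacts" point raised in the maturity section. It goes a step beyond the text by turning the pinning check into an automated pipeline checkpoint. The manifest contents, the `acme-` first-party prefix, and the function names are constructed assumptions for this demonstration.

```python
"""Dependency KPI snapshot for a DevSecOps pipeline (added example, not the book's code)."""
import re
from dataclasses import dataclass

# Constructed sample manifest (assumption; not from the book or any real project).
REQUIREMENTS_TXT = """\
# web stack
requests==2.31.0
flask>=2.0
pyyaml
cryptography==41.0.7
# internal packages served from our own index (constructed names)
acme-auth==1.4.2
acme-billing
"""

# Assumption: first-party packages are recognisable by a naming prefix.
FIRST_PARTY_PREFIXES = ("acme-",)

# package name, optional [extras], then an optional version specifier (==, >=, ~=, ...)
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([<>=!~].*)?$")


@dataclass(frozen=True)
class Dependency:
    name: str
    specifier: str  # "" when the line names the package without a version constraint

    @property
    def pinned(self) -> bool:
        # Only an exact match (==) reproduces the same artifact on every build;
        # a range such as >=2.0 lets a future release enter the pipeline unreviewed.
        return self.specifier.startswith("==")

    @property
    def third_party(self) -> bool:
        return not self.name.startswith(FIRST_PARTY_PREFIXES)


def parse_requirements(text: str) -> list[Dependency]:
    """Parse a requirements.txt-style manifest, ignoring blank lines and comments."""
    deps: list[Dependency] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised requirement line: {raw!r}")
        name = match.group(1).lower()
        spec = (match.group(2) or "").replace(" ", "")
        deps.append(Dependency(name, spec))
    return deps


def dependency_kpis(deps: list[Dependency]) -> dict:
    """KPIs a team can track release over release: open source share and pinning."""
    third = [d for d in deps if d.third_party]
    unpinned = sorted(d.name for d in deps if not d.pinned)
    total = len(deps)
    return {
        "total": total,
        "third_party": len(third),
        "third_party_ratio": round(len(third) / total, 2) if total else 0.0,
        "pinned_ratio": round(sum(d.pinned for d in deps) / total, 2) if total else 0.0,
        "unpinned": unpinned,
    }


def pinning_gate(deps: list[Dependency]) -> list[str]:
    """Automated checkpoint: third-party dependencies that are not pinned.

    An empty list means the gate passes; a non-empty list is what the build step
    reports before failing, so the fix is visible to the developer, not only to security.
    """
    return sorted(d.name for d in deps if d.third_party and not d.pinned)


if __name__ == "__main__":
    deps = parse_requirements(REQUIREMENTS_TXT)
    kpis = dependency_kpis(deps)
    print(f"{kpis['third_party']}/{kpis['total']} dependencies are third-party "
          f"({kpis['third_party_ratio']:.0%}); pinned: {kpis['pinned_ratio']:.0%}")
    failing = pinning_gate(deps)
    if failing:
        print("gate FAILED, unpinned third-party dependencies:", ", ".join(failing))
    else:
        print("gate passed: every third-party dependency is pinned")
```

Run as a build step, the script reports the two ratios for the KPI dashboard and exits through the gate branch; the gate only fails on third-party packages, since internal packages are released through the organization's own process, while the KPI output still lists every unpinned entry so the number can be driven down over successive sprints. The same split between "measure" and "gate" applies to any other manifest format once the parser is swapped.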

DevSecOps – the people aspect

When we talk about DevSecOps, the focus is often on processes and tools, but people – the team members involved in implementing and managing DevSecOps – are a crucial part of this equation. In simple terms, the “people aspect” of DevSecOps is all about how individuals within an organization understand, adopt, and execute the principles and practices of DevSecOps.

The following are the main elements of the people aspect of DevSecOps:

  • Collaboration: In DevSecOps, development, security, and operations teams need to work together closely. This might be a shift from traditional ways of working, where these groups often worked in silos. Regular communication and collaboration become key.
  • Shared responsibility: In the DevSecOps world, everyone shares responsibility for security – it’s not just the job of the security team. Developers, operations personnel, and others all have roles to play in maintaining security.
  • Education and training: People need to know about the importance of security and how to incorporate it into their daily work. This involves ongoing training about security threats, safe coding practices, using security tools, and more.
  • Culture shift: Adopting DevSecOps often involves a cultural shift within an organization. It requires moving toward a culture that values transparency, shared responsibility, continuous learning, and a proactive approach to security.
  • Empowerment: Team members should feel empowered to make decisions related to security, and should feel comfortable reporting potential issues. This requires an environment of trust and openness, where people aren’t blamed for mistakes but are encouraged to learn from them.
  • Skills and expertise: As security practices become more integrated into the development process, team members might need to develop new skills and expertise. This might involve learning about new tools, technologies, or methodologies.

The people aspect of DevSecOps is all about creating an environment where everyone in the team understands the importance of security, is capable of contributing to it, and is committed to maintaining it as a collective responsibility. It’s about fostering a culture of collaboration, learning, and shared accountability for security. We will discuss this in more detail in the upcoming chapters.

Summary

DevSecOps means we’re incorporating security considerations from the very beginning, not just tackling them at the end of the SDLC. With this approach, each stage of the development process must include security as a fundamental component.

DevSecOps actively brings these ideas to life. It assists organizations in developing applications securely by default. What we’re talking about here is a reshaped way of handling the SDLC – and it’s known as DevSecOps.

Traditionally, security was never given priority, even at the cost of neglecting to properly educate developers. But with DevSecOps, the two go hand in hand.

Understanding our current maturity level in this process gives us a sense of where we stand, and tracking KPIs allows us to measure our progress – to see where we were and where we are now, and to chart a path toward where we want to be.

Think and act

Answer the following questions to test your knowledge of this chapter:

  • What is DevSecOps? Think about this from your own experience.
  • Does DevSecOps change the way you work?
  • Who contributes to the DevSecOps program?

Key benefits

  • Understand security posture management to maintain a resilient operational environment
  • Master DevOps security and blend it with software engineering to create robust security protocols
  • Adopt the left-shift approach to integrate early-stage security in DevSecOps
  • Purchase of the print or Kindle book includes a free PDF eBook

Description

DevSecOps is built on the idea that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context. This practice of integrating security into every stage of the development process helps improve both the security and overall quality of the software. This book will help you get to grips with DevSecOps and show you how to implement it, starting with a brief introduction to DevOps, DevSecOps, and their underlying principles. After understanding the principles, you'll dig deeper into different topics concerning application security and secure coding before learning about the secure development lifecycle and how to perform threat modeling properly. You’ll also explore a range of tools available for these tasks, as well as best practices for developing secure code and embedding security and policy into your application. Finally, you'll look at automation and infrastructure security with a focus on continuous security testing, infrastructure as code (IaC), protecting DevOps tools, and learning about the software supply chain. By the end of this book, you’ll know how to apply application security, safe coding, and DevSecOps practices in your development pipeline to create robust security protocols.

Who is this book for?

This book is for individuals who are new to DevSecOps and want to implement its practices successfully and efficiently. DevSecOps Engineers, Application Security Engineers, Developers, Pentesters, and Security Analysts will find plenty of useful information in this book. Prior knowledge of the software development process and programming logic is beneficial, but not mandatory.

What you will learn

  • Find out how DevSecOps unifies security and DevOps, bridging a significant cybersecurity gap
  • Discover how CI/CD pipelines can incorporate security checks for automatic vulnerability detection
  • Understand why threat modeling is indispensable for early vulnerability identification and action
  • Explore chaos engineering tests to monitor how systems perform in chaotic security scenarios
  • Find out how SAST pre-checks code and how DAST finds live-app vulnerabilities during runtime
  • Perform real-time monitoring via observability and its criticality for security management

Product Details

Publication date: Dec 22, 2023
Length: 258 pages
Edition: 1st
Language: English
ISBN-13: 9781803231495

Table of Contents

24 Chapters
Part 1: DevSecOps – What and How?
Chapter 1: Introducing DevSecOps
Part 2: DevSecOps Principles and Processes
Chapter 2: DevSecOps Principles
Chapter 3: Understanding the Security Posture
Chapter 4: Understanding Observability
Chapter 5: Understanding Chaos Engineering
Part 3: Technology
Chapter 6: Continuous Integration and Continuous Deployment
Chapter 7: Threat Modeling
Chapter 8: Software Composition Analysis (SCA)
Chapter 9: Static Application Security Testing (SAST)
Chapter 10: Infrastructure-as-Code (IaC) Scanning
Chapter 11: Dynamic Application Security Testing (DAST)
Part 4: Tools
Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Part 5: Governance and an Effective Security Champions Program
Chapter 13: License Compliance, Code Coverage, and Baseline Policies
Chapter 14: Setting Up a Security Champions Program
Part 6: Case Studies and Conclusion
Chapter 15: Case Studies
Chapter 16: Conclusion
Index
Other Books You May Enjoy

Customer reviews

Rating distribution: 4.6 (10 Ratings)
5 star 70%
4 star 20%
3 star 10%
2 star 0%
1 star 0%

Top Reviews

N/A, Jul 31, 2024 (5 stars)
Well written and simple enough to get a grasp on key topics. Very happy with this purchase.
Feefo verified review

Yakov Shipilov, Mar 11, 2024 (5 stars)
"Implementing DevSecOps Practices" by Vandana Verma Sehgal offers a deep dive into integrating security within DevOps, blending theory with actionable strategies. Sehgal's expertise and real-world examples illuminate the path for organizations aiming to enhance their software development lifecycle. While the book excels in providing comprehensive coverage and practical insights, its dense technical content might challenge newcomers to DevSecOps. Additionally, some readers might seek more on evolving threats and adapting strategies in rapidly changing tech landscapes. Nevertheless, it stands as a valuable resource for professionals seeking to advance their understanding and application of DevSecOps principles, offering a well-rounded perspective on fostering a security-centric culture in tech environments.
Amazon verified review

Monzur Elahi, Mar 08, 2024 (5 stars)
'Implementing DevSecOps Practices,' by Vandana Verma Sehgal, is a short but powerful guide for putting security at the heart of DevOps. This roadmap, which includes both principles and methods, is a way to build a strong security foundation. Security is no longer just a guardian thanks to Sehgal's work on observability, chaos engineering, threat modeling, software composition analysis (SCA), and dynamic application security testing (DAST). This book is a strategic guide that gives writers useful information to make their code stronger against digital threats. 'Implementing DevSecOps Practices' is a must-read for anyone who wants to make their code more secure than ever before.
Amazon verified review

Amrut, Mar 11, 2024 (5 stars)
This book is essential for anyone wanting to improve their knowledge of DevOps security. Whether you're a developer, operations engineer, security pro, or an IT leader, it provides valuable insights that can change how you think about development and security. Vandana's focus on the connection between security and development makes this book incredibly useful for anyone looking to boost their software security practices. I highly recommend it.
Amazon verified review

Vishwanath Gorti, Feb 28, 2024 (5 stars)
The Implementing DevSecOps Practices book is very well designed, with the required principles and processes to be followed, along with the toolkit from CI/CD, Code Scan (Static & Dynamic), and Observability. Here, based on the author's experience, the need for every individual role's responsibility to address secure, clean, and compliant code is highlighted. This book is useful for all levels of engineers who could be on the path to becoming Security Champions.
Amazon verified review

FAQs

What is included in a Packt subscription?

A subscription provides you with full access to view all Packt and licensed content online; this includes exclusive access to Early Access titles. Depending on the tier chosen, you can also earn credits and discounts to use for owning content.

How can I cancel my subscription?

To cancel your subscription with us, simply go to the account page, found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription. From there you will see the ‘cancel subscription’ button in the grey box with your subscription information.

What are credits?

Credits can be earned from reading 40 sections of any title within the payment cycle, a month starting from the day of subscription payment. You also earn a credit every month if you subscribe to our annual or 18-month plans. Credits can be used to buy books DRM-free, the same way that you would pay for a book. Your credits can be found on the subscription homepage, subscription.packtpub.com, by clicking on the ‘my library’ dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled?

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title?

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team.

Can I download the code files for Early Access titles?

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often-changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date?

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready?

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access?

Yes, all Early Access content is fully available through your subscription. You will need to have a paid-for or active trial subscription in order to access all titles.

How is Early Access delivered?

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content?

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access?

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head start on our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready. We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls into place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.