
Hands-On Security in DevOps: Ensure continuous security, deployment, and delivery with DevSecOps


DevSecOps Drivers and Challenges

Rapid cloud service releases, law enforcement, security incidents, and tenants' data protection make security indispensable to cloud/internet services. Moving security activities from right to left in the development lifecycle and building security practices into the continuous integration pipeline are the goals of DevSecOps.

The business environment, culture, legal compliance, and external market drivers shape how the DevSecOps security assurance program rolls out in an organization. Managing a DevSecOps or security assurance program involves the whole organization across all business units, and the key to DevSecOps success is getting all stakeholders to agree on the goal and approaches.

We will cover the following topics in this chapter:

  • Security compliance (ISO 2700x, FIPS, CSA-CCM)
  • Legal/law compliance—General Data Protection Regulation (GDPR)
  • New technology (third-party, cloud, containers, and virtualization)
  • Cloud service hacks/abuse
  • Rapid release

As shown in the following diagram, this is how external drivers and challenges impact on a team when delivering secure cloud services:

Security compliance

For cloud services, it's very important to be security compliance-ready. Security compliance not only shows how the security controls of the cloud service meet security standards but also demonstrates security trustworthiness to customers and partners. Security compliance provides an overview of a security assurance program, but it won't specifically tell us which technical security approach to apply. For frequent cloud service releases, constantly monitoring and auditing to meet security compliance can be a big challenge.

Although most cloud service providers are security compliance ready (ISO, PCI, FedRAMP, SOC, and so on), it's still the cloud service customer's responsibility to secure data and manage their own application compliance assessment. Both cloud service customers and providers need to maintain system or application audit logs, configuration lists, and change histories for compliance assessment. The compliance assessment should be considered a continuous activity—not a one-time audit check.

In this chapter, we will introduce key cloud services security compliance as a reference to building a security assurance program, and how these security compliance standards relate to DevSecOps.

ISO 27001

ISO 27001 is an information security management system (ISMS) standard. It provides an overview of organization-level security assurance programs. ISO 27001 won't specify a technical security approach, but it provides a complete set of security management programs. As the diagram shows, the segments in the upper parts may be more directly related to DevOps security practices, such as compliance, business continuity, operation security, access control, software development, cryptography, incident management, and communication. This will serve as a guideline for further developing our own DevOps security program:

We won't introduce ISO 27001 details, but the following table summarizes how ISO 27001 relates to each role and the DevOps team:

| Role | ISO 27001 chapters |
|---|---|
| Company/organization security policy | 5 Information security policies; 6 Organization of information security; 7 Human resource security; 8 Asset management; 15 Supplier relationships |
| Operation or DevOps team | 11 Physical and environmental security; 9 Access control; 10 Cryptography; 12 Operation security; 13 Communication security; 17 Information security aspects of business continuity management; 16 Information security incident management; 18 Compliance (with internal requirements, such as policies, and external requirements, such as laws); 19 Cloud services control |
| Development team | 14 System development; 10 Cryptography; 9 Access control |

ISO 27017 and ISO 27018

ISO 27018 is mainly for the protection of personally identifiable information (PII) in the cloud. It's an extended security compliance based on ISO 27001 and ISO 27002. On top of ISO 27001/27002, ISO 27018 additionally defines PII protection security requirements.

ISO 27017 provides both service providers and cloud service consumers with the ability to implement security controls for cloud services. ISO 27017 is an extension to ISO 27002 to address cloud-specific security issues.

Cloud Security Alliance (CSA)

As there are many cloud security compliance methods out there, we may get frustrated trying to follow each of them. The CSA (Cloud Security Alliance) Cloud Controls Matrix (CCM) consolidates most security compliance methods into one matrix. Take application and interface security as an example: CCM includes all security compliance controls related to this area, such as ISO, FedRAMP, and NIST 800-53, and defines the control ID. The key benefit of referring to CCM is that we can simply focus on CCM and know all other security compliance regulations will be met as well.

In addition, CSA provides a Consensus Assessments Initiative Questionnaire (CAIQ). It's a yes/no questionnaire for cloud consumers or cloud providers to do a security self-assessment and to understand the requirements of security controls. Google's Vendor Security Assessment Questionnaires (VSAQ) also provide security assessment questionnaires covering Web Application Security, Security and Privacy Program, Infrastructure Security, and Physical and Datacenter Security.

Furthermore, if you are looking for the top cloud threats and security control mitigations, Cloud Security Alliance (CSA) cloud top threats provide guidelines. At the time of writing, it defines the top 12 cloud threats, mappings to threat analysis, CCM/Control ID, and the domains of CSA Security Guidance reference. The following table shows related CSA security guides and how to apply security practices in your organization:

| CSA security guides | What is it? | When to apply? |
|---|---|---|
| CSA Security Guidance reference | Cloud security white paper | If your organization needs a cloud service security guideline or white paper, this can be a good reference. |
| Cloud top threats | Top 12 cloud threats and mappings to threat analysis, CCM/Control ID, and domains of CSA Security Guidance reference | It can be the basis for cloud threat modeling. |
| CAIQ | Yes/no questionnaire | A list of yes/no questions for self-assessment to understand existing security control requirements. |
| CSA CCM | One consolidated worldwide security standard mapping | It's a great consolidated reference and includes most security compliance standards (ISO 27001, PCI, NIST, and so on). It's the only matrix you need to review security standards compliance. |

Federal Information Processing Standards (FIPS)

FIPS mainly defines minimum security requirements for the use of cryptographic modules. Even organizations that are not going to get a FIPS certificate should refer to it. It's highly recommended that you refer to Security Requirements for Cryptographic Modules to understand which cryptographic modules may be considered safe, legacy, or weak.

For developers who would like to learn how to implement cryptographic modules correctly, the following resources are recommended:

  • OWASP Cryptographic Storage Cheat Sheet
  • OWASP Guide to Cryptography
  • OWASP Key Management Cheat Sheet

Here is a summary of the minimum security requirements for each cryptography algorithm and its usage:

| Usage scenario | Unsafe cryptography algorithm (key length) | Legacy systems only | Recommended cryptography algorithm |
|---|---|---|---|
| Symmetric encryption | Blowfish, DES, Skipjack, RC4 | 3DES only when (key 1 != key 2 != key 3) | AES > 128 bits |
| Asymmetric encryption | RSA (< 1024 bits) | RSA (1024 bits) | RSA (> 1024 bits) |
| Hash | MD5 | SHA1 (1024 bits) | SHA256 |
| Digital signature | RSA (< 1024 bits), DSA (< 1024 bits), ECDSA (<= 160 bits) | DSA (1024 bits), RSA (1024 bits) | RSA (>= 2048 bits), DSA (>= 2048 bits), ECDSA (>= 256 bits) |
| Diffie-Hellman key exchange (DH) | DH (< 1024 bits) | DH (1024-2047 bits) | DH (>= 2048 bits), ECDH (>= 256 bits) |

Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure

The CIS defines security benchmarks, and the National Checklist Program (NCP), defined by NIST SP 800-70, provides guidance on the security configurations of operating systems, databases, virtualization, frameworks, and applications.

The IT and operation team are primarily responsible for ensuring the security of the infrastructure. However, the development team may also share some responsibilities for securing the infrastructure. For example, the development team may decide to deliver the application package in the form of a container or to apply Infrastructure as Code frameworks, such as Puppet or Chef. These technologies allow development teams to define a secure configuration, even in the development stage, and the operation team just needs to apply the secure configuration definition during application deployment.

In addition, it's also the development team's job to provide a list of configuration changes for every release's deployment. This will allow the operation team to review if the configuration changes are secure and appropriate. Due to the complexity and the amount of configuration that needs to be reviewed, the adoption of scanning tools to check if all the configurations are secure and comply with industry best practices is necessary. Cloud service providers may provide such scanning services or tools. Here, we recommend open source tools such as CIS-CAT Lite provided by CIS and OpenSCAP.

The journey to secure the infrastructure and platform can be completed in three stages. The first stage is to define a secure configuration baseline by referring to industry practices such as CIS or NIST NCP. Then, we may apply tools such as Chef or Puppet to ensure every deployment includes a secure configuration as well. The final stage is to do constant monitoring of frequent configuration changes and security compliance assessment.

Typical infrastructure components are listed in the following table. CIS provides secure configuration suggestions for each system component, as well as tools to scan against the security best practice baseline.

CIS provides the CIS Benchmark, which defines the secure configuration of operating systems, server software, cloud services, networking devices, and so on. It helps operation teams to understand how to secure and configure an infrastructure and platform.

| Infrastructure layers | System |
|---|---|
| Web services | Apache, Nginx, IIS |
| Database | MS SQL, MySQL, Oracle, MongoDB |
| Virtualization/container | VMware, Docker, Kubernetes |
| Networking | Cisco devices |
| Operating systems | Windows, Linux, Ubuntu, CentOS, SUSE |

In addition to CIS Benchmark documents, CIS also provides tools to infrastructure or operation teams for secure configuration scanning. The CIS Security website provides related security configuration scanning tools to download.

Source: https://www.cisecurity.org/cybersecurity-tools/

National Checklist Program (NCP) repository

The NCP repository provides secure configuration for specific software components. For example, if you are looking for Apache security configuration or the CIS of Apache, you may use the NCP to do the search. The screenshot is from the NIST NCP (National Checklist Program).

Source: https://nvd.nist.gov/ncp/repository

OpenSCAP tools

OpenSCAP is similar to CIS security benchmarks; it also provides a secure configuration baseline. In addition, OpenSCAP also provides different kinds of tool for operation or infrastructure teams to do secure configuration evaluation and scanning. Depending on the requirements, there are four kinds of tool provided, as shown in the following screenshot:

Source: https://www.open-scap.org/tools/

Legal and security compliance

The EU GDPR, which came into force in May 2018, protects all EU citizens from privacy and data breaches. According to the GDPR FAQ:

"The GDPR not only applies to organizations located within the EU but it also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."

In other words, if a company is providing services to customers in the European Union, its data handling will need to comply entirely with GDPR. From a DevSecOps point of view, it's related to data collection, handling, storage, backup, modification, transport, and removal—in a secure manner. According to GDPR Article 5, there are six privacy principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitations
  • Data minimization
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality

GDPR, like other security compliance policies, doesn't define the technical approach to achieve it. GDPR can still be too high-level for an engineering team. It needs to translate into software security requirements, design, threat modeling, tools, and so on. The following table summarizes typical security practices for the engineering team:

| Stage | Common security practices for privacy or sensitive info handling |
|---|---|
| Design | Privacy Impact Assessment (PIA) |
| Coding | Data masking library; Anonymous toolbox; RAPPOR (privacy-preserving reporting algorithms); Encryption storage (RSA, AES); Secure erasure; Secure communication protocol (such as TLS v1.2, SSH v2, SFTP, SNMP v3); Cookie consent; Data Vault; Key management |
| Testing | OWASP testing for weak cryptography, testing for error handling, testing for configuration, and so on |
| Deployment | OWASP configuration and deployment management testing; CIS secure environment configuration; Sensitive information in Git |
| Monitoring | ELK for log analysis; Integrity monitoring (IDS/IPS) to monitor any unauthorized changes; CIS secure configuration monitoring; Sensitive information leakage in Git |

New technology (third-party, cloud, containers, and virtualization)

New technologies such as virtualization, Docker, and microservices introduce new methods of software delivery and speed up application deployment, but they also bring new security threats and risks. We will briefly discuss how these new technologies change the practices of security and DevOps.

Virtualization

It's very common to install application services on top of a virtualized OS. Virtualization technology helps to make the most of physical machine resources such as the CPU, memory, and disks. However, virtualization is a shared OS technology. It also introduces security risks such as VM escape, information leakage, and denial-of-service for applications running on top of virtualization.

Security practices in guest OS virtualization normally involve both OS and virtualization hardening. Here are some key security configurations related to virtualization. Refer to CIS Benchmarks for details:

  • Limit informative messages from the VM to the VMX file
  • Limit sharing console connections
  • Disconnect unauthorized devices (USB, DVD, serial devices, and so on)
  • Disable BIOS Boot Specification (BBS)
  • Disable guest-host interaction protocol handler
  • Disable host guest filesystem server
  • Disable VM console paste operations
  • Disable virtual disk shrinking
  • Do not send host information to guests

The following diagram shows the adoption of virtualization. Virtualization adds a hypervisor layer on top of the physical server so that the virtualized guest OS can run on top of it:

In addition to the secure configuration of virtualization, applying a security patch to virtualization is also a must for operation or IT teams.

In addition, the following resources may help you to search for Common Vulnerabilities and Exposures (CVE) in vulnerability databases:

To search for the vulnerabilities of a specific product or vendor, refer to the following URL search for VMware:

Docker

The introduction of Docker gives software package delivery and installation new choices, and it can be one of the best ways to isolate different applications without using a whole separate OS virtual machine. Software can be packaged into a container by Docker. A container, like a VM image, includes everything needed to run application services, such as the runtime, system libraries, and settings. The key difference between a virtual machine image and a container is that the container doesn't actually include the whole OS. The container only includes the key necessary system libraries, and every container shares the same OS kernel during runtime. Therefore, Docker containers can boot up within seconds and use much less memory and far less disk space than virtualization images.

The use of Docker can also greatly help operation teams to do deployment and secure configuration since a Docker container includes every configuration and the settings you need to run. To understand Docker security practices, check out the CIS Docker Benchmark and Docker security in the Further reading section.

Key secure practices and configurations of Docker are listed here:

  • Separate partition for containers
  • Updated Linux kernel
  • Only allow trusted users to control the Docker daemon
  • Audit the Docker daemon, files, and directories
  • Restrict network traffic between containers
  • TLS authentication for the Docker daemon
  • Do not bind Docker to another IP/port or a Unix socket
  • Docker daemon configuration files permissions
  • Container runtime (Linux Kernel capabilities, SSH, ports, memory, CPU, IPC)
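A few of the practices in the list above can be checked mechanically. The following Python sketch is an added example, not code from the book or from Docker: it audits a daemon.json and two `docker inspect` style records, all constructed here, and reports findings under the list item they relate to. The port 22 check is an assumed heuristic for "SSH" in the container runtime item.

```python
import json

# Constructed inputs (not from the book): a daemon.json and two trimmed
# `docker inspect` records, one hardened and one deliberately misconfigured.
DAEMON_JSON = """
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
 "icc": true, "tlsverify": false}
"""
CONTAINERS_JSON = """
[{"Name": "/web", "HostConfig": {"Privileged": false, "CapAdd": null,
   "Memory": 268435456, "NanoCpus": 500000000, "IpcMode": "private",
   "PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]}}},
 {"Name": "/legacy", "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"],
   "Memory": 0, "NanoCpus": 0, "IpcMode": "host",
   "PortBindings": {"22/tcp": [{"HostIp": "", "HostPort": "2222"}]}}}]
"""

RUNTIME = "Container runtime (Linux Kernel capabilities, SSH, ports, memory, CPU, IPC)"


def audit_daemon(daemon_json):
    """Check daemon.json against the daemon-level items in the list above."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp:
        findings.append(("Do not bind Docker to another IP/port or a Unix socket",
                         "daemon listens on " + ", ".join(tcp)))
        if not cfg.get("tlsverify", False):
            findings.append(("TLS authentication for the Docker daemon",
                             "TCP listener without tlsverify"))
    # Inter-container communication is allowed unless icc is explicitly false.
    if cfg.get("icc", True):
        findings.append(("Restrict network traffic between containers",
                         "icc is not set to false"))
    return findings


def audit_container(record):
    """Check one `docker inspect` record against the container runtime item."""
    host = record.get("HostConfig", {})
    details = []
    if host.get("Privileged"):
        details.append("runs privileged")
    if host.get("CapAdd"):
        details.append("adds capabilities: " + ", ".join(host["CapAdd"]))
    if not host.get("Memory"):
        details.append("no memory limit")
    if not any(host.get(k) for k in ("NanoCpus", "CpuQuota", "CpuShares")):
        details.append("no CPU limit")
    if host.get("IpcMode") == "host":
        details.append("shares the host IPC namespace")
    # Assumed heuristic: a published port 22 suggests an SSH server in the container.
    if any(p.split("/")[0] == "22" for p in (host.get("PortBindings") or {})):
        details.append("publishes port 22 (SSH)")
    return [(RUNTIME, d) for d in details]


def audit(daemon_json=DAEMON_JSON, containers_json=CONTAINERS_JSON):
    """Return {subject: [(practice, detail), ...]} for every subject with findings."""
    report = {"daemon": audit_daemon(daemon_json)}
    for record in json.loads(containers_json):
        report[record["Name"].lstrip("/")] = audit_container(record)
    return {subject: found for subject, found in report.items() if found}


if __name__ == "__main__":
    for subject, found in audit().items():
        for practice, detail in found:
            print(f"{subject}: {detail} [{practice}]")
```

On a real host the two inputs would come from /etc/docker/daemon.json and the output of `docker inspect`; the CIS Docker Benchmark covers many more checks than this sketch.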

The following diagram shows the key difference between virtualization and Docker. Virtualization is a guest OS level while Docker is actually an application-level isolation and shares the same guest OS:

Here is a summary of the known security vulnerabilities identified in Docker.

| CVE ID | Related CWE ID | Description |
|---|---|---|
| CVE-2014-5282 | 20 | Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via Docker load. |
| CVE-2017-14992 | 20 | Lack of content verification in Docker-CE (also known as Moby), and earlier allows a remote attacker to launch a Denial of Service attack via a crafted image layer payload; a.k.a Gzip bombing. |
| CVE-2017-7297 | 264 | Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3. |
| CVE-2016-9962 | 362 | RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container. |
| CVE-2014-0047 | n/a | Docker before 1.5 allows local users to have an unspecified impact via vectors involving unsafe /tmp usage. |

Here is a tip to query a specific vulnerability. Take 'CVE-2014-0047' as an example; just replace the CVE ID number at the end of the following URL.

Infrastructure as Code (IaC)

Puppet, Chef, Ansible, and SaltStack are tools to apply IaC. The key advantage of using these tools is that any system configuration can be defined in a text file at the design stage and changes can be managed by versions. This will help both operation and development teams to build security configuration baselines such as file permissions, firewall rules, web configurations, or MySQL connections. Once the security configuration baseline is defined, the operation team can monitor any unauthorized changes or roll back the configuration to previous specific versions.

For example, we may have baseline security firewall rules for a web services environment to only allow ports 80 and 443. All an operation team needs to do is to define the firewall rules by using one of the tools (Puppet, Chef, Ansible, SaltStack), and the framework will apply the rules, audit, and even correct changes if other ports are opened by mistake or by other service deployments.
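The audit-and-correct cycle described above can be modeled in a few lines. This Python sketch is an added example, not code from the book or from Puppet, Chef, Ansible, or SaltStack: it parses a constructed `iptables -S INPUT` listing, reports ports outside the 80/443 baseline, builds the corrective rule changes, and shows that a second run finds nothing left to do. The function names are hypothetical.

```python
import re

# Baseline from the text: the web services environment only allows 80 and 443.
BASELINE = frozenset({80, 443})

# Constructed `iptables -S INPUT` output; 8080 and 3306 stand in for ports
# opened by mistake or by another service deployment.
OBSERVED = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,3306 -j ACCEPT
"""

_DPORT = re.compile(r"--dports?\s+(\S+)")


def parse_accept_rules(rules_text):
    """Return [(rule_line, {ports})] for inbound TCP ACCEPT rules that name ports."""
    rules = []
    for line in rules_text.splitlines():
        fields = line.split()
        if fields[:2] != ["-A", "INPUT"] or fields[-2:] != ["-j", "ACCEPT"]:
            continue
        match = _DPORT.search(line)
        if "-p" not in fields or fields[fields.index("-p") + 1] != "tcp" or not match:
            continue
        ports = set()
        for part in match.group(1).split(","):
            low, _, high = part.partition(":")  # iptables writes ranges as low:high
            ports.update(range(int(low), int(high or low) + 1))
        rules.append((line, ports))
    return rules


def reconcile(rules_text, baseline=BASELINE):
    """Audit step: return (drift, plan), where plan lists iptables rule changes."""
    rules = parse_accept_rules(rules_text)
    opened = set().union(*(ports for _, ports in rules))
    # A rule that opens any non-baseline port is deleted whole ...
    offending = [line for line, ports in rules if ports - baseline]
    kept = set().union(*(ports for _, ports in rules if not ports - baseline))
    plan = ["-D" + line[2:] for line in offending]
    # ... and baseline ports that lose their rule are re-added one by one.
    plan += [f"-A INPUT -p tcp -m tcp --dport {port} -j ACCEPT"
             for port in sorted(baseline - kept)]
    return sorted(opened - baseline), plan


def apply_plan(rules_text, plan):
    """Correct step, simulated on the rule listing instead of a live firewall."""
    lines = rules_text.splitlines()
    for step in plan:
        if step.startswith("-D "):
            lines.remove("-A " + step[3:])
        else:
            lines.append(step)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    drift, plan = reconcile(OBSERVED)
    print("ports outside baseline:", drift)
    for step in plan:
        print("iptables", step)
    print("second run:", reconcile(apply_plan(OBSERVED, plan)))
```

The second run returning no drift and an empty plan is the idempotence that lets an IaC tool apply the same baseline on every deployment.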

The DevSec Hardening Framework project available at https://github.com/dev-sec provides Ansible, Chef, and Puppet secure configuration baseline template scripts.

The following diagram shows how IaC (for example, Puppet) works:

Cloud services hacks/abuse

A CSA survey on the top cloud security concerns has identified the following 12 issues:

  • Data breaches
  • Weak identity, credentials, and access management
  • Insecure APIs
  • System and application vulnerabilities
  • Account hijacking
  • Malicious insiders
  • Advanced Persistent Threats (APTs)
  • Data loss
  • Insufficient due diligence
  • Abuse and nefarious use of cloud services
  • Denial of service
  • Shared technology issues

In addition, service abuse has also become a headache for most e-commerce or shopping sites. Let's take one example to understand how hackers or misbehaving users can benefit from it.

Case study – products on sale

Assume that one online shopping store is going to have a 50% discount on one new model phone for only the first 100 customers; it will be available at 12:00 on February 1.

What do hackers do?

A sale like this, with a 50% profit, is a great attraction for malicious users. What underground users typically do involves the massive registration of user accounts. There can be more than 10,000 user accounts registered in a short period of time just before the sale. At the moment of the sale, they will use automated scripts to trigger purchase behaviors and finish the orders within seconds. Once they have ordered or occupied all the phones, they may either sell them at higher prices or even not pay for the orders.

Is this illegal? These behaviors follow the business rules for registration and purchases. Although the behavior may not be against the law, it may be considered misconduct or service abuse. Therefore, this kind of on-sale activity may require additional business rules and regulations. After all, it's not purely hacking behavior. We will discuss this in later chapters. Here, we provide an overview of alleviating measures, which can be by means of business rules or technical approaches:

  • The sale is only limited to those customers with a certain period of purchase history
  • Apply CAPTCHA to distinguish humans from machines
  • Two-factor authentication and registration via phone SMS
  • Detection and correlation of IP, phone number, email, account ID, physical address, and GeoIP location
  • Unusual page browsing behavior such as skipping products and jumping to the purchase directly
  • Unusual massive logins or registration from the same IP or devices
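Two of the detection measures above, mass registration from the same IP and purchases that skip product browsing, can be expressed as simple rules over an event log. This Python sketch is an added example, not code from the book: the log format, the 60-second window, the threshold of 3, and all accounts and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed event log for the sale at 12:00 (time, action, key=value fields).
SALE_LOG = """
11:40:00 register ip=198.51.100.20 account=alice
11:58:01 register ip=203.0.113.7 account=bot01
11:58:03 register ip=203.0.113.7 account=bot02
11:58:04 register ip=203.0.113.7 account=bot03
11:58:09 register ip=203.0.113.7 account=bot04
11:59:30 view ip=198.51.100.20 account=alice path=/product/phone
12:00:00 purchase ip=203.0.113.7 account=bot01
12:00:00 purchase ip=203.0.113.7 account=bot02
12:00:02 purchase ip=198.51.100.20 account=alice
"""


def parse_events(log_text):
    """Turn log lines into dicts with 't' (seconds since midnight) and 'action'."""
    events = []
    for line in log_text.strip().splitlines():
        clock, action, *pairs = line.split()
        hours, minutes, seconds = map(int, clock.split(":"))
        event = dict(pair.split("=", 1) for pair in pairs)
        event.update(t=hours * 3600 + minutes * 60 + seconds, action=action)
        events.append(event)
    return sorted(events, key=lambda e: e["t"])


def registration_bursts(events, window=60, threshold=3):
    """Return {ip: peak count} for IPs with >= threshold registrations in any window."""
    recent = defaultdict(deque)
    peaks = {}
    for event in events:
        if event["action"] != "register":
            continue
        times = recent[event["ip"]]
        times.append(event["t"])
        # Slide the window: drop registrations older than `window` seconds.
        while times[0] <= event["t"] - window:
            times.popleft()
        if len(times) >= threshold:
            peaks[event["ip"]] = max(peaks.get(event["ip"], 0), len(times))
    return peaks


def direct_purchases(events):
    """Accounts that reach the purchase step without viewing any product page first."""
    viewed, flagged = set(), []
    for event in events:
        if event["action"] == "view":
            viewed.add(event["account"])
        elif event["action"] == "purchase" and event["account"] not in viewed:
            flagged.append(event["account"])
    return flagged


def orders_to_review(events):
    """Correlate both signals per purchasing account: {account: [reasons]}."""
    burst_ips = registration_bursts(events)
    registered_from = {e["account"]: e["ip"] for e in events if e["action"] == "register"}
    direct = set(direct_purchases(events))
    review = {}
    for event in events:
        if event["action"] != "purchase":
            continue
        reasons = []
        if registered_from.get(event["account"]) in burst_ips:
            reasons.append("registered during a burst from one IP")
        if event["account"] in direct:
            reasons.append("purchased without browsing")
        if reasons:
            review[event["account"]] = reasons
    return review


if __name__ == "__main__":
    for account, reasons in orders_to_review(parse_events(SALE_LOG)).items():
        print(account, "->", "; ".join(reasons))
```

Flagged orders go to review rather than being rejected outright, since both signals can also come from legitimate customers behind a shared address.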

Rapid release

Rapid, frequent, and iterative releases are very common for cloud services. This normally drives the need for DevOps practices. This can be both an opportunity and a challenge to security. The challenge is that a short period of frequent releases may not include enough time to do a full cycle of security testing. There are three maturity levels of DevOps practices:

| Maturity level | Achieved | Technology adoption |
|---|---|---|
| Continuous integration | Source code repository and version control; CI workflow with a daily build and unit testing | Jenkins; Git; Unit testing |
| Continuous delivery | Automated deploy to the staging environment; Integration testing on the staging environment; Deployment to production is done manually | IaC (Puppet); Docker |
| Continuous deployment | Automated deployment and acceptance testing on production; Production changes or configuration management | IaC (Puppet); Docker; Automated acceptance testing; Configuration monitoring |

The adoption of DevOps practices means more collaboration between development, QA, IT, and operation teams, and more in-progress adoption of continuous integration or continuous delivery tools. This provides a good foundation to move to DevSecOps. Depending on the maturity level of the existing CI/CD, security practices or tools can be added on top of the existing CI/CD framework. The most effective way to introduce security, with the smallest learning curve, is not to change the way the existing development, QA, IT, and operation teams work. Building security tools around the existing CI/CD is still the best approach. We will explore this more in upcoming chapters.

The diagram below shows the security involved with development, QA, and operations through the whole CI/CD lifecycle.

Summary

In this chapter, we discussed external factors that drive the need for security such as security compliance, regulations, and the market. In addition, the adoption of new technologies also brings about new challenges such as Docker, virtualization, cloud services, and IaC.

For security compliance, we briefly discussed ISO 27001 and some security best practices/tools introduced by CSA such as CCM, cloud security guide, CAIQ, and Cloud top threats. FIPS was also discussed for the correct usage of cryptography. In terms of infrastructure security, CIS and OpenSCAP were introduced. Finally, the EU GDPR law regulates and drives the security requirements of data and privacy protection.

Based on all these security challenges and compliance rules, we introduced one small case study of how cloud services could be hacked and abused. We also looked at what security technologies may apply to DevOps practices. In upcoming chapters, we will further discuss how security goals, metrics, and security assurance programs apply to different kinds of organization and practices.

Questions

  1. Does FIPS define the security requirements for cryptography?
  2. Which of the following security compliance standards is primarily focused on personal data privacy?
    1. ISO 27018
    2. FIPS
    3. GDPR
    4. CIS
  3. What can be considered cloud service abuse?
    1. Account sharing
    2. Brute-force logins
    3. API abuse
    4. All of the above
  4. What is the CIS security benchmark used for?
    1. Anti-virus
    2. Defining secure configuration of the OS, platform, databases, and so on
    3. Firewall
    4. Integrity
  5. Which role is involved with security practices during the DevOps cycle?
    1. QA
    2. RD
    3. Operations
    4. All of the above
  6. How does the technology Infrastructure as Code help security operation teams?
    1. Virus detection
    2. Secure configuration
    3. Intrusion detection
    4. Encryption
  7. Which of the following is not a privacy principle?
    1. Spoofing
    2. Purpose limitations
    3. Storage limitations
    4. Accuracy

Further reading

Read the following links for further readings:


Key benefits

  • Integrate security at each layer of the DevOps pipeline
  • Discover security practices to protect your cloud services by detecting fraud and intrusion
  • Explore solutions to infrastructure security using DevOps principles

Description

DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization. Hands-On Security in DevOps shows you how to adopt DevOps techniques to continuously improve your organization’s security at every level, rather than just focusing on protecting your infrastructure. This guide combines DevOps and security to help you to protect cloud services, and teaches you how to use techniques to integrate security directly in your product. You will learn how to implement security at every layer, such as for the web application, cloud infrastructure, communication, and the delivery pipeline layers. With the help of practical examples, you’ll explore the core security aspects, such as blocking attacks, fraud detection, cloud forensics, and incident response. In the concluding chapters, you will cover topics on extending DevOps security, such as risk assessment, threat modeling, and continuous security. By the end of this book, you will be well-versed in implementing security in all layers of your organization and be confident in monitoring and blocking attacks throughout your cloud services.

Who is this book for?

Hands-On Security in DevOps is for system administrators, security consultants, and DevOps engineers who want to secure their entire organization. Basic understanding of Cloud computing, automation frameworks, and programming is necessary.

What you will learn

  • Understand DevSecOps culture and organization
  • Learn security requirements, management, and metrics
  • Secure your architecture design by looking at threat modeling, coding tools and practices
  • Handle most common security issues and explore black and white-box testing tools and practices
  • Work with security monitoring toolkits and online fraud detection rules
  • Explore GDPR and PII handling case studies to understand the DevSecOps lifecycle

Product Details

Publication date: Jul 30, 2018
Length: 356 pages
Edition: 1st
Language: English
ISBN-13: 9781788995504

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Jul 30, 2018
Length: 356 pages
Edition : 1st
Language : English
ISBN-13 : 9781788995504
Concepts :


Table of Contents

22 Chapters
DevSecOps Drivers and Challenges
Security Goals and Metrics
Security Assurance Program and Organization
Security Requirements and Compliance
Case Study - Security Assurance Program
Security Architecture and Design Principles
Threat Modeling Practices and Secure Design
Secure Coding Best Practices
Case Study - Security and Privacy by Design
Security-Testing Plan and Practices
Whitebox Testing Tips
Security Testing Toolkits
Security Automation with the CI Pipeline
Incident Response
Security Monitoring
Security Assessment for New Releases
Threat Inspection and Intelligence
Business Fraud and Service Abuses
GDPR Compliance Case Study
DevSecOps - Challenges, Tips, and FAQs
Assessments
Other Books You May Enjoy

Customer reviews

Rating distribution
3.3 (13 Ratings)
5 star 23.1%
4 star 30.8%
3 star 23.1%
2 star 0%
1 star 23.1%

Top Reviews

Peter Sep 08, 2018
Rating: 5/5
The book gives a broad coverage for all security aspects of DevOps, from infrastructure to communication to application layer. It is helpful for security planning and review of new and established environments.
Amazon Verified review

Melanie Alwardt Feb 05, 2019
Rating: 5/5
Provides a really good overview about security-relevant steps during software development lifecycle, combined with practical tips where to get started and what to consider. I liked especially the well structured lists of assets/standards/tools per topic.
Amazon Verified review

dnyaneshwar Feb 08, 2024
Rating: 5/5
Original MRP is 1099 rs. Price is inflated.
Amazon Verified review

kimberly allen Sep 06, 2018
Rating: 4/5
I enjoyed the book and its no-nonsense concept of getting to the information a practitioner needs. Many of the examples, tables and links will assist any security professional in developing a framework or way forward to implement DEVSECOPS. I was pleasantly surprised. I would have said 5 stars, but the tables seem awkward in the Kindle app for PC or iPad. Really... 4.9 stars to be honest.
Amazon Verified review

Mirko Brandner Nov 10, 2018
Rating: 4/5
Good overview; for me, security comes up a bit short, i.e. DevSecOps.
Amazon Verified review