Concepts and Practices of DevSecOps
Crack the DevSecOps interviews (English Edition)
Published by BPB Publications
Publication Date:
Available in all formats
Format: eBook (EPUB)
ISBN: 9789355519320
Pages: 238
Price: INR 799.00
DevOps took shape after the rapid evolution of agile methodologies and tools for managing different aspects of software development and IT operations. This resulted in a cultural shift and quick adoption of new methodologies and tools. Start with the core principles of integrating security throughout the software development lifecycle. Dive deep into application security, tackling vulnerabilities and tools such as JWT and OAuth. Master multi-cloud infrastructure with DevSecOps on AWS, GCP, and Azure. Secure containerized applications by understanding vulnerabilities, patching, and best practices for Docker and Kubernetes. Automate and integrate your security with powerful tools. The book aims to provide a range of use cases, practical tips, and answers to a comprehensive list of 150+ questions drawn from software team war rooms and interview sessions. After reading the book, you can confidently respond to questions on DevSecOps in interviews and work effectively in a DevSecOps team.
Table of contents
  • Cover Page
  • Title Page
  • Copyright Page
  • Dedication
  • About the Author
  • About the Reviewers
  • Acknowledgement
  • Preface
  • Table of Contents
  • 1. Security in DevOps
    • Introduction
    • Structure
    • Objectives
      • Relooking at security operations
      • A DevOps cycle
      • Conventional SecOps with DevOps
      • Issues with conventional SecOps
    • Shifting security left
    • Adopting DevSecOps: Key changes
      • Lean process
    • Agile versus DevSecOps: No contradiction
      • Automation
      • Measurement
      • Ecosystem interoperability
      • Documentation of new and old ways
    • Security controls
      • Goals of security
    • Documentation and security
    • Threat modelling and security policies
    • Infrastructure provisioning and security
      • A high availability configuration
      • Managing infrastructure in the Cloud
      • Security intervention for infrastructure provisioning
    • Code commit, release and security
      • A programming framework
      • Automated security tools in software environments
    • A use case: IoT application
    • Conclusion
    • Questions
  • 2. Application Security
    • Introduction
    • Structure
    • Objectives
    • An app on the Cloud
      • Delivery of Cloud services
      • Identity and access management
      • Metering and billing
      • Provisioning and resource management
      • Constituents of an app
      • App and workflow
      • Session management: Cookie and JSON web token
      • Encryption
      • Hash function
      • Public key infrastructure and secured socket layer
      • Microservices
      • High availability deployment and multi-instance deployment
      • Serviceful and serverless
      • Putting it all together: A security perspective
    • CI/CD pipeline and security
      • Web application firewall
      • Vulnerability DBs, automation and monitoring
      • InfoSec as a service
    • Low-Code, No-Code and RAD
      • Business operation, workflow, and communication
      • Different techs and new ways of application development
    • Application security
      • OWASP Top 10
        • A01:2021 - Broken access control
        • A02:2021 - Cryptographic failures
        • A03:2021 - Injection
        • A04:2021 - Insecure design
        • A05:2021 - Security misconfiguration
        • A06:2021 - Vulnerable and outdated components
        • A07:2021 - Identification and authentication failures
        • A08:2021 - Software and data integrity failures
        • A09:2021 - Security logging and monitoring failures
        • A10:2021 - Server-side request forgery
        • SANS Top 25
        • Use case: Making a secure application
    • Conclusion
    • Questions
  • 3. Infrastructure as Code
    • Introduction
    • Structure
    • Objectives
    • Cloud infrastructure
    • Benefits of IaC in DevSecOps
    • IaC for DevSecOps in AWS
      • Define our IaC with AWS CloudFormation
      • Set up CI/CD pipeline
      • Incorporate security controls
      • Use AWS Config for continuous compliance
      • Automated testing
      • Incorporate monitoring and logging
      • Use AWS Secrets Manager for managing secrets
    • IaC for DevSecOps in GCP
      • Define our IaC with deployment manager
      • CI/CD pipeline
      • Incorporate security controls
      • Use Google Cloud Asset Inventory for continuous compliance
      • Automated testing
      • Incorporate monitoring and logging
      • Use Google Secret Manager for managing secrets
    • IaC for DevSecOps in Azure
      • CI/CD pipeline
      • Incorporate security controls
      • Use Azure Policy for continuous compliance
      • Automated testing
      • Incorporate monitoring and logging
      • Use Azure Key Vault for managing secrets
    • IaC for DevSecOps in a hybrid environment
      • Define our Infrastructure as Code
      • CI/CD pipeline
      • Incorporate security controls
      • Continuous compliance
      • Automated testing
      • Incorporate monitoring and logging
      • Secret management
    • IaC and DevSecOps with legacy system
      • Implementing IaC and DevSecOps with legacy systems
    • DevSecOps dashboard
    • Use case: Setup software environment
    • Conclusion
    • Questions
  • 4. Containers and Security
    • Introduction
    • Structure
    • Objectives
    • Introduction to containers
      • Natural fit for microservices
    • Container technologies
      • Overview of Docker
      • Introduction to Kubernetes
      • Other container orchestration tools
    • Role of containers in DevSecOps
      • Consistency and reproducibility
      • Isolation
      • Scalability and efficiency
      • Immutable Infrastructure
    • Container security basics
      • Container images
        • Storing and distributing securely
      • Container runtime
        • Container isolation
        • Least privilege
        • Security modules
        • Runtime vulnerability scanning
      • Host system
      • Orchestration and deployment
        • Role-based access control
        • Securing the control plane
        • Network policies
      • Importance of container security in DevSecOps
        • Challenges in container security
    • Security in container lifecycle
      • Secure container development
      • Secure container deployment
      • Secure container operations
    • Container image security
      • Importance of secure container images
      • Vulnerabilities in container images
        • Clair
        • Anchore Engine
        • Docker Security Scanning
      • Signing and verifying container images
        • Docker Content Trust
        • Notary
        • Portieris
    • Runtime container security
      • Container isolation mechanisms
        • Namespaces
        • Control groups
        • Capabilities
      • Monitoring and auditing container activity
        • Monitoring container activity with Fluentd
        • Log analysis with Elasticsearch and Kibana
        • Auditing container activity with Auditd and Falco
      • Detecting and responding to runtime threats
    • Network security for containers
      • Container network models
        • Bridge networks
        • Host networks
        • Overlay networks
      • Implementing network policies
      • Secure service discovery and communication
      • Service discovery
        • Secure communication
    • Secrets management in containers
      • Challenges of managing secrets in containers
        • Ephemeral nature of containers
        • Scale
        • Immutable infrastructure
      • Secure strategies for storing and accessing secrets
        • Environment variables
        • Secrets volume
        • Secrets management service
      • Tools for secrets management in containers
        • Docker secrets
        • Kubernetes Secrets
        • Vault by HashiCorp
        • Cloud secrets management services
    • Best practices for container security in DevSecOps
      • Following the principle of least privilege
        • Running containers as non-root user
        • Limiting container capabilities
        • Implementing fine-grained access control
      • Regularly updating and patching containers
        • Updating container images
        • Deploying updated containers
        • Monitoring for vulnerabilities
      • Using immutable containers
      • Automated security scanning and remediation
        • Automated security scanning during build
        • Continuous scanning
        • Automated remediation
        • Alerts and manual intervention
      • Integrating security into the CI/CD pipeline
        • Image scanning during build
        • Static code analysis
        • Security policy enforcement
    • Case studies of container security in DevSecOps
      • Case study: Adobe
      • Case study: Shopify
    • Conclusion
    • Questions
  • 5. Automation and Integration
    • Introduction
    • Structure
    • Objectives
    • Automating integration workflows
    • Policy as Code
    • Monitoring as code
    • Security as code
      • Automated security checks
      • Infrastructure security
      • Secure defaults
      • Authentication and authorization
        • Identity and access management tools
        • Multi-factor authentication
        • Single sign-on
        • Identity federation
        • Secrets management
    • Cloud security solutions
      • Cloud workload protection platforms
      • Cloud security posture management
      • Cloud access security brokers
    • Supply chain and risks
      • Potential vulnerabilities
      • Possible exploits
      • Mitigation strategies
    • Automating integration workflows challenges and best practices
    • Use case: Integrations
    • Conclusion
    • Questions
  • 6. Frameworks and Best Practices
    • Introduction
    • Structure
    • Objectives
    • Risks and compliance
    • Security frameworks
      • ISO/IEC 27001
      • National Institute of Standards and Technology Cybersecurity Framework
      • Center for Internet Security Controls
      • Payment card industry data security standard
      • Control objectives for information and related technologies
      • Health Insurance Portability and Accountability Act
      • System and Organization Controls 2
      • Working with different frameworks
    • Compliance as code and its importance
    • Understanding security audit workflows
    • Threat modeling
      • STRIDE
      • Process for attack simulation and threat analysis
      • DREAD
      • OCTAVE
      • Attack trees
    • CSA’s six pillars of DevSecOps
    • Compliance and risk management for our IoT application
    • Conclusion
    • Questions
  • 7. Digital Transformation and DevSecOps
    • Introduction
    • Structure
    • Objectives
    • The nature of digital transformation
    • DevSecOps: Roles, responsibilities, and skillsets
    • Cultivating a new culture: The human element
      • Collective responsibility
      • Open communication and collaboration
      • Pragmatic implementation and continuous learning
      • Automation and empowerment
      • Threat investigation and embracing failure
    • Open-source software: Balancing opportunities and challenges
      • Opportunities presented by open-source software
        • Innovation and flexibility
        • Reduced costs
        • Availability of high-quality tools
        • Driving innovation in DevSecOps
        • Challenges of open-source software
        • Security risks
        • Dependency management
        • Quality and maintenance variability
        • Technological liability
      • Towards successful open-source initiatives in DevSecOps
    • The journey towards cloud-native capabilities
    • Conclusion
    • Questions
  • Index