DevSecOps

Foreword Introduction 1 DevOps Explained The three ways The five ideals Conclusion 2 Security Explained Types of attacks Adversaries and their weapons Conclusion 3 DevSecOps Security implied in DevOps Points of contention between DevOps and security teams A layered approach to effective DevSecOps Three layers overview Conclusion 4 Layer 1: Security Education Importance of security education Security champions Gamified learning Instructor-led training Self-paced learning Pair programming and peer reviews Informal security knowledge sharing Experimentation Certification Avoiding entropy Conclusion 5 Layer 2: Secure By Design The importance of good design principles Threat modelling Clean code Naming conventions and formatting Common weakness lists Core application security design principles Microservices Container technologies Securing the pipeline Conclusion 6 Layer 3: Security Automation The importance of security automation Application security testing Mobile security testing Runtime application self-protection Software composition analysis Unit testing Infrastructure as code testing Container image scanning Dynamic threat analysis Network scanning Some testing cannot be automated Monitoring and alerting Vulnerability management Conclusion 7 Laying The Foundation Increase DevSecOps maturity Start reducing technical debt Introduce an education programme Implement security design principles Implement security test automation Measure and adjust DevSecOps starts with people Conclusion 8 Summary References Further Reading Acknowledgements The Author