Securing DevOps
Safe services in the Cloud
Julien Vehent
  • MEAP began August 2016
  • Publication in Fall 2017 (estimated)
  • ISBN 9781617294136
  • 400 pages (estimated)
  • printed in black & white

Modern DevOps makes it possible to run online services at low cost, and lets small startups compete with tech giants. The role of the security team in a DevOps organization is to be the safety net that protects the company's assets while allowing it to succeed. Securing DevOps is about helping organizations operate securely and protect the data their customers entrust to them. Security teams need to adopt the techniques of DevOps and switch their focus from defending only the infrastructure to protecting the entire organization by improving it continuously.

Securing DevOps explores how the techniques of DevOps and Security should be applied together to make cloud services safer. This introductory book reviews state-of-the-art practices used in securing web applications and their infrastructure, and teaches you techniques to integrate security directly into your product. You'll also learn the core concepts of DevOps, such as Continuous Integration, Continuous Delivery, and Infrastructure as a Service. You'll build an example service - an invoice management API - as you learn how to implement both DevOps and Security concepts together. By the end of this book, you'll be ready to build security controls at all layers, monitor and respond to attacks on cloud services, and add security organization-wide through risk management and training.

Table of Contents

1. Securing DevOps

1.1. The DevOps approach

1.1.1. Continuous Integration (CI)

1.1.2. Continuous Delivery (CD)

1.1.3. Infrastructure as a Service (IaaS)

1.1.4. Culture and trust

1.2. Security in DevOps

1.3. Continuous Security

1.3.1. Test Driven Security

1.3.2. Monitoring and responding to attacks

1.3.3. Assessing risks and maturing security

1.4. Summary

Unit 1: A Case Study: Applying Layers of Security to A Simple DevOps Pipeline

2. Building a Barebones DevOps Pipeline to Secure

2.1. Implementation Roadmap

2.2. The code repository: GitHub

2.3. The CI platform: CircleCI

2.4. The container repository: Docker Hub

2.5. The production infrastructure: Amazon Web Services

2.5.1. Three-tier architecture

2.5.2. Configuring access to AWS

2.5.3. Virtual Private Cloud

2.5.4. Creating the database tier

2.5.5. Creating the first two tiers with Elastic Beanstalk

2.5.6. Deploying the container onto our systems

2.6. A rapid security audit

2.7. Summary

3. Security layer 1: Protecting Web Applications

3.1. Securing and testing web applications

3.2. Website attacks and content security

3.2.1. Cross-Site Scripting (XSS) and Content-Security Policy (CSP)

3.2.2. Cross-Site Request Forgery (CSRF)

3.2.3. Clickjacking and iframe protection

3.3. Methods for authenticating users

3.3.1. HTTP Basic Authentication

3.3.2. Password management

3.3.3. Identity Providers

3.3.5. Testing authentication

3.4. Managing dependencies

3.4.1. Golang vendoring

3.4.2. Node.js package management

3.4.3. Python requirements

3.5. Summary

4. Security layer 2: Protecting Cloud Infrastructures

4.1. Securing and testing cloud infrastructure: The 'Deployer' App

4.1.1. Setting up the deployer

4.1.2. Configuring notifications between DockerHub and the Deployer

4.1.3. Running tests against the infrastructure

4.1.4. Updating the invoicer environment

4.2. Restricting network accesses

4.2.1. Testing Security Groups

4.2.2. Opening accesses between security groups

4.3. Building a secure entry point

4.3.1. Generating SSH keys

4.3.2. Creating a bastion host in EC2

4.3.3. Enabling two factor authentication with SSH

4.3.4. Sending notifications on accesses

4.3.5. General security considerations

4.3.6. Opening accesses between security groups

4.4. Controlling access to the database

4.4.1. Analyzing the database structure

4.4.2. Roles and permissions in PostgreSQL

4.4.3. Defining fine-grained permissions for the invoicer application

4.4.4. Asserting permissions in the deployer

4.5. Summary

5. Security layer 3: Securing Communications

5.1. What does it mean to secure communications?

5.1.1. Early symmetric cryptography

5.1.2. Diffie-Hellman and RSA

5.1.3. Public Key Infrastructures

5.1.4. SSL and TLS

5.2. Understanding SSL/TLS

5.2.1. The certificate chain

5.2.2. The TLS handshake

5.2.3. Perfect Forward Secrecy

5.3. Getting applications to use HTTPS

5.3.1. Obtaining certificates from AWS

5.3.2. Obtaining certificates from Let's Encrypt

5.3.3. Enabling HTTPS on AWS ELB

5.4. Modernizing HTTPS

5.4.1. Testing TLS

5.4.2. Implementing Mozilla's Modern guidelines

5.4.3. HSTS: Strict Transport Security

5.4.4. HPKP: Public Key Pinning

5.5. Summary

6. Security Layer 4: Securing the delivery pipeline

6.1. Access control of the code management

6.1.1. Managing permissions in a GitHub organization

6.1.2. Managing permissions between GitHub and CircleCI

6.1.3. Signing commits and tags with git

6.2. Access control of the container storage

6.2.1. Managing permissions between DockerHub and CircleCI

6.2.2. Signing containers with Docker Content Trust

6.3. Access control of the infrastructure management

6.3.1. Managing permissions using AWS roles and policies

6.3.2. Distributing secrets to production systems

6.4. Summary

Unit 2: Watching for anomalies and protecting services against attacks

7. Collecting and storing logs

7.1. Collecting logs from systems and applications

7.1.1. Collecting logs from systems

7.1.2. Collecting application logs

7.1.3. Infrastructure logging

7.1.4. Collecting logs from GitHub

7.2. Streaming log events through message brokers

7.3. Processing events in log consumers

7.4. Storing and archiving logs

7.5. Accessing logs

7.6. Summary

8. Analyzing logs for fraud and attacks

8.1. Architecture of a log analysis layer

8.2. Detecting attacks using string signatures

8.3. Statistical models for fraud detection

8.3.1. Sliding windows and circular buffers

8.3.2. Moving averages

8.4. Using geographic data to find abuses

8.4.1. Geo-profiling users

8.4.2. Calculating distances

8.4.3. Finding a user’s normal connection area

8.5. Detecting anomalies in known patterns

8.5.1. User-agent signature

8.5.2. Anomalous Browser

8.5.3. Interaction patterns

8.6. Raising alerts to operators and end-users

8.6.1. Escalating security events to operators

8.6.2. How and when to notify end-users

8.7. Summary

9. Detecting intrusions

9.1. The seven phases of an intrusion: the kill chain

9.2. What are indicators of compromise?

9.2.1. Snort rules

9.2.2. YARA

9.2.3. OpenIOC

9.2.4. STIX and TAXII

9.3. Scanning endpoints for IOCs

9.3.1. A Survey of Tools

9.3.2. Endpoint security and containers

9.4. Inspecting network traffic with Suricata

9.4.1. Setting up Suricata

9.4.2. Monitoring the network

9.4.3. Writing rules

9.4.4. Using pre-defined rulesets

9.5. Finding intrusions in system call audit logs

9.5.1. The execution vulnerability

9.5.2. Catching fraudulent executions

9.5.3. Monitoring the file system

9.5.4. Monitoring the impossible

9.6. Trusting humans to detect anomalies

9.7. Summary

10. Responding to incidents

Unit 3: Maturing a DevOps Security Strategy

11. Assessing risks

12. Testing security

13. Continuous security

What's inside

  • The DevOps approach to Continuous Security
  • Construction of a DevOps pipeline via an example application
  • Implementation of Test Driven Security at the web application, cloud infrastructure, and delivery pipeline layers
  • Common attacks on cloud services and methods to protect against them
  • Techniques used in intrusion and fraud detection, digital forensics, and incident response
  • Assessing and managing risks in a DevOps organization

About the reader

Readers should have intermediate skills in systems administration, and be comfortable with Linux and the hosting of websites. An understanding of Amazon Web Services and automation frameworks like Puppet and Chef, along with basic programming skills, is helpful, but not required.

About the author

Julien Vehent is the leader of security architecture for Mozilla's Cloud Services division. He is responsible for defining, implementing and operating the security of web services that millions of Firefox users interact with daily. Julien has been focusing on developing, operating and securing Internet services for the past fifteen years, starting as a Linux sysadmin and graduating with a Master's in Information Security in 2007.

Manning Early Access Program (MEAP): Read chapters as they are written, get the finished eBook as soon as it's ready, and receive the pBook long before it's in bookstores.
Buy
MEAP combo $49.99 pBook + eBook
MEAP eBook $39.99 pdf + ePub + kindle

FREE domestic shipping on three or more pBooks