Securing DevOps
Safe services in the Cloud
Julien Vehent
  • MEAP began August 2016
  • Publication in August 2018 (estimated)
  • ISBN 9781617294136
  • 384 pages (estimated)
  • printed in black & white

This book is an amazing resource for secure software development (a must in this day and age) regardless of whether or not you believe in devops.

Andrew Bovill

Modern DevOps makes it possible to run online services at low cost, and lets small startups compete with tech giants. The role of the security team in a DevOps organization is to be the safety net that protects the company's assets while allowing it to succeed. Securing DevOps is about helping organizations operate securely and protect the data their customers entrust to them. Security teams need to adopt the techniques of DevOps and switch their focus from defending only the infrastructure to protecting the entire organization by improving it continuously.

Table of Contents

1. Securing DevOps

1.1. The DevOps approach

1.1.1. Continuous Integration (CI)

1.1.2. Continuous Delivery (CD)

1.1.3. Infrastructure as a Service (IaaS)

1.1.4. Culture and trust

1.2. Security in DevOps

1.3. Continuous Security

1.3.1. Test Driven Security

1.3.2. Monitoring and responding to attacks

1.3.3. Assessing risks and maturing security

1.4. Summary

Unit 1: A Case Study: Applying Layers of Security to a Simple DevOps Pipeline

2. Building a Barebones DevOps Pipeline to Secure

2.1. Implementation Roadmap

2.2. The code repository: GitHub

2.3. The CI platform: CircleCI

2.4. The container repository: Docker Hub

2.5. The production infrastructure: Amazon Web Services

2.5.1. Three-tier architecture

2.5.2. Configuring access to AWS

2.5.3. Virtual Private Cloud

2.5.4. Creating the database tier

2.5.5. Creating the first two tiers with Elastic Beanstalk

2.5.6. Deploying the container onto our systems

2.6. A rapid security audit

2.7. Summary

3. Security layer 1: Protecting Web Applications

3.1. Securing and testing web applications

3.2. Website attacks and content security

3.2.1. Cross-site Scripting (XSS) and Content-Security Policy (CSP)

3.2.2. Cross-Site Request Forgery (CSRF)

3.2.3. Clickjacking and iframes protection

3.3. Methods for authenticating users

3.3.1. HTTP Basic Authentication

3.3.2. Password management

3.3.3. Identity Providers

3.3.5. Testing authentication

3.4. Managing dependencies

3.4.1. Golang vendoring

3.4.2. Node.js package management

3.4.3. Python requirements

3.5. Summary

4. Security layer 2: Protecting Cloud Infrastructures

4.1. Securing and testing cloud infrastructure: The "Deployer" App

4.1.1. Setting up the deployer

4.1.2. Configuring notifications between DockerHub and the Deployer

4.1.3. Running tests against the infrastructure

4.1.4. Updating the invoicer environment

4.2. Restricting network accesses

4.2.1. Testing Security Groups

4.2.2. Opening accesses between security groups

4.3. Building a secure entry point

4.3.1. Generating SSH keys

4.3.2. Creating a bastion host in EC2

4.3.3. Enabling two-factor authentication with SSH

4.3.4. Sending notifications on accesses

4.3.5. General security considerations

4.3.6. Opening accesses between security groups

4.4. Controlling access to the database

4.4.1. Analyzing the database structure

4.4.2. Roles and permissions in PostgreSQL

4.4.3. Defining fine-grained permissions for the invoicer application

4.4.4. Asserting permissions in the deployer

4.5. Summary

5. Security layer 3: Securing Communications

5.1. What does it mean to secure communications?

5.1.1. Early symmetric cryptography

5.1.2. Diffie-Hellman and RSA

5.1.3. Public Key Infrastructures

5.1.4. SSL and TLS

5.2. Understanding SSL/TLS

5.2.1. The certificate chain

5.2.2. The TLS handshake

5.2.3. Perfect Forward Secrecy

5.3. Getting applications to use HTTPS

5.3.1. Obtaining certificates from AWS

5.3.2. Obtaining certificates from Let’s Encrypt

5.3.3. Enabling HTTPS on AWS ELB

5.4. Modernizing HTTPS

5.4.1. Testing TLS

5.4.2. Implementing Mozilla’s Modern guidelines

5.4.3. HSTS: Strict Transport Security

5.4.4. HPKP: Public Key Pinning

5.5. Summary

6. Security Layer 4: Securing the delivery pipeline

6.1. Access control to the code management infrastructure

6.1.1. Managing permissions in a GitHub organization

6.1.2. Managing permissions between GitHub and CircleCI

6.1.3. Signing commits and tags with git

6.2. Access control of the container storage

6.2.1. Managing permissions between DockerHub and CircleCI

6.2.2. Signing containers with Docker Content Trust

6.3. Access control of the infrastructure management

6.3.1. Managing permissions using AWS roles and policies

6.3.2. Distributing secrets to production systems

6.4. Summary

Unit 2: Watching for anomalies and protecting services against attacks

7. Collecting and storing logs

7.1. Collecting logs from systems and applications

7.1.1. Collecting logs from systems

7.1.2. Collecting application logs

7.1.3. Infrastructure logging

7.1.4. Collecting logs from GitHub

7.2. Streaming log events through message brokers

7.3. Processing events in log consumers

7.4. Storing and archiving logs

7.5. Accessing logs

7.6. Summary

8. Analyzing logs for fraud and attacks

8.1. Architecture of a log analysis layer

8.2. Detecting attacks using string signatures

8.3. Statistical models for fraud detection

8.3.1. Sliding windows and circular buffers

8.3.2. Moving averages

8.4. Using geographic data to find abuses

8.4.1. Geo-profiling users

8.4.2. Calculating distances

8.4.3. Finding a user’s normal connection area

8.5. Detecting anomalies in known patterns

8.5.1. User-agent signature

8.5.2. Anomalous Browser

8.5.3. Interaction patterns

8.6. Raising alerts to operators and end-users

8.6.1. Escalating security events to operators

8.6.2. How and when to notify end-users

8.7. Summary

9. Detecting intrusions

9.1. The seven phases of an intrusion: the kill chain

9.2. What are indicators of compromise?

9.2.1. Snort rules

9.2.2. YARA

9.2.3. OpenIOC

9.2.4. STIX and TAXII

9.3. Scanning endpoints for IOCs

9.3.1. A Survey of Tools

9.3.2. Endpoint security and containers

9.4. Inspecting network traffic with Suricata

9.4.1. Setting up Suricata

9.4.2. Monitoring the network

9.4.3. Writing rules

9.4.4. Using pre-defined rulesets

9.5. Finding intrusions in system call audit logs

9.5.1. The execution vulnerability

9.5.2. Catching fraudulent executions

9.5.3. Monitoring the file system

9.5.4. Monitoring the impossible

9.6. Trusting humans to detect anomalies

9.7. Summary

10. The Caribbean breach: a case study in incident response

10.1. The Caribbean breach

10.2. Identification

10.3. Containment

10.4. Eradication

10.4.1. Capturing digital forensics artifacts in AWS

10.4.2. Outbound IDS filtering

10.4.3. Hunting IOCs with MIG

10.5. Recovery

10.6. Lessons Learned, and the benefits of preparation

10.7. Summary

Unit 3: Maturing DevOps Security

11. Assessing risks

11.1. What is risk management?

11.2. The CIA Triad

11.2.1. Confidentiality

11.2.2. Integrity

11.2.3. Availability

11.3. Establishing the top threats to an organization

11.4. Quantifying the impact of risks

11.4.1. Finance

11.4.2. Reputation

11.4.3. Productivity

11.5. Identifying threats and measuring vulnerability

11.5.1. The STRIDE threat-modeling framework

11.5.2. The DREAD threat-modeling framework

11.6. The Rapid Risk Assessment framework

11.6.1. Gathering information

11.6.2. Establishing a data dictionary

11.6.3. Identifying and Measuring risks

11.6.4. Making recommendations

11.7. Recording and tracking risks

11.7.1. Accepting, rejecting, and delegating risks

11.7.2. Revisiting risks regularly

11.8. Summary

12. Testing Security

12.1. Maintaining security visibility

12.2. Auditing internal applications and services

12.2.1. Web application scanners

12.2.2. Fuzzing

12.2.3. Static code analysis

12.2.4. Auditing Cloud Infrastructure

12.3. Red teams and external pentesting

12.4. Bug bounty programs

12.5. Summary

13. Continuous security

13.1. Practice & repetition: 10,000 hours of security

13.2. Year 1: Integrating security into DevOps

13.2.1. Don’t judge too early

13.2.2. Test everything, and make dashboards

13.3. Year 2: Preparing for the worst

13.3.1. Avoid duplicating infrastructure

13.3.2. Build versus buy

13.3.3. Getting breached

13.4. Year 3: Driving the change

13.4.1. Revisit security priorities

13.4.2. Progressing iteratively

About the book

Securing DevOps explores how the techniques of DevOps and security should be applied together to make cloud services safer. This introductory book reviews state-of-the-art practices used in securing web applications and their infrastructure, and teaches you techniques to integrate security directly into your product. You'll also learn the core concepts of DevOps, such as Continuous Integration, Continuous Delivery and Infrastructure as a Service. You'll build an example service, an invoice management API, as you learn how to implement DevOps and security concepts together. By the end of this book, you'll be ready to build security controls at all layers, monitor and respond to attacks on cloud services, and add security organization-wide through risk management and training.

What's inside

  • The DevOps approach to Continuous Security
  • Construction of a DevOps pipeline via an example application
  • Implementation of Test Driven Security at the web application, cloud infrastructure, and delivery pipeline layers
  • Common attacks on cloud services and methods to protect against them
  • Techniques used in intrusion and fraud detection, digital forensics, and incident response
  • Assessing and managing risks in a DevOps organization

About the reader

Readers should have intermediate skills in systems administration, and be comfortable with Linux and the hosting of websites. An understanding of Amazon Web Services and automation frameworks like Puppet and Chef, along with basic programming skills, is helpful, but not required.

About the author

Julien Vehent is the leader of security architecture for Mozilla's Cloud Services division. He is responsible for defining, implementing and operating the security of web services that millions of Firefox users interact with daily. Julien has been focusing on developing, operating and securing Internet services for the past fifteen years, starting as a Linux sysadmin and graduating with a Master's in Information Security in 2007.

Manning Early Access Program (MEAP): read chapters as they are written, get the finished eBook as soon as it's ready, and receive the pBook long before it's in bookstores.