Learning DevSecOps: A Practical Guide to Processes and Tools

Author: Suehring Steve
Release date: 2024
Publisher: O’Reilly Media, Inc.
Number of pages: 195
File size: 1.6 MB
File type: PDF
Added by: codelibs

Cover....1

Copyright....3

Table of Contents....4

Preface....8

What Is DevSecOps?....8

Who Is This Book For?....9

How This Book Is Organized....9

Conventions Used in This Book....10

O’Reilly Online Learning....11

How to Contact Us....11

Acknowledgments....12

Chapter 1. The Need for DevSecOps....14

Developing Software....15

Developing Agility....17

Developing Broken Software....19

Operating in a Darkroom....20

Security as an Afterthought....21

Culture First....22

Processes over Tools....23

Promoting the Right Skills....23

DevSecOps as Process....24

The DevSecOps SDLC....26

Summary....28

Chapter 2. Foundational Knowledge in 25 Pages or Less....30

The Command-Line Interface....31

Command Line Versus Terminal Versus Shell....31

Why Do I Need the Command Line?....32

Getting Started with the Command Line....33

Protocols: A High-Level Overview....33

Protocol Layers....34

Two Protocols Plus Another....35

Basic Internet Protocols....36

Data Security: Confidentiality, Integrity, and Availability....44

Development Overview for Scripting....46

Commands and Built-ins....47

Basic Programmatic Constructs: Variables, Data, and Data Types....47

Making Decisions with Conditionals....48

Looping....51

Lists and Arrays....52

Summary....52

Chapter 3. Integrating Security....54

Integrating Security Practices....54

Implementing Least Privilege....55

Maintaining Confidentiality....57

Data in Flight....58

Data at Rest....61

Verifying Integrity....63

Checksums....63

Verifying Email....65

Providing Availability....66

Service-Level Agreements and Service-Level Objectives....67

Identifying Stakeholders....67

Identifying Availability Needs....67

Defining Availability and Estimating Costs....68

What About Accountability?....70

Site Reliability Engineering....70

Code Traceability and Static Analysis....72

Becoming Security Aware....74

Finding Formal Training....74

Obtaining Free Knowledge....75

Enlightenment Through Log Analysis....76

Practical Implementation: OWASP ZAP....76

Creating a Target....77

Installing ZAP....78

Getting Started with ZAP: Manual Scan....79

Summary....87

Chapter 4. Managing Code and Testing....90

Examining Development....90

Be Intentional and Deliberate....91

Don’t Repeat Yourself....91

Managing Source Code with Git....92

A Simple Setup for Git....92

Using Git (Briefly)....95

Branching and Merging....99

Examining the Gitflow Pattern....100

Examining the Trunk-Based Pattern....102

Testing Code....103

Unit Testing....103

Integration Testing....104

System Testing....104

Automating Tests....104

Summary....107

Chapter 5. Moving Toward Deployment....110

Managing Configuration as Code and Software Bill of Materials (SBOM)....110

Using Docker....114

Container and Image Concepts....115

Obtaining Images....116

Deploying Safely with Blue-Green Deployment....125

Summary....126

Chapter 6. Deploy, Operate, and Monitor....128

Continuous Integration and Continuous Deployment....128

Building and Maintaining Environments with Ansible....129

Using Jenkins for Deployment....130

Creating a Pipeline....139

Monitoring....144

Summary....147

Chapter 7. Plan and Expand....150

Scaling Up with Kubernetes....150

Understanding Basic Kubernetes Terms....151

Installing Kubernetes....151

Deploying with Kubernetes....157

Defining a Deployment....157

Defining a Service....160

Moving Toward Microservices....162

Connecting the Resources....163

Integrating Helm....166

Summary....167

Chapter 8. Beyond DevSecOps....168

DevSecOps Patterns....168

Shifting Left and Adding CI/CD....169

Multicloud Integration....169

Integrated and Automatic Security....169

Linux Everywhere....170

Refactor and Redeploy....170

Summary....170

Appendix A. Ports and Protocols....172

Appendix B. Command Reference....174

Basic Command-Line Navigation....174

Directory Listing....175

Pager....175

Command Recall and Tab Completion....175

Creating Directories....176

Changing Permissions and Ownership....176

Screen Is Your Friend....176

Using grep....177

Using touch....177

DNS with dig....177

Determine Address for a Host....177

Changing the Server to Be Queried....179

Finding the Authoritative Nameserver....179

Querying the Authoritative Nameserver....181

Finding Mail Servers....182

Finding SPF and TXT Records....182

Examining the Root....183

Index....186

About the Author....193

Colophon....193

How do some organizations maintain 24-7 internet-scale operations? How can organizations integrate security while continuously deploying new features? How do organizations increase security within their DevOps processes?

This practical guide helps you answer those questions and more. Author Steve Suehring provides unique content to help practitioners and leadership successfully implement DevOps and DevSecOps. Learning DevSecOps emphasizes prerequisites that lead to success through best practices and then takes you through some of the tools and software used by successful DevSecOps-enabled organizations.

You'll learn how DevOps and DevSecOps can eliminate the walls that stand between development, operations, and security so that you can tackle the needs of other teams early in the development lifecycle.

With this book, you will:

  • Learn why DevSecOps is about culture and processes, with tools to support the processes
  • Understand why DevSecOps practices are key elements to deploying software in a 24-7 environment
  • Deploy software using a DevSecOps toolchain and create scripts to assist
  • Integrate processes from other teams earlier in the software development lifecycle
  • Help team members learn the processes important for successful software development
