Practical Security for Agile and DevOps
- Length: 236 pages
- Edition: 1
- Language: English
- Publisher: Auerbach Publications
- Publication Date: 2022-02-01
- ISBN-10: 103215120X
- ISBN-13: 9781032151205
This textbook was written from the perspective of someone who began his software security career in 2005, long before the industry began focusing on it. This is an excellent perspective for students who want to learn about securing application development. After making all the rookie mistakes, the author realized that software security is a human factors issue rather than a technical or process issue alone. Throwing technology into an environment that expects people to deal with it, while failing to prepare them technically and psychologically with the knowledge and skills they need, is a certain recipe for bad results.
Practical Security for Agile and DevOps is a collection of best practices and effective implementation recommendations that are proven to work. The text leaves the details of software security theory out of the discussion as much as possible to concentrate on practical, applied software security useful to professionals. It is as much a book for students' own benefit as it is for the benefit of their academic careers and organizations. Professionals who are skilled in secure and resilient software development and related tasks are in tremendous demand, and this demand will increase exponentially for the foreseeable future. As students integrate the text's best practices into their daily duties, their value to their companies, management, community, and industry increases.
The textbook was written for the following readers:
- Students in higher education programs in business or engineering disciplines
- Appsec architects and program managers in information security organizations
- Enterprise architecture teams with a focus on application development
- Scrum Teams, including:
  - Scrum Masters
  - Engineers/developers
  - Analysts
  - Architects
  - Testers
- DevOps teams
- Product owners and their management
- Project managers
- Application security auditors
- Agile coaches and trainers
- Instructors and trainers in academia and private organizations
Table of Contents
- Front matter: Cover; Half Title; Title Page; Copyright Page; Dedication; Table of Contents; List of Figures and Tables; Preface; How This Book Is Organized; About the Author
- Chapter 1: Today’s Software Development Practices Shatter Old Security Practices
  - Chapter Overview; Chapter Takeaways
  - 1.1 Over the Waterfall
  - 1.2 What Is Agile?
  - 1.3 Shift Left!
  - 1.4 Principles First!
  - 1.5 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 2: Deconstructing Agile and Scrum
  - Chapter Overview; Chapter Takeaways
  - 2.1 The Goals of Agile and Scrum
  - 2.2 Agile/Scrum Terminology
  - 2.3 Agile/Scrum Roles
  - 2.4 Unwinding Sprint Loops
  - 2.5 Development and Operations Teams Get Married
  - 2.6 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 3: Learning Is FUNdamental!
  - Chapter Overview; Chapter Takeaways
  - 3.1 Education Provides Context, and Context Is Key
  - 3.2 Principles for Software Security Education
  - 3.3 Getting People’s Attention
  - 3.4 Awareness versus Education
  - 3.5 Moving into the Education Phase
  - 3.6 Strategies for Rolling Out Training
  - 3.7 Encouraging Training Engagement and Completion
  - 3.8 Measuring Success
  - 3.9 Keeping the Drumbeat Alive
  - 3.10 Create and Mature a Security Champion Network
  - 3.11 A Checklist for Establishing a Software Security Education, Training, and Awareness Program
  - 3.12 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 4: Product Backlog Development—Building Security In
  - Chapter Overview; Chapter Takeaways
  - 4.1 Functional versus Nonfunctional Requirements
  - 4.2 Testing NFRs
  - 4.3 Families of Nonfunctional Requirements
    - 4.3.1 Availability
  - 4.4 Capacity
  - 4.5 Efficiency
  - 4.6 Interoperability
  - 4.7 Manageability
    - 4.7.1 Cohesion
    - 4.7.2 Coupling
  - 4.8 Maintainability
  - 4.9 Performance
  - 4.10 Portability
  - 4.11 Privacy
  - 4.12 Recoverability
  - 4.13 Reliability
  - 4.14 Scalability
  - 4.15 Security
  - 4.16 Serviceability/Supportability
  - 4.17 Characteristics of Good Requirements
  - 4.18 Eliciting Nonfunctional Requirements
  - 4.19 NFRs as Acceptance Criteria and Definition of Done
  - 4.20 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 5: Secure Design Considerations
  - Chapter Overview; Chapter Takeaways
  - 5.1 Essential Concepts
  - 5.2 The Security Perimeter
  - 5.3 Attack Surface
    - 5.3.1 Mapping the Attack Surface
    - 5.3.2 Side Channel Attacks
  - 5.4 Application Security and Resilience Principles
    - 5.4.1 Practice 1: Apply Defense in Depth
    - 5.4.2 Practice 2: Use a Positive Security Model
    - 5.4.3 Practice 3: Fail Securely
    - 5.4.4 Practice 4: Run with Least Privilege
    - 5.4.5 Practice 5: Avoid Security by Obscurity
    - 5.4.6 Practice 6: Keep Security Simple
    - 5.4.7 Practice 7: Detect Intrusions
    - 5.4.8 Practice 8: Don’t Trust Infrastructure
    - 5.4.9 Practice 9: Don’t Trust Services
    - 5.4.10 Practice 10: Establish Secure Defaults
  - 5.5 Mapping Best Practices to Nonfunctional Requirements (NFRs) as Acceptance Criteria
  - 5.6 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 6: Security in the Design Sprint
  - Chapter Overview; Chapter Takeaways
  - 6.1 Design Phase Recommendations
  - 6.2 Modeling Misuse Cases
  - 6.3 Conduct Security Design and Architecture Reviews in Design Sprint
  - 6.4 Perform Threat and Application Risk Modeling
    - 6.4.1 Brainstorming Threats
  - 6.5 Risk Analysis and Assessment
    - 6.5.1 Damage Potential
    - 6.5.2 Reproducibility
    - 6.5.3 Exploitability
    - 6.5.4 Affected Users
    - 6.5.5 Discoverability
  - 6.6 Don’t Forget These Risks!
  - 6.7 Rules of Thumb for Defect Removal or Mitigation
  - 6.8 Further Needs for Information Assurance
  - 6.9 Countering Threats through Proactive Controls
  - 6.10 Architecture and Design Review Checklist
  - 6.11 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 7: Defensive Programming
  - Chapter Overview; Chapter Takeaways
  - 7.1 The Evolution of Attacks
  - 7.2 Threat and Vulnerability Taxonomies
    - 7.2.1 MITRE’s Common Weaknesses Enumeration (CWE)
    - 7.2.2 OWASP Top 10—2017
  - 7.3 Failure to Sanitize Inputs Is the Scourge of Software Development
  - 7.4 Input Validation and Handling
    - 7.4.1 Client-Side versus Server-Side Validation
    - 7.4.2 Input Sanitization
    - 7.4.3 Canonicalization
  - 7.5 Common Examples of Attacks Due to Improper Input Handling
    - 7.5.1 Buffer Overflow
    - 7.5.2 OS Commanding
  - 7.6 Best Practices in Validating Input Data
    - 7.6.1 Exact Match Validation
    - 7.6.2 Exact Match Validation Example
    - 7.6.3 Known Good Validation
    - 7.6.4 Known Bad Validation
    - 7.6.5 Handling Bad Input
  - 7.7 OWASP’s Secure Coding Practices
  - 7.8 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 8: Testing Part 1: Static Code Analysis
  - Chapter Overview; Chapter Takeaways
  - 8.1 Fixing Early versus Fixing Later
  - 8.2 Testing Phases
    - 8.2.1 Unit Testing
    - 8.2.2 Manual Source Code Reviews
    - 8.2.3 The Code Review Process
  - 8.3 Static Source Code Analysis
  - 8.4 Automated Reviews Compared with Manual Reviews
  - 8.5 Peeking Inside SAST Tools
  - 8.6 SAST Policies
  - 8.7 Using SAST in Development Sprints
  - 8.8 Software Composition Analysis (SCA)
  - 8.9 SAST is NOT for the Faint of Heart!
  - 8.10 Commercial and Free SAST Tools
  - 8.11 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP
  - Chapter Overview; Chapter Takeaways
  - 9.1 Penetration (Pen) Testing
  - 9.2 Open Source Security Testing Methodology Manual (OSSTMM)
  - 9.3 OWASP’s ASVS
  - 9.4 Penetration Testing Tools
  - 9.5 Automated Pen Testing with Black Box Scanners
  - 9.6 Deployment Strategies
    - 9.6.1 Developer Testing
    - 9.6.2 Centralized Quality Assurance Testing
  - 9.7 Gray Box Testing
  - 9.8 Limitations and Constraints of Pen Testing
  - 9.9 Interactive Application Security Testing (IAST)
  - 9.10 Runtime Application Self-Protection (RASP)
  - 9.11 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 10: Securing DevOps
  - Chapter Overview; Chapter Takeaways
  - 10.1 Shifting Left All Around
    - 10.1.1 Changing the Business Culture
  - 10.2 The Three Ways That Make DevOps Work
  - 10.3 The Three Ways Applied to AppSec
  - 10.4 OWASP’s DevSecOps Maturity Model
  - 10.5 OWASP’s DevSecOps Studio
  - 10.6 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 11: Metrics and Models for AppSec Maturity
  - Chapter Overview; Chapter Takeaways
  - 11.1 Maturity Models for Security and Resilience
  - 11.2 Software Assurance Maturity Model—OpenSAMM
    - 11.2.1 OpenSAMM Business Functions
    - 11.2.2 Core Practice Areas
  - 11.3 Levels of Maturity
    - 11.3.1 Objective
    - 11.3.2 Activities
    - 11.3.3 Results
    - 11.3.4 Success Metrics
    - 11.3.5 Costs
    - 11.3.6 Personnel
    - 11.3.7 Related Levels
    - 11.3.8 Assurance
  - 11.4 Using OpenSAMM to Assess Maturity Levels
  - 11.5 The Building Security In Maturity Model (BSIMM)
  - 11.6 BSIMM Organization
  - 11.7 BSIMM Software Security Framework
    - 11.7.1 Governance
    - 11.7.2 Intelligence
    - 11.7.3 SSDL Touchpoints
    - 11.7.4 Deployment
  - 11.8 BSIMM’s 12 Practice Areas
  - 11.9 Measuring Results with BSIMM
  - 11.10 The BSIMM Community
  - 11.11 Conducting a BSIMM Assessment
  - 11.12 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 12: Frontiers for AppSec
  - Chapter Overview; Chapter Takeaways
  - 12.1 Internet of Things (IoT)
    - 12.1.1 The Industry Responds
    - 12.1.2 The Government Responds
  - 12.2 Blockchain
    - 12.2.1 Security Risks with Blockchain Implementations
    - 12.2.2 Securing the Chain
  - 12.3 Microservices and APIs
  - 12.4 Containers
    - 12.4.1 Container Security Issues
    - 12.4.2 NIST to the Rescue Again!
  - 12.5 Autonomous Vehicles
  - 12.6 Web Application Firewalls (WAFs)
  - 12.7 Machine Learning/Artificial Intelligence
  - 12.8 Big Data
    - 12.8.1 Vulnerability to Fake Data Generation
    - 12.8.2 Potential Presence of Untrusted Mappers
    - 12.8.3 Lack of Cryptographic Protection
    - 12.8.4 Possibility of Sensitive Information Mining
    - 12.8.5 Problems with Granularity of Access Controls
    - 12.8.6 Data Provenance Difficulties
    - 12.8.7 High Speed of NoSQL Databases’ Evolution and Lack of Security Focus
    - 12.8.8 Absent Security Audits
  - 12.9 Summary
  - Chapter Quick Check; Exercises; References
- Chapter 13: AppSec Is a Marathon—Not a Sprint!
  - Chapter Overview; Chapter Takeaways
  - 13.1 Hit the Road
  - 13.2 Getting Involved with OWASP
  - 13.3 Certified Secure Software Lifecycle Professional (CSSLP®)
    - 13.3.1 Why Obtain the CSSLP?
  - 13.4 Higher Education
  - 13.5 Conclusion
  - Chapter Quick Check; Exercises; References
- Appendix A: Security Acceptance Criteria
  - Sample Acceptance Criteria for Seven Categories of Application Security Functions or Attributes
- Appendix B: Resources for AppSec
  - Training; Cyber Ranges; Requirements Management Tools; Threat Modeling; Static Code Scanners: Open Source; Static Code Scanners: Commercial; Dynamic Code Scanners: Open Source; Dynamic Code Scanners: Commercial; Maturity Models; Software Composition Analysis; IAST Tools; API Security Testing; Runtime Application Self-Protection (RASP); Web Application Firewalls (WAFs); Browser-centric Protection
- Appendix C: Answers to Chapter Quick Check Questions
- Glossary
- Index