Agile Application Security. Enabling Security in a Continuous Delivery Pipeline - Helion
ISBN: 978-14-919-3879-9
Pages: 386, Format: ebook
Publication date: 2017-09-08
Bookstore: Helion
Book price: 152,15 zł (previously: 176,92 zł)
You save: 14% (-24,77 zł)
Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques. And most security professionals aren’t up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development.
Written by security experts and agile veterans, this book begins by introducing security principles to agile practitioners, and agile principles to security practitioners. The authors also reveal problems they encountered in their own experiences with agile security, and how they worked to solve them.
You’ll learn how to:
- Add security practices to each stage of your existing development lifecycle
- Integrate security with planning, requirements, design, and at the code level
- Include security testing as part of your team’s effort to deliver working software in each release
- Implement regulatory compliance in an agile or DevOps environment
- Build an effective security program through a culture of empathy, openness, transparency, and collaboration
Table of contents
- Preface
- Who Should Read This Book
- The Agile Practitioner
- The Security Practitioner
- The Agile Security Practitioner
- Navigating This Book
- Part 1 - Fundamentals
- Part 2 - Agile and Security
- Part 3 - Pulling it all together
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Safari
- How to Contact Us
- Acknowledgments
- 1. Getting started with security
- This isn't just a technology problem
- Not just for geeks
- Security is about risk
- Vulnerability, Likelihood and Impact
- We are all vulnerable - Vulnerability
- Not impossible just improbable - Likelihood
- Measuring the cost - Impact
- Risk can be minimised, not avoided
- We live in an imperfect world and have to make hard decisions
- Threat Actors and Knowing your enemy
- There is an attacker for everyone
- Motivation, Resources, Access
- Security Values: Protecting our data, systems and people
- Know what you are trying to protect
- Confidentiality, Integrity and Availability
- Confidentiality: keep it secret
- Integrity: keep it safe
- Availability, keeping the doors open and the lights on
- Non-repudiation
- Compliance, regulation and security standards
- Common Security Misconceptions/Mistakes
- Security is absolute
- Security is a point that can be reached
- Security is static
- Security requires special <insert item/device/budget>
- So welcome, let's get started
- 2. Agile Enablers
- Build Pipeline
- Automated Testing
- Continuous Integration
- Infrastructure as Code
- Release Management
- Visible Tracking
- Centralised Feedback
- The only good code is deployed code
- Operating Safely and at Speed
- 3. Welcome to the agile revolution
- Agile: a potted landscape
- Scrum, the most popular of agile methodologies
- Sprints and Backlogs
- Stand-Ups
- Scrum Feedback Loops
- Extreme Programming
- The Planning Game
- The On-site Customer
- Pair Programming
- Test Driven Development
- Shared Design Metaphor
- Kanban
- Kanban Board: Make Work Visible
- Constant Feedback
- Continuous Improvement
- Lean
- Agile methods in general
- What about DevOps?
- Agile and Security
- 4. Working with your existing agile lifecycle
- Traditional Application Security Models
- Per iteration rituals
- Tools embedded in the lifecycle
- Pre iteration involvement
- Tooling for planning and discovery
- Post iteration involvement
- Tools to enable the team
- Compliance and audit tools
- Setting Secure Baselines
- What about when you scale?
- Building security teams that enable
- Building tools that people will use
- Documenting security techniques
- Key Takeaways
- 5. Security and Requirements
- Dealing with Security in Requirements
- Agile requirements: telling stories
- What do stories look like?
- Conditions of Satisfaction
- Tracking and managing stories: the Backlog
- Dealing with Bugs
- Getting Security into Requirements
- Security Stories
- Privacy, Fraud, Compliance and Encryption
- SAFECode Security Stories
- Security Personas and Anti-Personas
- Attacker Stories: Put your Black Hat on
- Writing Attacker Stories
- Attack Trees
- Building an attack tree
- Maintaining and using attack trees
- Infrastructure and Operations Requirements
- Key Takeaways
- 6. Agile Vulnerability Management
- Vulnerability Scanning and Patching
- First, understand what you need to scan
- Then, decide how to scan and how often
- Tracking Vulnerabilities
- Managing Vulnerabilities
- Dealing with Critical Vulnerabilities
- Securing your Software Supply Chain
- Vulnerabilities in Containers
- Fewer, Better Suppliers
- How to fix Vulnerabilities in an Agile Way
- Test Driven Security
- Zero Bug Tolerance
- Collective Code Ownership
- Security Sprints, Hardening Sprints and Hack Days
- Taking on and Paying down Security Debt
- Key Takeaways
- 7. Risk for Agile Teams
- Security says No
- Understanding Risks and Risk Management
- Risks and Threats
- Dealing with Risk
- Making Risks Visible
- Accepting and Transferring Risks
- Changing contexts for risks
- Risk Management in Agile and DevOps
- Speed of delivery
- Incremental design and refactoring
- Self organised, autonomous teams
- Automation
- Agile risk mitigation
- Handling Security Risks in Agile and DevOps
- Key Takeaways
- 8. Threat Assessments and Understanding Attacks
- Understanding Threats: Paranoia and Reality
- Understanding Threat Actors
- Threat Actor Archetypes
- Insiders
- Outsiders
- Threats and Attack Targets
- Threat Intelligence
- Threat Assessment
- Your System's Attack Surface
- Mapping your Application Attack Surface
- Managing your Application Attack Surface
- Agile Threat Modelling
- Understanding Trust and Trust Boundaries
- Building your Threat Model
- Good Enough is Good Enough
- Thinking like an Attacker
- STRIDE: A Structured Model to Understand Attackers
- Incremental Threat Modeling and Risk Assessments
- Assess Risks Upfront
- Review threats as the design changes
- Getting Value out of Threat modelling
- Common Attack Vectors
- Key Takeaways
- 9. Building secure and usable systems
- Design to resist compromise
- Security vs Usability
- Technical controls
- Deterrent controls
- Resistive controls
- Protective controls
- Detective controls
- Compensating controls
- Security architecture
- Perimeterless security
- Assume Compromised
- Complexity and Security
- Key Takeaways
- 10. Code Review for Security
- Why do we need to review code?
- Types of Code Reviews
- Formal Inspections
- Rubber Ducking or Desk Checking
- Pair Programming (and Mob Programming)
- Peer Code Reviews
- Code Audits
- Automated Code Reviews
- What kind of review approach works best for your team?
- When should you review code?
- Before code changes are committed
- Gated Checks before Release
- Post Mortem and Investigation
- How to review code
- Take advantage of Coding guidelines
- Using Code Review Checklists
- Don't make these mistakes
- Review code a little bit at a time
- What Code needs to be Reviewed?
- Who needs to Review Code?
- How many reviewers?
- What experience do reviewers need?
- Automated Code Reviews
- Different Tools find Different Problems
- What tools are good for, and what they aren't good for
- Getting developers to use automated code reviews
- Self-Service Scanning
- Reviewing Infrastructure Code
- Code Review Challenges and Limitations
- Reviews take time
- Understanding somebody else's code is hard
- Finding Security Vulnerabilities is even harder
- Adopting Secure Code Reviews
- Build on what the team is doing, or should be doing
- Refactoring: Keeping code simple and secure
- Fundamentals will take you a long way to secure, safe code
- Reviewing Security Features and Controls
- Reviewing Code for Insider Threats
- Key Takeaways
- 11. Agile Security Testing
- How is testing done in Agile?
- If you got bugs, you'll get pwned
- The Agile Test Pyramid
- Unit testing and TDD
- What Unit Testing Means to System Security
- Get off of the Happy Path
- Service-Level testing and BDD tools
- Gauntlt (Be Mean to your Code)
- BDD-Security
- Let's look under the covers
- Acceptance Testing
- Functional Security Testing and Scanning
- ZAP Tutorial
- ZAP in Continuous Integration
- BDD-Security and ZAP together
- Challenges with Application Scanning
- Testing your Infrastructure
- Linting
- Unit Testing
- Acceptance Testing
- Creating an automated build and test pipeline
- Nightly Build
- Continuous Integration
- Continuous Delivery - and Continuous Deployment
- Out of Band Testing and Reviews
- Promoting to Production
- Guidelines for creating a successful automated pipeline
- Where security testing fits into your pipeline
- A place for manual testing in Agile
- How do you make Security Testing Work in Agile and DevOps?
- Key Takeaways
- 12. External Reviews, Testing and Advice
- Why do we need External Reviews?
- Vulnerability Assessment
- Penetration Testing
- Red Teaming
- Bug Bounties
- How Bug Bounties Work
- Setting up a Bug Bounty Program
- Are you sure you want to run a Bug Bounty?
- Configuration Review
- Secure Code Audit
- Crypto Audit
- Choosing an External Firm
- Experience with products/organizations like yours
- Actively researching or updating skills
- Meet the technical people
- Getting Your Money's Worth
- Don't Waste Their Time
- Challenge the findings
- Insist on results that work for you
- Put results into context
- Include the engineering team
- Measure improvement over time
- Hold review/retrospective/sharing events and share the results
- Spread remediation across teams to maximise knowledge transfer
- Rotate firms or swap testers over time
- Key Takeaways
- 13. Operations and OpSec
- System Hardening: Setting up Secure Systems
- Regulatory requirements for hardening
- Hardening standards and guidelines
- Challenges with hardening
- Automated Compliance Scanning
- Approaches for building hardened systems
- Automated Hardening Templates
- Network as Code
- Monitoring and Intrusion Detection
- Monitoring to drive feedback loops
- Using Application Monitoring for security
- Auditing and Logging
- Proactive versus Reactive Detection
- Catching Mistakes at Run-time
- Run-time Defense
- Cloud Security Protection
- RASP
- Incident Response: Preparing for Breaches
- Get your Exercise: Game Days and Red Teaming
- Blameless Postmortems: Learning from Security Failures
- Securing your Build Pipeline
- Harden your build infrastructure
- Understand what's in the cloud
- Harden your CI/CD Tools
- Lock Down Configuration Managers
- Protect Keys and Secrets
- Lock Down Repos
- Secure Chat
- Review the Logs
- Use Phoenix Servers for Build and Test
- Monitor your Build and Test Systems
- Sshh, Keeping Secrets Secret
- Key Takeaways
- 14. Compliance
- Compliance and Security
- Different Regulatory Approaches
- PCI DSS: Rules-Based
- Reg SCI: Outcome-Based
- Risk Management and Compliance
- Traceability of Changes
- Data Privacy
- How to meet Compliance and Stay Agile
- Compliance Stories and Compliance in Stories
- More Code, Less Paperwork
- Traceability and Assurance in Continuous Delivery
- Managing Changes in Continuous Delivery
- Dealing with Separation of Duties
- Building Compliance into your Culture
- Keeping Auditors Happy
- Dealing with Auditors when they aren't Happy
- Certification and Attestation
- Continuous Compliance and Breaches
- Certification doesn't mean that you are Secure
- Key Takeaways
- 15. Security Culture
- The importance of security culture
- Defining culture
- Push, don't pull
- Building a security culture
- Principles of effective security
- Enable, don't block
- Transparently secure
- Don't play the blame game
- Scale security, empower the edges
- The who is just as important as the how
- Security outreach
- Securgonomics
- Dashboards
- Key Takeaways
- 16. What does Agile Security mean?
- Laura's Story
- Not an engineer but a hacker
- Your baby is ugly and you should feel bad
- Speak Little, Listen Much
- Let's go faster
- Creating Fans and Friends
- We are small but we are many
- Jim's story
- You can Build your own Security Experts
- Choose People over Tools
- Security has to start with Quality
- You can make Compliance an Everyday Thing
- Michael's Story
- Security skills are unevenly distributed
- Security practitioners need to get a tech refresh
- Accreditation and Assurance are dying
- Security is an enabler
- Rich's story
- The first time's free
- This can be more than a hobby?
- A little lightbulb
- Computers are hard, people are harder
- And now we're here
- Index