Identity Security for Software Development - Helion

ebook

Autor: John Walsh, Uzi Ailon, Matt Barker
ISBN: 9781098157999
stron: 208, Format: ebook
Data wydania: 2025-05-06
Księgarnia: Helion

Cena książki: 177,65 zł (poprzednio: 206,57 zł)
Oszczędzasz: 14% (-28,92 zł)

Osoby, które kupiły tę książkę, wybierały także »

Maintaining secrets, credentials, and nonhuman identities in secure ways is an important, though often overlooked, aspect of secure software development. Cloud migration and digital transformation have led to an explosion of nonhuman identities—like automation scripts, cloud native apps, and DevOps tools—that need to be secured across multiple cloud and hybrid environments.

DevOps security often addresses vulnerability scanning, but it neglects broader discussions like authentication, authorization, and access control, potentially leaving the door open for breaches. That's where an identity security strategy focused on secrets management can help.

In this practical book, authors John Walsh and Uzi Ailon provide conceptual frameworks, technology overviews, and practical code snippets to help DevSecOps engineers, cybersecurity engineers, security managers, and software developers address use cases across CI/CD pipelines, Kubernetes and cloud native, hybrid and multicloud, automation/RPA, IOT/OT, and more. You'll learn:

The fundamentals of authentication, authorization, access control, and secrets management
What developers need to know about managing secrets and identity to build safer apps
What nonhuman identities, secrets, and credentials are—and how to secure them
How developers work with their cross-function peers to build safer apps
How identity security fits into modern software development practices

Osoby które kupowały "Identity Security for Software Development", wybierały także:

Biologika Sukcesji Pokoleniowej. Sezon 3. Konflikty na terytorium 124,17 zł, (14,90 zł -88%)
Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
Podręcznik startupu. Budowa wielkiej firmy krok po kroku 93,13 zł, (14,90 zł -84%)
Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
Scrum. O zwinnym zarz 78,42 zł, (14,90 zł -81%)

Spis treści

Identity Security for Software Development eBook -- spis treści

Preface
- Our Approach
- Who Should Read This Book?
- What Youll Find Inside
- Conventions Used in This Book
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
1. What You Need to Know About Identity Security
- Why Identity Security Matters
- Zero Trust Identity Security
- The Modern Enterprise Makes Identity Security Difficult
- Machine Identity Challenges
- Common Attack Types
- Identity Security Concepts
- Summary
2. Secure Coding Practices for Identity Security
- The Zero Trust Model
- Best Practices
  - General Secure Coding Best Practices
    - Input validation
    - Encryption
    - Resource management
    - Session management
    - Code obfuscation
  - Identity Security Best Practices
    - Authentication (AuthN)
    - Authorization (AuthZ)
    - Access control
    - Auditing and logging
    - Secrets management
    - Securing development environments
    - Avoiding insecure components
    - Automated scanning and analysis
- Understanding Security Standards
  - CWE
  - OWASP
  - NIST
  - PCI DSS
  - HIPAA
- Summary
3. Authentication and Authorization
- AuthN
  - Username and Password
  - MFA
  - Token-Based AuthN
  - Biometric AuthN
  - Common AuthN Techniques
    - OpenID Connect
    - JWT
    - Lightweight directory access protocol
    - Security Assertion Markup Language
  - Risk Analysis During AuthN
  - AuthN Best Practices
- AuthZ
  - OAuth 2.0
  - JWT
  - Access Control Lists
  - Extensible Access Control Markup Language
- Summary
4. Overview of Identity and Access Management Solutions and Protocols
- Core Components of IAM
  - Identity Management
  - Access Management
  - AuthN
  - AuthZ
  - Identity Governance and Administration
- Why Does IAM Matter?
  - Consumer Applications
  - Enterprise Applications
  - How IAM Relates to OWASP
    - A01:2021Broken access control
    - A03:2021Injection
    - A04:2021Insecure design
    - A07:2021Identification and authentication failures
    - A09:2021Security logging and monitoring failures
- Identity Lifecycle Management
  - Identity Provisioning and Deprovisioning
  - Role Management
  - Workflow and Approval Processes
  - Identity Synchronization and Reconciliation
- IAM Architecture Models
  - Centralized IAM Model
  - Decentralized IAM Model
  - Hybrid IAM Model
  - IAM in Cloud Environments
- Key Standards in IAM
  - SAML: Centralized AuthN for SSO
  - OAuth 2.0: Securing Third-Party Access to Resources
  - OIDC: Adding Identity to OAuth 2.0
  - LDAP: Centralized Directory Services
  - System for Cross-Domain Identity Management: Simplifying User Provisioning
  - FIDO: Passwordless AuthN for Strong Security
- Emerging Trends in IAM
  - AI in IAM
  - Blockchain in IAM
- Summary
5. Secrets Management
- Why Does Secrets Management Matter?
- Principles of Secrets Management
  - Principle #1: Encryption
  - Principle #2: Access Control
  - Principle #3: Monitoring and Auditing
  - Principle #4: Compliance
  - Principle #5: Testing
  - Principle #6: Automation
  - Principle #7: Centralization
- Secrets Management in Code
- Secrets Management Tools and Frameworks
  - Setting Up a Secrets Policy
  - Creating a Secrets Store by Using ESO
  - Setting a Secret
  - Retrieving a Secret
- Summary
6. Cloud Security and Cloud Native Considerations
- Background on Cloud Computing and Security
- Watch Out for Security Misconfigurations
- Cloud Native Versus Lift and Shift
  - The Four Cs of Cloud Native Security
    - Cloud security
    - Cluster security
    - Container security
    - Code
  - How Different CSPs Structure Resources
    - AWS
      - Google Cloud Platform
    - Microsoft Azure
- Guiding Principles for Securing Cloud Applications
- Comparing IAM Services
  - Permissions
    - AWS
    - GCP
    - Microsoft Azure
  - Access
    - AWS
    - GCP
    - Microsoft Azure
  - Switching Between CSPs
- Summary
7. Securing Kubernetes
- How Kubernetes Works
- Kubernetes Security Challenges
- Secrets Management in Kubernetes
- Best Practices for Kubernetes Security
  - Use Service Accounts Diligently
  - Leverage the Kubernetes RBAC Framework
    - Examples of Roles and ClusterRoles
    - Examples of RoleBinding and ClusterRoleBinding
  - Securing Your Pods and Containers
    - Pod security context
    - Container security context
    - Pod Security Standards
    - Sandboxed Pods
    - Use a minimal base image
      - Slim images
      - Distroless images
      - Multistage Docker builds
    - Other considerations
  - Ensure Network Security
    - Examples of NetworkPolicies
    - Network security best practices
- Identity Management on Kubernetes Using SPIFFE
- Using cert-manager for TLS Identity Security Automation
- Using Service Meshes to Secure Clusters
  - Identity Management in Service Meshes
  - AuthZ in Service Meshes
  - Trading Off Performance and Security
  - Service Mesh Best Practices
    - Prioritize security
    - Manage mesh traffic
    - Implement effective observability
- Summary
8. Security Automation
- Why Does Security Automation Matter?
- Types of Security Automation
- What Security Processes Can Be Automated?
- Security Automation at Work
  - Security Automation Tools
    - Digital forensics
    - EDR and XDR
    - Firewalls
    - Intrusion detection
    - Privileged access management
    - SIEM
    - SOAR
    - Static code analysis
    - Threat intelligence
  - Security Automation Best Practices
    - Know where to start
    - Enforce zero trust
    - Choose a solution
    - Use scripts and playbooks
    - Monitor continuously
  - Infrastructure as Code
  - Policy as Code
  - Secure Automation Tools
  - Security Automation with AI
- Example: Security Automation with Ansible and Conjur Open Source
- Summary
9. CI/CD Pipeline Security and Software Supply Chains
- Why Does Securing Your CI/CD Pipeline Matter?
  - Securing Secrets in a CI/CD Pipeline
  - A Jenkins Example
  - What OWASP Says About CI/CD Security
- Foundations of CI/CD Security
  - Source Code Threats
    - Access control
    - Security-focused testing
    - Dependency management
    - Commit integrity
  - Hardening the Build Process
    - Access control
    - Build protection
  - Managing Artifacts
    - Public registries
    - Registry security
  - Integrating Security Testing into CI/CD Pipelines
    - Static application security testing
    - Dynamic application security testing
    - Fuzzing
    - Interactive application security testing
    - Common vulnerabilities and exposures scanning
  - Monitoring and Incident Response
  - Provenance, Attestations, and Digital Signatures
    - Provenance generation
    - Provenance storage
    - SBOMs
    - Digital signatures
- Summary
Index