Practical Security for Agile and DevOps PDF

2022·10.92 MB·English

Preview: Table of Contents of Practical Security for Agile and DevOps

Front matter: Cover Page; Half-Title Page; Title Page; Copyright Page; Dedication; Table of Contents; Preface; How This Book Is Organized

Each chapter opens with a Chapter Overview and Chapter Takeaways and closes with a Chapter Quick Check, Exercises, and References.

Chapter 1: Today's Software Development Practices Shatter Old Security Practices
    1.1 Over the Waterfall; 1.2 What Is Agile?; 1.3 Shift Left!; 1.4 Principles First!; 1.5 Summary

Chapter 2: Deconstructing Agile and Scrum
    2.1 The Goals of Agile and Scrum; 2.2 Agile/Scrum Terminology; 2.3 Agile/Scrum Roles; 2.4 Unwinding Sprint Loops; 2.5 Development and Operations Teams Get Married; 2.6 Summary

Chapter 3: Learning Is FUNdamental!
    3.1 Education Provides Context, and Context Is Key; 3.2 Principles for Software Security Education; 3.3 Getting People's Attention; 3.4 Awareness versus Education; 3.5 Moving into the Education Phase; 3.6 Strategies for Rolling Out Training; 3.7 Encouraging Training Engagement and Completion; 3.8 Measuring Success; 3.9 Keeping the Drumbeat Alive; 3.10 Create and Mature a Security Champion Network; 3.11 A Checklist for Establishing a Software Security Education, Training, and Awareness Program; 3.12 Summary

Chapter 4: Product Backlog Development: Building Security In
    4.1 Functional versus Nonfunctional Requirements; 4.2 Testing NFRs; 4.3 Families of Nonfunctional Requirements; 4.3.1 Availability; 4.4 Capacity; 4.5 Efficiency; 4.6 Interoperability; 4.7 Manageability; 4.7.1 Cohesion; 4.7.2 Coupling; 4.8 Maintainability; 4.9 Performance; 4.10 Portability; 4.11 Privacy; 4.12 Recoverability; 4.13 Reliability; 4.14 Scalability; 4.15 Security; 4.16 Serviceability/Supportability; 4.17 Characteristics of Good Requirements; 4.18 Eliciting Nonfunctional Requirements; 4.19 NFRs as Acceptance Criteria and Definition of Done; 4.20 Summary

Chapter 5: Secure Design Considerations
    5.1 Essential Concepts; 5.2 The Security Perimeter; 5.3 Attack Surface; 5.3.1 Mapping the Attack Surface; 5.3.2 Side Channel Attacks; 5.4 Application Security and Resilience Principles; 5.4.1 Practice 1: Apply Defense in Depth; 5.4.2 Practice 2: Use a Positive Security Model; 5.4.3 Practice 3: Fail Securely; 5.4.4 Practice 4: Run with Least Privilege; 5.4.5 Practice 5: Avoid Security by Obscurity; 5.4.6 Practice 6: Keep Security Simple; 5.4.7 Practice 7: Detect Intrusions; 5.4.8 Practice 8: Don't Trust Infrastructure; 5.4.9 Practice 9: Don't Trust Services; 5.4.10 Practice 10: Establish Secure Defaults; 5.5 Mapping Best Practices to Nonfunctional Requirements (NFRs) as Acceptance Criteria; 5.6 Summary

Chapter 6: Security in the Design Sprint
    6.1 Design Phase Recommendations; 6.2 Modeling Misuse Cases; 6.3 Conduct Security Design and Architecture Reviews in Design Sprint; 6.4 Perform Threat and Application Risk Modeling; 6.4.1 Brainstorming Threats; 6.5 Risk Analysis and Assessment; 6.5.1 Damage Potential; 6.5.2 Reproducibility; 6.5.3 Exploitability; 6.5.4 Affected Users; 6.5.5 Discoverability; 6.6 Don't Forget These Risks!; 6.7 Rules of Thumb for Defect Removal or Mitigation; 6.8 Further Needs for Information Assurance; 6.9 Countering Threats through Proactive Controls; 6.10 Architecture and Design Review Checklist; 6.11 Summary

Chapter 7: Defensive Programming
    7.1 The Evolution of Attacks; 7.2 Threat and Vulnerability Taxonomies; 7.2.1 MITRE's Common Weaknesses Enumeration (CWE); 7.2.2 OWASP Top 10 (2017); 7.3 Failure to Sanitize Inputs Is the Scourge of Software Development; 7.4 Input Validation and Handling; 7.4.1 Client-Side versus Server-Side Validation; 7.4.2 Input Sanitization; 7.4.3 Canonicalization; 7.5 Common Examples of Attacks Due to Improper Input Handling; 7.5.1 Buffer Overflow; 7.5.2 OS Commanding; 7.6 Best Practices in Validating Input Data; 7.6.1 Exact Match Validation; 7.6.2 Exact Match Validation Example; 7.6.3 Known Good Validation; 7.6.4 Known Bad Validation; 7.6.5 Handling Bad Input; 7.7 OWASP's Secure Coding Practices; 7.8 Summary

Chapter 8: Testing Part 1: Static Code Analysis
    8.1 Fixing Early versus Fixing Later; 8.2 Testing Phases; 8.2.1 Unit Testing; 8.2.2 Manual Source Code Reviews; 8.2.3 The Code Review Process; 8.3 Static Source Code Analysis; 8.4 Automated Reviews Compared with Manual Reviews; 8.5 Peeking Inside SAST Tools; 8.6 SAST Policies; 8.7 Using SAST in Development Sprints; 8.8 Software Composition Analysis (SCA); 8.9 SAST Is NOT for the Faint of Heart!; 8.10 Commercial and Free SAST Tools; 8.11 Summary

Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP
    9.1 Penetration (Pen) Testing; 9.2 Open Source Security Testing Methodology Manual (OSSTMM); 9.3 OWASP's ASVS; 9.4 Penetration Testing Tools; 9.5 Automated Pen Testing with Black Box Scanners; 9.6 Deployment Strategies; 9.6.1 Developer Testing; 9.6.2 Centralized Quality Assurance Testing; 9.7 Gray Box Testing; 9.8 Limitations and Constraints of Pen Testing; 9.9 Interactive Application Security Testing (IAST); 9.10 Runtime Application Self-Protection (RASP); 9.11 Summary

Chapter 10: Securing DevOps
    10.1 Shifting Left All Around; 10.1.1 Changing the Business Culture; 10.2 The Three Ways That Make DevOps Work; 10.3 The Three Ways Applied to AppSec; 10.4 OWASP's DevSecOps Maturity Model; 10.5 OWASP's DevSecOps Studio; 10.6 Summary

Chapter 11: Metrics and Models for AppSec Maturity
    11.1 Maturity Models for Security and Resilience; 11.2 Software Assurance Maturity Model (OpenSAMM); 11.2.1 OpenSAMM Business Functions; 11.2.2 Core Practice Areas; 11.3 Levels of Maturity; 11.3.1 Objective; 11.3.2 Activities; 11.3.3 Results; 11.3.4 Success Metrics; 11.3.5 Costs; 11.3.6 Personnel; 11.3.7 Related Levels; 11.3.8 Assurance; 11.4 Using OpenSAMM to Assess Maturity Levels; 11.5 The Building Security In Maturity Model (BSIMM); 11.6 BSIMM Organization; 11.7 BSIMM Software Security Framework; 11.7.1 Governance; 11.7.2 Intelligence; 11.7.3 SSDL Touchpoints; 11.7.4 Deployment; 11.8 BSIMM's 12 Practice Areas; 11.9 Measuring Results with BSIMM; 11.10 The BSIMM Community; 11.11 Conducting a BSIMM Assessment; 11.12 Summary

Chapter 12: Frontiers for AppSec
    12.1 Internet of Things (IoT); 12.1.1 The Industry Responds; 12.1.2 The Government Responds; 12.2 Blockchain; 12.2.1 Security Risks with Blockchain Implementations; 12.2.2 Securing the Chain; 12.3 Microservices and APIs; 12.4 Containers; 12.4.1 Container Security Issues; 12.4.2 NIST to the Rescue Again!; 12.5 Autonomous Vehicles; 12.6 Web Application Firewalls (WAFs); 12.7 Machine Learning/Artificial Intelligence; 12.8 Big Data; 12.8.1 Vulnerability to Fake Data Generation; 12.8.2 Potential Presence of Untrusted Mappers; 12.8.3 Lack of Cryptographic Protection; 12.8.4 Possibility of Sensitive Information Mining; 12.8.5 Problems with Granularity of Access Controls; 12.8.6 Data Provenance Difficulties; 12.8.7 High Speed of NoSQL Databases' Evolution and Lack of Security Focus; 12.8.8 Absent Security Audits; 12.9 Summary

Chapter 13: AppSec Is a Marathon, Not a Sprint
    13.1 Hit the Road; 13.2 Getting Involved with OWASP; 13.3 Certified Secure Software Lifecycle Professional (CSSLP®); 13.3.1 Why Obtain the CSSLP?; 13.4 Higher Education; 13.5 Conclusion

Appendix A: Security Acceptance Criteria
    Sample Acceptance Criteria for Seven Categories of Application Security Functions or Attributes

Appendix B: Resources for AppSec
    Training; Cyber Ranges; Requirements Management Tools; Threat Modeling; Static Code Scanners: Open Source; Static Code Scanners: Commercial; Dynamic Code Scanners: Open Source; Dynamic Code Scanners: Commercial; Maturity Models; Software Composition Analysis; IAST Tools; API Security Testing; Runtime Application Self-Protection (RASP); Web Application Firewalls (WAFs); Browser-centric Protection

Appendix C: Answers to Chapter Quick Check Questions

Glossary

Index

Description:
This textbook was written from the perspective of someone who began his software security career in 2005, long before the industry began focusing on it. This is an excellent perspective for students who want to learn about securing application development. After having made all the rookie mistakes, the author realized that software security is a human factors issue rather than a technical or process issue alone. Throwing technology into an environment that expects people to deal with it, but failing to prepare them technically and psychologically with the knowledge and skills needed, is a certain recipe for bad results.

Practical Security for Agile and DevOps is a collection of best practices and effective implementation recommendations that are proven to work. The text leaves the boring details of software security theory out of the discussion as much as possible to concentrate on practical applied software security that is useful to professionals. It is as much a book for students' own benefit as it is for the benefit of their academic careers and organizations. Professionals who are skilled in secure and resilient software development and related tasks are in tremendous demand. This demand will increase exponentially for the foreseeable future. As students integrate the text's best practices into their daily duties, their value increases to their companies, management, community, and industry.

The textbook was written for the following readers:
    Students in higher education programs in business or engineering disciplines
    AppSec architects and program managers in information security organizations
    Enterprise architecture teams with a focus on application development
    Scrum Teams, including: Scrum Masters; Engineers/developers; Analysts; Architects; Testers
    DevOps teams
    Product owners and their management
    Project managers
    Application security auditors
    Agile coaches and trainers
    Instructors and trainers in academia and private organizations
