Agile Application Security. Enabling Security in a Continuous Delivery Pipeline
- Authors:
- Laura Bell, Michael Brunton-Spall, Rich Smith
- Rating:
- Be the first to rate this book
- Pages:
- 386
- Available formats:
- ePub, Mobi
Ebook description: Agile Application Security. Enabling Security in a Continuous Delivery Pipeline
Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally hasn't integrated well with traditional security management techniques. And most security professionals aren’t up to speed in their understanding and experience of agile development. To help bridge the divide between these two worlds, this practical guide introduces several security tools and techniques adapted specifically to integrate with agile development.
Written by security experts and agile veterans, this book begins by introducing security principles to agile practitioners, and agile principles to security practitioners. The authors also reveal problems they encountered in their own experiences with agile security, and how they worked to solve them.
You’ll learn how to:
- Add security practices to each stage of your existing development lifecycle
- Integrate security with planning, requirements, design, and at the code level
- Include security testing as part of your team’s effort to deliver working software in each release
- Implement regulatory compliance in an agile or DevOps environment
- Build an effective security program through a culture of empathy, openness, transparency, and collaboration
Ebook details
- Ebook ISBN:
- 978-14-919-3879-9, 9781491938799
- Ebook publication date:
- 2017-09-08 The ebook publication date is often the day the title went on sale and may not match the publication date of the printed book. You can find more information in the free sample. If in doubt, contact us at sklep@ebookpoint.pl.
- Publication language:
- English
- ePub file size:
- 2.8MB
- Mobi file size:
- 6.4MB
Ebook table of contents
- Preface
- Who Should Read This Book
- The Agile Practitioner
- The Security Practitioner
- The Agile Security Practitioner
- Navigating This Book
- Part 1 - Fundamentals
- Part 2 - Agile and Security
- Part 3 - Pulling it all together
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Safari
- How to Contact Us
- Acknowledgments
- 1. Getting started with security
- This isn't just a technology problem
- Not just for geeks
- Security is about risk
- Vulnerability, Likelihood and Impact
- We are all vulnerable - Vulnerability
- Not impossible just improbable - Likelihood
- Measuring the cost - Impact
- Risk can be minimised, not avoided
- We live in an imperfect world and have to make hard decisions
- Threat Actors and Knowing your enemy
- There is an attacker for everyone
- Motivation, Resources, Access
- Security Values: Protecting our data, systems and people
- Know what you are trying to protect
- Confidentiality, Integrity and Availability
- Confidentiality, keep it secret...
- Integrity, ...keep it safe
- Availability, keeping the doors open and the lights on
- Non-repudiation
- Compliance, regulation and security standards
- Common Security Misconceptions/Mistakes
- Security is absolute
- Security is a point that can be reached
- Security is static
- Security requires special <insert item/device/budget>
- So welcome, let's get started
- 2. Agile Enablers
- Build Pipeline
- Automated Testing
- Continuous Integration
- Infrastructure as Code
- Release Management
- Visible Tracking
- Centralised Feedback
- The only good code is deployed code
- Operating Safely and at Speed
- 3. Welcome to the agile revolution
- Agile: a potted landscape
- Scrum, the most popular of agile methodologies
- Sprints and Backlogs
- Stand-Ups
- Scrum Feedback Loops
- Extreme Programming
- The Planning Game
- The On-site Customer
- Pair Programming
- Test Driven Development
- Shared Design Metaphor
- Kanban
- Kanban Board: Make Work Visible
- Constant Feedback
- Continuous Improvement
- Lean
- Agile methods in general
- What about DevOps?
- Agile and Security
- 4. Working with your existing agile lifecycle
- Traditional Application Security Models
- Per iteration rituals
- Tools embedded in the lifecycle
- Pre iteration involvement
- Tooling for planning and discovery
- Post iteration involvement
- Tools to enable the team
- Compliance and audit tools
- Setting Secure Baselines
- What about when you scale?
- Building security teams that enable
- Building tools that people will use
- Documenting security techniques
- Key Takeaways
- 5. Security and Requirements
- Dealing with Security in Requirements
- Agile requirements: telling stories
- What do stories look like?
- Conditions of Satisfaction
- Tracking and managing stories: the Backlog
- Dealing with Bugs
- Getting Security into Requirements
- Security Stories
- Privacy, Fraud, Compliance and Encryption
- SAFECode Security Stories
- Security Personas and Anti-Personas
- Attacker Stories: Put your Black Hat on
- Writing Attacker Stories
- Attack Trees
- Building an attack tree
- Maintaining and using attack trees
- Infrastructure and Operations Requirements
- Key Takeaways
- 6. Agile Vulnerability Management
- Vulnerability Scanning and Patching
- First, understand what you need to scan
- Then, decide how to scan and how often
- Tracking Vulnerabilities
- Managing Vulnerabilities
- Dealing with Critical Vulnerabilities
- Securing your Software Supply Chain
- Vulnerabilities in Containers
- Fewer, Better Suppliers
- How to fix Vulnerabilities in an Agile Way
- Test Driven Security
- Zero Bug Tolerance
- Collective Code Ownership
- Security Sprints, Hardening Sprints and Hack Days
- Taking on and Paying down Security Debt
- Key Takeaways
- 7. Risk for Agile Teams
- Security says No
- Understanding Risks and Risk Management
- Risks and Threats
- Dealing with Risk
- Making Risks Visible
- Accepting and Transferring Risks
- Changing contexts for risks
- Risk Management in Agile and DevOps
- Speed of delivery
- Incremental design and refactoring
- Self organised, autonomous teams
- Automation
- Agile risk mitigation
- Handling Security Risks in Agile and DevOps
- Key Takeaways
- 8. Threat Assessments and Understanding Attacks
- Understanding Threats: Paranoia and Reality
- Understanding Threat Actors
- Threat Actor Archetypes
- Insiders
- Outsiders
- Threats and Attack Targets
- Threat Intelligence
- Threat Assessment
- Your Systems Attack Surface
- Mapping your Application Attack Surface
- Managing your Application Attack Surface
- Agile Threat Modelling
- Understanding Trust and Trust Boundaries
- Building your Threat Model
- Good Enough is Good Enough
- Thinking like an Attacker
- STRIDE: A Structured Model to Understand Attackers
- Incremental Threat Modeling and Risk Assessments
- Assess Risks Upfront
- Review threats as the design changes
- Getting Value out of Threat modelling
- Common Attack Vectors
- Key Takeaways
- 9. Building secure and usable systems
- Design to resist compromise
- Security vs Usability
- Technical controls
- Deterrent controls
- Resistive controls
- Protective controls
- Detective controls
- Compensating controls
- Security architecture
- Perimeterless security
- Assume Compromised
- Complexity and Security
- Key Takeaways
- 10. Code Review for Security
- Why do we need to review code?
- Types of Code Reviews
- Formal Inspections
- Rubber Ducking or Desk Checking
- Pair Programming (and Mob Programming)
- Peer Code Reviews
- Code Audits
- Automated Code Reviews
- What kind of review approach works best for your team?
- When should you review code?
- Before code changes are committed
- Gated Checks before Release
- Post Mortem and Investigation
- How to review code
- Take advantage of Coding guidelines
- Using Code Review Checklists
- Don't make these mistakes
- Review code a little bit at a time
- What Code needs to be Reviewed?
- Who needs to Review Code?
- How many reviewers?
- What experience do reviewers need?
- Automated Code Reviews
- Different Tools find Different Problems
- What tools are good for, and what they aren't good for
- Getting developers to use automated code reviews
- Self-Service Scanning
- Reviewing Infrastructure Code
- Code Review Challenges and Limitations
- Reviews take time
- Understanding somebody else's code is hard
- Finding Security Vulnerabilities is even harder
- Adopting Secure Code Reviews
- Build on what the team is doing, or should be doing
- Refactoring: Keeping code simple and secure
- Fundamentals will take you a long way to secure, safe code
- Reviewing Security Features and Controls
- Reviewing Code for Insider Threats
- Key Takeaways
- 11. Agile Security Testing
- How is testing done in Agile?
- If you got bugs, you'll get pwned
- The Agile Test Pyramid
- Unit testing and TDD
- What Unit Testing Means to System Security
- Get off of the Happy Path
- Service-Level testing and BDD tools
- Gauntlt (Be Mean to your Code)
- BDD-Security
- Let's look under the covers
- Acceptance Testing
- Functional Security Testing and Scanning
- ZAP Tutorial
- ZAP in Continuous Integration
- BDD-Security and ZAP together
- Challenges with Application Scanning
- Testing your Infrastructure
- Linting
- Unit Testing
- Acceptance Testing
- Creating an automated build and test pipeline
- Nightly Build
- Continuous Integration
- Continuous Delivery - and Continuous Deployment
- Out of Band Testing and Reviews
- Promoting to Production
- Guidelines for creating a successful automated pipeline
- Where security testing fits into your pipeline
- A place for manual testing in Agile
- How do you make Security Testing Work in Agile and DevOps?
- Key Takeaways
- 12. External Reviews, Testing and Advice
- Why do we need External Reviews?
- Vulnerability Assessment
- Penetration Testing
- Red Teaming
- Bug Bounties
- How Bug Bounties Work
- Setting up a Bug Bounty Program
- Are you sure you want to run a Bug Bounty?
- Configuration Review
- Secure Code Audit
- Crypto Audit
- Choosing an External Firm
- Experience with products/organizations like yours
- Actively researching or updating skills
- Meet the technical people
- Getting Your Money's Worth
- Don't Waste Their Time
- Challenge the findings
- Insist on results that work for you
- Put results into context
- Include the engineering team
- Measure improvement over time
- Hold review/retrospective/sharing events and share the results
- Spread remediation across teams to maximise knowledge transfer
- Rotate firms or swap testers over time
- Key Takeaways
- 13. Operations and OpSec
- System Hardening: Setting up Secure Systems
- Regulatory requirements for hardening
- Hardening standards and guidelines
- Challenges with hardening
- Automated Compliance Scanning
- Approaches for building hardened systems
- Automated Hardening Templates
- Network as Code
- Monitoring and Intrusion Detection
- Monitoring to drive feedback loops
- Using Application Monitoring for security
- Auditing and Logging
- Proactive versus Reactive Detection
- Catching Mistakes at Run-time
- Run-time Defense
- Cloud Security Protection
- RASP
- Incident Response: Preparing for Breaches
- Get your Exercise: Game Days and Red Teaming
- Blameless Postmortems: Learning from Security Failures
- Securing your Build Pipeline
- Harden your build infrastructure
- Understand what's in the cloud
- Harden your CI/CD Tools
- Lock Down Configuration Managers
- Protect Keys and Secrets
- Lock Down Repos
- Secure Chat
- Review the Logs
- Use Phoenix Servers for Build and Test
- Monitor your Build and Test Systems
- SShh Keeping Secrets Secret
- Key Takeaways
- 14. Compliance
- Compliance and Security
- Different Regulatory Approaches
- PCI DSS: Rules-Based
- Reg SCI: Outcome-Based
- Risk Management and Compliance
- Traceability of Changes
- Data Privacy
- How to meet Compliance and Stay Agile
- Compliance Stories and Compliance in Stories
- More Code, Less Paperwork
- Traceability and Assurance in Continuous Delivery
- Managing Changes in Continuous Delivery
- Dealing with Separation of Duties
- Building Compliance into your Culture
- Keeping Auditors Happy
- Dealing with Auditors when they aren't Happy
- Certification and Attestation
- Continuous Compliance and Breaches
- Certification doesn't mean that you are Secure
- Key Takeaways
- 15. Security Culture
- The importance of security culture
- Defining culture
- Push, don't pull
- Building a security culture
- Principles of effective security
- Enable, don't block
- Transparently secure
- Don't play the blame game
- Scale security, empower the edges
- The who is just as important as the how
- Security outreach
- Securgonomics
- Dashboards
- Key Takeaways
- 16. What does Agile Security mean?
- Laura's Story
- Not an engineer but a hacker
- Your baby is ugly and you should feel bad
- Speak Little, Listen Much
- Let's go faster
- Creating Fans and Friends
- We are small but we are many
- Jim's story
- You can Build your own Security Experts
- Choose People over Tools
- Security has to start with Quality
- You can make Compliance an Everyday Thing
- Michael's Story
- Security skills are unevenly distributed
- Security practitioners need to get a tech refresh
- Accreditation and Assurance are dying
- Security is an enabler
- Rich's story
- The first time's free
- This can be more than a hobby?
- A little lightbulb
- Computers are hard, people are harder
- And now we're here
- Index