Agile Application Security. Enabling Security in a Continuous Delivery Pipeline Laura Bell, Michael Brunton-Spall, Rich Smith

Spis treści książki

• Preface
  • Who Should Read This Book
    • The Agile Practitioner
    • The Security Practitioner
    • The Agile Security Practitioner
  • Navigating This Book
    • Part 1 - Fundamentals
    • Part 2 - Agile and Security
    • Part 3 - Pulling it all together
  • Conventions Used in This Book
  • Using Code Examples
  • OReilly Safari
  • How to Contact Us
  • Acknowledgments
• 1. Getting started with security
  • This isnt just a technology problem
  • Not just for geeks
  • Security is about risk
    • Vulnerability, Likelihood and Impact
    • We are all vulnerable - Vulnerability
    • Not impossible just improbable - Likelihood
    • Measuring the cost - Impact
    • Risk can be minimised, not avoided
    • We live in an imperfect world and have to make hard decisions
  • Threat Actors and Knowing your enemy
    • There is an attacker for everyone
    • Motivation, Resources, Access
  • Security Values : Protecting our data, systems and people
    • Know what you are trying to protect
    • Confidentiality, Integrity and Availability
      • Confidentiality, keep it secret ..
      • Integrity, . keep it safe
      • Availability, keeping the doors open and the lights on
    • Non-repudiation
    • Compliance, regulation and security standards
  • Common Security Misconceptions/Mistakes
    • Security is absolute
    • Security is a point that can be reached
    • Security is static
    • Security requires special <insert item/device/budget>
  • So welcome, lets get started
• 2. Agile Enablers
  • Build Pipeline
  • Automated Testing
  • Continuous Integration
  • Infrastructure as Code
  • Release Management
  • Visible Tracking
  • Centralised Feedback
  • The only good code is deployed code
  • Operating Safely and at Speed
• 3. Welcome to the agile revolution
  • Agile: a potted landscape
  • Scrum, the most popular of agile methodologies
    • Sprints and Backlogs
    • Stand-Ups
    • Scrum Feedback Loops
  • Extreme Programming
    • The Planning Game
    • The On-site Customer
    • Pair Programming
    • Test Driven Development
    • Shared Design Metaphor
  • Kanban
    • Kanban Board: Make Work Visible
    • Constant Feedback
    • Continuous Improvement
  • Lean
  • Agile methods in general
  • What about DevOps?
  • Agile and Security
• 4. Working with your existing agile lifecycle
  • Traditional Application Security Models
  • Per iteration rituals
    • Tools embedded in the lifecycle
  • Pre iteration involvement
    • Tooling for planning and discovery
  • Post iteration involvement
    • Tools to enable the team
    • Compliance and audit tools
  • Setting Secure Baselines
  • What about when you scale?
  • Building security teams that enable
    • Building tools that people will use
    • Documenting security techniques
  • Key Takeaways
• 5. Security and Requirements
  • Dealing with Security in Requirements
  • Agile requirements: telling stories
    • What do stories look like?
    • Conditions of Satisfaction
  • Tracking and managing stories: the Backlog
  • Dealing with Bugs
  • Getting Security into Requirements
    • Security Stories
    • Privacy, Fraud, Compliance and Encryption
    • SAFECode Security Stories
  • Security Personas and Anti-Personas
  • Attacker Stories: Put your Black Hat on
    • Writing Attacker Stories
  • Attack Trees
    • Building an attack tree
    • Maintaining and using attack trees
  • Infrastructure and Operations Requirements
  • Key Takeaways
• 6. Agile Vulnerability Management
  • Vulnerability Scanning and Patching
    • First, understand what you need to scan
    • Then, decide how to scan and how often
    • Tracking Vulnerabilities
    • Managing Vulnerabilities
  • Dealing with Critical Vulnerabilities
  • Securing your Software Supply Chain
    • Vulnerabilities in Containers
    • Fewer, Better Suppliers
  • How to fix Vulnerabilities in an Agile Way
    • Test Driven Security
    • Zero Bug Tolerance
    • Collective Code Ownership
  • Security Sprints, Hardening Sprints and Hack Days
  • Taking on and Paying down Security Debt
  • Key Takeaways
• 7. Risk for Agile Teams
  • Security says No
  • Understanding Risks and Risk Management
  • Risks and Threats
  • Dealing with Risk
    • Making Risks Visible
    • Accepting and Transferring Risks
    • Changing contexts for risks
  • Risk Management in Agile and DevOps
    • Speed of delivery
    • Incremental design and refactoring
    • Self organised, autonomous teams
    • Automation
    • Agile risk mitigation
  • Handling Security Risks in Agile and DevOps
  • Key Takeaways
• 8. Threat Assessments and Understanding Attacks
  • Understanding Threats: Paranoia and Reality
    • Understanding Threat Actors
    • Threat Actor Archetypes
      • Insiders
      • Outsiders
    • Threats and Attack Targets
    • Threat Intelligence
    • Threat Assessment
  • Your Systems Attack Surface
    • Mapping your Application Attack Surface
    • Managing your Application Attack Surface
  • Agile Threat Modelling
    • Understanding Trust and Trust Boundaries
    • Building your Threat Model
    • Good Enough is Good Enough
    • Thinking like an Attacker
    • STRIDE: A Structured Model to Understand Attackers
    • Incremental Threat Modeling and Risk Assessments
    • Assess Risks Upfront
    • Review threats as the design changes
    • Getting Value out of Threat modelling
  • Common Attack Vectors
  • Key Takeaways
• 9. Building secure and usable systems
  • Design to resist compromise
  • Security vs Usability
  • Technical controls
    • Deterrant controls
    • Resistive controls
    • Protective controls
    • Detective controls
    • Compensating controls
  • Security architecture
    • Perimeterless security
    • Assume Compromised
  • Complexity and Security
  • Key Takeaways
• 10. Code Review for Security
  • Why do we need to review code?
  • Types of Code Reviews
    • Formal Inspections
    • Rubber Ducking or Desk Checking
    • Pair Programming (and Mob Programming)
  • Peer Code Reviews
    • Code Audits
    • Automated Code Reviews
    • What kind of review approach works best for your team?
  • When should you review code?
    • Before code changes are committed
    • Gated Checks before Release
    • Post Mortem and Investigation
  • How to review code
    • Take advantage of Coding guidelines
    • Using Code Review Checklists
    • Dont make these mistakes
    • Review code a little bit at a time
    • What Code needs to be Reviewed?
  • Who needs to Review Code?
    • How many reviewers?
    • What experience do reviewers need?
  • Automated Code Reviews
    • Different Tools find Different Problems
    • What tools are good for, and what they arent good for
    • Getting developers to use automated code reviews
    • Self-Service Scanning
    • Reviewing Infrastructure Code
  • Code Review Challenges and Limitations
    • Reviews take time
    • Understanding somebody elses code is hard
    • Finding Security Vulnerabilities is even harder
  • Adopting Secure Code Reviews
    • Build on what the team is doing, or should be doing
    • Refactoring: Keeping code simple and secure
    • Fundamentals will take you a long way to secure, safe code
  • Reviewing Security Features and Controls
  • Reviewing Code for Insider Threats
  • Key Takeaways
• 11. Agile Security Testing
  • How is testing done in Agile?
  • If you got bugs, youll get pwned
  • The Agile Test Pyramid
  • Unit testing and TDD
    • What Unit Testing Means to System Security
    • Get off of the Happy Path
  • Service-Level testing and BDD tools
    • Gauntlt (Be Mean to your Code)
    • BDD-Security
    • Lets look under the covers
  • Acceptance Testing
  • Functional Security Testing and Scanning
    • ZAP Tutorial
    • ZAP in Continuous Integration
    • BDD-Security and ZAP together
    • Challenges with Application Scanning
  • Testing your Infrastructure
    • Linting
    • Unit Testing
    • Acceptance Testing
  • Creating an automated build and test pipeline
    • Nightly Build
    • Continuous Integration
    • Continuous Delivery - and Continuous Deployment
    • Out of Band Testing and Reviews
    • Promoting to Production
    • Guidelines for creating a successful automated pipeline
    • Where security testing fits into your pipeline
  • A place for manual testing in Agile
  • How do you make Security Testing Work in Agile and DevOps?
  • Key Takeaways
• 12. External Reviews, Testing and Advice
  • Why do we need External Reviews?
  • Vulnerability Assessment
  • Penetration Testing
  • Red Teaming
  • Bug Bounties
    • How Bug Bounties Work
    • Setting up a Bug Bounty Program
    • Are you sure you want to run a Bug Bounty?
  • Configuration Review
  • Secure Code Audit
  • Crypto Audit
  • Choosing an External Firm
    • Experience with products/organizations like yours
    • Actively researching or updating skills
    • Meet the technical people
  • Getting Your Moneys Worth
    • Dont Waste Their Time
    • Challenge the findings
    • Insist on results that work for you
    • Put results into context
    • Include the engineering team
    • Measure improvement over time
    • Hold review/retrospective/sharing events and share the results
    • Spread remediation across teams to maximise knowledge transfer
    • Rotate firms or swap testers over time
  • Key Takeaways
• 13. Operations and OpSec
  • System Hardening: Setting up Secure Systems
    • Regulatory requirements for hardening
    • Hardening standards and guidelines
    • Challenges with hardening
    • Automated Compliance Scanning
    • Approaches for building hardened systems
    • Automated Hardening Templates
  • Network as Code
  • Monitoring and Intrusion Detection
    • Monitoring to drive feedback loops
    • Using Application Monitoring for security
    • Auditing and Logging
    • Proactive versus Reactive Detection
  • Catching Mistakes at Run-time
  • Run-time Defense
    • Cloud Security Protection
    • RASP
  • Incident Response: Preparing for Breaches
    • Get your Exercise: Game Days and Red Teaming
    • Blameless Postmortems: Learning from Security Failures
  • Securing your Build Pipeline
    • Harden your build infrastructure
    • Understand whats in the cloud
    • Harden your CI/CD Tools
    • Lock Down Configuration Managers
    • Protect Keys and Secrets
    • Lock Down Repos
    • Secure Chat
    • Review the Logs
    • Use Phoenix Servers for Build and Test
    • Monitor your Build and Test Systems
  • SShh Keeping Secrets Secret
  • Key Takeaways
• 14. Compliance
  • Compliance and Security
  • Different Regulatory Approaches
    • PCI DSS: Rules-Based
    • Reg SCI: Outcome-Based
  • Risk Management and Compliance
  • Traceability of Changes
  • Data Privacy
  • How to meet Compliance and Stay Agile
    • Compliance Stories and Compliance in Stories
    • More Code, Less Paperwork
    • Traceability and Assurance in Continuous Delivery
    • Managing Changes in Continuous Delivery
    • Dealing with Separation of Duties
  • Building Compliance into your Culture
    • Keeping Auditors Happy
    • Dealing with Auditors when they arent Happy
  • Certification and Attestation
    • Continuous Compliance and Breaches
    • Certification doesnt mean that you are Secure
  • Key Takeaways
• 15. Security Culture
  • The importance of security culture
    • Defining culture
    • Push, dont pull
  • Building a security culture
  • Principles of effective security
    • Enable, dont block
    • Transparently secure
    • Dont play the blame game
    • Scale security, empower the edges
    • The who is just as important as the how
  • Security outreach
    • Securgonomics
    • Dashboards
  • Key Takeaways
• 16. What does Agile Security mean?
  • Lauras Story
    • Not an engineer but an hacker
    • Your baby is ugly and you should feel bad
    • Speak Little, Listen Much
    • Lets go faster
    • Creating Fans and Friends
    • We are small but we are many
  • Jims story
    • You can Build your own Security Experts
    • Choose People over Tools
    • Security has to start with Quality
    • You can make Compliance an Everyday Thing
  • Michaels Story
    • Security skills are unevenly distributed
    • Security practitioners needs to get a tech refresh
    • Accrediation and Assurance are dying
    • Security is an enabler
  • Richs story
    • The first times free
    • This can be more than a hobby?
    • A little lightbulb
    • Computers are hard, people are harder
    • And now were here
• Index

pokaż cały spis treści

ukryj recenzje