You're reading from Implementing DevSecOps Practices

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781803231495
Edition: 1st Edition
Author

Vandana Verma Sehgal

Vandana Verma Sehgal is a seasoned cybersecurity professional with over 17 years of experience who specializes in DevSecOps and has a diverse background in vulnerability management, SOC, infrastructure, application, and cloud security. She is a speaker and trainer, having presented at events such as Global OWASP AppSec, Black Hat, and Grace Hopper. Vandana actively contributes to the cybersecurity community as a member of the OWASP Global Board of Directors and the Black Hat Asia Review Board, and is deeply involved in diversity initiatives such as InfosecGirls, WoSec, and null. She has earned numerous awards, including Cyber Security Woman of the Year 2020 and Application Security Influencer 2020 in India. Her passion for diversity and inclusion drives initiatives such as InfosecGirls, WoSec, and InfosecKids, inspiring and empowering the next generation of security professionals.

Preface

The integration of Development, Security, and Operations – commonly known as DevSecOps – has emerged as a pivotal approach to software delivery. This methodology not only automates the software delivery process but also integrates security practices from the earliest stages of development.

The essence of DevSecOps lies in its ability to break down traditional silos, fostering a culture of shared responsibility for both software quality and security. It recognizes that in the age of cyber threats and frequent software releases, security cannot be an afterthought; it must be ingrained at every stage of the software life cycle.

This book is a culmination of insights, best practices, and hands-on techniques to implement DevSecOps in real-world environments. It delves deep into the practical aspects, guiding readers through the nuances of setting up robust CI/CD pipelines, integrating security tools, automating security checks, and fostering a culture that values security as much as speed.

Whether you are an IT professional aiming to understand the intricacies of DevSecOps, a security enthusiast keen on integrating security into DevOps practices, or a seasoned practitioner looking for hands-on guidance, this book promises to be a comprehensive resource. Through its pages, we’ll demystify the challenges, celebrate the successes, and, above all, pave the way for a future where software is developed swiftly, securely, and efficiently.

Join me on this enlightening journey as we delve into the world of DevSecOps, exploring its principles, practices, and profound impact on the realm of software delivery.

Who this book is for

This book is crafted for a diverse range of readers who are either stepping into the world of DevSecOps or looking to deepen their understanding of its practical applications. Here’s a closer look at who would benefit the most from this resource:

  • Software developers and engineers: For professionals who design and code applications, this book offers insights into integrating security measures right from the inception of a project. Understand how to write secure code and identify potential vulnerabilities even before they become threats.
  • IT operations professionals: If you’re involved in deploying, monitoring, or managing applications, this guide will introduce you to the tools and practices that ensure smooth and secure deployments, emphasizing the importance of infrastructure as code and automated security checks.
  • Security professionals: Those specializing in cybersecurity will benefit from the book’s emphasis on bridging the gap between security and other IT disciplines. Learn how to work collaboratively with development and operations teams, integrate security tools into CI/CD pipelines, and automate security protocols.
  • DevOps practitioners: If you’re already familiar with DevOps but wish to delve deeper into the security aspect, this book is for you. Understand how DevSecOps extends and refines the DevOps approach by embedding security in every stage of the software delivery life cycle.
  • Technical architects and consultants: Professionals responsible for designing IT ecosystems will gain insights into structuring systems that are both agile and secure, ensuring that security considerations are not just add-ons but foundational elements.
  • IT leaders and managers: For decision-makers aiming to implement a DevSecOps culture in their teams or organizations, this book offers a roadmap. Learn about the benefits, challenges, and strategies to promote a culture where security and agility go hand in hand.
  • Students and academics: Those in academia, either studying software development, IT management, or cybersecurity, will find this book a valuable addition to their curriculum, offering real-world insights and practical methodologies beyond theoretical knowledge.

This book is a valuable resource for anyone keen on understanding the synergy between development, operations, and security and how to implement practices that ensure faster, more efficient, and most importantly, secure software delivery.

What this book covers

Chapter 1, Introducing DevSecOps, covers the basics of DevSecOps and the maturity levels that describe an organization’s current state and the future state it can attain. It helps organizations understand where they are and where to go next. People are the most important element in any technology and process: you can use the best technology and processes, but without people, goals can’t be achieved. In this chapter, we will learn about the involvement of different teams and what key performance indicators are.

Chapter 2, DevSecOps Principles, explores the DevSecOps principles, the key concepts that let you pick up a program at any point in the development cycle and take it to maturity.

Chapter 3, Understanding the Security Posture, covers understanding the security posture of the DevSecOps pipeline within an organization: what measures we take to secure the environment and why, what measures we can take to monitor it, and where security stands in the overall development process.

Chapter 4, Understanding Observability, examines what observability is and how it is different from monitoring. Also, we will look at how observability helps DevSecOps.

Chapter 5, Understanding Chaos Engineering, covers the aspects of chaos engineering: how controlled faults are injected into a system, and how the system behaves when it fails under them.

Chapter 6, Continuous Integration and Continuous Deployment, discusses what CI/CD is, the benefits of CI/CD, how we can automate the CI/CD pipeline, and why the pipeline matters.

Chapter 7, Threat Modeling, dives into threat modeling, which involves examining applications through the eyes of an attacker in order to identify and highlight security flaws that could be exploited. This makes security a part of the organizational culture, laying the groundwork for a DevSecOps workplace. Threat modeling also helps teams better understand and learn each other’s roles, objectives, and pain points, resulting in a more collaborative and understanding organization. The chapter also covers the free and open source tools for threat modeling.

Chapter 8, Software Composition Analysis (SCA), explores third-party dependencies, one of the biggest concerns when we deal with code. By some estimates, 80–90 percent of the code in a typical application comes from third-party dependencies or libraries, which bring their own issues as well as benefits. In this chapter, we discuss software composition analysis and its uses, and cover the free and open source tools for SCA.

Chapter 9, Static Application Security Testing (SAST), examines SAST, which happens early in the Software Development Life Cycle (SDLC) because it analyzes source code without executing it and so does not require a working application. The chapter also covers the free and open source tools for SAST.
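
To make that property concrete, here is an added example (not code from the book or from any of the tools it covers) of a SAST-style check written in Python against the standard library’s ast module: it parses source text into a syntax tree and flags dangerous call patterns without importing or running anything. The program it scans is constructed for this example, and the rule table is illustrative rather than a complete rule set.

```python
"""SAST in miniature: find dangerous calls by walking a syntax tree, never executing the code."""
import ast

# Illustrative rule table (an assumption for this example): qualified call names that
# interpret a string as code or as a shell command.
DANGEROUS_CALLS = {
    "eval": "code-injection: eval() on a string",
    "exec": "code-injection: exec() on a string",
    "os.system": "command-injection: os.system() runs a shell",
    "pickle.loads": "deserialization: pickle.loads() on untrusted bytes",
}


def _qualified_name(func):
    """Return 'os.system' for attribute chains, 'eval' for bare names, None for anything else."""
    parts = []
    node = func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source, filename="<input>"):
    """Parse `source` and return findings as (line, rule) tuples sorted by line."""
    findings = []
    tree = ast.parse(source, filename=filename)  # static: builds a tree, runs nothing
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, DANGEROUS_CALLS[name]))
        # Any subprocess.* call with shell=True hands the command line to /bin/sh.
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "command-injection: subprocess call with shell=True"))
    return sorted(findings)


# Constructed sample program for this example; the comments give its line numbers.
SAMPLE = """\
import os
import subprocess
import pickle

def run_report(user_input):
    os.system("report-tool " + user_input)           # line 6: flagged
    subprocess.run(["ls", "-l"])                     # line 7: argv form, no shell, not flagged
    subprocess.run("ls " + user_input, shell=True)   # line 8: flagged
    return eval(user_input)                          # line 9: flagged

def load(blob):
    return pickle.loads(blob)                        # line 12: flagged
"""

if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {rule}")
```

The check is purely syntactic, which is both its strength (no build, no runtime, no test data needed) and its limit: an aliased import such as `from os import system as run` slips past it, and it cannot tell whether `user_input` is actually attacker-controlled. Production SAST tools resolve imports and track data flow from sources to sinks to close those gaps and cut false positives.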

Chapter 10, Infrastructure-as-Code (IaC) Scanning, discusses IaC scanning, which looks for known vulnerabilities and insecure configurations in your IaC files before the infrastructure they describe is provisioned. IaC improves usability and functionality while also assisting developers with infrastructure deployment. The chapter covers the aspects of IaC scanning and usability testing, and the free and open source tools for IaC.
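
As an added illustration of what an IaC scan checks (this is example code written for this page, not from the book or from any IaC scanner it covers), the following Python reads a Kubernetes Pod manifest in its JSON form using only the standard library and reports settings that would weaken isolation if the manifest were applied. Both manifests are constructed for the example, and the rule set is a small, illustrative subset of what real scanners enforce.

```python
"""IaC scan in miniature: flag insecure settings in a Kubernetes Pod manifest before it is applied."""
import json


def scan_pod(manifest):
    """Return (scope, rule) findings for one parsed Pod manifest; scope is 'pod' or a container name."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Pod-level settings that expose the node to the workload.
    if spec.get("hostNetwork") is True:
        findings.append(("pod", "hostNetwork: true shares the node's network namespace"))
    if spec.get("hostPID") is True:
        findings.append(("pod", "hostPID: true exposes every process on the node"))

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append((name, "privileged: true disables container isolation"))
        # Absent means the Kubernetes default, which allows escalation; only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation is not set to false"))
        # A container-level value overrides the pod-level one; require an explicit true somewhere.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "runAsNonRoot is not enforced"))
        # Unpinned images make the deployment non-reproducible and silently pull new code.
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # strip registry/path so a registry port is not mistaken for a tag
        if ":" not in last or last.endswith(":latest"):
            findings.append((name, "image not pinned to a tag or digest"))
    return findings


def scan_manifest(text):
    """Scan a JSON-encoded Pod manifest (kubectl accepts JSON as well as YAML)."""
    return scan_pod(json.loads(text))


# Constructed manifests for this example.
BAD_POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "report-worker"},
  "spec": {
    "hostNetwork": true,
    "containers": [{
      "name": "app",
      "image": "registry.example.com/report:latest",
      "securityContext": {"privileged": true}
    }]
  }
}"""

GOOD_POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "report-worker"},
  "spec": {
    "containers": [{
      "name": "app",
      "image": "registry.example.com/report:1.4.2",
      "securityContext": {
        "runAsNonRoot": true,
        "allowPrivilegeEscalation": false,
        "privileged": false
      }
    }]
  }
}"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_POD_JSON), ("good", GOOD_POD_JSON)):
        for scope, rule in scan_manifest(text):
            print(f"{label}: {scope}: {rule}")
```

Two details matter when writing rules like these: test for the literal boolean (`is True` / `is not False`) rather than truthiness, because a missing key and an explicit `false` must be treated differently, and scan at the point where the file is still text (pull request or pipeline stage), since once the manifest is applied the misconfiguration is already live.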

Chapter 11, Dynamic Application Security Testing (DAST), delves into DAST, the process of testing a running web application from the outside, through its frontend, as an attacker would. A DAST scanner sends crafted inputs and flags responses that fall outside the expected result set, which indicate security flaws. The chapter also covers the free and open source tools for DAST.
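
The following added example (written for this page, not taken from the book or from any DAST tool it covers) shows the black-box pattern in Python: send crafted inputs to a target and flag responses that a correct application would never return. Because a DAST tool needs something running, the two targets here are constructed stand-ins, a vulnerable and a hardened search handler, each a callable that takes query parameters and returns a status and body in place of a real HTTP exchange.

```python
"""DAST in miniature: probe an application from the outside and flag responses that
deviate from what a correct application should return."""
import html
import re


# Constructed stand-ins for the HTTP target. A real DAST tool would send HTTP
# requests to a deployed instance; these callables simulate the request/response.
def vulnerable_search(params):
    q = params.get("q", "")
    if "'" in q:
        # simulates a database error leaking straight into the response body
        return 500, "SQLSTATE[42000]: Syntax error near '" + q + "'"
    return 200, "<h1>Results for " + q + "</h1>"  # reflected without encoding


def hardened_search(params):
    q = params.get("q", "")
    if "'" in q:
        # the real fix is a parameterised query; the mock simply rejects the input without leaking
        return 400, "Invalid query"
    return 200, "<h1>Results for " + html.escape(q, quote=True) + "</h1>"


# A canary that must never come back verbatim: if it does, markup reaches the page unencoded.
CANARY = 'dsx7<">'
# Signatures of database errors that should never appear in a production response (illustrative).
SQL_ERROR_PATTERNS = [r"SQLSTATE\[", r"syntax error", r"ORA-\d{5}", r"mysql_fetch"]


def probe(app, param="q"):
    """Send crafted inputs for `param` to `app` and return (rule, param, detail) findings."""
    findings = []

    # Probe 1: reflection. Expected result: the canary comes back encoded or not at all.
    status, body = app({param: CANARY})
    if CANARY in body:
        findings.append(("reflected-xss", param, "canary reflected unencoded"))

    # Probe 2: error disclosure. Expected result: a handled 4xx/200, no database error text.
    status, body = app({param: "'"})
    if status >= 500 or any(re.search(p, body, re.IGNORECASE) for p in SQL_ERROR_PATTERNS):
        findings.append(("sql-error-disclosure", param, f"status {status}"))

    return findings


if __name__ == "__main__":
    for target in (vulnerable_search, hardened_search):
        print(target.__name__, probe(target))
```

The scanner never sees the source: it only knows what it sent and what came back, which is why DAST finds deployment-level problems (verbose error pages, missing output encoding in the served templates) that SAST cannot, and why it needs a running, reachable instance to test.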

Chapter 12, Setting Up a DevSecOps Program with Open Source Tools, covers the tools and tips to set up an effective DevSecOps program, looking at it from every angle.

Chapter 13, Licenses Compliance, Code Coverage, and Baseline Policies, explores license compliance, which ensures that we manage licenses and policies and keep them up to date, along with code coverage and the baseline policies a pipeline should enforce.

Chapter 14, Setting Up a Security Champions Program, talks about who security champions are and how we can set up a security champions program.

Chapter 15, Case Studies, discusses case studies from organizations that have set up DevSecOps programs. What were the initial setbacks that eventually contributed to the DevSecOps program’s success? We look at the lessons learned along the way.

Chapter 16, Conclusion, concludes the book, focusing on what we have learned from the different chapters and offering a call to action on the way forward.

To get the most out of this book

Software/hardware covered in the book    Operating system requirements
Jenkins                                  Windows, macOS, or Linux
OWASP open source tools                  Windows, macOS, or Linux

Conventions used

There are a number of text conventions used throughout this book.

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select System info from the Administration panel.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at customercare@packtpub.com and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Implementing DevSecOps Practices, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

  1. Scan the QR code or visit the link below

https://packt.link/free-ebook/978-1-80323-149-5

  2. Submit your proof of purchase
  3. That’s it! We’ll send your free PDF and other benefits to your email directly