DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement

A structured approach to integrating security capabilities into your engineering process is an essential requirement for producing secure software without compromising the integrity of the DevOps framework.

DevSecOps provides a clear path to building systems and protocols that promote taking ownership of software security and support the DevOps philosophy. Learn how to:

· Establish a security-first culture within your DevOps teams
· Produce high-quality, secure software at pace
· Automate integrated security testing
· Use feedback loops to continuously improve the security of your products
· Measure security within your value streams

282 pages, Kindle Edition

Published December 14, 2020


About the author

Glenn Wilson

57 books, 4 followers

Ratings & Reviews

Community Reviews

· 5 stars: 13 (25%)
· 4 stars: 17 (33%)
· 3 stars: 14 (27%)
· 2 stars: 4 (7%)
· 1 star: 3 (5%)
Displaying 1 - 4 of 4 reviews
4 reviews, 2 followers
July 19, 2022
Currently at around 60%.

Terminologies could have been better defined.
At the very least, DevSecOps itself seems undefined. Terms like appsec engineers, development engineers, application engineers, etc. are sprinkled here and there without, in the author's opinion, how they function differently from each other.

Sections/chapters could be made shorter/removed.
The whole chapter of education is about different ways to learn cybersecurity, online, offline, in person, in a class, etc. Some sections are summaries of previous works, e.g. STRIDE for threat modelling, clean code from, well, the Clean Code.

Some unsubstantiated claims. For one, in chapter 5, it says, paraphrased, that having a CI/CD pipeline makes separation of duties more challenging. Why separation of duties is needed in this context in the first place remains unanswered. The whole DevOps movement is meant to break organization silos, to "shift left", to be agile. It isn't immediately obvious to me why all of a sudden we want separation of duties here.

Might update my review later.
Andrew Waite, 48 reviews, 2 followers
April 9, 2021
Gave up after 50 pages.

I’m an ex ops guy, who’s currently in security roles, studying to find a middle ground between both camps.

From the title and description, this book should have been gold dust; I’m now looking elsewhere for the answers I seek.
Lucas Cioffi, 13 reviews
July 18, 2022
This book should have had a different title. Maybe something like this:
"DevSecOps: How to embed security into your DevOps practices". I'll explain why in a moment.

This book is focused on teaching basic security concepts, techniques and tooling to DevOps engineers. It goes through basic concepts such as the CIA triad, what is risk, etc., and then proposes a layered approach to applying security into an existing DevOps program.

There are three layers the author proposes, in order: Education, Security by Design and Security Automation. The main goal seems to be covering the biggest bases with limited resources (personnel and tooling), which is a very common situation in companies. It is a very reasonable and sensible approach.

It is NOT focused in any way, shape or form, on teaching DevOps to security people. This book's objective is to get DevOps people into security, NOT the other way around.

That being said, I think the book accomplishes its objectives.
An in-depth look at some technical details and some working implementations would have been very nice, but I understand why they may not have been in the scope of this work.

1 review
April 12, 2021
Informative

I am new to this game and was asked to assist DevOps to combine with security. This assisted and provided answers to most of my questions.