The DevSecOps Playbook (Sean D. Mack) (Z-Library)

Uploader: 高宏飞
Shared on 13 December 2025

Category: Education

Author: Sean D. Mack

The DevSecOps Book: How to Deliver at Speed without Sacrificing Security is the definitive guide to how DevSecOps will change the way organizations develop and deliver secure products to market. An important read for security leaders in businesses across different fields, this book explores the principles of DevSecOps and provides a guide for integrating this approach into software development. Cybersecurity is arguably one of the most pressing threats for any business today. This book explains what DevSecOps is and looks ahead to how to expand the approach by exploring:

- How the shared responsibility model is at the core of DevSecOps
- DevSecOps technology, toolchains, release pipelines, and integrations
- Metrics for DevSecOps functions

Readers will learn how to drive enterprise transformation using DevSecOps and be on the cutting edge of the future of security practices.

ISBN: 1394169795
Publisher: Wiley
Publish Year: 2023
Language: English
Pages: 241
File Format: PDF
File Size: 2.2 MB
Text Preview (First 20 pages)

THE DevSecOps PLAYBOOK
Deliver Continuous Security at Speed
Sean D. Mack
Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.

ISBNs: 9781394169795 (paperback), 9781394169818 (epdf), 9781394169801 (epub)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

If you believe you’ve found a mistake in this book, please bring it to our attention by emailing our reader support team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission.”

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2023944292
Cover image: © lvcandy/Getty Images
Cover design: Wiley
Contents at a Glance

Foreword xiii
Introduction xv
Chapter 1 Introducing DevSecOps 1
Chapter 2 The Evolution of Cybersecurity (from Perimeter to Zero Trust) 23
Chapter 3 DevSecOps People 47
Chapter 4 DevSecOps Process 77
Chapter 5 DevSecOps Technology 99
Chapter 6 DevSecOps Governance 125
Chapter 7 Driving Transformation in Enterprise Environments 147
Chapter 8 Measuring DevSecOps 169
Chapter 9 Conclusion 195
Acknowledgments 207
About the Author 209
Index 211
Contents

Foreword xiii
Introduction xv

Chapter 1 Introducing DevSecOps 1
  Why DevSecOps? Why Now? 1
  DevOps Overview 3
  Brief History of DevOps 4
  The Three Ways of DevOps 6
  The Five Ideals 9
  The CALMS Framework 10
  DevOps as an Anti-Pattern 11
  Agile and DevOps 13
  DevOps and ITSM 14
  DevSecOps Overview 15
  Rugged DevOps Overview 17
  DevSecOps Business Results 18
  Conclusion 22

Chapter 2 The Evolution of Cybersecurity (from Perimeter to Zero Trust) 23
  The Evolution of the Threat Landscape 23
  Evolution of Infrastructure 23
  The Evolution of Application Delivery 28
  The Evolution of the Threat Landscape 29
  The Evolution of Cybersecurity Response 32
  Defense in Depth 32
  Zero Trust 35
  Shift Left 38
  Benefits of Shift Left 41
  Smearing Left 43
  Shift Right 44
  Shift Left for DevSecOps 45
  Conclusion 45

Chapter 3 DevSecOps People 47
  Introduction 47
  Collaboration at the Core 48
  DevSecOps Culture 49
  Trust 50
  Transparency 53
  The Shared Responsibility Model 54
  Ownership 55
  Accountability 56
  The Role of the Security Team 57
  Psychological Safety 58
  Empowerment 59
  Learning Culture 61
  Incident Postmortems 63
  Security Training Programs 64
  Organizing for DevSecOps 66
  Building a DevSecOps Culture 69
  Security Champions 69
  Internal Bug Bounties 70
  The Evolution of the Employee (T-Shaped People) 70
  Hiring for DevSecOps 72
  Key Characteristics 72
  Diversity, Equity, and Inclusion 73
  Conclusion 74

Chapter 4 DevSecOps Process 77
  Introduction 77
  Understanding Processes at Scale 78
  DevSecOps for IT Service Management 78
  Security Incident Management 80
  Change Management 82
  Adaptive Change Management 83
  Change Risk Calculation 84
  Guiding Principles for Change Review and Approval 84
  Standard Changes and “Change Freezes” 85
  Problem Management 89
  The Problem Manager Role 91
  Blameless Postmortems 92
  Release Management 93
  A DevOps Approach to Security Processes 94
  Tabletop Exercises 94
  Attack Simulation: Red Team, Blue Team, Purple Team 95
  Chaos Engineering 96
  Conclusion 98

Chapter 5 DevSecOps Technology 99
  Introduction 99
  DevSecOps Continuous Integration and Continuous Deployment 101
  The Commit Stage 103
  The Build Stage 104
  The Test Stage 105
  The Deploy Stage 107
  Infrastructure as Code 108
  Secrets Management 110
  Privileged Access Management 113
  Runtime Application Self-Protection 114
  Monitoring and Observability 114
  Monitoring 115
  Observability 117
  Data Silos 119
  Event Management with SIEM and SOAR 121
  Conclusion 122

Chapter 6 DevSecOps Governance 125
  Introduction 125
  The Challenge of Compliance 126
  The History of Compliance 126
  The Burden of Compliance 129
  Managing Risk 130
  Risk as a Feature 131
  Risk Management and Controls 132
  DevSecOps Approach to Governance 135
  Compliance as Code 135
  Build-Time Compliance as Code 136
  Inserting Compliance into the Pipeline 136
  Compliance Automation 137
  OPA/Rego 137
  Runtime Compliance as Code 138
  Compliance as Code for Auditing 138
  The Role of Audit 139
  A Note of Caution on Compliance 140
  Compliance Foundations 140
  Identity and Access Management 140
  Change Management 142
  Conclusion 145

Chapter 7 Driving Transformation in Enterprise Environments 147
  Introduction 147
  The Challenge of Cultural Transformation 149
  Resistance to Change 149
  Transforming while Delivering 150
  Transformational Leadership 151
  The Keys to a Successful Transformation 152
  Begin with the End in Mind 153
  Start Small and Find Early Wins 153
  Focus on the Cultural Transformation 154
  Measure Progress 155
  Leverage Outside Help (As Appropriate) 156
  Build a Communications Campaign 157
  Audience 157
  Communication Channels 158
  Transformation Challenges 159
  Cultural Inertia 159
  Lack of Leadership Support 161
  Lack of Contributor Buy-In 162
  Lack of Sustained Support 164
  Doing Too Much at Once 164
  Failure to Communicate Value 165
  Conclusion 166

Chapter 8 Measuring DevSecOps 169
  Introduction 169
  Any Metric Can Be Manipulated 170
  Start Small and Iterate 171
  Keys to a Successful Metrics Program 173
  Operational Metrics 174
  Number of Incidents 174
  Vulnerabilities by Service Level Objective 176
  Mean Time to x 177
  Reliability 178
  Board-Level Metrics 178
  Measuring Risk 179
  Risk Work 180
  Spend 181
  Detected Intrusion Attempts 182
  Attack Surface 183
  Performance vs. Peers 183
  Measuring Transformation 184
  Transformational Results 184
  Transformational Competencies 185
  Capability Models 187
  Conclusion 193

Chapter 9 Conclusion 195
  Introduction 195
  People, Process, and Technology 195
  Collaboration Is at the Core 197
  Making Security Part of How You Work 198
  Where to Start 199
  Begin with the End in Mind 199
  Start Small and Find Early Wins 201
  The Future of DevSecOps 202
  Artificial Intelligence 203
  Experience Management 204
  Product Thinking 204
  Conclusion 205

Acknowledgments 207
About the Author 209
Index 211
Foreword

The friction between traditional security and the rest of the IT organization started increasing as developers needed to deploy more quickly, push out more stable builds, and produce more secure products. Teams created new practices to solve the bottlenecks, and the impossible came into reach. Much like doing multiple deploys a day was once considered insane on the maturity scale, embedding security in the whole organization is now within reach. Security is a first-world citizen in this new alliance between dev and ops.

So how do you get started with DevSecOps? I like people who come to me with solutions instead of complaining about problems. This is how I recruit people with the right attitude. To propose solutions, you need to know what’s out there, learn about them, and put them in your toolbox to apply them wisely. Dealing with security is no exception. If you are embarking on this journey, The DevSecOps Playbook will provide you with what you need: insights, tools, process, and people practices. One could say collaboration is all you need, and the rest will come from there.

This emphasis on collaboration prompts the question, how is DevSecOps different from DevOps? In mindset there is no difference; they both start from the same principles, similar to how DevOps started from Agile principles. And introducing DevSecOps is no different from driving any other change in a company. What is important is that by giving DevSecOps its own label, we were able to tag all the related stories and good practices that people were exploring under one umbrella term. The stories and information shared in this book give you the context of how the concept was born. Then you’ll learn about the tools and techniques that will help you.

What gives The DevSecOps Playbook a unique perspective is that the author has gone through an actual long-running transformation, not just some theoretical exercise. It translates the DevOps principles to security practices. Therefore, instead of focusing on a few aspects, it covers the right broad spectrum of topics. But don’t let this vast coverage scare you! It only means that there is a lot to learn. And learn you shall now that you have this book in your hands.

— Patrick Debois
Founder of DevOpsDays and a creator of the DevOps movement
Introduction

Welcome to The DevSecOps Playbook: Deliver Continuous Security at Speed. This book is the definitive guide to DevSecOps transformation. With DevSecOps, you can deliver secure products and services to market quicker, helping you to outpace your competition while ensuring security and privacy. This book explores the people, process, and technology of DevSecOps and provides a guide for driving the transformation.

Who Should Read This Book?

This book is intended for anyone interested in truly understanding DevSecOps and how to apply it to keep businesses more secure. More specifically, this book is for security leaders who want to learn about how to drive DevSecOps transformation to build and deliver secure products and services without impeding the flow of delivery. This book is also for security engineers who want a better understanding of DevOps and the changing security landscape, as well as privacy practitioners, auditors, and governance, risk, and compliance specialists who want to understand how a fundamentally different approach to security with DevSecOps can impact the way they do business.

This book is focused on DevSecOps in midsize and large enterprise environments. While the principles of DevSecOps apply to companies of any size, the challenges of coordination and collaboration become more acute with the size and age of a company. Details around driving transformation and organizational structures may be more applicable to companies that have established ways of working than to startups taking a greenfield approach.

A basic understanding of information technology and cybersecurity concepts and terminology may be helpful but is not required.

Who This Book Is Not For

This book is not an engineering guide. This book does not tell you how to configure DevSecOps tools (although it covers many tools), and it does not go into detail about secure coding practices.

How This Book Is Organized

DevSecOps is about more than technology; in fact, it is more about people and collaboration than anything else. Gene Kim, author of The Phoenix Project and one of the foremost thought leaders in DevOps, originally described DevOps as a cultural movement. Because of its cultural nature, DevSecOps impacts all elements of how you do cybersecurity. This book uses the classic triad of people, process, and technology to look in depth at all components of DevSecOps.

Chapter 1, “Introducing DevSecOps,” starts by providing an overview of DevOps and what DevSecOps is. Chapter 2, “The Evolution of Cybersecurity (from Perimeter to Zero Trust),” provides a foundation for the rest of the book by looking at the evolution of technology and the resulting impact on the approach to cybersecurity. With this background, Chapter 3, “DevSecOps People,” Chapter 4, “DevSecOps Process,” and Chapter 5, “DevSecOps Technology,” look at people, process, and technology and how DevSecOps impacts each of these categories.

The remaining chapters dig into key DevSecOps topics in depth. Chapter 6, “DevSecOps Governance,” takes a detailed look at how the concepts of DevSecOps provide a fresh approach to governance and compliance with the opportunity to save millions of dollars and reduce engineering overhead. Chapter 7, “Driving Transformation in Enterprise Environments,” provides insight into how to drive the DevSecOps transformation in your business, laying out some of the key elements for successful transformation and some of the pitfalls to avoid. Chapter 8, “Measuring DevSecOps,” looks at some of the key metrics for measuring your DevSecOps progress and the impact it is having on the business. Chapter 9, “Conclusion,” brings these concepts together by providing some insight into what is coming and the next steps you can take to drive your DevSecOps transformation.

Conventions Used in This Book

Throughout this book you will find a few conventions to note key terms, technical notation, and auxiliary information. The following conventions will help as you make your way through this book:

Lines of programming code are noted using a Courier, fixed-width font. Code that is included within the text looks like these code words within the sentences and paragraphs.

You will also see key terms in italics. These are important terms that are given emphasis the first time they appear to indicate their importance.

Key concepts: Important ideas from the chapter are called out from their context in this manner to make them easily identifiable and to reiterate critical information.

Notes: These explain background information or clarify a point. They are also used to direct you to information you can find elsewhere to clarify certain topics.

Tips: These are used throughout the book to provide practical information or advice related to topics covered in the book. They can be helpful in the implementation of the principles covered.

Real-World Examples: Throughout the text, you will find additional information and examples to highlight the points being made through the use of specific, real-world examples.