Securing DevOps - Tools of the Trade

Ranch Hand
Posts: 75
Mac Java
I'm kind of curious to know how much the book delves into tools of the trade?

We personally here use:
Jenkins for Orchestration
Chef for Infrastructure as Code
Junit (and various test frameworks depending on language)
Mock services
SonarQube
Nexus
GitHub
Fortify
AWS
CloudChekr

and I'm looking at Scout2 now

Also, I'm curious to know your "definition" or "elevator pitch" for what is DevOps and what is DevSecOps?

Here is mine:

Actually, I think I will make that a new topic as I'm curious to know what the general audience has as an answer to that.
 
author
Posts: 20
5
Securing DevOps is a technical book, so we talk about tools and techniques a lot! Part 1 is a complete implementation of a CI/CD pipeline and all the security components that we can fit into it. It's 100% hands on. Part 2 is also very technical but more focused on presenting tools and techniques and less on helping the reader implement them (you'll have to do homework). Part 3 is a little less focused on tools, but we still present half a dozen of them in the chapter on security testing (ZAP, Scout2, bandit, gas, etc.).

So, yeah, we talk about tools a lot
 
David Sachdev
Ranch Hand
Posts: 75
Mac Java
Julien Vehent wrote: Securing DevOps is a technical book, so we talk about tools and techniques a lot! Part 1 is a complete implementation of a CI/CD pipeline and all the security components that we can fit into it. It's 100% hands on. Part 2 is also very technical but more focused on presenting tools and techniques and less on helping the reader implement them (you'll have to do homework). Part 3 is a little less focused on tools, but we still present half a dozen of them in the chapter on security testing (ZAP, Scout2, bandit, gas, etc.).

So, yeah, we talk about tools a lot
Interesting - I guess I've got a list of tools to look at and evaluate! Thanks!
 
Ranch Hand
Posts: 106
1
DevOps has grown so much in popularity because the tools ecosystem evolved with the concept of DevOps. Having said that, what is your advice for selecting a set of tools for my requirement?

Example:

I have a set of automated test scripts which I want to run as part of my regression testing before every release. What would be the ideal tool to select, and where would I integrate these scripts in the DevOps pipeline?
 
Julien Vehent
author
Posts: 20
5
One of the most important concepts of DevOps is the idea of a pipeline: a series of steps that your application follows to go from being released by a developer to being deployed to test environments, verified, approved and finally deployed to production. The more efficient and reliable your pipeline is, the faster it becomes to release new versions of the application at a fast pace while maintaining the assurance you're not breaking users or downgrading security.

There are several good tools for managing a pipeline. Jenkins is probably the most popular one, but there are others. What I would recommend is running your regression tests and security tests in your pipeline, after your application is deployed to a QA/staging/test environment, and before it is deployed to production.

For example, consider the pipeline below. It deploys a service called "TLS Observatory". The application is first deployed to a staging AWS account automatically, then a set of web security tests called "ZAP Baseline" are executed to verify that the staging environment still complies with the security policy. If all goes well, the tests come back green and the application is deployed to production.
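The staging-then-test-then-production gate described above, as an added example that is not part of the original post, the book, or the TLS Observatory project: the deploy steps are placeholders, the scanner command is supplied by the caller, and the mapping of zap-baseline.py exit codes (0 pass, 1 FAIL alerts, 2 WARN only, 3 error) is an assumption to check against your ZAP version.

```shell
#!/usr/bin/env bash
# Added example (not the book's or the TLS Observatory project's code):
# a minimal pipeline gate in the shape described above. The deploy steps
# are placeholders; the scanner command is passed in by the caller.
# Assumption: zap-baseline.py exit codes are 0 = pass, 1 = FAIL alerts,
# 2 = WARN alerts only, 3 = scanner error.
set -eu

STAGING_URL="${STAGING_URL:-https://staging.example.invalid}"  # constructed placeholder

deploy_staging() {
  # Placeholder for the real deploy (e.g. pushing to the staging AWS account).
  echo "deploying to staging at $STAGING_URL"
}

deploy_production() {
  # Placeholder for the production deploy; only reached if the gate passes.
  echo "deploying to production"
}

# security_gate runs the scanner command given as arguments and maps its
# exit code to a go/no-go decision: returns 0 to proceed, 1 to block.
security_gate() {
  rc=0
  "$@" || rc=$?
  case "$rc" in
    0) echo "ZAP baseline: PASS"; return 0 ;;
    2) echo "ZAP baseline: WARN only, proceeding"; return 0 ;;
    1) echo "ZAP baseline: FAIL alerts, blocking production deploy"; return 1 ;;
    *) echo "ZAP baseline: scanner error (exit $rc), blocking"; return 1 ;;
  esac
}

# run_pipeline: staging deploy -> security test -> production deploy.
# Returns 1 (and skips production) when the security gate blocks.
run_pipeline() {
  deploy_staging
  if security_gate "$@"; then
    deploy_production
  else
    echo "pipeline stopped before production"
    return 1
  fi
}

# Invoke with the scanner command, e.g. using the OWASP ZAP docker image:
#   ./gate.sh docker run --rm -t owasp/zap2docker-stable zap-baseline.py -t "$STAGING_URL"
if [ "$#" -gt 0 ]; then
  run_pipeline "$@"
fi
```

Treating WARN as a pass is a policy choice; tighten the `2)` branch to `return 1` if your security policy requires a clean baseline before production.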
