
Cloud Native Software Security Handbook: Unleash the power of cloud native tools for robust security in modern applications

Author: Mihir Shah
Publisher: Packt Publishing
Year: 2023
Language: English
Pages: 373


✦ Synopsis

Master widely used cloud-native platforms like Kubernetes, Calico, Kibana, Grafana, Anchor, and more to ensure secure infrastructure and software development

Key Features

  • Learn how to select cloud-native platforms and integrate security solutions into the overall system
  • Leverage cutting-edge tools and platforms and use them securely, at global scale, in production
  • Discover the laws and regulations you should be aware of to avoid federal prosecution

Book Description

For a cloud security engineer, it is crucial to think beyond the few managed services provided by the cloud vendor and make full use of the plethora of cloud-native tools available to developers and security professionals, which make it possible to deliver security solutions at scale. In this book, we cover technologies for securing the infrastructure, containers, and runtime environments using vendor-agnostic cloud-native tools under the CNCF.

The book begins by introducing the what and why of the cloud-native environment, along with a primer on the platforms explored throughout the book. We then progress as one would through the development of an application: we explore system design choices and their security trade-offs, then the secure coding techniques every developer should be mindful of. Moving into more advanced topics, we look at the security architecture of the system and threat modelling practices, and we conclude by explaining the laws and guidelines regulating security practices in the cloud-native space, along with real-world repercussions companies have faced in the past because of immature security practices.

By the end of the book, you'll be better positioned to create secure code and system designs.

What you will learn

  • Learn the security concerns and challenges of cloud-based app development
  • Explore various tools for securing configuration, networks, and runtime
  • Implement threat modeling for risk mitigation strategies
  • Implement various security solutions for the CI/CD pipeline
  • Discover best practices for logging, monitoring, and alerting
  • Understand the impact of regulatory compliance on cloud security products

Who This Book Is For

This book is for developers, security professionals, and DevOps teams involved in designing, developing, and deploying cloud-native applications. It is intended for readers with a technical background who want a deeper understanding of cloud-native security and the latest tools and technologies for securing cloud-native infrastructure and runtime environments. Prior experience with cloud vendors and their managed services will help you make the most of the tools and platforms covered in this book.

Table of Contents
  1. Foundations of Cloud Native
  2. Cloud Native Systems Security Management
  3. Cloud Native Application Security
  4. Building an AppSec Culture
  5. Threat Modeling for Cloud Native
  6. Securing the Infrastructure
  7. Cloud Security Operations
  8. DevSecOps Practices for Cloud Native
  9. Legal and Compliance
  10. Cloud Native Vendor Management and Security Certifications

✦ Detailed Table of Contents

Cover
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Part 1: Understanding Cloud Native Technology and Security
Chapter 1: Foundations of Cloud Native
Understanding the cloud-native world
Why consider using cloud-native architecture?
Cloud models
Approach to thinking cloud-native
Components of a cloud-native system
Orchestration
Monitoring
Logging and tracing
Container registries
Service meshes
Security
Summary
Quiz
Further readings
Chapter 2: Cloud Native Systems Security Management
Technical requirements
Secure configuration management
Using OPA for secure configuration management
Requiring encryption for all confidential data
Restricting access to sensitive resources
Enforcing resource limits
Secure image management
Why care about image security?
Best practices for secure image management
Clair
Harbor
Creating an HTTPS connection for the repository
Scanning for vulnerabilities in images
Summary
Quiz
Further readings
Chapter 3: Cloud Native Application Security
Technical requirements
Overview of cloud-native application development
Differences between traditional and cloud-native app development
The DevOps model
Cloud-native architecture and DevOps
Introduction to application security
Overview of different security threats and attacks
Integrating security into the development process
OWASP Top 10 for cloud native
Not shift-left
Security and development trade-off
Supplemental security components
OWASP ASVS
Secrets management
How to create secrets in Vault
Summary
Quiz
Further reading
Part 2: Implementing Security in Cloud Native Environments
Chapter 4: Building an AppSec Culture
Technical requirements
Overview of building an AppSec program
Understanding your security needs
Identifying threats and risks in cloud-native environments
Bug bounty
Evaluating compliance requirements and regulations
Building an effective AppSec program for cloud-native
Security tools for software in development
Threat modeling
Providing security training and awareness to all stakeholders
Developing policies and procedures
Incident response and disaster recovery
Cloud security policy
Identity and access management policies
Continuous monitoring and improvement
Summary
Quiz
Further readings
Chapter 5: Threat Modeling for Cloud Native
Technical requirements
Developing an approach to threat modeling
An overview of threat modeling for cloud native
Integrating threat modeling into Agile and DevOps processes
Developing a threat matrix
Cultivating critical thinking and risk assessment
Fostering a critical thinking mindset
Developing risk assessment skills
Threat modeling frameworks
STRIDE
PASTA
LINDDUN
Kubernetes threat matrix
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Impact
Summary
Quiz
Further readings
Chapter 6: Securing the Infrastructure
Technical requirements
Approach to object access control
Kubernetes network policies
Calico
Using Calico with Kubernetes
Principles for authentication and authorization
Authentication
Authorization
Importance of authentication and authorization
Kubernetes authentication and authorization mechanisms
Defense in depth
Infrastructure components in cloud-native environments
Compute components – virtual machines, containers, and serverless computing
Networking components – VPCs, subnets, load balancers, and ingress controllers
Storage services – block storage, object storage, and databases
Falco – real-time monitoring for cloud workloads
Summary
Quiz
Further readings
Chapter 7: Cloud Security Operations
Technical requirements
Novel techniques in sourcing data points
Centralized logging with the EFK stack
Creating alerting and webhooks within different platforms
Creating alerting rules in Prometheus
Configuring webhook notifications for different platforms (e.g., Slack)
Automating incident response with custom scripts and tools
Automated security lapse findings
Security Orchestration, Automation, and Response (SOAR) platforms
SOAR platforms on the market
Integrating security tools and automating workflows
Integrating security tools
Automating workflows
Building and maintaining a security automation playbook
Elements of a security automation playbook
Building a security automation playbook
Maintaining a security automation playbook
Summary
Quiz
Further readings
Chapter 8: DevSecOps Practices for Cloud Native
Technical requirements
Infrastructure as Code
The importance of DevSecOps
DevSecOps in practice
Continuous integration and continuous deployment (CI/CD) in DevSecOps
Infrastructure as Code (IaC) and Policy as Code in DevSecOps
Security tools in DevSecOps
Security implications of IaC
Checkov – a comprehensive overview
Policy as Code
Why Policy as Code?
Implementing Policy as Code with OPA
Policy as Code in the broader DevSecOps strategy
Integrating Policy as Code into the CI/CD pipeline
Policy as Code – a pillar of DevSecOps
Policy as Code and Infrastructure as Code – two sides of the same coin
Container security
Secrets management
Network policies
Security in serverless architectures
Security observability
Compliance auditing
Threat modeling and risk assessment
Incident response
Security training and culture
Continuous learning and improvement – the DevSecOps mindset
The role of automation in DevSecOps
The importance of collaboration in DevSecOps
The power of open source in DevSecOps
Future trends – the evolution of DevSecOps
Summary
Quiz
Further readings
Part 3: Legal, Compliance, and Vendor Management
Chapter 9: Legal and Compliance
Overview
Comprehending privacy in the cloud
The importance of privacy in the cloud-native landscape
The CCPA and its implications for cloud-native
Other significant US privacy laws and their implications for cloud-native
Audit processes, methodologies, and cloud-native adoption
Importance of audit processes and methodologies in cloud-native adoption
Common audit processes and methodologies
Laws, regulations, and standards
The CFAA and its implications for cloud-native software security
The FTCA and its implications for cloud-native software security
Overview of compliance standards and their implications for cloud-native software security
Case studies – incidents related to standards and their implications for security engineers
Summary
Quiz
Further readings
Chapter 10: Cloud Native Vendor Management and Security Certifications
Security policy framework
Understanding cloud vendor risks
Understanding security policy frameworks
Implementing security policy frameworks with cloud vendors
Effective security policy framework in a cloud environment
Best practices for implementing a security policy framework with cloud vendors
Government cloud standards and vendor certifications
Industry cloud standards
The importance of adhering to government and industry cloud standards
Vendor certifications
Enterprise risk management
The significance of ERM in cloud security
Incorporating vendor management into your enterprise risk management program
Risk analysis
Risk analysis – a key step in vendor evaluation
Tools and techniques for evaluating vendor risk
Best practices for vendor selection
Building and managing vendor relationships
Case study
Background
Risk analysis and vendor selection
Establishing strong vendor relationship
Managing the relationship
Successful outcomes
Summary
Quiz
Further readings
Index
Other Books You May Enjoy