Book Review: Securing DevOps

I purchased this book in an effort to really get under the skin of connecting a set of Dev(Sec)Ops tools together into a production cloud-based capability, and it didn't disappoint.

The book's author leads Firefox's Operational Security team. This makes the book's content quite interesting, given you would expect a Security Operations leader to be concerned with patching, logging and monitoring. Those things are most certainly within the book, but are within the context of a developed application.

That application is developed with a modern, cloud-native architecture with all the typical ingredients: Docker, AWS, serverless, etc. In essence, this hits the sweet spot of helping developers understand what good security looks like, and helps security folks to be more helpful than just saying things like "we need DevSecOps", which can happen when there is little knowledge beyond the headline.

The examples given in the book are necessarily straightforward (which is different to simple).  This allows the architecture of the application to be demonstrated, using the power of the chosen demonstration cloud platform (AWS). 

You may guess that I rather liked the book, and you would be right. One area that I thought could probably be added (and I'll apologise now if I have missed this) is the hardening of Docker containers. It's pretty fundamental and needs to be checked. There is, though, an excellent piece around signing Docker containers for trust.

Chapter 7 is an excellent chapter, focused on logging and monitoring. I have often found myself in situations where application developers have not instrumented their applications for logging. By this I mean logs that can be used later to determine how a user of the system behaved (rather than developer logs such as stack traces). Within the chapter are nice examples of using brokers and other methods as part of a logging pipeline.
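To make the distinction between developer logs and behavioural logs concrete, here is an added example (it is not code from the book, nor the reviewer's): a small application-side audit logger that emits one JSON object per user action, a parser that pulls those events back out of a log stream (skipping stray stack-trace lines), and one detection run over them. The function names, the event field names, the sample events and the "5 failures in 5 minutes" threshold are all assumptions made for this illustration; a shipper or broker would forward the JSON lines to wherever the pipeline lands.

```python
"""
Added example (not from the book or the review): application-level audit
logging of user behaviour as structured JSON, plus one detection run over
those events. Function names, field names, sample events and the threshold
are assumptions made for this illustration.
"""
import io
import json
import logging
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fields every audit event carries. Reconstructing "what did this user do?"
# later needs the actor, the action, the outcome, the source and the time;
# a stack trace carries none of that.
AUDIT_FIELDS = ("ts", "event", "user", "outcome", "src_ip", "target", "request_id")


class AuditLogger:
    """Writes one JSON object per line; a log shipper/broker can forward these."""

    def __init__(self, name="audit", stream=None):
        self._log = logging.getLogger(name)
        self._log.setLevel(logging.INFO)
        self._log.propagate = False
        handler = logging.StreamHandler(stream)  # stream=None means stderr
        handler.setFormatter(logging.Formatter("%(message)s"))
        self._log.handlers = [handler]

    def record(self, event, user, outcome, src_ip, target=None, request_id=None, ts=None):
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "ts": ts.isoformat(),
            "event": event,          # e.g. "login", "record.read", "record.delete"
            "user": user,
            "outcome": outcome,      # "success" or "failure"
            "src_ip": src_ip,
            "target": target,        # the object acted on, if any
            "request_id": request_id,  # lets several events be tied to one request
        }
        self._log.info(json.dumps(entry, sort_keys=True))
        return entry


def parse_audit_lines(lines):
    """Parse JSON-lines audit output back into dicts, ignoring anything that is
    not a complete audit event (e.g. a traceback sharing the same stream)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in obj for k in AUDIT_FIELDS):
            obj["ts"] = datetime.fromisoformat(obj["ts"])
            events.append(obj)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, src_ip): count} for sources that produced at least
    `threshold` failed logins inside any sliding interval of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            by_key[(e["user"], e["src_ip"])].append(e["ts"])
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits


def demo():
    """Constructed sample: one source hammering a login, one normal user."""
    buf = io.StringIO()
    audit = AuditLogger(stream=buf)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for i in range(6):  # six failures 20 s apart, all inside a 5 min window
        audit.record("login", "alice", "failure", "203.0.113.9",
                     request_id=f"r{i}", ts=t0 + timedelta(seconds=20 * i))
    audit.record("login", "bob", "success", "198.51.100.4", request_id="r7", ts=t0)
    audit.record("record.read", "bob", "success", "198.51.100.4",
                 target="invoice/42", request_id="r7", ts=t0 + timedelta(seconds=1))
    # A developer-style line mixed into the same stream must be ignored.
    lines = buf.getvalue().splitlines() + ["Traceback (most recent call last):"]
    events = parse_audit_lines(lines)
    return events, failed_login_bursts(events)


if __name__ == "__main__":
    events, hits = demo()
    print(f"{len(events)} audit events parsed; failed-login bursts: {hits}")
```

The `request_id` field is what lets an analyst tie a login to the record reads that followed it; the parser's filter on `AUDIT_FIELDS` is what keeps a stray traceback from polluting a detection that expects behavioural events.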

Other nice touches are an excellent focus on the handling of certificates, and a fictitious but nicely described breach scenario, which will help readers understand how the whole secure architecture delivered by DevSecOps really makes a tangible difference.

Finally, this was the first book I purchased from Manning (both as a publisher and a retailer), and being able to have electronic formats of the book as well as paper is excellent for searching and quick reference while working, too (no one can remember everything!).

Highly recommended.
