Categories
Bibliography Cloud DevOps DevSecOps-Security-Privacy Software Engineering

Securing DevOps: Security in the Cloud – ISBN-13: 978-1617294136

See: Securing DevOps: Security in the Cloud, Publisher: Manning Publications; 1st edition (August 24, 2018)

Fair Use Source:

Summary

Securing DevOps explores how the techniques of DevOps and security should be applied together to make cloud services safer. This introductory book reviews the latest practices used in securing web applications and their infrastructure and teaches you techniques to integrate security directly into your product. You’ll also learn the core concepts of DevOps, such as continuous integration, continuous delivery, and infrastructure as a service.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the Technology

An application running in the cloud can benefit from incredible efficiencies, but it also faces unique security threats. A DevOps team’s highest priority is understanding those risks and hardening the system against them.

About the Book

Securing DevOps teaches you the essential techniques to secure your cloud services. Using compelling case studies, it shows you how to build security into automated testing, continuous delivery, and other core DevOps processes. This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale. You’ll also learn to identify, assess, and secure the unique vulnerabilities posed by cloud deployments and automation tools commonly used in modern infrastructures.

What’s inside

  • An approach to continuous security
  • Implementing test-driven security in DevOps
  • Security techniques for cloud services
  • Watching for fraud and responding to incidents
  • Security testing and risk assessment

About the Reader

Readers should be comfortable with Linux and standard DevOps practices like CI, CD, and unit testing.

About the Author

Julien Vehent is a security architect and DevOps advocate. He leads the Firefox Operations Security team at Mozilla, and is responsible for the security of Firefox’s high-traffic cloud services and public websites.

Table of Contents

  1. Securing DevOps
  2. Building a barebones DevOps pipeline
  3. Security layer 1: protecting web applications
  4. Security layer 2: protecting cloud infrastructures
  5. Security layer 3: securing communications
  6. Security layer 4: securing the delivery pipeline
  7. Collecting and storing logs
  8. Analyzing logs for fraud and attacks
  9. Detecting intrusions
  10. The Caribbean breach: a case study in incident response
  11. Assessing risks
  12. Testing security
  13. Continuous security

Categories
Bibliography DevOps DevSecOps-Security-Privacy Software Engineering SRE - Reliability engineering - Chaos engineer

B08CTGR1XC ISBN-13: 978-1718501126

See: Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters

Fair Use Source:

Categories
Bibliography DevOps DevSecOps-Security-Privacy JavaScript Software Engineering

B07V78WH7V

See: Web Security for Developers: Real Threats, Practical Defense Illustrated Edition

Fair Use Source:

Categories
Azure Bibliography DevOps

B08GLHMT32

See: Microsoft Exam Ref MS-500 Microsoft 365 Security Administration with Practice Test Kindle Edition

Fair Use Source:

Categories
Bibliography DevOps DevSecOps-Security-Privacy Windows Desktop

Microsoft Exam Ref MS-500 Microsoft 365 Security Administration

See: B08GLHMT32

See also: Microsoft Certification Exams

Direct from Microsoft, this Exam Ref is the official study guide for the new Microsoft MS-500 Microsoft 365 Security Administration certification exam.

Exam Ref MS-500 Microsoft 365 Security Administration offers professional-level preparation that helps candidates maximize their exam performance and sharpen their skills on the job. It focuses on the specific areas of expertise modern IT professionals need to implement and administer security in any Microsoft 365 environment. Coverage includes:

  • Implementing and managing identity and access
  • Implementing and managing threat protection
  • Implementing and managing information protection
  • Managing governance and compliance features in Microsoft 365

Microsoft Exam Ref publications stand apart from third-party study guides because they:

  • Provide guidance from Microsoft, the creator of Microsoft certification exams
  • Target IT professional-level exam candidates with content focused on their needs, not “one-size-fits-all” content
  • Streamline study by organizing material according to the exam’s objective domain (OD), covering one functional group and its objectives in each chapter
  • Feature Thought Experiments to guide candidates through a set of “what if?” scenarios, and prepare them more effectively for Pro-level style exam questions
  • Explore big picture thinking around the planning and design aspects of the IT pro’s job role

For more information on Exam MS-500 and the Microsoft 365 Certified: Security Administrator Associate, visit microsoft.com/learning.

Fair Use Source:

Categories
Bibliography DevSecOps-Security-Privacy Windows Server

B01MZA0OJU

See: Microsoft Exam Ref 70-744 Securing Windows Server 2016 1st Edition, Kindle Edition

Fair Use Source:

Categories
Bibliography DevSecOps-Security-Privacy Windows Server

Microsoft Exam Ref 70-744 Securing Windows Server 2016

See: B01MZA0OJU

See also: Microsoft Certification Exams

The Exam Ref is the official study guide for Microsoft certification exams. Featuring concise coverage of the skills measured by the exam, challenging Thought Experiments, and pointers to more in-depth material for the candidate needing additional study, exam candidates get professional-level preparation for the exam. The Exam Ref helps candidates determine their readiness for the exam, and provides Exam Tips to help maximize their performance on the exam. The organization of the material mirrors the skills measured by the exam as presented on the certification exam webpage.

Fair Use Source:

Categories
Azure Bibliography DevOps DevSecOps-Security-Privacy

B08F5JHZJG

See: Exam Ref AZ-500 Microsoft Azure Security Technologies

Fair Use Source:

Categories
Azure Bibliography DevOps DevSecOps-Security-Privacy

Microsoft Exam Ref AZ-500 Microsoft Azure Security Technologies

Prepare for Microsoft Exam AZ-500: Demonstrate your real-world knowledge of Microsoft Azure security, including tools and techniques for protecting identity, access, platforms, data, and applications, and for effectively managing security operations. Designed for professionals with Azure security experience, this Exam Ref focuses on the critical thinking and decision-making acumen needed for success at the Microsoft Certified: Azure Security Engineer Associate level.  

Focus on the expertise measured by these objectives:

  • Manage identity and access
  • Implement platform protection
  • Manage security operations
  • Secure data and applications

This Microsoft Exam Ref:

  • Organizes its coverage by exam objectives
  • Features strategic, what-if scenarios to challenge you
  • Assumes you have expertise implementing security controls and threat protection, managing identity and access, and protecting assets in cloud and hybrid environments

About the Exam

Exam AZ-500 focuses on the knowledge needed to manage Azure Active Directory identities; configure secure access with Azure AD; manage application access and access control; implement advanced network security; configure advanced security for compute; monitor security with Azure Monitor, Azure Firewall Manager, Azure Security Center, Azure Defender, and Azure Sentinel; configure security policies; configure security for storage and databases; and configure and manage Key Vault.

About Microsoft Certification 

Passing this exam fulfills your requirements for the Microsoft Certified: Azure Security Engineer Associate credential, demonstrating your expertise as an Azure Security Engineer capable of maintaining security posture, identifying and remediating vulnerabilities, implementing threat protection, and responding to incident escalations as part of a cloud-based management and security team.

See: B08F5JHZJG

See also: Microsoft Certification Exams

Fair Use Source:

Categories
Cloud DevOps Linux Operating Systems

Tails Linux Operating System

The Amnesic Incognito Live System


Tails, or The Amnesic Incognito Live System, is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity.[4] All of its network traffic is forced through Tor,[5] and any connection that would bypass Tor is blocked. The system is designed to be booted as a live DVD or live USB, and it leaves no digital footprint on the machine unless explicitly told to do so. The Tor Project provided financial support for its development in the beginnings of the project.[6] Tails can boot on machines with UEFI Secure Boot enabled.
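The forced-Tor policy described above, as an added illustration written for this page (it is not Tails' own firewall configuration): a fail-closed iptables ruleset for a single Linux host that transparently redirects TCP and DNS into the local Tor daemon and refuses everything that would bypass it. The Tor service account name (debian-tor), the TransPort (9040) and DNSPort (5353) are assumptions that must match the host's torrc. The script prints the rules by default and applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added illustration of an "everything through Tor, fail closed" host firewall.
# Not Tails' own configuration. Assumed values (adjust to the local torrc):
#   - the tor daemon runs as $TOR_USER (Debian's default service account)
#   - torrc contains:  TransPort 127.0.0.1:9040   DNSPort 127.0.0.1:5353
TOR_USER="${TOR_USER:-debian-tor}"   # assumption: tor's unprivileged user
TRANS_PORT="${TRANS_PORT:-9040}"     # assumption: torrc TransPort
DNS_PORT="${DNS_PORT:-5353}"         # assumption: torrc DNSPort

# Emit the ruleset as shell commands. Printing rather than executing keeps
# this a dry run anywhere; the caller decides whether to feed it to sh.
tor_ruleset() {
    cat <<EOF
# --- fail closed: default-deny in both address families ---
iptables -F; iptables -t nat -F
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
# No IPv6 rules are written below, so IPv6 cannot leak around Tor at all.
ip6tables -F
ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP

# --- nat/OUTPUT: transparently steer new connections into Tor ---
# Tor's own relay connections must not be redirected back into Tor.
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN
# Loopback traffic (local services, Tor's own listening ports) is left alone.
iptables -t nat -A OUTPUT -o lo -j RETURN
# DNS goes to Tor's DNSPort so names are resolved over Tor, never in the clear.
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
# Every other new TCP connection is handed to the TransPort.
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

# --- filter/OUTPUT: only loopback (redirected flows) and Tor may send ---
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
# Anything left (non-DNS UDP, ICMP, anything not redirected) is non-anonymous.
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

# --- filter/INPUT: replies only; no inbound connections are accepted ---
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    tor_ruleset | sh -e          # load the policy (requires root)
else
    tor_ruleset                  # dry run: show the policy that would be loaded
fi
```

After loading the rules, a request through Tor's SOCKS port (assuming the default SocksPort 9050) such as `curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip` should report IsTor true, while any non-DNS UDP probe (NTP, for example) is rejected immediately; that refusal is the intended fail-closed behaviour, and it is also why a host locked down this way loses IPv6 and ICMP until Tor is taught to carry them.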

History:

Tails was first released on 23 June 2009. It is the successor to Incognito, a discontinued Gentoo-based Linux distribution.[7] Beyond the Tor Project's early support,[6] Tails has also received funding from the Open Technology Fund, Mozilla, and the Freedom of the Press Foundation.[8]

Laura Poitras, Glenn Greenwald, and Barton Gellman have each said that Tails was an important tool they used in their work with National Security Agency whistleblower Edward Snowden.[9][10][11]

From release 3.0, Tails requires a 64-bit processor to run.[12]

Bundled software:

Networking

Note: Because Tails ships uBlock Origin, which the standard Tor Browser Bundle does not, a website can try to distinguish Tails users from the much larger population of ordinary Tor Browser users by checking whether its advertisements are being blocked.[14] Disabling uBlock Origin removes this distinguishing signal.

(WP)

Sources:

Fair Use Sources:

Categories
Cloud DevOps Linux Operating Systems

Kali Linux Operating System

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.[3] It is maintained and funded by Offensive Security.[4]

Kali Linux ships with around 600[5] pre-installed penetration-testing tools, including Armitage (a graphical cyber-attack management tool), Nmap (a port scanner), Wireshark (a packet analyzer), Metasploit (a penetration-testing framework), John the Ripper (a password cracker), sqlmap (an automatic SQL injection and database takeover tool), Aircrack-ng (a software suite for penetration-testing wireless LANs), and the Burp Suite and OWASP ZAP web application security scanners.[6][7]

It was developed by Mati Aharoni and Devon Kearns of Offensive Security through a rewrite of BackTrack, their previous information security testing Linux distribution, which was based on Knoppix. Originally it was designed with a focus on kernel auditing, from which it got its name, Kernel Auditing Linux; the name is sometimes incorrectly assumed to come from Kali, the Hindu goddess.[8][9] The third core developer, Raphaël Hertzog, joined them as a Debian expert.[10][11]

Kali Linux is based on the Debian Testing branch. Most packages Kali uses are imported from the Debian repositories.[12]

Kali Linux’s popularity grew when it was featured in multiple episodes of the TV series Mr. Robot. Tools highlighted in the show and shipped with Kali Linux include Bluesniff, Bluetooth Scanner (btscanner), John the Ripper, the Metasploit Framework, Nmap, and Wget; the show also featured the Shellshock Bash vulnerability.[13][14][15]

(WP)

Sources:

Fair Use Sources:

Categories
DevSecOps-Security-Privacy Software Engineering

Application Security Engineer

Application security engineer: “Sometimes called a ‘product security engineer’ — a software engineer whose role is to evaluate and improve the security of an organization’s codebase and application architecture.” (B085FW7J86)

Fair Use Sources:

B085FW7J86

Categories
DevSecOps-Security-Privacy Software Engineering

Bug Bounty Hunter – Freelance Penetration Tester

Bug bounty hunter: “A freelance penetration tester. Often, large companies will create ‘responsible disclosure programs’ that award cash prizes for reporting security holes. Some bug bounty hunters work full time, but often these are full-time professionals who participate outside of work for extra money.” (B085FW7J86)

Fair Use Sources:

B085FW7J86

Categories
DevSecOps-Security-Privacy Software Engineering

CISA – Certified Information Systems Auditor Certification

See also Cybersecurity Certifications

Globally recognized, ISACA’s Certified Information Systems Auditor (CISA) is the gold standard for IT professionals seeking to practice in information security, audit control and assurance. Ideal candidates are able to identify and assess organizational threats and vulnerabilities, assess compliance, and provide guidance and organizational security controls. CISA-certified professionals are able to demonstrate knowledge and skill across the CISA job practice areas of auditing, governance and management, acquisition, development and implementation, maintenance and service management, and asset protection.

To earn the CISA, candidates must pass one exam, submit an application, agree to the code of professional ethics, agree to the continuing professional education requirements, and agree to ISACA’s information systems auditing standards. In addition, candidates must possess five years of professional information systems auditing, control or security experience; waivers of up to three years are available for education and related experience (for example, one year of general information systems experience or one year of non-IS auditing experience each substitutes for one year).

To maintain the CISA, candidates earn 120 continuing professional education (CPE) credits over a three year period, with a minimum of 20 CPEs earned annually. Candidates must also pay an annual maintenance fee ($45 for members; $85 for nonmembers).

CISA facts and figures

Certification name: Certified Information Systems Auditor (CISA)
Prerequisites and required courses:
  • Five years of professional information systems auditing, control or security experience (waivers of up to three years for education and related experience; one year of information systems experience or one year of non-IS auditing experience each substitutes for one year)
  • Submit an application
  • Agree to the code of professional ethics
  • Agree to the CPE requirements
  • Agree to the information systems auditing standards
Number of exams: One exam (150 questions)
Cost of exam: $575 members / $760 nonmembers
URL: http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx
Self-study materials: ISACA offers a variety of training options, including virtual instructor-led courses, online on-demand training, review manuals, question databases, and more. Numerous books and self-study materials are also available on Amazon.

Certified Information Systems Auditor training

Training opportunities for the CISA certification are plentiful. Udemy offers more than 90 CISA-related courses, lectures, practice exams, question sets and more. On Pluralsight, you’ll find five courses with 22 hours of information systems auditor training that cover all CISA job practice domains.

Fair Use Sources:

Categories
DevSecOps-Security-Privacy Software Engineering

CISSP – Certified Information Systems Security Professional Certification

See also Cybersecurity Certifications

The Certified Information Systems Security Professional (CISSP) is an advanced-level certification for IT pros serious about careers in information security. Offered by the International Information Systems Security Certification Consortium, known as (ISC)2 (pronounced “ISC squared”), this vendor-neutral credential is recognized worldwide for its standards of excellence.

CISSP credential holders are decision-makers who possess expert knowledge and technical skills necessary to develop, guide and manage security standards, policies and procedures within their organizations. The CISSP continues to be highly sought after by IT professionals and is well recognized by IT organizations. It is a regular fixture on most-wanted and must-have security certification surveys.

The CISSP is designed for experienced security professionals. A minimum of five years of experience in at least two of (ISC)2’s eight common body of knowledge (CBK) domains, or four years of experience in at least two of (ISC)2’s CBK domains and a college degree or an approved credential, is required for this certification. The CBK domains are security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.

(ISC)2 also offers three CISSP concentrations targeting specific areas of interest in IT security:

  • Architecture (CISSP-ISSAP)
  • Engineering (CISSP-ISSEP)
  • Management (CISSP-ISSMP)

CISSP concentration exams are $599 each, and credential seekers must currently possess a valid CISSP.

An annual fee of $85 is required to maintain the CISSP credential. Recertification is required every three years. To recertify, candidates must earn 40 continuing professional education (CPE) credits each year for a total of 120 CPEs within the three-year cycle.

CISSP facts and figures

Certification name: Certified Information Systems Security Professional (CISSP)
Optional CISSP concentrations:
  • CISSP Architecture (CISSP-ISSAP)
  • CISSP Engineering (CISSP-ISSEP)
  • CISSP Management (CISSP-ISSMP)
Prerequisites and required courses:
  • At least five years of paid, full-time experience in at least two of the eight (ISC)2 domains, or four years of paid, full-time experience in at least two of the eight (ISC)2 domains plus a college degree or an approved credential
  • Agree to the (ISC)2 Code of Ethics
  • Submit the CISSP application
  • Complete the endorsement process
Number of exams: One for CISSP (English CAT exam: 100-150 questions, three hours to complete; non-English exam: 250 questions, six hours); one for each concentration area
Cost of exam: CISSP is $699; each CISSP concentration is $599
URL: https://www.isc2.org/Certifications/CISSP
Self-study materials: A variety of training materials is available, including instructor-led, live online, on-demand and private training. An exam outline is available for candidate review, as well as study guides, a study app, interactive flashcards and practice tests.

Certified Information Systems Security Professional (CISSP) training

Given the popularity of the CISSP certification, there is no shortage of available training options. These include classroom-based training offered by (ISC)2, as well as online video courses, practice exams and books from third-party companies.

Pluralsight’s CISSP learning path includes 18 courses and 33 hours of e-learning that cover the security concepts required for the certification exam. Current courses include business continuity management, information classification, investigations and incident management, security controls and frameworks, communications and network security, cryptography application, risk and asset management, security architecture, security engineering, security management, personnel security, physical (or environmental) security, and more. The CISSP courses are part of Pluralsight’s subscription plan, available for a monthly fee, which gives IT professionals access to the complete library of video training courses.

When you’re ready to test your security knowledge, you can take a simulated exam that mimics the format and content of the real CISSP exam. Udemy offers CISSP practice exams to help you prepare for this challenging exam.

Fair Use Sources: