Securing DevOps explores how the techniques of DevOps and security should be applied together to make cloud services safer. This introductory book reviews the latest practices used in securing web applications and their infrastructure and teaches you techniques to integrate security directly into your product. You’ll also learn the core concepts of DevOps, such as continuous integration, continuous delivery, and infrastructure as a service.
Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.
About the Technology
An application running in the cloud can benefit from incredible efficiencies, but they come with unique security threats too. A DevOps team’s highest priority is understanding those risks and hardening the system against them.
About the Book
Securing DevOps teaches you the essential techniques to secure your cloud services. Using compelling case studies, it shows you how to build security into automated testing, continuous delivery, and other core DevOps processes. This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale. You’ll also learn to identify, assess, and secure the unique vulnerabilities posed by cloud deployments and automation tools commonly used in modern infrastructures.
An approach to continuous security
Implementing test-driven security in DevOps
Security techniques for cloud services
Watching for fraud and responding to incidents
Security testing and risk assessment
About the Reader
Readers should be comfortable with Linux and standard DevOps practices like CI, CD, and unit testing.
About the Author
Julien Vehent is a security architect and DevOps advocate. He leads the Firefox Operations Security team at Mozilla, and is responsible for the security of Firefox’s high-traffic cloud services and public websites.
Note: Because Tails ships with uBlock Origin (unlike the standard Tor Browser Bundle), a website could attempt to determine whether a visitor is using Tails, whose user base is smaller than that of the Tor Browser Bundle, by checking whether its advertising is being blocked. This can be avoided by disabling uBlock Origin.
It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous information security testing Linux distribution based on Knoppix. Originally, it was designed with a focus on kernel auditing, from which it got its name KernelAuditingLinux. The name is sometimes incorrectly assumed to come from Kali the Hindu goddess. The third core developer, Raphaël Hertzog, joined them as a Debian expert.
Kali Linux is based on the Debian Testing branch. Most packages Kali uses are imported from the Debian repositories.
Kali Linux’s popularity grew when it was featured in multiple episodes of the TV series Mr. Robot. Tools highlighted in the show and provided by Kali Linux include Bluesniff, Bluetooth Scanner (btscanner), John the Ripper, Metasploit Framework, Nmap, Shellshock, and Wget.
Application security engineer: “Sometimes called a “product security engineer” — a software engineer whose role is to evaluate and improve the security of an organization’s codebase and application architecture.” (B085FW7J86)
Bug bounty hunter: “A freelance penetration tester. Often, large companies will create “responsible disclosure programs” that award cash prizes for reporting security holes. Some bug bounty hunters work full time, but often these are full-time professionals who participate outside of work for extra money.” (B085FW7J86)
CISA – Certified Information Systems Auditor Certification
Globally recognized, ISACA’s Certified Information Systems Auditor (CISA) is the gold standard for IT professionals seeking to practice in information security, audit control and assurance. Ideal candidates are able to identify and assess organizational threats and vulnerabilities, assess compliance, and provide guidance and organizational security controls. CISA-certified professionals are able to demonstrate knowledge and skill across the CISA job practice areas of auditing, governance and management, acquisition, development and implementation, maintenance and service management, and asset protection.
To earn the CISA, candidates must pass one exam, submit an application, agree to the code of professional ethics, agree to the continuing professional education requirements, and agree to the organization’s information systems auditing standards. In addition, candidates must possess at least one year of experience working with information systems. Some substitutions for education and experience with auditing are permitted.
To maintain the CISA, candidates earn 120 continuing professional education (CPE) credits over a three year period, with a minimum of 20 CPEs earned annually. Candidates must also pay an annual maintenance fee ($45 for members; $85 for nonmembers).
CISA facts and figures
Certified Information Systems Auditor (CISA)
Prerequisites and required courses
• One year of information systems experience or one year of non-information-systems auditing experience (some substitutions for education apply)
• Submit an application
• Agree to the code of professional ethics
• Agree to the CPE requirements
• Agree to the information systems auditing standards
ISACA offers a variety of training options, including virtual instructor-led courses, online on-demand training, review courses, review manuals, question databases, and more. Numerous books and self-study materials are also available on Amazon.
Certified Information Systems Auditor training
Training opportunities for the CISA certification are plentiful. Udemy offers more than 90 CISA-related courses, lectures, practice exams, question sets and more. On Pluralsight, you’ll find five courses with 22 hours of information systems auditor training that cover all CISA job practice domains.
CISSP – Certified Information Systems Security Professional Certification
The Certified Information Systems Security Professional (CISSP) is an advanced-level certification for IT pros serious about careers in information security. Offered by the International Information Systems Security Certification Consortium, known as (ISC)2 (pronounced “ISC squared”), this vendor-neutral credential is recognized worldwide for its standards of excellence.
CISSP credential holders are decision-makers who possess expert knowledge and technical skills necessary to develop, guide and manage security standards, policies and procedures within their organizations. The CISSP continues to be highly sought after by IT professionals and is well recognized by IT organizations. It is a regular fixture on most-wanted and must-have security certification surveys.
The CISSP is designed for experienced security professionals. A minimum of five years of experience in at least two of (ISC)2’s eight common body of knowledge (CBK) domains, or four years of experience in at least two of (ISC)2’s CBK domains and a college degree or an approved credential, is required for this certification. The CBK domains are security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.
(ISC)2 also offers three CISSP concentrations targeting specific areas of interest in IT security:
CISSP concentration exams are $599 each, and credential seekers must currently possess a valid CISSP.
An annual fee of $85 is required to maintain the CISSP credential. Recertification is required every three years. To recertify, candidates must earn 40 continuing professional education (CPE) credits each year for a total of 120 CPEs within the three-year cycle.
CISSP facts and figures
Certified Information Systems Security Professional (CISSP)
Optional CISSP concentrations include:
• CISSP Architecture (CISSP-ISSAP)
• CISSP Engineering (CISSP-ISSEP)
• CISSP Management (CISSP-ISSMP)
Prerequisites and required courses
• At least five years of paid, full-time experience in at least two of the eight (ISC)2 domains, or four years of paid, full-time experience in at least two of the eight (ISC)2 domains and a college degree or an approved credential.
• Agree to the (ISC)2 Code of Ethics.
• Submit the CISSP application.
• Complete the endorsement process.
Number of exams
• One for CISSP (English CAT exam: 100-150 questions, three hours to complete; non-English exam: 250 questions, six hours)
• One for each concentration area
A variety of training materials is available, including instructor-led, live online, on-demand and private training. An exam outline is available for candidate review, as well as study guides, a study app, interactive flashcards and practice tests.
Certified Information Systems Security Professional (CISSP) training
Given the popularity of the CISSP certification, there is no shortage of available training options. These include classroom-based training offered by (ISC)2, as well as online video courses, practice exams and books from third-party companies.
Pluralsight’s CISSP offering includes 18 courses and 33 hours of e-learning that cover the security concepts required for the certification exam. Current courses include business continuity management, information classification, investigations and incident management, security controls and framework, communications and network security, cryptography application, risk and asset management, security architecture, security engineering, security management, personnel security, physical (or environmental) security, and more. Available for a low monthly fee, the CISSP training is part of a subscription plan that gives IT professionals access to Pluralsight’s complete library of video training courses.
When you’re ready to test your security knowledge, you can take a simulated exam that mimics the format and content of the real CISSP exam. Udemy offers a CISSP practice exam to help you prepare for this challenging test.
CompTIA’s Security+ is a well-respected, vendor-neutral security certification. Security+ credential holders are recognized as possessing superior technical skills, broad knowledge and expertise in multiple security-related disciplines.
While Security+ is an entry-level certification, successful candidates should possess at least two years of experience working in network security and should consider first obtaining the Network+ certification. IT pros who obtain this certification possess expertise in areas such as threat management, cryptography, identity management, security systems, security risk identification and mitigation, network access control, and security infrastructure. The CompTIA Security+ credential is approved by the U.S. Department of Defense to meet Directive 8140/8570.01-M requirements. In addition, the Security+ credential complies with the standards for ISO 17024.
The Security+ credential requires a single exam, currently priced at $339. (Discounts may apply to employees of CompTIA member companies and full-time students.) Training is available but not required.
IT professionals who earned the Security+ certification prior to Jan. 1, 2011, remain certified for life. Those who certify after that date must renew the certification every three years to stay current. To renew, candidates are required to complete 50 continuing education units (CEUs) or complete the CertMaster CE online course prior to the expiration of the three-year period. CEUs can be obtained by engaging in a variety of activities, such as teaching, blogging, publishing articles or white papers, and participating in professional conferences and similar activities.
CompTIA Security+ facts and figures
Prerequisites and required courses
None. CompTIA recommends at least two years of experience in IT administration (with a security focus) and the Network+ credential before taking the Security+ exam. Udemy offers a complete and comprehensive course for the certification.
Number of exams
One: SY0-501 (90 questions, 90 minutes to complete; 750 on a scale of 100-900 required to pass)
Cost of exam
$339 (discounts may apply; search for “SY0-501 voucher”)
Exam objectives, sample questions, the CertMaster online training tool, training kits, computer-based training and a comprehensive study guide are available at CompTIA.org.
CompTIA Security+ training
You’ll find several companies offering online training, instructor-led and self-study courses, practice exams, and books to help you prepare for and pass the Security+ exam.
Pluralsight offers a series of Security+ video training courses as part of its monthly subscription plan for the latest SY0-501 exam. Split up into six sections, the training series is more than 18 hours long and covers network security; compliance and operational security; threats and vulnerabilities; application, data, and host security; access control and identity management; and cryptography.
To test your security knowledge before attempting the real exam, Kaplan IT Training offers a build-your-own Security+ practice exam training package. Candidates can choose a 30-day assessment option that includes a single set of exam questions, plus quizzes, references and explanations. For an additional fee, candidates can upgrade to a 180-day subscription that includes multiple exam options, key concept flashcards, access to InstructorLink experts, discussion boards and more. Mobile eLearning, along with access to practice labs, is also available.
CISM – Certified Information Security Manager Certification
The Certified Information Security Manager (CISM) is a top security credential for IT professionals responsible for managing, developing and overseeing information security systems in enterprise-level applications, or for developing best organizational security practices. The CISM credential was introduced to security professionals in 2003 by the Information Systems Audit and Control Association (ISACA).
ISACA’s organizational goals are specifically geared toward IT professionals interested in the highest quality standards with respect to audit, control and security of information systems. The CISM credential targets the needs of IT security professionals with enterprise-level security management responsibilities. Credential holders possess advanced and proven skills in security risk management, program development and management, governance, and incident management and response.
Holders of the CISM credential, which is designed for experienced security professionals, must agree to ISACA’s code of ethics, pass a comprehensive examination, possess at least five years of security experience (three of which must have been in information security management in three or more of the job practice analysis areas), comply with the organization’s continuing education policy and submit a written application. Some combinations of education and experience may be substituted for the experience requirement.
The CISM credential is valid for three years, and credential holders must pay an annual maintenance fee of $45 (ISACA members) or $85 (nonmembers). Credential holders are also required to obtain a minimum of 120 continuing professional education (CPE) credits over the three-year term to maintain the credential. At least 20 CPEs must be earned every year.
CISM facts and figures
Certified Information Security Manager (CISM)
Prerequisites and required courses
To obtain the CISM credential, candidates must do the following:
• Pass the CISM exam.
• Agree to the ISACA code of professional ethics.
• Possess a minimum of five years of information security work experience, including at least three years of work experience in information security management in three or more of the job practice analysis areas. Experience must be verifiable and obtained in the 10-year period preceding the application date or within five years after passing the exam. There are some exceptions to this requirement depending on current credentials held.
• Apply for CISM certification. (The processing fee is $50.) The credential must be obtained within five years of passing the exam.
• Agree to the CISM continuing education policy.
Number of exams
One exam (150 questions, four hours to complete). (Exams are offered several times during designated exam windows only. In 2019, there were two designated exam windows. Exam windows for 2020 have not yet been announced.)
Cost of exam
Exam fees: member $575; nonmember $760. Exam fees are nontransferable and nonrefundable.
Training and study materials in various languages, information on Job Practice Areas, primary references, publications, articles, the ISACA Journal, review courses, exam prep community, terminology lists, a glossary and more are available at ISACA.org. Additionally, Udemy offers comprehensive training for the certification exam.
Other ISACA certification program elements
In addition to the CISM, ISACA offers numerous certifications for those interested in information security and best practices. Other credentials worth considering include the following:
Certified Information Systems Auditor (CISA)
Certified in the Governance of Enterprise IT (CGEIT)
Certified in Risk and Information Systems Control (CRISC)
The CISA designation was created for professionals working with information systems auditing, control or security and is popular enough with employers to earn it a place on the leaderboard. The CGEIT credential targets IT professionals working in enterprise IT management, governance, strategic alignment, value delivery, and risk and resource and performance management. IT professionals seeking careers in all aspects of risk management will find the CRISC credential nicely meets their needs.
Certified Information Security Manager (CISM) training
Kaplan IT Training offers the SkillSoft CISM 2016 CISM e-learning course. The 180-day subscription includes custom quizzes, practice exam questions, access to experts through the InstructorLink and more. As with other Kaplan courses, a pass guarantee comes with the 180-day subscription.
According to Cyber Risk Analytics’ “2019 Midyear Quick View Data Breach Report,” the first half of 2019 saw more than 3,800 publicly disclosed breaches with more than 4.1 billion records exposed. This figure represents a 54% increase over reported breaches and a 52% increase in the number of compromised records compared with the same time frame in 2018. More than 60% of the reported breaches were the result of human error, highlighting an ever-increasing need for cybersecurity education, as well as highly skilled and trained cybersecurity professionals.
According to a Cyber Seek report, the number of cybersecurity job openings in the U.S. stands at almost 313,735, with nearly 716,000 cybersecurity professionals employed in today’s workforce. Projections continue to be robust further out: CSO expects that number to hit 500,000 by 2021, with more than 3 million cybersecurity jobs open worldwide that same year.
When evaluating prospective InfoSec candidates, employers frequently look to certification as an important measure of excellence and commitment to quality. We examined five InfoSec certifications we consider to be leaders in the field of information security today:
This year’s list includes entry-level credentials, such as Security+, as well as more advanced certifications, such as the CEH, CISSP, CISM and CISA. We also offer some additional certification options in the last section that cover choices outside our top five, because the field of information security is both wide and varied, with many other options. According to Cyber Seek, more employers are seeking CISA, CISM and CISSP certification holders than there are credential holders, which makes these credentials a welcome addition to any certification portfolio.
Absent from our list of the top five is the SANS GIAC Security Essentials (GSEC). The GSEC is still a very worthy credential, but the job board numbers for the CISA were so solid that it merited a spot in the top five.
Security-related job roles cover a lot of ground, such as information security specialist, security analyst, network security administrator, system administrator (with security as a responsibility) and security engineer, as well as specialized roles like malware engineer, intrusion analyst and penetration tester.
Average salaries for information security specialists and security engineers – two of the most common job roles – vary depending on the source. For example, Simply Hired reports $30,263 for specialist positions, whereas Glassdoor’s national average is almost $68,000. For security engineers, Simply Hired reports almost $95,000, while Glassdoor’s average is more than $131,000, with salaries on the high end reported at $144,000.
If you’re serious about advancing your career in the IT field and are interested in specializing in security, certification is a great choice. It’s an effective way to validate your skills and show a current or prospective employer that you’re qualified and properly trained.
Before examining the details of the top five InfoSec certifications, check the results from our informal job board survey. It reports the number of job posts nationwide in which our featured certs were mentioned on a given day. This should give you an idea of the relative popularity of each certification.
Job board search results (in alphabetical order, by cybersecurity certification)
Beyond the top 5: More cybersecurity certifications
In addition to these must-have credentials, there are many other certifications available to fit the career needs of any IT professional interested in information security.
While it didn’t make the top five this year, the SANS GIAC Security Essentials (GSEC) remains an excellent entry-level credential for IT professionals seeking to demonstrate that they not only understand information security terminology and concepts but also possess the skills and technical expertise necessary to occupy “hands-on” security roles.
If you find incident response and investigation intriguing, check out the Logical Operations CyberSec First Responder (CFR) certification. This ANSI-accredited and U.S. DoDD-8570 compliant credential recognizes security professionals who can design secure IT environments, perform threat analysis, and respond appropriately and effectively to cyberattacks. Logical Operations offers other certifications, including the Master Mobile Application Developer (MMAD), Certified Virtualization Professional (CVP), Certified Cyber Secure Coder and CloudMASTER.
There are many other certifications to explore or keep your eye on. The associate-level Cisco CCNA Cyber Ops certification is aimed at those who work as analysts in security operations centers (SOCs) in large companies and organizations. Candidates who qualify through Cisco’s global scholarship program may receive free training, mentoring and testing to help them achieve the CCNA Cyber Ops certification. The CompTIA Cybersecurity Analyst (CySA+), which launched in 2017, is a vendor-neutral certification designed for professionals with three to four years of security and behavioral analytics experience.
The Identity Management Institute (IMI) offers several credentials for identity and access management, data protection, identity protection, identity governance, and more. The IAPP, which focuses on privacy, has a small but growing number of certifications as well.
Hackers are innovators; they constantly find new ways to attack information systems and exploit system vulnerabilities. Savvy businesses proactively protect their information systems by engaging the services and expertise of IT professionals skilled in beating hackers at their own game (often called “white hat hackers” or simply “white hats”). Such professionals use the very skills and techniques hackers themselves use to identify system vulnerabilities and access points for penetration to prevent hackers’ unwanted access to network and information systems.
The Certified Ethical Hacker (CEH) is an intermediate-level credential offered by the International Council of E-Commerce Consultants (EC-Council). It’s a must-have for IT professionals pursuing careers in ethical hacking, and certifies their competence in the five phases of ethical hacking: reconnaissance, enumeration, gaining access, maintaining access and covering tracks. CEH credential holders possess skills and knowledge on hacking practices in areas such as footprinting and reconnaissance, scanning networks, enumeration, system hacking, Trojans, worms and viruses, sniffers, denial-of-service attacks, social engineering, session hijacking, hacking web servers, wireless networks and web applications, SQL injection, cryptography, penetration testing, and evading IDS, firewalls and honeypots. CEH V10 provides a greater focus on emerging attack vectors, along with IoT hacking and vulnerability analysis.
To obtain a CEH (ANSI) certification, candidates must pass one exam. A comprehensive five-day CEH training course is recommended, with the exam presented at the course’s conclusion. Candidates may self-study for the exam but must submit documentation of at least two years of work experience in information security with employer verification. Self-study candidates must also pay an additional $100 application fee. Education may be substituted for experience, but this is evaluated on a case-by-case basis. Candidates who complete any EC-Council-approved training (including the iClass platform, academic institutions or an accredited training center) do not need to submit an application prior to attempting the exam.
Because technology in the field of hacking changes almost daily, CEH credential holders are required to obtain 120 continuing education credits for each three-year cycle.
Once a candidate obtains the CEH (ANSI) designation, a logical progression on the EC-Council certification ladder is the Certified Ethical Hacker (Practical) credential. A recent addition to the EC-Council certification portfolio, the CEH (Practical) designation targets the application of CEH skills to real-world security audit challenges and related scenarios. To obtain the credential, candidates must pass a rigorous six-hour practical examination. The exam is conducted on live virtual machines, and candidates are presented with 20 scenarios with questions designed to validate their ability to perform tasks such as vulnerability analysis, identification of threat vectors, web app and system hacking, OS detection, network scanning, packet sniffing, steganography, virus identification and more. Candidates who pass both the CEH (ANSI) and CEH (Practical) exams earn the CEH (Master) designation.
CEH facts and figures
Certified Ethical Hacker (CEH) (ANSI)
Prerequisites and required courses
Training is highly recommended. Without formal training, candidates must have at least two years of information security-related experience and an educational background in information security, pay a nonrefundable eligibility application fee of $100, and submit an exam eligibility form prior to purchasing an exam voucher.
Number of exams
One: 312-50 (ECC Exam)/312-50 (VUE) (125 multiple-choice questions, four hours)
Cost of exam
$950 (ECC exam voucher) Note: An ECC exam voucher allows candidates to test via computer at a location of their choice. Pearson Vue exam vouchers allow candidates to test in a Pearson Vue facility and cost $1,199.
EC-Council instructor-led courses, computer-based training, online courses and more are available at ECCouncil.org. A CEH skills assessment is also available for credential seekers. Additionally, Udemy offers CEH practice exams. CEH-approved courseware is available for $850 from EC-Council.
Certified Ethical Hacker (CEH) Training
While EC-Council offers both instructor-led and online training for its CEH certification, IT professionals have plenty of other options for self-study materials, including video training, practice exams and books.
Pluralsight currently offers various ethical hacking courses geared toward the 312-50 exam. With a monthly subscription, you get access to all these courses plus everything else in Pluralsight’s training library. Through Pluralsight’s ethical hacking courses, IT professionals learn about session hijacking, reconnaissance and footprinting, SQL injection, enumeration, social engineering, and how to hack web servers, applications and mobile platforms.
Kaplan IT Training offers a practice exam for the CEH 312-50 certification that includes several sets of exam-like questions, custom quizzes, flashcards and more. An exam prep subscription for 180 days costs $149 and allows candidates access to online study materials, as well as the ability to download the materials for offline study. Backed by its “pass the first time” guarantee, Kaplan IT is so confident that this practice exam will prepare you for the CEH that it will refund its practice test costs if you don’t pass.