What do you think?
Rate this book
Безопасный DevOps. Эффективная эксплуатация систем
Приложение, запущенное в облаке, обладает множеством преимуществ, но в то же время подвержено особенным угрозам. Задача DevOps-команд — оценивать эти риски и усиливать защиту системы от них.
Книга основана на уникальном опыте автора и предлагает важнейшие стратегические решения для защиты веб-приложений от атак, предотвращения попыток вторжения. Вы увидите, как обеспечить надежность при автоматизированном тестировании, непрерывной поставке и ключевых DevOps-процессах. Научитесь выявлять, оценивать и устранять уязвимости, существующие в вашем приложении. Автор поможет ориентироваться в облачных конфигурациях, а также применять популярные средства автоматизации.
В этой книге:
• Обеспечение непрерывной безопасности.
• Внедрение безопасности на основе тестирования в DevOps.
• Приемы, помогающие повысить надежность облачных сервисов.
• Отслеживание вторжений и реагирование на инциденты .
• Тестирование безопасности и оценка рисков.
Требуется знание Linux и владение стандартными практиками DevOps, такими как CI, CD и модульное тестирование.
Книга основана на уникальном опыте автора и предлагает важнейшие стратегические решения для защиты веб-приложений от атак, предотвращения попыток вторжения. Вы увидите, как обеспечить надежность при автоматизированном тестировании, непрерывной поставке и ключевых DevOps-процессах. Научитесь выявлять, оценивать и устранять уязвимости, существующие в вашем приложении. Автор поможет ориентироваться в облачных конфигурациях, а также применять популярные средства автоматизации.
В этой книге:
• Обеспечение непрерывной безопасности.
• Внедрение безопасности на основе тестирования в DevOps.
• Приемы, помогающие повысить надежность облачных сервисов.
• Отслеживание вторжений и реагирование на инциденты .
• Тестирование безопасности и оценка рисков.
Требуется знание Linux и владение стандартными практиками DevOps, такими как CI, CD и модульное тестирование.
432 pages, Paperback
Published January 1, 2020
27 people are currently reading
318 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 12 of 12 reviews
March 19, 2025
Comprehensive cookbook for DevSecOps. Some parts are a bit outdated but still very educative. There are more cloud native security services and features nowadays to establish a mature CI/CD pipeline so maybe it’s time for a new edition updating the sample case code and tools.
March 3, 2019
The main reason I wanted to read this book was because of the writer, Julien Vehent, who leads the Firefox Operations Security team at Mozilla, and is responsible for the security of Firefox’s high-traffic cloud services and public websites. For me personally, Mozilla is one of the technology companies that puts people before profits and has a very important mission: to keep the internet open and accessible to all. Besides that, I am also very interested in Linux and standard DevOps practices like CI, CD, and unit testing, which are listed as required prior knowledge to be comfortable with before reading this introductory book that "reviews the latest practices used in securing web applications and their infrastructure and teaches you techniques to integrate security directly into your product". While these requirements and the fact that Manning describes it as an introductory book might seem a little bit contradictory, they are just trying to state that you need some prior hands-on experience with CI/CD and unit testing and should be familiar with the Linux command line.
This has allowed the author to skip a lot of introductions that would not be needed in my case, but it does assume that you are also familiar with at least the Cloud and Agile Software Development as well, and have some ideas about what Security adds to DevOps.
The book itself is split up in three main logical parts, being: "Case study: applying layers of security to a simple DevOps pipeline", "Watching for anomalies and protecting services against attacks" and "Maturing DevOps security". The first part starts with a description on building a barebones DevOps pipeline, and then moves on to describes the four layers of security it advocates in this book: protecting web applications, protecting cloud infrastructures, securing communications and securing the delivery pipeline. The second part is split up in four closely related but separate chapters: collecting and storing logs, analyzing logs for fraud and attacks, detecting intrusions and the Caribbean breach: a case study in incident response. These chapters are pretty essential primers on their topic with regards to Security in my opinion, and very well-described and detailed. The third part is filled with food for thought and recommendations, and consists of chapters about: assessing risks, testing security and continuous security.
The back cover of the book summarizes this the best for me, so I'm quoting that here: "This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale". And as Andrew Bovill from Next Century stated it, this is "An amazing resource for secure software development - a must in this day and age - whether or not you’re in DevOps." I would wholeheartedly recommend this book to anyone with a remote interest in DevOps, or even when you only just started out on modern day software development or cloud deployments, as this might be one of the best books that you can get on the subject right now!
This has allowed the author to skip a lot of introductions that would not be needed in my case, but it does assume that you are also familiar with at least the Cloud and Agile Software Development as well, and have some ideas about what Security adds to DevOps.
The book itself is split up in three main logical parts, being: "Case study: applying layers of security to a simple DevOps pipeline", "Watching for anomalies and protecting services against attacks" and "Maturing DevOps security". The first part starts with a description on building a barebones DevOps pipeline, and then moves on to describes the four layers of security it advocates in this book: protecting web applications, protecting cloud infrastructures, securing communications and securing the delivery pipeline. The second part is split up in four closely related but separate chapters: collecting and storing logs, analyzing logs for fraud and attacks, detecting intrusions and the Caribbean breach: a case study in incident response. These chapters are pretty essential primers on their topic with regards to Security in my opinion, and very well-described and detailed. The third part is filled with food for thought and recommendations, and consists of chapters about: assessing risks, testing security and continuous security.
The back cover of the book summarizes this the best for me, so I'm quoting that here: "This experience-rich book is filled with mission-critical strategies to protect web applications against attacks, deter fraud attempts, and make your services safer when operating at scale". And as Andrew Bovill from Next Century stated it, this is "An amazing resource for secure software development - a must in this day and age - whether or not you’re in DevOps." I would wholeheartedly recommend this book to anyone with a remote interest in DevOps, or even when you only just started out on modern day software development or cloud deployments, as this might be one of the best books that you can get on the subject right now!
January 22, 2019
First of all, I think this book is not suitable for junior engineers. It requires some level of experience and familiarity with DevOps, security, cloud and modern software development concepts. In fact the author also shows this attitude by skipping some parts; I don't think this is bad at all.
Having said that, I think the author has done a pretty much good job at gathering so much information at less than 400 pages.
There are some typos and errors here and there:
* Some links in the book do not work (I bought the PDF from Manning)
* Some commands need minor modifications to work on Mac
* Some external services need more explanation and lack some config (like the Duo example)
* It seems some AWS commands/services may have incomplete support on non-US regions (I started with eu-central-1 and after facing some difficulties, switched to us-east-1 and everything was fine then)
Overall, I recommend this book to security engineers. (although it does not matter that much, I should say that the book focuses on some services/products like AWS, Github, CircleCI, ... but it doesn't matter at the end of the day, and you can run all the exercises using the free tier)
Having said that, I think the author has done a pretty much good job at gathering so much information at less than 400 pages.
There are some typos and errors here and there:
* Some links in the book do not work (I bought the PDF from Manning)
* Some commands need minor modifications to work on Mac
* Some external services need more explanation and lack some config (like the Duo example)
* It seems some AWS commands/services may have incomplete support on non-US regions (I started with eu-central-1 and after facing some difficulties, switched to us-east-1 and everything was fine then)
Overall, I recommend this book to security engineers. (although it does not matter that much, I should say that the book focuses on some services/products like AWS, Github, CircleCI, ... but it doesn't matter at the end of the day, and you can run all the exercises using the free tier)
August 20, 2020
I cannot say anything bad about this book, only good. It’s full of quality content and it’s a joy to read. The title says for itself, it’s a book for DevOps engineer. But I would recommend it to anyone who’s just slightly interested in security, clouds or CI/CD. The author builds a CI/CD pipeline throughout the first part of the book and explains useful security practices in the rest of the book. It has many real-life examples and many very good explanations. In fact, I’ve never seen a better explanation of CSRF, PKI, DREAD, and other things.
Quotes
Quotes
April 14, 2019
A great book on cloud security. Very detailed and comprehensive. Of broader interest -to anyone interested in security, not just devops as the title suggests. There is a dedicated devopsy chapter, the rest is broader, touching all layers. Also includes a generalist chapter, providing systematic risk management frameworks.
March 11, 2018
Very comprehensive book on things that need to be done to secure an organization’s applications, data and infrastructure, on both high level strategies and low level tools to use.
February 3, 2022
Very practical and you can incorporate the ideas and examples directly in your security projects at your company. I really liked the real-world case study chapter.
May 29, 2023
Great book
June 28, 2023
A comprehensive list of apects you should take care of to secure your organisation. Rather broad than deep, but still full of examples of concrete tools. Recommended!
June 26, 2022
See potential but have PC problem with BSOD (Virtual machine for docker...)
So maybe reread on new PC
(note for myself)Stopped on docker exs?
So maybe reread on new PC
(note for myself)Stopped on docker exs?
April 4, 2022
Excellent book covering security, from the CI CD pipelines to web applications. Love the details and the code, where key parts are explained one by one. Flows are clearly represented and explained step by step.
Well written, easy to follow, up to date. Plenty of historical background to better understand the current standards. Many suggested security tools (with working links). I love the examples. The author shows us how to set this up, with all the required CLI commands and then goes through the results and output.
Well written, easy to follow, up to date. Plenty of historical background to better understand the current standards. Many suggested security tools (with working links). I love the examples. The author shows us how to set this up, with all the required CLI commands and then goes through the results and output.
February 28, 2020
A much more advanced book than I was anticipating. A lot of applicable things for my team but tons of stuff that went way over my head.
Displaying 1 - 12 of 12 reviews