
2020 | Book

DevSecOps for .NET Core

Securing Modern Software Applications


About this book

Automate core security tasks by embedding security controls and processes early in the DevOps workflow through DevSecOps. You will not only learn the various stages in the DevOps pipeline through examples of solutions developed and deployed using .NET Core, but also go through open source SDKs and toolkits that will help you to incorporate automation, security, and compliance.

The book starts with an outline of modern software engineering principles and gives you an overview of DevOps in .NET Core. It then explains automation in DevOps for product development, along with security principles that improve product quality. Next, you will learn how to improve your product quality and prevent code issues such as SQL injection, cross-site scripting, and many more. Moving forward, you will go through the steps necessary to automate security, compliance, audit, and UX checks to increase the efficiency of your organization. You'll see demonstrations of the CI phase of DevOps, on-premises and hosted, along with code analysis methods that verify product quality. Finally, you will learn about network security in Docker and containers, followed by compliance and security standards.
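The SQL injection and cross-site scripting issues named above share one root cause: untrusted input spliced into the text of a query or a page. The following is an added example written for this summary, not code from the book or its author; it assumes the Microsoft.Data.Sqlite NuGet package and the System.Text.Encodings.Web assembly (bundled with .NET Core 3.0 and later), and the table rows are constructed sample data. Each vulnerable method is paired with its parameterized or encoded form so the difference can be run and observed.

```csharp
// Added example (not from the book): SQL injection and XSS in .NET Core, vulnerable vs. hardened.
// Assumes the Microsoft.Data.Sqlite package; the in-memory database and its rows are constructed
// sample data for demonstration only.
using System;
using System.Collections.Generic;
using System.Text.Encodings.Web;
using Microsoft.Data.Sqlite;

public static class UserLookup
{
    // Open an in-memory SQLite database and seed it with constructed sample users.
    public static SqliteConnection OpenSampleDb()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using var cmd = conn.CreateCommand();
        cmd.CommandText = @"
            CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL, IsAdmin INTEGER NOT NULL);
            INSERT INTO Users (Name, IsAdmin) VALUES ('alice', 0), ('bob', 1);";
        cmd.ExecuteNonQuery();
        return conn;
    }

    // VULNERABLE: the untrusted name is concatenated into the SQL text, so a value such as
    // x' OR '1'='1 changes the structure of the WHERE clause and the query matches every row.
    public static List<string> FindByNameVulnerable(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Name FROM Users WHERE Name = '" + name + "'";
        return ReadNames(cmd);
    }

    // HARDENED: the value is bound as a parameter. The statement's structure is fixed before the
    // value is supplied, so the same payload is compared as an ordinary (non-matching) string.
    public static List<string> FindByNameSafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Name FROM Users WHERE Name = $name";
        cmd.Parameters.AddWithValue("$name", name);
        return ReadNames(cmd);
    }

    private static List<string> ReadNames(SqliteCommand cmd)
    {
        var names = new List<string>();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
        {
            names.Add(reader.GetString(0));
        }
        return names;
    }

    // VULNERABLE: building markup by string concatenation lets <script> or event-handler
    // attributes in the name execute in the victim's browser. Razor views encode by default;
    // this is the shape of code that bypasses that protection (hand-built HTML, Html.Raw).
    public static string GreetingHtmlVulnerable(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // HARDENED: encode the untrusted value for the HTML text context before inserting it.
    public static string GreetingHtmlSafe(string name)
    {
        return "<p>Hello, " + HtmlEncoder.Default.Encode(name) + "</p>";
    }

    public static void Main()
    {
        using var conn = OpenSampleDb();

        const string sqlPayload = "x' OR '1'='1";
        Console.WriteLine("vulnerable query: " + string.Join(",", FindByNameVulnerable(conn, sqlPayload)));
        Console.WriteLine("parameterized:    " + string.Join(",", FindByNameSafe(conn, sqlPayload)));

        const string xssPayload = "<script>alert(1)</script>";
        Console.WriteLine("vulnerable html:  " + GreetingHtmlVulnerable(xssPayload));
        Console.WriteLine("encoded html:     " + GreetingHtmlSafe(xssPayload));
    }
}
```

Run with a console project that references Microsoft.Data.Sqlite. The concatenated query returns both seeded users for the injection payload while the parameterized query returns none, and the encoded greeting renders the script tag as visible text instead of executing it. A static analyzer in the CI pipeline (such as the Microsoft.CodeAnalysis.NetAnalyzers rule family for SQL injection) is the automated counterpart of the review that should reject the two vulnerable methods.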

After reading DevSecOps for .NET Core, you will understand how automation, security, and compliance work at every stage of the DevOps pipeline, illustrated with real-world examples of solutions developed and deployed using .NET Core 3.

What You Will Learn

Implement security for the .NET Core runtime for cross-functional workloads
Work with code style and review guidelines to improve the security, performance, and maintenance of components
Add to DevOps pipelines to scan code for security vulnerabilities
Deploy software on a secure infrastructure, on Docker, Kubernetes, and cloud environments

Who This Book Is For

Software engineers and developers who develop and maintain a secure code repository.

Table of Contents

Frontmatter
Chapter 1. Modern Software Engineering
Abstract
We stumble upon software in our everyday life, from handheld mobile devices to intelligent components of a smart home all the way to big machines we employ for regular daily tasks. As a software engineer, you get to see your work being used in every aspect of life. As interesting and energizing as it might sound, it has its own problems that one needs to tackle. The same products that help millions “achieve more” could someday cease to function due to a bug. Even worse, that bug might be an attempt to hijack the system for illegal activity. A lot of the software deployed to production follows poor design architecture, gets published in non-tested environments, or is being used by customers who are unaware of the socially engineered risks of software exploitation. Software packages are no longer just executable files sent to a customer upon receipt of payment. Software packages have become more Internet-based, agile, adaptable, accessible, and intelligent.
Afzaal Ahmad Zeeshan
Chapter 2. DevOps with Security
Abstract
DevOps has solved several software engineering problems, including the friction and delay in software delivery and problem resolution. Being a manifesto designed more than a decade ago, DevOps now needs a redesign of its software development, management, and delivery approaches. This planning can help close the loopholes in the pipelines and cycles of DevOps. The starting principles of DevOps called for a quick response to user needs and bugs and less friction between teams, typically the development and operations teams. Although DevOps addresses these problems reasonably well, what it misses is an important aspect of modern software: the maintenance of the software.
Afzaal Ahmad Zeeshan
Chapter 3. Writing Secure Apps
Abstract
With a normal DevOps pipeline, teams leave the code building and package management responsibilities to the DevOps tool, such as GitLab or Azure DevOps. DevSecOps expects more than that and requires that every developer and IT person take responsibility for code security, quality, and reviews. The collaborative nature of open source communities provides good-quality code review and constructive criticism of code changes. A small organization might not be able to enjoy the benefits of hundreds of online collaborators, but it can use its own engineers and architects, and may develop the initial versions of its product without peer reviews. Regardless of the automation platform, scripts and packages can be introduced into the pipeline that require a merge request to be peer-reviewed. Even before a merge request is created, a well-defined DevOps pipeline can notify the contributor about the potential problems that a change might introduce.
Afzaal Ahmad Zeeshan
Chapter 4. Automating Everything as Code
Abstract
DevOps cycles also take infrastructure management and operations into account. If you need to automate different aspects of the software development lifecycle, you'll need to apply automation throughout. In the previous chapter, we discussed the basics of DevOps and build pipelines. Starting in this chapter, we explore the complete DevOps pipeline, beginning with the inception or "issues" phase of a project, feature, or bug, and discuss the steps necessary for a project to succeed. You might have heard different terms with the word "code" in them. One is Infrastructure as Code (IaC). Many vendors also use the term Security as Code to market software packages that build automated security checks into the pipeline.
Afzaal Ahmad Zeeshan
Chapter 5. Securing Build Systems for DevOps
Abstract
Our infrastructure relies on deployment jobs and CI servers as the agents that deploy applications to the servers. Previous chapters have laid the foundation for what we cover in this chapter. The meat of this chapter is security, efficiency, and trust in the build systems. Throughout the chapter, I explore several DevOps tools that we have covered and build on what you have learned. This chapter is about improving what we built previously to make it a secure and usable infrastructure. A good solution depends on the security practices and test cases that are added to the CI/CD pipeline; manual testing and configuration add a layer of friction to deployment.
Afzaal Ahmad Zeeshan
Chapter 6. Automating Production Environments for Quality
Abstract
Previous chapters covered the initial CI phases of the DevOps cycle. A complete DevOps cycle incorporates the production environment as well. From security scanning to runtime selection, process warmup, continuous monitoring, and protection, DevSecOps takes care of everything. A DevOps engineer must manage the details of the production environment as well as the development cycles. It is important for a secure application to run in a secure environment: if the environment is compromised, your secure application will end up being tampered with (as in the case of an HTTP-hosted web application) or taken over completely by an attacker. In this chapter, I discuss security and performance from the point of view of the hosting platform. The term "hosting platform" applies to the environment where your solutions run. A hosting platform for a .NET Core solution is not always a cloud environment or your go-to web hosting provider. A .NET Core solution can run inside a mobile application (as in the case of a Xamarin.Forms application) or on a user's device (as in the case of a desktop application). I discuss the common practices that can help you protect your applications and resources.
Afzaal Ahmad Zeeshan
Chapter 7. Compliance and Security
Abstract
A typical DevOps pipeline finishes as soon as the package has been deployed to a secure environment. DevSecOps introduces extra steps to your pipeline to verify and support the compliance of your product in international markets. The topic of compliance takes more than just a license into account. International markets introduce their own set of legal requirements for a solution provider. European countries, for example, have GDPR (the General Data Protection Regulation). This requires the solution vendors and ISVs to apply a set of rules across their organization (changes such as recruiting a Data Protection Officer) as well as the solution (such as user “consent” for data collection and applying a data removal policy). This compliance rule not only applies to solutions being used from within Europe, but also to the solutions that provide services to Europeans, even from outside Europe.
Afzaal Ahmad Zeeshan
Backmatter
Metadata
Title
DevSecOps for .NET Core
Author
Afzaal Ahmad Zeeshan
Copyright Year
2020
Publisher
Apress
Electronic ISBN
978-1-4842-5850-7
Print ISBN
978-1-4842-5849-1
DOI
https://doi.org/10.1007/978-1-4842-5850-7
