Part 1. Case study: applying layers of security to a simple DevOps pipeline

In this first part, we’ll build a small DevOps environment to operate a web application with almost no security. Our pipeline is riddled with holes we’ll plug at every level: application, infrastructure, communications, and deployment. The goal is to add security layer by layer while making use of automated testing, as presented in the test-driven security concept from chapter 1.

Security is a journey. The process of building your own pipeline in chapter 2 will highlight various problems organizations commonly run into and provide a starting point to discuss integrating security into the CI/CD pipeline. We’ll first address the application layer in chapter 3 and discuss common attacks on web applications and ways to test and protect against them. In chapter 4, we’ll focus on the infrastructure layer and discuss techniques to protect data in the cloud. Chapter 5 implements HTTPS to secure communications between end users and your infrastructure. Finally, chapter 6 covers the security of the deployment pipeline and methods to guarantee the integrity of the code, from submission by developers to running it in production.

By the time we’re done with part 1, your environment will have solid security and will be ready for part 2, where we'll discuss attacks from the outside.