Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Crafting Secure Software
  • Toc
  • feedback
Crafting Secure Software

Crafting Secure Software

By : Greg Bulmash, Thomas Segura
5 (1)
close
Crafting Secure Software

Crafting Secure Software

5 (1)
By: Greg Bulmash, Thomas Segura

Overview of this book

Drawing from GitGuardian's extensive experience in securing millions of lines of code for organizations worldwide, Crafting Secure Software takes you on an exhaustive journey through the complex world of software security and prepares you to face current and emerging security challenges confidently. Authored by security experts, this book provides unique insights into the software development lifecycle (SDLC) and delivers actionable advice to help you mitigate and prevent risks. From securing code-writing tools and secrets to ensuring the integrity of the source code and delivery pipelines, you’ll get a good grasp on the threat landscape, uncover best practices for protecting your software, and craft recommendations for future-proofing against upcoming security regulations and legislation. By the end of this book, you’ll have gained a clear vision of the improvements needed in your security posture, along with concrete steps to implement them, empowering you to make informed decisions and take decisive action in safeguarding your software assets.
Table of Contents (11 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
Conventions used
Get in touch
Download a free PDF copy of this book
Free Chapter
1
Chapter 1: Introduction to the Security Landscape
Chapter 1: Introduction to the Security Landscape
The evolving application security landscape
Supply chain attack case: SolarWinds
Where GitGuardian stands in the landscape
Summary
2
Chapter 2: The Software Supply Chain and the SDLC
Chapter 2: The Software Supply Chain and the SDLC
What is the software supply chain?
Common supply chain attack vectors and defenses
Threat modeling
Risk assessment
Real-world SSC attacks
Summary
3
Chapter 3: Securing Your Code-Writing Tools
chevron up
Chapter 3: Securing Your Code-Writing Tools
Securing your IDE
Securing your VCS and SCM
Securing built-in CI/CD tools
Benefits and dangers of LLM-generated code
Summary
4
Chapter 4: Securing Your Secrets
Chapter 4: Securing Your Secrets
What are secrets?
Secrets in code
Secrets in tools
Secrets in artifacts
The importance of identity and access management (IAM)
Summary
5
Chapter 5: Securing Your Source Code
Chapter 5: Securing Your Source Code
Package managers and repositories
Testing SAST, DAST, and SCA
Creating and reading an SBOM
Think like a hacker: Ethical hacking
Summary
6
Chapter 6: Securing Your Delivery
Chapter 6: Securing Your Delivery
What are build pipelines?
Securing build pipelines
Securing containers and artifacts
Securing deployments
Proactively detecting and rotating exposed secrets
Summary
7
Chapter 7: Security Compliance and Certification
Chapter 7: Security Compliance and Certification
What are legislators and regulators concerned about?
What are they demanding, and how can you address it?
Security frameworks
Proving you’re taking the right steps: Certification
Summary
8
Chapter 8: Best Practices to Drive Security Buy-In
Chapter 8: Best Practices to Drive Security Buy-In
Best practices to create a robust security defense
ROI in cybersecurity
Success stories
Summary
9
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Download a free PDF copy of this book
Appendix: Glossary of Acronyms and Abbreviations: Index
Appendix: Glossary of Acronyms and Abbreviations: Index
Why subscribe?

Securing built-in CI/CD tools

Each major SCM has its own native CI/CD tool. There are GitHub Actions, GitLab CI/CD, and Bitbucket Pipelines, to name a few. Let’s look at a few high-level concerns to consider.

Be sure and intentional about "which" does "what"

Continous integration and continuous delivery (CI/CD) are two different pipelines. CI brings all the pieces together and builds and tests the artifacts. All the SAST, DAST, SCA, secrets scanning, and so on can be done in the CI pipeline, but can also be triggered by hooks and run before commits or to inspect pull requests before merging.

CD is intended to deploy the artifacts built in CI. They can be delivered to production or a testbed/staging environment. Some companies employ a green/blue method in which the last good deployment is demoted to the blue (backup) environment while the new artifacts are deployed to green (production). Should the latest code fail, the system can switch over to...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 4
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete