From cyberpunk to DevSecOps: 7 books that still make it worth a DevSecOps engineer's while to learn English

Those who used to be called cyberpunks today call themselves something more politically correct: DevSecOps. Remember "the whole spectrum of the rainbow" from the legendary film "Hackers"? 1) the Green Book (international UNIX environments); 2) the bright Orange Book (computer security criteria, DoD standards); 3) the Pink Shirt Book (the guide to IBM PCs, nicknamed for the stupid pink shirt the guy wears on the cover); 4) the Devil Book (the UNIX bible); 5) the Dragon Book (compiler design); 6) the Red Book (NSA trusted networks, otherwise known as the ugly red book that won't fit on a shelf).

After rewatching this legendary film once more, I wondered: what would the cyberpunks of the past, who in our time have become DevSecOps engineers, read today? The result is an updated, more modern version of this rainbow spectrum:

- Violet (APT hacker manual)

- Black (corporate cyber-insecurity)

- Red (Red Team Field Manual)

- Bison book (cultivating a DevOps culture in the developer community; so named because of the beast on the cover)

- Yellow Web (yellow in the tabloid sense: a sensational selection of vulnerabilities of the World Wide Web)

- Brown (the bug hunter's diary)

- The Book of Retribution (the secure-coding bible)

1. Violet (APT hacker manual)

Tyler Wrightson. Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization. 2015. 443 p.

This book is written for one single purpose: to demonstrate that there are no secure systems in the world. Moreover, it is written from the point of view of the criminal, without any compromises. The author shamelessly demonstrates the modern realities of cyber-insecurity and shares the most intimate details of APT hacking without concealment, and without any hint of tiptoeing around contentious topics for fear of attracting reprehensible attention. Why from an uncompromisingly criminal point of view? Because the author is sure that only in this way can we truly "know the enemy," as Sun Tzu advised in "The Art of War"; and because the author is equally sure that without this knowledge it is impossible to build any effective protection against cyber threats.

The book describes the APT hacker's mindset, tools and skills, which allow him to break into absolutely any organization, regardless of what kind of security system is deployed there. It demonstrates this with real examples of break-ins for which a modest budget and modest technical skills are quite enough.

To combat traditional criminals, every state has well-established schemes. In cyberspace, however, smart criminals are elusive. The harsh reality of the digital era is therefore that whoever connects to the Internet is under constant attack, both at home and at work. You may not be aware of it, but when you let the Internet, a computer, a mobile phone, Facebook, Twitter or something like that into your life, you thereby joined the war. Whether you want it or not, you are already one of the soldiers of this war.

Even if you "have no valuable data," you can easily become an accidental victim. Not to mention that a criminal can use your digital equipment in his dark affairs: password cracking, spamming, supporting DDoS attacks, and so on. The world today has become a playground for those who are versed in high technology and love to break the rules. And the place of king of the hill in this game is occupied by APT hackers, whose manifesto boils down to the following words: "We are superheroes, invisible men, Neo from the Matrix. We can move silently and unseen. Manipulate everything we wish. Go wherever we want. There is no information we could not get. We fly confidently where others can only crawl."

2. Black (corporate cyber-insecurity)

Scott Donaldson, Stanley Siegel, Chris Williams, Abdul Aslam. Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats. 2015. 536 p.

The book provides a flexible visual scheme for managing all aspects of a corporate cybersecurity program (CCP), in which the entire CCP is divided into 11 functional areas and 113 subject aspects. This scheme is very convenient for designing, developing, implementing, monitoring and evaluating a CCP, and just as convenient for risk management. The scheme is universal and scales easily to the needs of organizations of any size. The book emphasizes that absolute invulnerability is fundamentally unattainable, because given unlimited time, an enterprising attacker will eventually overcome even the most advanced cyber defense. Therefore the effectiveness of a CCP is evaluated not in absolute terms but in relative ones, by two indicators: how quickly it lets you detect a cyber attack, and how long it lets you hold off the attacker's onslaught. The better these indicators, the more time full-time specialists have to assess the situation and take countermeasures.

The book describes in detail all the actors at all levels of responsibility. It explains how to apply the proposed CCP scheme to combine diverse departments, modest budgets, corporate business processes and a vulnerable cyber infrastructure into a cost-effective CCP that can withstand advanced cyber attacks and significantly reduce the damage in the event of a breach: a cost-effective CCP that takes into account the limited budget allocated to cybersecurity and helps find the compromises that are optimal for your organization, accounting for daily operational activities as well as long-term strategic tasks.

On first acquaintance with the book, owners of small and medium-sized businesses with limited budgets may find the CCP scheme presented in the book unaffordable on the one hand and unnecessarily cumbersome on the other. And indeed: not every enterprise can afford to take into account every element of a comprehensive CCP. When the general director is also the financial director, the secretary and the technical support service, a full-scale CCP is clearly not for him. However, every enterprise has to solve the problem of cybersecurity to one degree or another, and if you read the book carefully you can see that the CCP scheme it presents adapts easily to the needs of even the smallest enterprise. So it is suitable for enterprises of all sizes.

Cybersecurity today is a very problematic area. Ensuring it begins with a comprehensive understanding of its components; that understanding alone is the first serious step. Understanding where to start, how to continue and what to improve are a few more serious steps, and these are the steps the book and its CCP scheme let you take. It deserves attention, since the authors are recognized cybersecurity experts who have at various times fought on the front line against APT hackers, defending government, military and corporate interests.

3. Red (Red Team Field Manual)

Ben Clark. RTFM: Red Team Field Manual. 2014. 96 p.

RTFM is a detailed guide for serious red team members. It provides the basic syntax of the essential command-line tools for Windows and Linux, along with original ways of using them in conjunction with such powerful tools as Python and Windows PowerShell. RTFM will save you time again and again by eliminating the need to recall or look up hard-to-remember operating-system details: Windows WMIC, the DSQUERY command-line tools, registry key values, Task Scheduler syntax, Windows scripting and so on. More importantly, RTFM helps its reader adopt the most advanced red team techniques.

4. Bison book (cultivating a DevOps culture in the developer community; so named because of the beast on the cover)

Jennifer Davis, Ryn Daniels. Effective DevOps: Building a Culture of Collaboration, Affinity, and Tooling at Scale. 2016. 410 p.

The most successful of the existing manuals on forming a corporate DevOps culture. Here DevOps is seen as a new way of thinking and working that allows you to form "smart teams". "Smart teams" differ from others in that their members understand the peculiarities of their own way of thinking and apply this understanding to the benefit of themselves and their cause. This ability develops as a result of systematically practicing Theory of Mind (ToM: the ability to model one's own mental states and those of others). The ToM component of DevOps culture lets you recognize strengths, yours and your colleagues', and improves your understanding of yourself and others. As a result, people's ability to cooperate and empathize with each other grows. Organizations with a developed DevOps culture make mistakes less often and recover from failures more quickly. Employees of these organizations feel happier, and happy people, as you know, are more productive. The goal of DevOps is therefore to develop mutual understanding and common goals in order to establish long-term, strong working relationships between individual employees and entire departments.

DevOps culture is a kind of framework conducive to sharing valuable practical experience and developing empathy between employees. DevOps is a cultural fabric woven from three threads: continuous performance of one's duties, development of professional competence and personal self-improvement. This cultural fabric "envelops" both individual employees and entire departments, allowing them to develop professionally and personally, effectively and continuously. DevOps helps you get away from the "old approach" (a culture of reproach and searching for the guilty) and arrive at a "new approach" (using inevitable mistakes not for blame but for learning practical lessons). As a result, transparency and trust in the team increase, which greatly benefits the ability of team members to cooperate with each other. That is the summary of the book.

5. Yellow Web (yellow in the tabloid sense: a sensational selection of vulnerabilities of the World Wide Web)

Michal Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. 2012. 300 p.

Just 20 years ago, the Internet was as simple as it was useless. It was a bizarre mechanism that allowed a small handful of students and geeks to visit each other's home pages, the vast majority of which were devoted to science, pets and poetry.

The architectural flaws and implementation shortcomings of the World Wide Web that we have to put up with today are the price of historical short-sightedness. After all, this was a technology that never aspired to the global status it has today. As a result, we now have a very vulnerable cyber infrastructure: as it turned out, the standards, design and protocols of the World Wide Web that were enough for home pages with dancing hamsters are completely insufficient for, say, an online store that processes millions of credit card transactions a year.

Looking back over the past two decades, it is hard not to be disappointed: almost every seemingly useful web application developed to this day has been forced to pay a bloody price for the short-sightedness of yesterday's architects of the World Wide Web. Not only did the Internet turn out to be much more in demand than expected, but we also turned a blind eye to some of its uncomfortable characteristics that lay beyond our comfort zone. And it would be one thing to have turned a blind eye in the past; we continue to do so now. Moreover, even very well-designed and carefully tested web applications still have far more problems than their non-networked counterparts.

So we have made a proper mess of things. It is time to repent, and this book was written for the purpose of such repentance. It is the first of its kind (and currently the best of its kind) to provide a systematic and thorough analysis of the current state of web application security. For such a relatively small volume, the number of nuances discussed in it is simply overwhelming. Moreover, security engineers looking for quick solutions will rejoice at the cheat sheets found at the end of each chapter; they describe effective approaches to the most pressing problems a web application developer faces.

6. Brown (the bug hunter's diary)

Tobias Klein. A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security. 2011. 208 p.

One of the most interesting books published in the past decade. Its message can be summed up as: "Give a person an exploit and you make him a hacker for a day; teach him to exploit bugs and he remains a hacker for life." Reading "A Bug Hunter's Diary," you follow a practicing security expert as he finds bugs and exploits them in some of today's most popular software: Apple iOS, the VLC media player, web browsers and even the Mac OS X kernel. From this unique book you gain deep technical knowledge and an understanding of how hackers approach intractable problems, and of how much they enjoy the hunt for bugs.

From the book you will learn: 1) how to use time-tested methods of finding bugs, such as tracing user input and reverse engineering; 2) how to exploit vulnerabilities such as NULL-pointer dereferences, buffer overflows and type-conversion flaws; 3) how to write code that demonstrates the existence of a vulnerability; 4) how to properly notify vendors of the bugs found in their software. The diary is sprinkled with real examples of vulnerable code, and with the author's own programs designed to make bug hunting easier.
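
To make the first three of those points concrete, here is an added example that is not code from Klein's book or from any of the software it audits: a constructed C parser for a tiny "chunk" record (a 4-byte little-endian length followed by a payload, in the spirit of the media-file bugs the diary walks through). It traces the attacker-controlled length field from input to a memcpy, shows the signed/unsigned type-conversion flaw that lets a negative length slip past the bounds check, builds the minimal proof-of-concept input, and places the hardened parser (NULL checks, unsigned length, source and destination bounds) beside it. The record layout, the function names and the PoC bytes are all assumptions made for this page.

```c
/*
 * Added example, not code from Klein's book or from any of the software it
 * audits: a constructed "chunk" parser in the spirit of the media-file bugs
 * the diary walks through. The record layout (4-byte little-endian length
 * followed by payload), the function names and the PoC bytes are all
 * assumptions made for this page.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64   /* size of the fixed output buffer */

/* Decode the attacker-controlled length field (the "user input" to trace). */
static int32_t read_le32_signed(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/*
 * Vulnerable variant (type-conversion flaw). The length is kept as a SIGNED
 * int, so the only bounds check catches large positive values; a negative
 * length slips through and is converted to a huge size_t at the memcpy call.
 * So that this file runs safely, the function returns the byte count it would
 * hand to memcpy instead of performing the copy; in a real program that copy
 * is the buffer overflow.
 */
size_t vuln_copy_len(const uint8_t *chunk, size_t chunk_len)
{
    if (chunk_len < 4)
        return 0;
    int32_t len = read_le32_signed(chunk);
    if (len > PAYLOAD_MAX)          /* guards only the positive side */
        return 0;
    return (size_t)len;             /* -1 becomes SIZE_MAX here */
}

/*
 * Hardened variant: NULL checks on every pointer, an unsigned length from the
 * start, and a check that the payload the header promises is actually present
 * in the input (otherwise the copy reads past the end of the chunk).
 */
int safe_parse(const uint8_t *chunk, size_t chunk_len,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (chunk == NULL || out == NULL || out_len == NULL)
        return -1;
    if (chunk_len < 4)
        return -1;
    uint32_t len = (uint32_t)read_le32_signed(chunk);
    if (len > out_cap)              /* destination bound */
        return -1;
    if (len > chunk_len - 4)        /* source bound */
        return -1;
    memcpy(out, chunk + 4, len);
    *out_len = len;
    return 0;
}

/* PoC in the book's sense: the smallest input that proves the check is bypassable. */
size_t build_poc(uint8_t *buf, size_t buf_cap)
{
    if (buf_cap < 8)
        return 0;
    memset(buf, 0xff, 4);           /* length field = -1 as int32, 0xFFFFFFFF as uint32 */
    memset(buf + 4, 'A', 4);        /* a little payload so the input looks plausible */
    return 8;
}

/* Returns 1 if the vulnerable parser would copy more than PAYLOAD_MAX bytes for the PoC. */
int poc_bypasses_vuln_check(void)
{
    uint8_t poc[8];
    size_t n = build_poc(poc, sizeof poc);
    return n == 8 && vuln_copy_len(poc, n) > PAYLOAD_MAX;
}

/* Returns 1 if the hardened parser rejects the PoC but still accepts a well-formed chunk. */
int hardened_rejects_poc(void)
{
    uint8_t poc[8], out[PAYLOAD_MAX];
    size_t n = build_poc(poc, sizeof poc), out_len = 0;
    /* constructed benign chunk: length 5, payload "hello" */
    const uint8_t good[9] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    if (safe_parse(poc, n, out, sizeof out, &out_len) != -1)
        return 0;
    if (safe_parse(good, sizeof good, out, sizeof out, &out_len) != 0)
        return 0;
    return out_len == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("PoC bypasses the vulnerable check: %s\n", poc_bypasses_vuln_check() ? "yes" : "no");
    printf("Hardened parser rejects PoC, accepts benign: %s\n", hardened_rejects_poc() ? "yes" : "no");
    return 0;
}
```

The second bound in safe_parse is the one bug hunters most often find missing: a header that promises 40 bytes while only 2 follow it passes the destination check, and the vulnerable variant would happily hand 40 to memcpy and read past the end of the input.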

Whatever your purpose in hunting bugs, be it entertainment, money or the altruistic desire to make the world a safer place, this book will help you develop valuable skills, because with it you look over a professional bug hunter's shoulder, onto his monitor and into his head. Those familiar with C/C++ and x86 assembly will get the most out of the book.

7. The Book of Retribution (the secure-coding bible)

Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. 2010. 394 p.

Today any software developer is simply required to have the skills to write secure code; not because it is fashionable, but because the wildlife of cyberspace is decidedly unfriendly. We all want our programs to be reliable, but they will not be unless we take care of their security.

We are still paying for the sins of cyber-insecurity committed in the past, and we will be doomed to keep paying for them unless we learn from our rich history of sloppy software development. This book lays out 24 fundamental points that are very uncomfortable for software developers, uncomfortable in the sense that developers almost always make serious mistakes at exactly these points. The book gives practical advice on how to avoid these 24 serious flaws when developing software, and on how to test existing software written by other people for them. The book's narrative is simple, accessible and solid.

This book will be a valuable find for any developer, regardless of the language he uses, and of interest to everyone who cares about developing high-quality, reliable and secure code. It clearly demonstrates the most common and dangerous flaws in several languages at once (C++, C#, Java, Ruby, Python, Perl, PHP and others), and gives time-tested, well-proven techniques for mitigating them. Atone for past sins, in other words. Use this secure-design bible and sin no more!

The leaders of some software companies use this book for blitz training just before starting development of new software: they oblige developers to read, before starting work, the chapters that concern the technologies they will be dealing with. The book is divided into four parts: 1) web application sins, 2) implementation sins, 3) cryptographic sins, 4) networking sins.
