Security for Serverless Developers book links

This document contains links and book references mentioned in the book “Security for Serverless Developers”.

Chapter 1: DevOps Basics

Books

• Agarwal G: Modern DevOps Practices - Second Edition: Implement, secure, and manage applications on the public cloud by leveraging cutting-edge tools (2nd Edition), Packt, 2024, ISBN 978-1805121824
• Forsgren N, Humble J, Kim G: Accelerate - The Science of Lean Software and DevOps, IT Revolution Press, 2018, ISBN 978-1942788331
• Kim G, Humble J, Debois P, Willis J, Forsgren N: The DevOps Handbook - How to Create World-Class Agility, Reliability, & Security in Technology Organizations (2nd Edition), IT Revolution Press, 2021, ISBN 978-1950508402
• Skelton M, Pais M, Malan R: Team Topologies - Organizing Business and Technology Teams for Fast Flow, IT Revolution Press, 2019, ISBN 978-1942788812
• Skelton M, Pais M: Remote Team Interactions Workbook - Using Team Topologies Patterns for Remote Working, IT Revolution Press, 2022, ISBN 978-1950508617

Videos

• 10+ Deploys Per Day: Dev and Ops Cooperation at Flickr (Velocity 09), https://www.youtube.com/watch?v=LdOe18KhtT4 (‘The start of DevOps’)
• DevOps video playlist from GOTO 2024 Conference https://www.youtube.com/playlist?list=PLEx5khR4g7PLCoWS5k9u2WQ8RdKqhKEKn
• Intro to DevOps from deepdives.eu https://www.youtube.com/live/MSalpSklRgs

Websites

• DevOps Topologies https://web.devopstopologies.com/
• How to use value stream mapping to improve software delivery https://dora.dev/guides/value-stream-management/
• Puppet State of DevOps Report archive https://www.puppet.com/resources/history-of-devops-reports
• Why software developers prefer DORA metrics https://www.infoworld.com/article/2338808/why-software-developers-prefer-dora-metrics.html
• The Wrong Way to Use DORA Metrics https://thenewstack.io/the-wrong-way-to-use-dora-metrics/

Chapter 2: Serverless Architecture and Security

Videos

• Cloud Security Risks: Explorint the Latest Threat Landscape Report (IBM Technology) https://www.youtube.com/watch?v=VK0GyUSDwQY
• Itay Rozenman: Serverless Security - New Risks Require New Approaches (GOTO 2021) https://www.youtube.com/watch?v=IeMFRd2TFD4
• Serverless Security Best Practices (AWS re:Invent 2021) https://www.youtube.com/watch?v=nEaAuX4O9TU
• Serverless Security Made Simple (Google Cloud Next ‘19) https://www.youtube.com/watch?v=-q4u8YO2YaA
• Using DevOps, Microservices & Serverless to Accelerate Innovation (AWS re:Invent 2018) https://www.youtube.com/watch?v=eXl6Bumksnk

Chapter 3: Introduction to Security

Papers

• Shaharyar Khan, Ilya Kabanov, Yunke Hua, and Stuart Madnick. 2022. A Systematic Analysis of the Capital One Data Breach: Critical Lessons Learned. ACM Trans. Priv. Secur. 26, 1, Article 3 (February 2023), 29 pages. https://doi.org/10.1145/3546068 (publicly available)

Videos

• OWASP Serverless Top 10 https://www.youtube.com/watch?v=3A49USGCmvU
• OWASP Top 10 2021 - The List and How You Should Use It https://www.youtube.com/watch?v=hryt-rCLJUA

Websites

• 2017 Equifax data breach, Wikipedia https://en.wikipedia.org/wiki/2017_Equifax_data_breach
• The Equifax Hack Has the Hallmarks of State-Sponsored Pros, Bloomberg Business Week, 2017, https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

Chapter 4: Secure Software Development Practices

Papers

• Chowdhury PD, Hallett J, Patnaik N, Tahaei, M, Rashid A: Developers Are Neither Enemies Nor Users: They Are Collaborators, 2021 IEEE Secure Development Conference (SecDev), IEEE 2021 https://doi.org/10.1109/SecDev51306.2021.00023
• Green M, Smith M: Developers are Not the Enemy!: The Need for Usable Security APIs, IEEE Security & Privacy vol. 14, no. 5, pp. 40-46, IEEE 2016, https://doi.org/10.1109/MSP.2016.111
• Wurster G, van Oorschot PC: The developer is the enemy, Proceedings of the 2008 New Security Paradigms Workshop (NSPW ‘08), ACM 2008, https://doi.org/10.1145/1595676.1595691

Videos

• Leveraging Psychological Needs For Building A Security Culture Amongst Developers - Juliane Reimann https://youtu.be/3m1ASrjfkbk?si=pItJhziSMpGeXltI
• Maturing SDLC At A Fortune 500 Company Based On OWASP SAMM: Successes And Pitfalls https://www.youtube.com/watch?v=hf1U3MP_wBU
• Navigating The Landscape Of Client-Side Request Hijacking On The Web https://www.youtube.com/watch?v=7L4koVoZ7Uw
• OWASP Developer Guide (2024) https://www.youtube.com/watch?v=EV8bwXQNnfI
• OWASP Open Common Requirement Enumeration (OpenCRE) https://www.youtube.com/watch?v=Uhg1dtzwSKM

Websites

• How to use value stream mapping to improve software delivery https://dora.dev/guides/value-stream-management/

Chapter 5: API Gateway Security in Microservices Architecture

Videos

• I didn’t know Amazon API Gateway did that (SVS323) - AWS re:Invent 2023 https://www.youtube.com/watch?v=SlWJCTrMLOA

Websites

• OWASP API Security Top 10 https://owasp.org/API-Security/

Chapter 6: DevSecOps - Integrating Security into the Development Lifecycle

Videos

• Application Threat Modeling Implementation Tips and Tricks - Mohamed Alfateh https://www.youtube.com/watch?v=Fzz-VsqRtWk
• APPSEC Cali 2018 - Threat Modeling Toolkit https://www.youtube.com/watch?v=KGy_KCRUGd4
• Automating Architectural Risk Analysis with the Open Threat Model format - Fraser Scott https://www.youtube.com/watch?v=u8k10f_aNtk
• Automating Security Test Cases Based On ASVS - Aram Hovsepyan https://youtu.be/EZs5W8-mt_I?si=bh9FI4iFdyzCu3mi
• Hacker Traction Through GitHub Actions: Is Your (Open Source) Project Safe? - Stephen Giguere https://youtu.be/-WxtnUHhrlc?si=LdXbw1jm7SjnGupP
• Martin Fowler On Test Driven Development And Self Testing Code https://www.youtube.com/watch?v=JDi3MSUd3zs
• OWASP Based Threat Modelling: Creating A Feedback Model In An Agile Environment - Chaitanya Bhatt https://www.youtube.com/watch?v=pXr75ufG1uM
• OWASP Cornucopia - Johan Sydseter https://www.youtube.com/watch?v=7ZfJBZBY7Bw
• OWASP Dep-scan - Prabhu Subramanian https://youtu.be/4bSwEwZd2vc?si=XnGrsjUslJg7MpOY
• OWASP Open Common Requirement Enumeration (OpenCRE) - Spyros Gasteratos & Paola Garcia Cardenas https://youtu.be/Uhg1dtzwSKM?si=btUNTJ0bkO0Qj1Hk
• Security Champions And Experiments: Building Blocks For Cultural Change - Mads Andersen https://youtu.be/8JlMXx1WJOM?si=Cmt_idzEjSuCL9XX
• “Shift Left” Isn’t What You Expected https://www.youtube.com/watch?v=QzIdRsxQI88
• The State of Secure DevOps - Security enables Velocity https://www.youtube.com/watch?v=bV2xZPBTcBo
• Will Machine Learning Replace The WAF? - John Graham-Cumming https://youtu.be/-WxtnUHhrlc?si=6DANNjpVjgMKUUDc

Websites

• OWASP Cornucopia https://owasp.org/www-project-cornucopia/
• OWASP Projects https://owasp.org/projects/
• OWASP Security Champions Playbook https://github.com/c0rdis/security-champions-playbook/tree/master/Security%20Playbook
• OWASP Snakes And Ladders https://owasp.org/www-project-snakes-and-ladders/
• OWASP Threat Dragon https://owasp.org/www-project-threat-dragon/