Author: John Walsh, Uzi Ailon & Matt Barker
Identity Security for Software Development
Best Practices That Every Developer Must Know
John Walsh, Uzi Ailon & Matt Barker
ISBN: 978-1-098-15804-0
SECURITY

Maintaining secrets, credentials, and machine identities in secure ways is an important, though often overlooked, aspect of secure software development. DevOps security often addresses vulnerabilities, but it neglects broader discussions like authentication, authorization, and access control, potentially leaving the door open for breaches. That’s where an identity security strategy integrated in your code, infrastructure, and environments from day one can help.

In this practical book, authors John Walsh, Uzi Ailon, and Matt Barker provide conceptual frameworks, technology overviews, and useful code snippets to bridge the gap between development, IT, and security to integrate robust identity security across apps, CI/CD pipelines, Kubernetes and cloud native, hybrid and multicloud, process automation, IoT, and more.

You’ll learn:
• What developers need to know about managing secrets and identity to build safer apps
• What machine identities, secrets, and credentials are—and how to secure them
• How to secure the software supply chain to build safer apps
• How identity security fits into modern software development practices

John Walsh is a software security expert with over 15 years of experience. He is known for clearly communicating the complexities of securing the software supply chain.

Uzi Ailon is a seasoned software engineering professional focused on the business objectives of Fortune 500 companies and the unique challenges enterprises face in balancing innovation with security.

Matt Barker was cofounder and CEO of Jetstack, best known for its open source project “cert-manager.” He now leads workload identity architecture for CyberArk.
John Walsh, Uzi Ailon, and Matt Barker

Identity Security for Software Development
Best Practices That Every Developer Must Know
Identity Security for Software Development
by John Walsh, Uzi Ailon, and Matt Barker

Copyright © 2025 O’Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Gary O’Brien
Production Editor: Katherine Tozer
Copyeditor: Doug McNair
Proofreader: Kim Cofer
Indexer: Potomac Indexing, LLC
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

May 2025: First Edition

Revision History for the First Edition
2025-05-06: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098158033 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Identity Security for Software Development, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publisher’s views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

This work is part of a collaboration between O’Reilly and CyberArk®. See our statement of editorial independence. This book may include trademarks and tradenames of third parties. All such trademarks and tradenames are the property of their respective owners. The use of these trademarks and tradenames does not imply any affiliation with or endorsement by such parties.

978-1-098-15804-0
[LSI]
Table of Contents

Preface  ix

1. What You Need to Know About Identity Security  1
   Why Identity Security Matters  1
   Zero Trust Identity Security  2
   The Modern Enterprise Makes Identity Security Difficult  4
   Machine Identity Challenges  5
   Common Attack Types  7
   Identity Security Concepts  9
   Summary  11

2. Secure Coding Practices for Identity Security  13
   The Zero Trust Model  13
   Best Practices  14
   General Secure Coding Best Practices  14
   Identity Security Best Practices  19
   Understanding Security Standards  26
   CWE  26
   OWASP  26
   NIST  27
   PCI DSS  27
   HIPAA  27
   Summary  28

3. Authentication and Authorization  29
   AuthN  30
   Username and Password  30
   MFA  31
   Token-Based AuthN  31
   Biometric AuthN  32
   Common AuthN Techniques  32
   Risk Analysis During AuthN  38
   AuthN Best Practices  40
   AuthZ  40
   OAuth 2.0  41
   JWT  43
   Access Control Lists  44
   Extensible Access Control Markup Language  45
   Summary  46

4. Overview of Identity and Access Management Solutions and Protocols  47
   Core Components of IAM  48
   Identity Management  48
   Access Management  49
   AuthN  50
   AuthZ  50
   Identity Governance and Administration  52
   Why Does IAM Matter?  53
   Consumer Applications  54
   Enterprise Applications  54
   How IAM Relates to OWASP  55
   Identity Lifecycle Management  57
   Identity Provisioning and Deprovisioning  57
   Role Management  57
   Workflow and Approval Processes  58
   Identity Synchronization and Reconciliation  58
   IAM Architecture Models  59
   Centralized IAM Model  59
   Decentralized IAM Model  60
   Hybrid IAM Model  61
   IAM in Cloud Environments  62
   Key Standards in IAM  63
   SAML: Centralized AuthN for SSO  63
   OAuth 2.0: Securing Third-Party Access to Resources  64
   OIDC: Adding Identity to OAuth 2.0  64
   LDAP: Centralized Directory Services  65
   System for Cross-Domain Identity Management: Simplifying User Provisioning  66
   FIDO: Passwordless AuthN for Strong Security  66
   Emerging Trends in IAM  66
   AI in IAM  67
   Blockchain in IAM  67
   Summary  68

5. Secrets Management  69
   Why Does Secrets Management Matter?  71
   Principles of Secrets Management  73
   Principle #1: Encryption  73
   Principle #2: Access Control  74
   Principle #3: Monitoring and Auditing  74
   Principle #4: Compliance  75
   Principle #5: Testing  76
   Principle #6: Automation  76
   Principle #7: Centralization  77
   Secrets Management in Code  78
   Secrets Management Tools and Frameworks  79
   Setting Up a Secrets Policy  80
   Creating a Secrets Store by Using ESO  81
   Setting a Secret  82
   Retrieving a Secret  82
   Summary  83

6. Cloud Security and Cloud Native Considerations  85
   Background on Cloud Computing and Security  86
   Watch Out for Security Misconfigurations  88
   Cloud Native Versus Lift and Shift  90
   The Four Cs of Cloud Native Security  91
   How Different CSPs Structure Resources  93
   Guiding Principles for Securing Cloud Applications  96
   Comparing IAM Services  98
   Permissions  98
   Access  100
   Switching Between CSPs  101
   Summary  103

7. Securing Kubernetes  105
   How Kubernetes Works  107
   Kubernetes Security Challenges  108
   Secrets Management in Kubernetes  109
   Best Practices for Kubernetes Security  112
   Use Service Accounts Diligently  112
   Leverage the Kubernetes RBAC Framework  113
   Securing Your Pods and Containers  116
   Ensure Network Security  123
   Identity Management on Kubernetes Using SPIFFE  127
   Using cert-manager for TLS Identity Security Automation  129
   Using Service Meshes to Secure Clusters  132
   Identity Management in Service Meshes  133
   AuthZ in Service Meshes  133
   Trading Off Performance and Security  135
   Service Mesh Best Practices  135
   Summary  137

8. Security Automation  139
   Why Does Security Automation Matter?  140
   Types of Security Automation  141
   What Security Processes Can Be Automated?  142
   Security Automation at Work  143
   Security Automation Tools  144
   Security Automation Best Practices  148
   Infrastructure as Code  149
   Policy as Code  151
   Secure Automation Tools  153
   Security Automation with AI  153
   Example: Security Automation with Ansible and Conjur Open Source  154
   Summary  157

9. CI/CD Pipeline Security and Software Supply Chains  159
   Why Does Securing Your CI/CD Pipeline Matter?  161
   Securing Secrets in a CI/CD Pipeline  161
   A Jenkins Example  161
   What OWASP Says About CI/CD Security  162
   Foundations of CI/CD Security  166
   Source Code Threats  167
   Hardening the Build Process  170
   Managing Artifacts  171
   Integrating Security Testing into CI/CD Pipelines  172
   Monitoring and Incident Response  175
   Provenance, Attestations, and Digital Signatures  176
   Summary  179

Index  181
Preface

If you’re a developer, an engineer, or someone working alongside development teams, chances are you’re already making identity security decisions—whether you realize it or not. The rise of cloud services, automation, and AI-driven tools has woven identity security into the fabric of modern development workflows. Developers are provisioning cloud resources, integrating APIs, managing service accounts, and handling secrets—often without considering the security implications.

While AI and automation accelerate software development—making it easier than ever to generate code, configure infrastructure, and deploy applications at scale—they also introduce new risks. Embedding credentials in generated scripts, configuring access policies for AI-assisted deployments, and managing machine identities across automated pipelines are all identity-related decisions that can either strengthen or weaken security. The challenge is that many developers don’t always realize they’re making security-critical choices until something goes wrong.

This book is here to help you know what you don’t know about identity security. It’s designed for developers and the dev adjacent—professionals who are code literate or at least not afraid of diving into some code. Rather than turning you into a security expert overnight, this book will uncover the gotchas, pitfalls, and hidden risks that could leave your applications exposed.

But this book isn’t just for developers. Security teams can use it to better understand how developers work, the challenges they face, and why identity security decisions so often fall into their hands. Too often, security and development teams operate in silos, struggling to collaborate effectively. Security wants to reduce risk, and developers want to ship software quickly—but these goals don’t have to be at odds. By understanding identity security from a developer’s perspective, security teams can offer more relevant guidance, start meaningful conversations, and work together with development teams to build secure software without slowing things down.
Identity security isn’t just about users logging in. Machines, applications, services, and workloads all have identities, and securing them is just as critical as securing human access. Attackers know this—API keys, cloud credentials, and machine identities are prime targets for breaches because they often provide a direct path to sensitive systems. Yet, many development teams don’t fully recognize these risks—or only think about them when something goes wrong.

The problem isn’t that developers don’t care about security. It’s that identity security has often been treated as someone else’s job. But as software development accelerates, identity-related decisions are increasingly landing in the hands of developers—whether they’re prepared for it or not.

This book won’t drown you in abstract security theory. Instead, it provides a broad and practical perspective on securing identity in software development. It will give you a solid foundation and help you integrate security into your development workflows without slowing you down.

By the time you finish, you won’t just have a better understanding of identity security—you’ll also recognize the risks you didn’t even know were there. Whether you’re a developer trying to secure your applications or a security professional looking to engage with developers more effectively, this book will help you bridge the gap.

The lines between developers, IT/operations, and security blur every day. We have a shared responsibility to safeguard the integrity, confidentiality, and availability of the systems we create. This book, Identity Security for Software Development, is your guide to developing software with security at its core and identity built into the fabric of its code.

Our Approach

We wrote this book to equip developers, engineers, and security teams with the knowledge and tools they need to secure identities from the first line of code to the last push to production. Identity security isn’t just another security checkbox—it’s a fundamental part of building resilient, secure applications. Our goal is to provide you with the knowledge, strategies, and practical techniques you need to embed security into every layer of your applications. We cover both the fundamentals of secure coding and the subtleties of identity security, focusing on real-world approaches—from secure authentication and authorization mechanisms to protecting sensitive data and mitigating common threats.

Each chapter in this book covers a specific area of identity security for software development—authentication, authorization, secrets management, machine identity, continuous integration and continuous security (CI/CD), cloud security, and Kubernetes security, among others. Any of these topics could easily provide enough subject
matter for a book on its own, but the goal here isn’t to provide technical deep dives. Instead, this book is designed to give those who are new to identity security a strong foundation, helping them understand best practices, recognize risks they might not have considered, and avoid costly mistakes before they happen.

We recognize that not all readers will follow the same path. If you’re new to identity security, we recommend that you start with the foundational chapters before exploring more advanced topics. If you’re facing a specific challenge—like securing API keys, managing credentials in Kubernetes, or integrating identity into a CI/CD pipeline—you can jump straight to the relevant chapters without needing to read the entire book cover to cover.

This book is also meant to bridge the gap between security and development teams. Security professionals can use it to better understand how developers work, where identity security fits into modern development workflows, and how to provide guidance that speeds up rather than slows down development. By fostering collaboration, we aim to help organizations build secure software without slowing down innovation.

Ultimately, identity security isn’t just about preventing breaches—it’s about designing applications that are secure by default, resilient to attack, and built with security woven into every stage of development. This book will help you get there.

Who Should Read This Book?

This book is intended for developers, engineers, and dev-adjacent professionals who are involved in building, deploying, and securing software. Whether you’re a coder just starting your journey, a seasoned developer, a DevOps engineer managing cloud infrastructure, or a security professional working with development teams, this book will help you understand identity security in the context of modern software development.

Many developers and engineers already interact with identity security—often without realizing it. As automation, AI, and cloud native technologies accelerate development, identity-related security decisions are becoming part of daily workflows. This book will help you recognize those security-related moments, understand best practices, and avoid common mistakes before they lead to security incidents.

At the same time, security professionals can use this book to gain a developer’s perspective on identity security—which will help them understand where identity risks emerge in the software development lifecycle, how development teams approach security, and how to collaborate more effectively with them to embed security into development workflows without slowing down innovation.
This book also is for anyone who wants to do the following:

• Develop a strong foundation in identity security—covering authentication, authorization, secrets management, and machine identity.
• Build secure, resilient software systems that integrate security into development workflows without adding unnecessary friction.
• Safeguard user identities and sensitive data in modern applications.
• Mitigate common identity-related vulnerabilities and security threats that affect software development.
• Understand how to secure identities in cloud environments, CI/CD pipelines, and Kubernetes workloads.
• Bridge the gap between security and development teams, fostering better collaboration to build secure software faster.

No matter your role, if you’re involved in writing, deploying, or securing software, this book will help you recognize and address identity security risks before they become problems.

What You’ll Find Inside

We’ve structured this book to provide both conceptual knowledge and practical guidance. You’ll find coverage of the following topics:

Foundations of secure coding
   We start with the basics, laying a strong foundation in secure coding principles, practices, and standards used by developers worldwide.

Identity security
   We expand the discussion into identity security, covering topics such as authentication (AuthN), authorization (AuthZ), single sign-on (SSO), and multifactor authentication (MFA).

Data security
   We teach you how to protect sensitive data through encryption, access controls, and secure storage practices.

Common vulnerabilities
   We explore real-world examples of common security vulnerabilities and teach you how to prevent them.

Security throughout the software development lifecycle
   We cover how to integrate security into your development process, from design to deployment, including security automation and CI/CD pipelines.
Cloud security considerations
   We teach you about cloud-specific security threats, mitigation strategies, and how different cloud providers support identity security.

Kubernetes security
   We also discuss best practices for securing Kubernetes workloads and service meshes.

Finally, remember that you aren’t alone. This book teaches you how to collaborate with the relevant members of your organization, and it will serve as your reference for building safer apps faster.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
   Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
   Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

This element signifies a general note.

O’Reilly Online Learning

For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.
How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://oreilly.com/about/contact.html

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/identity-security-for-software-dev.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly-media.

Watch us on YouTube: https://youtube.com/oreillymedia.

Acknowledgments

Writing this book has been a journey, and there have been many contributors along the way. We’ve been fortunate that partway through the writing process, Jetstack® (the original creator of Kubernetes cert-manager) and its technical team became part of CyberArk. Jetstack’s expertise with development and platform engineering teams has helped shape this book and pushed us to make it more useful to developers and platform engineers. While many people made huge contributions, we especially want to thank Steve Judd (for his work on the Kubernetes and CI/CD chapters) and Mattias Gees.

To the O’Reilly reviewers—Vladislav Bilay, Nielet D’mello, and Marcos Mazoti—thank you for your feedback and expertise. We sincerely appreciate the deep technical reviews and insights from our many colleagues: Alyssa Miles, Ashley Davis, Brandon McCaffrey, Chad Miller, Dan Zadik, Darren Khan, David Lang, Evan Litwak, Ivan Wallis, Josh Kirkwood, Maor Franco, Mark Szalkiewicz, Mike Bykat, Przemek Dybowski, Racheli Lotvin, Shlomi Benita, Shlomo Heigh, and Tim Parmenter. And to Roy Sarkar, thank you for sharing your spidey-sense.

Finally, a special thanks to our executive sponsors, Kurt Sand, Kevin Bocek, Charles Chu, Archit Lohokare, and Simon Mouyal. Also, thanks to Chris Smith, for his sponsorship and guidance, and Laura Lasonde, for keeping us all on track.
CHAPTER 1
What You Need to Know About Identity Security

When rideshare company Uber was hacked in 2022, it came close to a total system shutdown. As in many security breaches, hackers exploited a series of human and machine weaknesses to access Uber’s internal systems. In one key incident, an Uber employee, frustrated by a flood of multifactor authentication (MFA) messages sent to their phone by the hacker, granted access approval to Uber’s network, *.corp.uber.com. Once inside, the hacker discovered Microsoft PowerShell scripts with hardcoded administrative credentials that gave them access to several sensitive services, including Amazon Web Services (AWS), Google Drive, Slack, SentinelOne, and the HackerOne admin console. Within hours, the hacker announced the breach on the company’s own Slack channel and posted screenshots to public sites like HackerOne.

While nothing was stolen, had the hacker sought financial gain, this breach would have had devastating impacts. Today, it serves as a textbook case of the power of social engineering and the consequences of multiple failures of identity security. Attackers using a single exploit and moving through a network by stealing identities is a pattern that has happened many times before and will happen again. If you were a developer at Uber, what would you change?

Why Identity Security Matters

Organizations have dramatically increased the quantities and types of identities to support cloud computing, DevOps automation, the Internet of Things (IoT), AI, and other advancements in digital services. As a result, more identities and more use cases mean you must secure and manage more credentials, secrets, and accounts than ever before.
Importantly, the number of machine identities will only continue to grow. The CyberArk 2025 Identity Security Threat Landscape Report found that machine identities outnumber humans by a factor of 82 to 1, and this disparity will grow exponentially with the emergence of new AI and AI agent products. The potential volume of unprotected identities cannot be ignored.

Identity security is also a sought-after skill because attackers are getting very good at what they do. According to the 2023 Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA), 90% of organizations experienced at least one identity-related breach in the past year, and 68% of those surveyed said the attacks directly impacted their business. These impacts include the costs of recovering from the breach and the negative impact that the breach had on the company’s reputation.

Zero Trust Identity Security

Traditional barriers, boundaries, roles, responsibilities, and safeguards have melted away, so these days software needs to be written with zero trust in mind. This means that developers can no longer assume that no one will see the code in their integrated development environment (IDE), on GitHub, on their drive, in their test environment, or even in their continuous integration and continuous delivery/deployment (CI/CD). This also means that developers are a key part of the process of protecting the software supply chain and the enterprise as a whole—so it isn’t the responsibility of security teams alone.

Identity security is how developers, quality assurance (QA), IT, and other teams within an organization secure all identities within their code, development environments, and software supply chains. Zero trust identity security requires ongoing verification of identity and device health, and it can use behavior analysis to detect anomalies, especially for privileged identities. Whether packaged as a tool, a framework, or a set of best practices, identity security assumes that any organizational asset can be compromised through a malicious attack path centered on privileged identity. If you’ve entered a password or used MFA, you’ve seen identity security in action.

   You don’t trust anyone, that’s your problem.
   —Peter Parker (aka Spider-Man)

   I trust my barber.
   —J. Jonah Jameson

What Peter criticizes in the 2002 Spider-Man movie, we say with conviction: identity security must be rooted in skepticism rather than blind trust. Zero trust is a security philosophy in which practitioners assume that an application or system is always
vulnerable to attack and do their best to protect against the many ways in which malicious actors operate.

This zero trust challenge gets harder as we see more machine identities in use. The growth in automation and an increasingly complex software supply chain mean entities use more secrets (e.g., passwords, tokens, Secure Shell [SSH] keys, API keys, license keys) to access critical and sensitive data and systems. This means you must figure out where these secrets are used and how to best protect them against unauthorized access. Table 1-1 provides examples of the two categories of identities.

Table 1-1. Examples of human and machine identities

Human identities      Machine identities
End users             Cloud native and containers applications
IT administrators     DevOps tools and CI/CD pipelines
Developers            Automation scripts
Contractors           AI and AI agents
Vendors               IoT devices
QA testers            Third-party commercial-off-the-shelf including robotic process automation (RPA)
Customer prospects    Secure n-tier/Static homegrown apps and web apps
Grand Moff Tarkin     Imperial code cylinders [a]

[a] While fictional, these Star Wars props provide a good example of secrets encoded onto a portable device used to access sensitive areas.

If you can identify the security issue in the following code snippet (taken from the MITRE Common Weakness Enumeration database), then you have an idea of the issues that an identity security program aims to prevent:[1]

   ## Java
   int VerifyAdmin(String password) {
       if (!password.equals("Mew!")) {
           return(0)
       }
       //Diagnostic Mode
       return(1);
   }

[1] It’s not the syntax error of the missing semicolon. (We swear we copied the source site directly!) It’s the hardcoded “Mew!” in the password check. If this were exposed, hackers would have the correct password to exploit the system.

Managing human and machine identities is a critical aspect of a security team’s responsibilities. Examples of human identity management include the following:
• Authentication (AuthN) and authorization (AuthZ)
• User lifecycle management
• Privileged access management (PAM)
• Zero standing privilege

Machine identity management includes the following:

• Secrets management
• Certificate management
• Discovery
• Strong AuthN mechanisms

The Modern Enterprise Makes Identity Security Difficult

Remember when ChatGPT was taken offline? In early 2023, OpenAI shut down the popular chatbot in response to a cybersecurity breach. Traced to a user AuthZ bug in Redis, the breach was caused by a data race condition between two message queues: if a user canceled a request within a certain time frame, the system delivered their information to the next user who made a similar request. This information could include the user’s first and last name, email address, payment address, and credit card type, as well as the last four digits of their credit card number and credit card expiration date.[2]

[2] As explained by OpenAI, the solution included the addition of redundant checks (to ensure that the data returned by Redis matched the requesting user) and a programmatic examination of logs (to ensure that only the authorized user received their messages).

This example illustrates how the modern enterprise has changed the nature of identity security. Explosive growth in the software supply chain means there are more opportunities for risk. Automation, DevOps, cloud computing, the IoT, and AI are reshaping our jobs, and the demand for broader collaborative skills has outpaced the need for focused practitioners of one programming language.

Your career in the modern enterprise demands adaptability and versatility, collaborating across departments, and performing tasks that traditionally fell under separate roles. Consider Glassdoor’s top three interview questions for enterprise developers:
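The VerifyAdmin snippet earlier in this chapter fails because the expected password lives in the source. The following Java class is an added example, not code from the book or from MITRE: it keeps only a salted PBKDF2 hash of the admin password, reads that hash at startup from an environment variable named ADMIN_PASSWORD_HASH (an assumed name, the value of which a secrets store would inject), and compares derived hashes in constant time.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hardened counterpart of the CWE VerifyAdmin snippet. The source contains no
// credential: only a salted PBKDF2-HMAC-SHA256 hash is held, and it arrives from
// the environment (ADMIN_PASSWORD_HASH is an assumed variable name).
public final class AdminVerifier {
    private static final String SCHEME = "pbkdf2-sha256";
    private static final int ITERATIONS = 600_000; // OWASP-recommended floor for PBKDF2-HMAC-SHA256
    private static final int KEY_BITS = 256;

    private final byte[] salt;
    private final byte[] expectedHash;

    private AdminVerifier(byte[] salt, byte[] expectedHash) {
        this.salt = salt.clone();
        this.expectedHash = expectedHash.clone();
    }

    // Parses "pbkdf2-sha256$<base64 salt>$<base64 hash>", the format encode() writes.
    static AdminVerifier fromEncoded(String encoded) {
        String[] parts = encoded.split("\\$");
        if (parts.length != 3 || !SCHEME.equals(parts[0])) {
            throw new IllegalArgumentException("malformed admin password hash");
        }
        Base64.Decoder dec = Base64.getDecoder();
        return new AdminVerifier(dec.decode(parts[1]), dec.decode(parts[2]));
    }

    // Fail closed: with no configured hash there is no admin access at all,
    // rather than a built-in default such as "Mew!".
    static AdminVerifier fromEnvironment() {
        String encoded = System.getenv("ADMIN_PASSWORD_HASH");
        if (encoded == null || encoded.isBlank()) {
            throw new IllegalStateException("ADMIN_PASSWORD_HASH is not set");
        }
        return fromEncoded(encoded);
    }

    // One-time setup step run by an operator; the output goes into the secrets store.
    static String encode(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt);
        Base64.Encoder enc = Base64.getEncoder();
        return SCHEME + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    // Constant-time comparison of derived hashes; there is no diagnostic-mode bypass.
    boolean verifyAdmin(char[] password) {
        byte[] candidate = derive(password, salt);
        try {
            return MessageDigest.isEqual(candidate, expectedHash);
        } finally {
            Arrays.fill(candidate, (byte) 0);
        }
    }

    private static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) {
        // Constructed demo values; in deployment the encoded hash comes from the
        // secrets store via fromEnvironment().
        String stored = encode("correct horse battery staple".toCharArray());
        AdminVerifier verifier = fromEncoded(stored);
        System.out.println("hardcoded guess accepted: "
                + verifier.verifyAdmin("Mew!".toCharArray()));
        System.out.println("real password accepted: "
                + verifier.verifyAdmin("correct horse battery staple".toCharArray()));
    }
}
```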
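The OpenAI fix described in footnote 2, a redundant check that data coming back from the cache belongs to the requesting user, can be expressed as a small read wrapper. This Java class is an added example, not code from the book or from OpenAI; the record shape, the key names and the mis-keyed entry that stands in for the queue race are all constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example: a cache read that refuses to release a record unless the owner
// stored with it matches the requesting user, so a race that stored one user's
// data under another user's key cannot turn into a disclosure.
public final class OwnerCheckedCache {
    // Assumed record shape: the owner travels with the data, so the check does not
    // depend on the cache key being correct.
    record CachedConversation(String ownerId, String title) {}

    private final Map<String, CachedConversation> backing = new HashMap<>();
    private int mismatches;

    void put(String key, CachedConversation value) {
        backing.put(key, value);
    }

    Optional<CachedConversation> getForUser(String requestingUserId, String key) {
        CachedConversation rec = backing.get(key);
        if (rec == null) {
            return Optional.empty();
        }
        if (!rec.ownerId().equals(requestingUserId)) {
            // Fail closed, evict the poisoned entry, and leave an audit trail so the
            // log review the footnote describes has something concrete to find.
            mismatches++;
            backing.remove(key);
            System.err.printf("AUDIT cache_owner_mismatch key=%s requester=%s owner=%s%n",
                    key, requestingUserId, rec.ownerId());
            return Optional.empty();
        }
        return Optional.of(rec);
    }

    int mismatchCount() {
        return mismatches;
    }

    public static void main(String[] args) {
        OwnerCheckedCache cache = new OwnerCheckedCache();
        // Constructed inputs: one correct entry, and one that a simulated queue race
        // has stored under user-2's key although it belongs to user-1.
        cache.put("history:user-1", new CachedConversation("user-1", "Trip planning"));
        cache.put("history:user-2", new CachedConversation("user-1", "Trip planning"));
        System.out.println("user-1 sees own record: "
                + cache.getForUser("user-1", "history:user-1").isPresent());
        System.out.println("user-2 sees leaked record: "
                + cache.getForUser("user-2", "history:user-2").isPresent());
        System.out.println("mismatches logged: " + cache.mismatchCount());
    }
}
```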