DevSecOps
♾️ Collection of DevSecOps Notes + Resources + Courses + Tools
♾️ DevSecOps
Notes taken from articles, plus resources, courses and tools for DevSecOps.
📝 Notes & Resources
Some links are resources and some links are notes which have been taken manually. Entries whose name begins with + are the taken notes.
🪜 Design / Plan
Design / Plan Phase Actions:
- Threat Models & Security Requirements should be designed and defined
- Risks & Plans for preventing threats from happening should be identified
Development Lifecycle
- + SDL (Security Development Lifecycle) by Microsoft
- + How to Ensure Security at the Speed of DevSecOps by Gitlab
Threat Model
- + Threat Modeling by OWASP
- + Structured Threat Modeling Process by OWASP
🧑💻 Develop
Develop Phase Actions:
- Secure Coding
- Static Application Security Testing (SAST): can be integrated into the developer's environment to find security issues in code while the developer is actively coding (e.g. a SAST IDE plugin)
Secure Coding
- + OWASP Secure Coding Practices
SAST in Developer's Environment
⚒️ Build
Build Phase Actions:
- Static Application Security Testing (SAST): find security issues in code
- Software Composition Analysis (SCA) & Software Bill of Materials (SBOM): find components and compare them against a database like the National Vulnerability Database
- Secret Management: find secrets
- Interactive Application Security Testing (IAST): test in an automated way and find vulnerabilities faster at run-time
Static Application Security Testing (SAST)
- + What Is SAST on Synopsys
- Beginners Guide to SAST Using SonarQube by Packt.com
- SAST Using Snyk and SonarQube by OpenSourceforu.com
Software Composition Analysis (SCA)
- + What is Software Composition Analysis (SCA) on Synopsys
- + Guide to Software Composition Analysis by Snyk
- Software Bill of Materials: How to generate an SBOM from container images using Syft
- Grype Open Source Vulnerability Scanner Demo
Secret Management
Interactive Application Security Testing (IAST)
- Interactive Application Security Testing (IAST) by Snyk
- Interactive Application Security Testing by OWASP
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
🧪 Test
Test Phase Actions:
- Interactive Application Security Testing (IAST): test in an automated way and find vulnerabilities faster at run-time (see the IAST section)
- Dynamic Application Security Testing (DAST): evaluate the application from the outside automatically
- Penetration Testing: evaluate the application black-box by ethical hackers
Dynamic Application Security Testing (DAST)
- Integrating Dastardly with your CI/CD platform (generic instructions) by PortSwigger
- Dynamic Application Security Testing with ZAP and GitHub Actions
- Dynamic Application Security Testing by Gitlab
Penetration Testing
⚓ Deploy
Deploy Phase Actions:
- Hardening & Secure Configuration
- Security Scanning
Hardening & Secure Configuration & Security Scanning
- OWASP Docker Security Cheat Sheet
- Docker Security
- Docker Security Best Practices by Aquasec
- Docker Security Scanning by Snyk
- Automate Container Security Scanning
- Making your NGINX Server more secure to host your web apps
🖥️ Operate & Monitor
Operate & Monitor Phase Actions:
- Run-time Application Self-Protection (RASP)
- Security Audit
- Monitor: metrics, monitoring and alerting
- Security Patch
Runtime Application Self-Protection (RASP)
- Runtime Application Self-Protection (RASP) by Rapid7
- Top 7 RASP Software
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
Security Audit
Monitor
🪈 CI/CD (DevOps) - Pipeline Tools
This part contains DevSecOps integration resources separated by different CI/CD tools like Gitlab, Azure DevOps and...
♻️ Azure DevOps
😺 Gitlab CI/CD
🎒 Courses
- DevSecOps with Azure DevOps: Secure CI/CD with Azure DevOps by Raghu at Udemy
- DevSecOps with GitLab: Secure CI/CD with GitLab (2023) by Raghu at Udemy
🔗 Other Resources
⛏️ DevSecOps Tools
Useful tools in DevSecOps + Notes
Vulnerability Management
DefectDojo
- + DefectDojo Installation & Setup Notes