DevSecOps
♾️ Collection of DevSecOps Notes + Resources + Courses + Tools
♾️ DevSecOps
DevSecOps: notes taken from articles, plus resources, courses and tools for DevSecOps.
📝 Notes & Resources
Some links are resources and some links are notes that have been taken manually. Names that begin with + are taken notes.
🪜 Design / Plan
Design / Plan Phase Actions:
- Threat Models & Security Requirements should be designed and defined
- Risks & Plans for preventing threats from happening should be identified
Development Lifecycle
- + SDL (Security Development Lifecycle) by Microsoft
- + How to Ensure Security at the Speed of DevSecOps by Gitlab
Threat Model
- + Threat Modeling by OWASP
- + Structured Threat Modeling Process by OWASP
🧑‍💻 Develop
Develop Phase Actions:
- Secure Coding
- Static Application Security Testing (SAST): Can be integrated into the developer's environment to find security issues in code while the developer is actively coding (e.g. a SAST IDE plugin)
Secure Coding
- + OWASP Secure Coding Practices
SAST in Developer's Environment
⚒️ Build
Build Phase Actions:
- Static Application Security Testing (SAST): Find security issues in code
- Software Composition Analysis (SCA) & Software Bill of Materials (SBOM): Find components and compare them against a database like the National Vulnerability Database
- Secret Management: Find secrets
- Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster at run-time
Static Application Security Testing (SAST)
- + What Is SAST on Synopsys
- Beginners Guide to SAST Using SonarQube by Packt.com
- SAST Using Snyk and SonarQube by OpenSourceforu.com
Software Composition Analysis (SCA)
- + What is Software Composition Analysis (SCA) on Synopsys
- + Guide to Software Composition Analysis by Snyk
- Software Bill of Materials: How to generate an SBOM from container images using Syft
- Grype Open Source Vulnerability Scanner Demo
Secret Management
Interactive Application Security Testing (IAST)
- Interactive Application Security Testing (IAST) by Snyk
- Interactive Application Security Testing by OWASP
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
🧪 Test
Test Phase Actions:
- Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster at run-time (see the IAST section)
- Dynamic Application Security Testing (DAST): Evaluate the application from the outside, automatically
- Penetration Testing: Evaluate the application black-box, by ethical hackers
Dynamic Application Security Testing (DAST)
- Integrating Dastardly with your CI/CD platform (generic instructions) by PortSwigger
- Dynamic Application Security Testing with ZAP and GitHub Actions
- Dynamic Application Security Testing by Gitlab
Penetration Testing
⚓ Deploy
Deploy Phase Actions:
- Hardening & Secure Configuration
- Security Scanning
Hardening & Secure Configuration & Security Scanning
- OWASP Docker Security Cheat Sheet
- Docker Security
- Docker Security Best Practices by Aquasec
- Docker Security Scanning by Snyk
- Automate Container Security Scanning
- Making your NGINX Server more secure to host your web apps
🖥️ Operate & Monitor
Operate & Monitor Phase Actions:
- Run-time Application Self-Protection (RASP)
- Security Audit
- Monitor: Metrics, monitoring and alerting
- Security Patch
Runtime Application Self-Protection (RASP)
- Runtime Application Self-Protection (RASP) by Rapid7
- Top 7 RASP Software
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
Security Audit
Monitor
🪈 CI/CD (DevOps) - Pipeline Tools
This part contains DevSecOps integration resources, grouped by CI/CD tool (Gitlab, Azure DevOps, etc.).
♻️ Azure DevOps
😺 Gitlab CI/CD
🎒 Courses
- DevSecOps with Azure DevOps: Secure CI/CD with Azure DevOps by Raghu at Udemy
- DevSecOps with GitLab: Secure CI/CD with GitLab (2023) by Raghu at Udemy
🔗 Other Resources
⛏️ DevSecOps Tools
Useful tools in DevSecOps + Notes
Vulnerability Management
DefectDojo
- + DefectDojo Installation & Setup Notes