♾️ DevSecOps

DevSecOps Taken Notes from articles in addition to (resources|courses|tools) for DevSecOps.

📝 Notes & Resources

Some links are resources and some links are notes which have been manually taken. Names which have + at the beginning, are taken notes.

🪜 Design / Plan

Design / Plan Phase Actions:

• Threat Models & Security Requirements should be designed and defined
• Risks & Plans for preventing threats from happening should be identified

Development Lifecycle

• + SDL (Security Development Lifecycle) by Microsoft
• + How to Ensure Security at the Speed of DevSecOps by Gitlab

Threat Model

• + Threat Modeling by OWASP
• + Structured Threat Modeling Process by OWASP

🧑‍💻 Develop

Develop Phase Actions:

• Secure Coding
• Static Analysis Security Testing (SAST): Can be integrated into developers environment (Find security issues in code)
  • when developer is actively coding (e.g. a SAST IDE Plugin)

Secure Coding

• + OWASP Secure Coding Practices

SAST in Developer's Environment

• SonarLint
  • Using SonarLint with SonarQube in Intellij IDE
  • Real-time Code Quality Scan with SonarLint in Visual Studio Code
• Semgrep
  • Semgrep on Visual Studio Code
  • Semgrep Plugin Page on Jetbrains
• Snyk
  • Snyk Plugin in Visual Studio Code
    • Snyk VS Code Plugin Configuration
  • Snyk Plugin in Jetbrains
    • Snyk Jetbrains Plugin Configuration

⚒️ Build

Build Phase Actions:

• Static Application Security Testing (SAST): Find security issues in code
• Software Composition Analysis (SCA) & Software Bill of Material (SBOM): Find components and compare them against a database like National Vulnerability Database
• Secret Management: Find Secrets
• Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster in run-time

Static Application Security Testing (SAST)

• + What Is SAST on Synopsys
• Beginners Guide to SAST Using SonarQube by Packt.com
• SAST Using Snyk and SonarQube by OpenSourceforu.com

Software Composition Analysis (SCA)

• + What is Software Composition Analysis (SCA) on Synopsys
• + Guide to Software Composition Analysis by Snyk
• Software Bill of Materials: How to generate an SBOM from container images using Syft
• Grype Open Source Vulnerability Scanner Demo

Secret Management

• Secret Management: Tools & Best Practice by Snyk
• Secret Management Cheat Sheet by OWASP

Interactive Application Security Testing (IAST)

• Interactive Application Security Testing (IAST) by Snyk
• Interactive Application Security Testing by OWASP
• Jumpstarting your DevSecOps - Pipeline with IAST & RASP

🧪 Test

Test Phase Actions:

• Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster in run-time
  • See IAST Section
• Dynamic Application Security Testing (DAST): Evaluate application from outside automatically
• Penetration Testing: Evaluate application black box by ethical hackers

Dynamic Application Security Testing (DAST)

• Integrating Dastardly with your CI/CD platform (generic instructions) by PortSwigger
  • Dastardly, from Burp Suite by PortSwigger
• Dynamic Application Security Testing with ZAP and GitHub Actions
• Dynamic Application Security Testing by Gitlab

Penetration Testing

• Penetration Testing at DevSecOps Speed

⚓ Deploy

Deploy Phase Actions:

• Hardening & Secure Configuration
• Security Scanning

Hardening & Secure Configuration & Security Scanning

• OWASP Docker Security Cheat Sheet
• Docker Security
• Docker Security Best Practices by Aquasec
• Docker Security Scanning by Snyk
• Automate Container Security Scanning
• Making your NGINX Server more secure to host your web apps

🖥️ Operate & Monitor

Operate & Monitor Phase Actions:

• Run-time Application Self-Protection (RASP)
• Security Audit
• Monitor: Metrics, Monitoring and alerting
• Security Patch

Runtime Application Self-Protection (RASP)

• Runtime Application Self-Protection (RASP) by Rapid7
• Top 7 RASP Software
• Jumpstarting your DevSecOps - Pipeline with IAST & RASP

Security Audit

• DevSecOps Compliance - Make your Auditors Job Easier

Monitor

• Monitoring - DevSecOps Guides
• Metrics DevSecOps Need to Monitor - Insights for Professionals

🪈 CI/CD (DevOps) - Pipeline Tools

This part contains DevSecOps integration resources separated by different CI/CD tools like Gitlab, Azure DevOps and...

♻️ Azure DevOps

• Integrating and Running SonarQube into Azure Pipelines by Cumhur Akkaya

😺 Gitlab CI/CD

• GitLab Integration | Mapping your organization into SonarQube

🎒 Courses

• DevSecOps with Azure DevOps: Secure CI/CD with Azure DevOps by Raghu at Udemy
• DevSecOps with GitLab: Secure CI/CD with GitLab (2023) by Raghu at Udemy

🔗 Other Resources

• Open Source Security Report by Snyk

⛏️ DevSecOps Tools

Useful tools in DevSecOps + Notes

SCA

Dependency Track

• Dependency Track README
• + Dependency Track SSL Setup
• + Dependency Track Report Chart Creation Per Product Dependency Track Reporting Chart Creator
• + Dependency Track & DefectDojo Integration Defect Dojo and Dependency Track integration automation script

Vulnerability Management

DefectDojo

• + DefectDojo Installation & Setup Notes
• + DefectDojo SSL (HTTPS)

🔃 Reference

• DevSecOps Roadmap