DevSecOps Taken Notes from articles in addition to
(resources|courses|tools) for DevSecOps.
Some links are resources and some links are notes which have been manually taken. Names which have
at the beginning, are taken notes.
Design / Plan Phase Actions:
Threat Models
&Security Requirements
should be designed and definedRisks
&Plans
for preventing threats from happening should be identified
- SDL (Security Development Lifecycle) by Microsoft
- How to Ensure Security at the Speed of DevSecOps by Gitlab
Develop Phase Actions:
Secure Coding
Static Analysis Security Testing (SAST)
: Can be integrated into developers environment (Find security issues in code)- when developer is actively coding (e.g. a SAST IDE Plugin)
Build Phase Actions:
Static Application Security Testing (SAST)
: Find security issues in codeSoftware Composition Analysis (SCA)
&Software Bill of Material (SBOM)
: Find components and compare them against a database like National Vulnerability DatabaseSecret Management
: Find SecretsInteractive Application Security Testing (IAST)
: Test in an automated way and find vulnerabilities faster in run-time
- What Is SAST on Synopsys
- Beginners Guide to SAST Using SonarQube by Packt.com
- SAST Using Snyk and SonarQube by OpenSourceforu.com
- What is Software Composition Analysis (SCA) on Synopsys
- Guide to Software Composition Analysis by Snyk
- Software Bill of Materials: How to generate an SBOM from container images using Syft
- Grype Open Source Vulnerability Scanner Demo
- Interactive Application Security Testing (IAST) by Snyk
- Interactive Application Security Testing by OWASP
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
Test Phase Actions:
Interactive Application Security Testing (IAST)
: Test in an automated way and find vulnerabilities faster in run-timeDynamic Application Security Testing (DAST)
: Evaluate application fromoutside
automaticallyPenetration Testing
: Evaluate applicationblack box
by ethical hackers
- Integrating Dastardly with your CI/CD platform (generic instructions) by PortSwigger
- Dynamic Application Security Testing with ZAP and GitHub Actions
- Dynamic Application Security Testing by Gitlab
Deploy Phase Actions:
Hardening & Secure Configuration
Security Scanning
- OWASP Docker Security Cheat Sheet
- Docker Security
- Docker Security Best Practices by Aquasec
- Docker Security Scanning by Snyk
- Automate Container Security Scanning
- Making your NGINX Server more secure to host your web apps
Operate & Monitor Phase Actions:
Run-time Application Self-Protection (RASP)
Security Audit
Monitor
: Metrics, Monitoring and alertingSecurity Patch
- Runtime Application Self-Protection (RASP) by Rapid7
- Top 7 RASP Software
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
This part contains DevSecOps integration
resources separated by different CI/CD tools like Gitlab, Azure DevOps and...
- DevSecOps with Azure DevOps: Secure CI/CD with Azure DevOps by Raghu at Udemy
- DevSecOps with GitLab: Secure CI/CD with GitLab (2023) by Raghu at Udemy
Useful tools in DevSecOps Notes
- Dependency Track README
- Dependency Track SSL Setup
- Dependency Track Report Chart Creation Per Product Dependency Track Reporting Chart Creator
- Dependency Track & DefectDojo Integration Defect Dojo and Dependency Track integration automation script