A collection of DevSecOps reference architectures

Primary language: Ruby. License: MIT.

DevSecOps Reference Architectures

This is a collection of DevSecOps reference architectures. I was tired of crawling through low-resolution SlideShares and email-grabbing web forms, so I started this repo to share reference architectures: free, for everyone, and open to contributions.

Contributing

Feel free to contribute via pull requests or issues. If you find slides in higher quality, please let me know!

Please provide the following data for new architectures:

  • Name of the source of the architecture
  • Image of the reference architecture
  • Year when the architecture was designed
  • Optional: Link to the source for more information
  • Optional: Summary of the architecture. What makes it special? Where does it differentiate? What is the problem it solves?
  • Optional: Software stack. That makes it easier to search for architectures that use a specific tool.

Acknowledgements

Thanks to Sonatype and their reference architecture slideset (mirror).

Most of the referenced tools can be found in the more structured Awesome DevSecOps list.

Architectures

OWASP AppSec Rugged DevOps Pipeline Project - 2015

The OWASP AppSec Rugged DevOps Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the sample implementation, documentation and references of this project will allow you to set up your own AppSec Pipeline.

Software Stack: Bandit, OWASP Dependency-Check, Checkmarx, SSL Labs, Arachni, Wappalyzer, Snyk, WPScan, Brakeman, OWASP ZAP, Retire.js

2015-owasp-appsec

DevOpsSec - Jim Bird - 2016

How do you build security and compliance into your DevOps platforms and pipelines? With this O’Reilly report, security analysts, security engineers, and pen testers will learn how to leverage the same processes and tools—such as version control, containers, and Continuous Delivery—that DevOps practitioners use to automate software delivery and infrastructure changes. In other words, you’ll understand how to use DevOps to secure DevOps.

Software Stack: UpGuard, Gauntlt, OWASP Dependency-Check, Bundler Audit, Retire.js, OWASP SafeNuGet, Gerrit, Phabricator, Atlassian Crucible, SonarQube, OWASP ZAP, Mittn, Chef Vault, Keywhiz, HashiCorp Vault, Netflix SimianArmy, Signal Sciences, Alert Logic, CloudPassage Halo, Dome9 SecOps, Evident, Illumio, Threat Stack, Waratek, Prevoty, Contrast Security, tCell, Twistlock, DevOps Audit Defense Toolkit

2016-bird-1

2016-bird-2

US Defense Threat Reduction Agency - Joint Improvised-Threat Defeat Organization - Leo Garciga - 2017

The talk explains in detail why they moved to DevOps, how DevOps can be made secure in line with NIST SP 800, and how automation prevents human error and reduces human delay.

Software Stack: Docker, Jira, Jenkins, Selenium, Twistlock, SonarQube, Sonatype, Apache Maven

2017-garciga-1

2017-garciga-2

DevOps Audit Defense Toolkit - IT Revolution - 2015

The Toolkit summarizes the techniques they use to mitigate risk, and also provides a section answering the most common questions about value creation, compliance, and DevOps. The information in this document should help organizations wanting to pursue DevOps and continuous delivery explain their approach and improve communication between IT and audit.

2015-audit-defense

DevSecOps Cycle - Larry Maccherone - 2017

Fully annotated DevSecOps cycle with threat modeling, code review, abuse case tests, pentest, compliance validation, config validation, logging, monitoring, intrusion detection.

2017-devsecops-cycle-maccherone

Practical DevSecOps / DevSecOps Studio Project - TeachEra - 2017

DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution that helps individuals learn DevSecOps concepts. Setting up the environment for training or demos takes a lot of effort and is often error-prone when done manually. DevSecOps Studio is easy to get started with, mostly automated, and battle-tested during our free Practical DevSecOps course. The DevSecOps Studio project aims to reduce the time needed to bootstrap the environment so that you can concentrate on learning and teaching DevSecOps practices.

Software Stack: OWASP ZAP, Gauntlt, Bandit, Brakeman, Metasploit, Nmap, FindBugs, DevSec Ansible OS Hardening, InSpec, Docker, GitLab, Jenkins, Ansible, Elastic

2017-devsecops-teachera

2017-devsecops-teachera-devsecops-studio

GitLab DevOps Platform

With GitLab, you get a complete CI/CD toolchain in a single application, and the DevSecOps architecture is built into the CI/CD process. Every merge request is scanned by its pipeline for security issues and vulnerabilities in your code and its dependencies using automated tests. Unlike traditional application security tools, which are primarily intended for security professionals, GitLab's secure-code capabilities are built into the CI/CD workflows where developers already work. We empower developers to identify vulnerabilities and remove them early in the development cycle.

Software Stack: GitLab Free/Core to Gold/Ultimate

2020-gitlab-process

2020-gitlab-cicd