devsecops

Tools and links: Integrations

DefectDojo has the ability to import reports from other security tools.

Acunetix Scanner

XML format.

Anchore-Engine

JSON vulnerability report generated by anchore-cli tool, using a command like anchore-cli --json image vuln <image:tag> all

Aqua

JSON report format.

Arachni Scanner

Arachni JSON report format.

AppSpider (Rapid7)

Use the VulnerabilitiesSummary.xml file found in the zipped report download.

AWS Security Hub

The JSON output from AWS Security Hub exported with the aws securityhub get-findings command.

AWS Scout2 Scanner

JS file in scout2-report/inc-awsconfig/aws_config.js.

AWS Prowler Scanner

Prowler file can be imported as a CSV file (-M csv).

Bandit

JSON report format

Blackduck Hub

2 options:

  • Import the zip file as can be created by Blackduck export. The zip file must contain the security.csv and files.csv in order to produce findings that bear file locations information.
  • Import a single security.csv file. Findings will not have any file location information.

Brakeman Scan

Import Brakeman Scanner findings in JSON format.

Bugcrowd

Import Bugcrowd results in CSV format.

Bundler-Audit

Import the text output generated with bundle-audit check

Burp XML

When the Burp report is generated, the recommended option is Base64 encoding both the request and response fields - e.g. check the box that says "Base64-encode requests and responses". These fields will be processed and made available in the 'Finding View' page.

Burp Enterprise Scan

Import HTML reports from Burp Enterprise Edition

CCVS Report

Import JSON reports from CCVS API

Checkov Report

Import JSON reports of Infrastructure as Code vulnerabilities.

Clair Scan

Import JSON reports of Docker image vulnerabilities.

Clair Klar Scan

Import JSON reports of Docker image vulnerabilities from clair klar client.

Cobalt.io Scan

CSV Report

Crashtest Security

Import JSON report, or import XML report in JUnit format.

Contrast Scanner

CSV Report

Checkmarx

Detailed XML Report

Choctaw Hog parser

Import the JSON output. From: https://github.com/newrelic/rusty-hog

DawnScanner

Import report in JSON generated with -j option

Dependency Check

OWASP Dependency Check output can be imported in XML format.

Dependency Track

The Finding Packaging Format (FPF) from OWASP Dependency Track can be imported in JSON format.

See here for more info on this JSON format: https://docs.dependencytrack.org/integrations/file-formats/

DrHeader

Import of JSON report from https://github.com/Santandersecurityresearch/DrHeader

ESLint

ESLint Json report format (-f json)

Fortify

Import Findings from XML file format.

Generic Findings Import

Import Generic findings in CSV format.

Hadolint

Hadolint Dockerfile scan in JSON format.

Harbor Vulnerability

Import findings from Harbor registry container scan: https://github.com/goharbor/harbor

JFrogXRay

Import the JSON format for the "Security Export" file.

Gosec Scanner

Import Gosec Scanner findings in JSON format.

Gitleaks

Import Gitleaks findings in JSON format.

GitLab SAST Report

Import SAST Report vulnerabilities in JSON format: https://docs.gitlab.com/ee/user/application_security/sast/#reports-json-format

GitLab Dependency Scanning Report

Import Dependency Scanning Report vulnerabilities in JSON format: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#reports-json-format

Github Vulnerability

Import findings from Github vulnerability scan: https://help.github.com/en/github/managing-security-vulnerabilities

Github v4 GraphQL query to fetch data::

    query getVulnerabilitiesByOwner($owner: String!) {
      search(query: $owner, type: REPOSITORY, first: 100) {
        nodes {
          ... on Repository {
            name
            vulnerabilityAlerts(last: 100) {
              nodes {
                id
                securityVulnerability {
                  severity
                  package {
                    name
                  }
                  advisory {
                    description
                    summary
                    identifiers {
                      type
                      value
                    }
                    references {
                      url
                    }
                  }
                }
              }
            }
          }
        }
      }
    }

HuskyCI Report

Import JSON reports from HuskyCI

IBM AppScan DAST

XML file from IBM App Scanner.

Immuniweb Scan

XML Scan Result File from Immuniweb Scan.

Kiuwan Scanner

Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.

kube-bench Scanner

Import JSON reports of Kubernetes CIS benchmark scans.

Microfocus Webinspect Scanner

Import XML report

MobSF Scanner

Export a JSON file using the API, api/v1/report_json.

Mozilla Observatory Scanner

Import JSON report.

Nessus (Tenable)

Reports can be imported in CSV or .nessus (XML) report formats.

Netsparker

Vulnerabilities List - JSON report

Nexpose XML 2.0 (Rapid7)

Use the full XML export template from Nexpose.

Nikto

XML output

Nmap

XML output (use -oX)

Node JS Scan

Node JS Scan output file can be imported in JSON format.

Node Security Platform

Node Security Platform (NSP) output file can be imported in JSON format.

NPM Audit

Node Package Manager (NPM) Audit plugin output file can be imported in JSON format. Only imports the 'advisories' subtree.

Openscap Vulnerability Scan

Import Openscap Vulnerability Scan in XML format.

OpenVAS CSV

Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.

OssIndex Devaudit

Import JSON formatted output from OSSIndex Devaudit.

Oss Review Toolkit

Import ORT Evaluated model reporter in JSON format. Example: https://github.com/DefectDojo/sample-scan-files/blob/master/ort/evaluated-model-reporter-output.json

PHP Security Audit v2

Import PHP Security Audit v2 Scan in JSON format.

PHP Symfony Security Checker

Import results from the PHP Symfony Security Checker.

Probely

Synchronize Probely Plus findings with DefectDojo.

To set up this integration, set the DefectDojo URL and API key on the Integrations page in Probely. Then select which Product, Engagement, and, optionally, Test you want to synchronize to. The API key needs to belong to a staff user.

Works with DefectDojo 1.5.x and 1.6.x. Probely also supports non-public DefectDojo instances.

For detailed instructions on how to configure Probely and DefectDojo, see https://help.probely.com/en/articles/3811515-how-to-integrate-probely-with-defectdojo

Qualys Scan

Qualys output files can be imported in API XML format or in WebGUI XML format.

Qualys Webapp Scan

Qualys WebScan output files can be imported in XML format.

Retire.js

Retire.js JavaScript scan (--js) output file can be imported in JSON format.

Risk Recon API Importer

Import findings from Risk Recon via the API. Configure your own JSON report as follows:

.. code-block:: JSON

    {
        "url_endpoint": "https://api.riskrecon.com/v1",
        "api_key": "your-api-key",
        "companies": [
            {
                "name": "Company 1",
                "filters": {
                    "domain_name": [],
                    "ip_address": ["127.0.0.1"],
                    "host_name": ["localhost"],
                    "asset_value": [],
                    "severity": ["critical", "high"],
                    "priority": [],
                    "hosting_provider": [],
                    "country_name": []
                }
            },
            {
                "name": "Company 2",
                "filters": {
                    "ip_address": ["0.0.0.0"]
                }
            }
        ],
        "filters": {
            "domain_name": [],
            "ip_address": [],
            "host_name": [],
            "asset_value": [],
            "severity": ["critical"],
            "priority": [],
            "hosting_provider": [],
            "country_name": []
        }
    }

  • More than one company finding list can be queried, each with its own set of filters. Company 1 shows all available filters, while Company 2 shows that empty filters need not be present.
  • To query all companies in your Risk Recon instance, simply remove the "companies" field entirely.
  • If the "companies" field is not present and filtering is still requested, the "filters" field can be used to filter all findings across all companies. It carries the same behavior as the company filters. The "filters" field is disregarded in the presence of the "companies" field.
  • Removing both fields will allow retrieval of all findings in the Risk Recon instance.

Safety Scan

Safety scan (--json) output file can be imported in JSON format.

SARIF

OASIS Static Analysis Results Interchange Format (SARIF). SARIF is supported by many tools. More details about the format here: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif

ScoutSuite

Multi-cloud security auditing tool. It uses APIs exposed by cloud providers. Scan results are located in scan-reports/scoutsuite-results/scoutsuite_*.json files. Multiple scans will create multiple files if they are running against different cloud projects. See https://github.com/nccgroup/ScoutSuite

SKF Scan

Output of SKF Sprint summary export.

Snyk

Snyk output file (snyk test --json > snyk.json) can be imported in JSON format.

SonarQube Scan (Aggregates findings per cwe, title, description, file_path.)

SonarQube output file can be imported in HTML format.

To generate the report, see https://github.com/soprasteria/sonar-report

Version: >= 1.1.0

SonarQube Scan Detailed (Import all findings from SonarQube html report.)

SonarQube output file can be imported in HTML format.

To generate the report, see https://github.com/soprasteria/sonar-report

Version: >= 1.1.0

SonarQube API Import

SonarQube API will be accessed to gather the report. No report file required.

Follow below steps to setup API Import:

  1. Configure the SonarQube authentication details by navigating to Configuration -> Tool Configuration. Note that the URL should be in the form http://<sonarqube_hostname>/api. Set the tool type to SonarQube.
  2. In the Product settings, fill in the SonarQube Project Key (the key name can be found by navigating to a specific project and taking the value from the URL http://<sonarqube_host>/dashboard?id=<key_name>).
  3. Once all of the above settings are made, the API Import should be able to automatically import all vulnerability information from the SonarQube instance.

SpotBugs

XML report of textui cli.

Sonatype

JSON output.

SSL Labs

JSON Output of ssllabs-scan cli.

Sslscan

Import XML output of sslscan report.

Sslyze Scan

XML report of SSLyze version 2 scan

SSLyze 3 Scan (JSON)

JSON report of SSLyze version 3 scan

Testssl Scan

Import CSV output of testssl scan report.

Trivy

JSON report of the Trivy scanner: https://github.com/aquasecurity/trivy

Trufflehog

JSON Output of Trufflehog.

Trustwave

CSV output of Trustwave vulnerability scan.

Twistlock

JSON output of the twistcli tool. Example:

.. code-block:: bash

    ./twistcli images scan <REGISTRY/REPO:TAG> --address https://<SECURE_URL_OF_TWISTLOCK_CONSOLE> --user <USER> --details --output-file=<PATH_TO_SAVE_JSON_FILE>

The CSV output from the UI is now also accepted.

Visual Code Grepper (VCG)

VCG output can be imported in CSV or XML formats.

Veracode

Detailed XML Report

Wapiti Scan

Import XML report.

Whitesource Scan

Import JSON report

Wpscan Scanner

Import JSON report.

Xanitizer

Import XML findings list report, preferably with parameter 'generateDetailsInFindingsListReport=true'.

Zed Attack Proxy

ZAP XML report format.

The importers analyze each report and create new Findings for each item reported. DefectDojo collapses duplicate Findings by capturing the individual hosts vulnerable.

(Image: Import Form)

Additionally, DefectDojo allows for re-imports of previously uploaded reports. DefectDojo will attempt to capture the deltas between the original and new import and automatically add or mitigate findings as appropriate.

(Image: Re-Import Form)

Bulk import of findings can be done using a CSV file with the following column headers:

  • Date: Date of the finding in mm/dd/yyyy format.
  • Title: Title of the finding.
  • CweId: CWE identifier, must be an integer value.
  • Url: URL associated with the finding.
  • Severity: Severity of the finding. Must be one of Info, Low, Medium, High, or Critical.
  • Description: Description of the finding. Can be multiple lines if enclosed in double quotes.
  • Mitigation: Possible mitigations for the finding. Can be multiple lines if enclosed in double quotes.
  • Impact: Detailed impact of the finding. Can be multiple lines if enclosed in double quotes.
  • References: References associated with the finding. Can be multiple lines if enclosed in double quotes.
  • Active: Indicator if the finding is active. Must be empty, True or False.
  • Verified: Indicator if the finding has been verified. Must be empty, True, or False.
  • FalsePositive: Indicator if the finding is a false positive. Must be True or False.
  • Duplicate: Indicator if the finding is a duplicate. Must be True or False.

Supported scan types (scan type - report format):

  • Acunetix Scan - XML format
  • Acunetix360 Scan - Acunetix360 JSON format.
  • Anchore Engine Scan - Anchore-CLI JSON vulnerability report format.
  • Anchore Enterprise Policy Check - Anchore-CLI JSON policy check report format.
  • Anchore Grype - A vulnerability scanner for container images and filesystems. JSON report generated with '-o json' format; https://github.com/anchore/grype
  • AppSpider Scan - AppSpider (Rapid7) - Use the VulnerabilitiesSummary.xml file found in the zipped report download.
  • Aqua Scan
  • Arachni Scan - Arachni JSON report format (generated with arachni_reporter --reporter 'json'); https://www.arachni-scanner.com/download/
  • AuditJS Scan - AuditJS scanning tool using the Sonatype OSSIndex database, with JSON output format; NPM; https://github.com/sonatype-nexus-community/auditjs
  • AWS Prowler Scan - Export of AWS Prowler in CSV or JSON format; AWS; https://github.com/prowler-cloud/prowler
  • AWS Scout2 Scan - JS file in scout2-report/inc-awsconfig/aws_config.js.
  • AWS Security Hub Scan - AWS Security Hub exports in JSON format.
  • Azure Security Center Recommendations Scan - Import of Microsoft Defender for Cloud (formerly known as Azure Security Center) recommendations in CSV format.
  • Bandit Scan - JSON report format
  • Blackduck Component Risk - Upload the zip file containing the security.csv and files.csv.
  • Blackduck Hub Scan - Upload the zip file containing the security.csv and components.csv for Security and License risks.
  • Brakeman Scan - Import Brakeman Scanner findings in JSON format.
  • BugCrowd Scan - BugCrowd CSV report format
  • Bundler-Audit Scan - 'bundler-audit check' output (in plain text)
  • Burp Enterprise Scan - Import Burp Enterprise Edition findings in HTML format
  • Burp GraphQL API - Import Burp Enterprise Edition findings from the GraphQL API
  • Burp REST API - Import Burp REST API scan data in JSON format (/scan/[task_id] endpoint).
  • Burp Scan - When the Burp report is generated, the recommended option is Base64 encoding both the request and response fields. These fields will be processed and made available in the 'Finding View' page.
  • CargoAudit Scan - Import JSON output for cargo audit scan report.
  • Checkmarx OSA - Checkmarx Open Source Analysis for dependencies (JSON). Generate with jq -s . CxOSAVulnerabilities.json CxOSALibraries.json
  • Checkmarx Scan - Detailed XML Report. Aggregates vulnerabilities per categories, cwe, name, sinkFilename
  • Checkmarx Scan detailed - Detailed XML Report. Import all vulnerabilities from Checkmarx without aggregation
  • Checkov Scan - Import JSON reports of Infrastructure as Code vulnerabilities; https://github.com/bridgecrewio/checkov
  • Choctaw Hog Scan - JSON Report; secrets; https://github.com/newrelic/rusty-hog
  • Clair Klar Scan - Import JSON reports of Docker image vulnerabilities from clair klar client; docker; https://github.com/leahnp/clair-klar-kubernetes-demo
  • Clair Scan - Import JSON reports of Docker image vulnerabilities; docker; https://github.com/arminc/clair-scanner
  • Cloudsploit Scan - Cloudsploit report file can be imported in JSON format (option --json); docker; https://github.com/jumanjihouse/docker-cloudsploit
  • Cobalt.io API Import - Cobalt.io findings can be directly imported using the Cobalt.io API. An API Scan Configuration has to be set up in the Product.
  • Cobalt.io Scan - CSV Report
  • Contrast Scan - CSV Report
  • Coverity API - Import Coverity API view data in JSON format (/api/viewContents/issues endpoint).
  • Crashtest Security JSON File - JSON Report; paid
  • Crashtest Security XML File - XML Report; paid
  • CredScan Scan - Import CSV output of CredScan scan report; azure
  • CycloneDX Scan - Reports can be imported in CycloneDX (XML) report format.
  • DawnScanner Scan - Dawnscanner (-j) output file can be imported in JSON format.
  • Dependency Check Scan - OWASP Dependency Check output can be imported in XML format.
  • Dependency Track Finding Packaging Format (FPF) Export - The Finding Packaging Format (FPF) from OWASP Dependency Track can be imported in JSON format. See here for more info on this JSON format.
  • Detect-secrets Scan - Import JSON output for detect-secrets scan report.
  • Dockle Scan - Import JSON output for Dockle scan report.
  • DrHeader JSON Importer - Import result of DrHeader JSON output.
  • DSOP Scan - Import XLSX findings from DSOP vulnerability scan pipelines.
  • ESLint Scan - JSON report format
  • Fortify Scan - Import Findings from XML file format.
  • Generic Findings Import - Import Generic findings in CSV format.
  • Github Vulnerability Scan - Import vulnerabilities from Github API.
  • GitLab API Fuzzing Report Scan - GitLab API Fuzzing Report file can be imported in JSON format (option --json).
  • GitLab Container Scan - GitLab Container Scan report file can be imported in JSON format (option --json).
  • GitLab DAST Report - GitLab DAST Report in JSON format (option --json).
  • GitLab Dependency Scanning Report - Import GitLab SAST Report vulnerabilities in JSON format.
  • GitLab SAST Report - Import GitLab SAST Report vulnerabilities in JSON format.
  • GitLab Secret Detection Report - GitLab Secret Detection Report file can be imported in JSON format (option --json).
  • Gitleaks Scan - Import Gitleaks Scan findings in JSON format.
  • Gosec Scanner - Import Gosec Scanner findings in JSON format.
  • HackerOne Cases - Import HackerOne cases findings in JSON format.
  • Hadolint Dockerfile check - Import Hadolint Dockerfile check findings in JSON format.
  • Harbor Vulnerability Scan - Import vulnerabilities from Harbor API.
  • Horusec Scan - JSON output of Horusec cli.
  • HuskyCI Report - Import HuskyCI Report vulnerabilities in JSON format.
  • IBM AppScan DAST - XML file from IBM App Scanner.
  • Immuniweb Scan - XML Scan Result File from Immuniweb Scan.
  • IntSights Report - IntSights report file can be imported in JSON format.
  • JFrog Xray Scan - Import Xray findings in JSON format.
  • JFrog Xray Unified Scan - Import Xray Unified (i.e. Xray version 3+) findings in JSON format.
  • KICS Scan - Import JSON output for KICS scan report.
  • Kiuwan Scan - Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.
  • kube-bench Scan - Import JSON reports of Kubernetes CIS benchmark scans.
  • Meterian Scan - Meterian JSON report output file can be imported.
  • Microfocus Webinspect Scan - Import XML report
  • MobSF Scan - Export a JSON file using the API, api/v1/report_json.
  • Mobsfscan Scan - Import JSON report for mobsfscan report file.
  • Mozilla Observatory Scan - Import JSON report.
  • Nessus Scan - Reports can be imported as CSV or .nessus (XML) report formats.
  • Nessus WAS Scan - Reports can be imported as CSV or .nessus (XML) report formats.
  • Netsparker Scan - Netsparker JSON format.
  • Nexpose Scan - Use the full XML export template from Nexpose.
  • Nikto Scan - XML output (old and new nxvmlversion="1.2" type) or JSON output
  • Nmap Scan - XML output (use -oX)
  • Node Security Platform Scan - Node Security Platform (NSP) output file can be imported in JSON format.
  • NPM Audit Scan - NPM Audit Scan JSON output up to v6 can be imported in JSON format.
  • Nuclei Scan - Import JSON output for nuclei scan report.
  • Openscap Vulnerability Scan - Import Openscap Vulnerability Scan in XML format.
  • OpenVAS CSV - Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.
  • ORT evaluated model Importer - Import Outpost24 endpoint vulnerability scan in XML format.
  • OssIndex Devaudit SCA Scan Importer - Import OssIndex Devaudit SCA Scan in JSON format.
  • Outpost24 Scan - Import Outpost24 endpoint vulnerability scan in XML format.
  • PHP Security Audit v2 - Import PHP Security Audit v2 Scan in JSON format.
  • PHP Symfony Security Check - Import results from the PHP Symfony Security Checker by Sensioslabs.
  • pip-audit Scan - Import pip-audit JSON scan report.
  • PMD Scan - CSV Report
  • Qualys Infrastructure Scan (WebGUI XML) - Qualys WebGUI output files can be imported in XML format.
  • Qualys Scan - Qualys WebGUI output files can be imported in XML format.
  • Qualys Webapp Scan - Qualys WebScan output files can be imported in XML format.
  • Retire.js Scan - Retire.js JavaScript scan (--js) output file can be imported in JSON format.
  • Risk Recon API Importer - Risk Recon API will be accessed to gather finding information. Report format here.
  • SARIF - SARIF report file can be imported in SARIF format.
  • Scantist Scan - Import Scantist Dependency Scanning Report vulnerabilities in JSON format.
  • Scout Suite Scan - JS file in scoutsuite-results/scoutsuite_results_*.js.
  • Semgrep JSON Report - Import Semgrep output (--json)
  • SKF Scan - Output of SKF Sprint summary export.
  • Snyk Scan - Snyk output file (snyk test --json > snyk.json) can be imported in JSON format.
  • Solar Appscreener Scan - Solar Appscreener report file can be imported in CSV format from Detailed_Results.csv.
  • SonarQube API Import - SonarQube findings can be directly imported using the SonarQube API. An API Scan Configuration has to be set up in the Product.
  • SonarQube Scan - Aggregates findings per cwe, title, description, file_path. SonarQube output file can be imported in HTML format. Generate with https://github.com/soprasteria/sonar-report version >= 1.1.0
  • SonarQube Scan detailed - Import all findings from SonarQube HTML report. SonarQube output file can be imported in HTML format. Generate with https://github.com/soprasteria/sonar-report version >= 1.1.0
  • Sonatype Application Scan - Can be imported in JSON format
  • SpotBugs Scan - XML report of textui cli.
  • SSL Labs Scan - JSON Output of ssllabs-scan cli.
  • Sslscan - Import XML output of sslscan report.
  • SSLyze 3 Scan (JSON) - Import JSON report of SSLyze version 3 scan.
  • Sslyze Scan - Import XML report of SSLyze version 2 scan.
  • Terrascan Scan - Import JSON output for Terrascan scan report.
  • Testssl Scan - Import CSV output of testssl scan report.
  • TFSec Scan - Import JSON output for TFSec scan report.
  • Trivy Scan - Import trivy JSON scan report.
  • Trufflehog Scan - JSON Output of Trufflehog.
  • Trufflehog3 Scan - JSON Output of Trufflehog.
  • Trustwave Fusion API Scan - Trustwave Fusion API report file can be imported in JSON format
  • Trustwave Scan (CSV) - CSV output of Trustwave vulnerability scan.
  • Twistlock Image Scan - JSON output of twistcli image scan or CSV.
  • VCG Scan - VCG output can be imported in CSV or XML formats.
  • Veracode Scan - Detailed XML Report
  • Wapiti Scan - Import XML report
  • WFuzz JSON report - Import WFuzz findings in JSON format.
  • WhiteHat Sentinel - WhiteHat Sentinel output from api/vuln/query_site can be imported in JSON format.
  • Whitesource Scan - Import JSON report
  • Wpscan - Import JSON report
  • Xanitizer Scan - Import XML findings list report, preferably with parameter 'generateDetailsInFindingsListReport=true'.
  • Yarn Audit Scan - Yarn Audit Scan output file can be imported in JSON format.
  • ZAP Scan - ZAP XML report format.
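As an added example (not DefectDojo's own code), the following ties the GitHub GraphQL query above to the bulk-import CSV columns listed above: it flattens a constructed response of the query's shape into rows with those headers, validates each row against the stated column rules, and serialises them so multi-line fields are double-quoted. The GitHub-to-DefectDojo severity mapping, the CweId placeholder of 0, and all repository, package, identifier and URL values are assumptions.

```python
# Added example, not DefectDojo code: GitHub vulnerabilityAlerts -> DefectDojo bulk-import CSV.
import csv
import io
from datetime import datetime

# Column headers of the bulk-import CSV, in the order listed above.
COLUMNS = ["Date", "Title", "CweId", "Url", "Severity", "Description", "Mitigation",
           "Impact", "References", "Active", "Verified", "FalsePositive", "Duplicate"]
ALLOWED_SEVERITY = ("Info", "Low", "Medium", "High", "Critical")
# GitHub advisory severity -> DefectDojo severity; this mapping is an assumption.
GITHUB_SEVERITY = {"CRITICAL": "Critical", "HIGH": "High", "MODERATE": "Medium", "LOW": "Low"}

# Constructed sample response in the shape the getVulnerabilitiesByOwner query returns.
# Repository, package names, identifiers and URLs are placeholders, not real advisories.
SAMPLE_RESPONSE = {"data": {"search": {"nodes": [{
    "name": "example-app",
    "vulnerabilityAlerts": {"nodes": [
        {"id": "ALERT_1", "securityVulnerability": {
            "severity": "HIGH", "package": {"name": "example-lib"},
            "advisory": {"summary": "Sample advisory one",
                         "description": "First constructed advisory.",
                         "identifiers": [{"type": "GHSA", "value": "GHSA-PLACEHOLDER-1"}],
                         "references": [{"url": "https://example.invalid/advisory/1"}]}}},
        {"id": "ALERT_2", "securityVulnerability": {
            "severity": "MODERATE", "package": {"name": "other-lib"},
            "advisory": {"summary": "Sample advisory two",
                         "description": "Line one.\nLine two.",
                         "identifiers": [{"type": "GHSA", "value": "GHSA-PLACEHOLDER-2"}],
                         "references": []}}},
    ]},
}]}}}


def alerts_to_findings(response, date):
    """Return one CSV row (a dict keyed by COLUMNS) per vulnerability alert."""
    rows = []
    for repo in response["data"]["search"]["nodes"]:
        for alert in repo["vulnerabilityAlerts"]["nodes"]:
            vuln = alert["securityVulnerability"]
            adv = vuln["advisory"]
            ids = ", ".join(f"{i['type']} {i['value']}" for i in adv["identifiers"])
            urls = [r["url"] for r in adv["references"]]
            rows.append({
                "Date": date,
                "Title": f"{adv['summary']} in {vuln['package']['name']} ({repo['name']})",
                # The query carries no CWE; 0 keeps the column an integer (assumption).
                "CweId": "0",
                "Url": urls[0] if urls else "",
                # An unmapped GitHub severity becomes Info instead of an invalid value.
                "Severity": GITHUB_SEVERITY.get(vuln["severity"].upper(), "Info"),
                "Description": f"{adv['description']}\nIdentifiers: {ids}\nAlert id: {alert['id']}",
                "Mitigation": "Upgrade the affected package to a version the advisory lists as fixed.",
                "Impact": "",
                "References": "\n".join(urls),
                "Active": "True", "Verified": "", "FalsePositive": "False", "Duplicate": "False",
            })
    return rows


def validate_row(row):
    """List the problems in one row, checked against the column rules stated above."""
    problems = []
    if set(row) != set(COLUMNS):
        problems.append("column set differs from the expected headers")
    try:
        datetime.strptime(row.get("Date", ""), "%m/%d/%Y")
    except ValueError:
        problems.append("Date must be mm/dd/yyyy")
    if not row.get("CweId", "").isdigit():
        problems.append("CweId must be an integer")
    if row.get("Severity") not in ALLOWED_SEVERITY:
        problems.append("Severity must be Info, Low, Medium, High or Critical")
    for col in ("Active", "Verified"):
        if row.get(col) not in ("", "True", "False"):
            problems.append(f"{col} must be empty, True or False")
    for col in ("FalsePositive", "Duplicate"):
        if row.get(col) not in ("True", "False"):
            problems.append(f"{col} must be True or False")
    return problems


def to_csv(rows):
    """Serialise rows; the csv module double-quotes multi-line fields as the importer expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def csv_to_rows(text):
    """Parse CSV text back into row dicts, for a round-trip check."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    findings = alerts_to_findings(SAMPLE_RESPONSE, "01/31/2024")
    print(to_csv(findings))
```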

Document from: https://creativefusion.medium.com/massive-resources-learning-paths-and-collection-for-devsecops-cacfda8f17be

Massive Resources, Learning Paths, and Collection for DevSecOps

Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services, and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program, plus learning paths for anything you need.

We intend for it to be an awesome list that grows and changes as the community learns and improves how DevSecOps is implemented and adopted. To be included in this list, the information, tools, vendors, or initiative must provide for Free or Open Source capabilities that help with the DevSecOps mission. Links that lead to a commercial aspect are noted with a (P).

Table of Contents

  • Information

  • Guidelines

  • Presentations

  • Initiatives

  • Keeping Informed

  • Wardley Maps for Security

  • Training

  • Labs

  • Vulnerable Test Targets

  • Conferences

  • Podcasts

  • Books

  • Tools

  • Dashboards

  • Automation

  • Hunting

  • Testing

  • Alerting

  • Threat Intelligence

  • Attack Modeling

  • Secret Management

  • Red Team

  • Visualization

  • Sharing

  • ChatOps

Information

We've been working across the industry to learn more about the different types of DevOps + Security initiatives. This collection has been pulled together and includes Podcasts, Videos, Presentations, and other Media to help you learn more about DevSecOps, SecDevOps, DevOpsSec, and/or DevOps + Security.

Guidelines

While we're not into the paper way of doing things, sharing sound advice and good recommendations can make software stronger. We aim to make these guidelines better through code.

Presentations

Many talks are now targeting the change of adding Security into the DevOps environment. We've added some of the most notable ones here.

Initiatives

There are a variety of initiatives underway to migrate security and compliance into DevOps. We've included links for active projects here:

Keeping Informed

We've discovered a treasure trove of mailing lists and newsletters where DevSecOps people like us are sharing their skills and insights.

Wardley Maps for Security

One way for people to continue to evolve their capabilities and share common understanding is through the development of Wardley Maps. We're collecting this information and providing some good examples here.

Training

DevSecOps requires an appetite for learning and agility to quickly acquire new skills. We've collected these links to help you learn how to do DevSecOps with us.

Labs

Labs are hands-on learning opportunities to grow your skills in Dev, Sec, and Ops. All skills are useful and need to be grown so that you can have the empathy, knowledge, and trade to operate the DevSecOps style.

Vulnerable Test Targets

It's important to build up knowledge by learning how to break applications left vulnerable by security mistakes. This section contains a list of vulnerable apps that can be deployed to learn what not to do. These same apps can be made safe by remediating the intentional vulnerabilities to learn how to prevent attackers from gaining access to underlying infrastructure or data.

Conferences

A body of knowledge for combining DevOps and Security has been delivered via conferences and meetups. This is a shortlist of the venues that have dedicated a portion of their agenda to it.

Podcasts

A small collection of DevOps and Security podcasts.

Books

Books focussed around DevSecOps, bringing the security focus upfront.

Tools

This collection of tools is useful in establishing a DevSecOps platform. We have divided the tools into several categories that help with the different divisions of DevSecOps.

Dashboards

Visualization is an important element of identifying, sharing and evolving the security information that passes from the beginning of the creative process through to operations.

Automation

Automation platforms have the advantage of providing scripted remediation when security defects are surfaced.

Hunting

This list of tools provides the capabilities necessary for finding security anomalies and identifying rules that should be automated and extended to support scale demands.

Testing

Testing is an essential element of a DevSecOps program because it helps to prepare teams for Rugged operations and to determine security defects before they can be exploited.

Alerting

Once you discover something important, response time is critical and essential to the Incident Response required to remediate a security defect. These links include some of the projects that provide for Alerting and Notifications.

Threat Intelligence

There are many sources for Threat Intelligence in the world. Some of these come from IP Intelligence and others from Malware repositories. This category contains tools that are useful in capturing threat intelligence and collating it.

Attack Modeling

DevSecOps requires a common attack modeling capability that can be done at speed and scale. Thankfully there are efforts underway to create these useful taxonomies that help us operationalize attack modeling and defenses.

Secret Management

To support security as code, sensitive credentials and secrets need to be managed, secured, maintained, and rotated using automation. The projects below provide DevOps teams with some good options for securing sensitive details used in building and deploying full-stack software deployments.

Red Team

These are tools that we find helpful during Red Team and War Game exercises. The projects in this section help with reconnaissance, exploit development, and other activities common within the Kill Chain.

Visualization

Making DevSecOps discoveries is already hard enough with all the APIs and Command-Line tools. This list provides tools to visualize your work either via flowcharts, graphs, or maps.

Sharing

A collection of tools to help with sharing knowledge and telling the story.

ChatOps

One of the greatest changes you can make in your organization is boundaryless communications. Setting up ChatOps can enable everyone to come together and solve problems.

Good practices: Securing the code

  • Conformance to process:

  • Code reviews

  • Coding Standards

  • Verifiable builds

  • Test coverage

  • Static Analysis

  • Vulnerability Scanning

  • Verifiable deployments

  • Audit Traceability

  • Immutable infrastructure

  • Docker

  • Image OS

  • Standard Tooling ??? - Controversial

  • Enforce compliance in the pipeline

The pipeline must have 16 gates

  • Source code version control

  • Optimum branching strategy

  • Static analysis

  • 80% Code coverage

  • Vulnerability scan

  • Open source scan

  • Artifact version control

  • Auto provision

  • Immutable servers

  • Integration testing

  • Performance testing

  • Build, deploy, testing automated for every commit

  • Automated Rollback

  • Automated Change Order

  • Zero downtime release

  • Feature Toggle

Security fundamentals

  • Vulnerability management (Automating, dashboard)

  • Continuous scanning - AppSec Pipeline

  • Asset inventory

Nice talks and blogs about DevOps

Nice talks and blogs about DevSecOps

DevOps Course

DevSecOps Tools

Secure Software Guidelines - SDLC

Frameworks

  • Secure Software Development Life Cycle Processes - Carnegie Mellon University - Frameworks and standards such as the Capability Maturity Model Integration (CMMI) framework, Team Software Process (TSP), the FAA-iCMM, the Trusted CMM/Trusted Software Methodology (T-CMM/TSM), and the Systems Security Engineering Capability Maturity Model (SSE-CMM). In addition, two approaches, Software Assurance Maturity Model (SAMM) and Software Security Framework (SSF), which were just released, have been added to give the reader as much current information as possible.

  • Building Security In Maturity Model (BSIMM) - Synopsys - A framework for software security created by observing and analyzing data from leading software security initiatives.

  • Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.

  • Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.

  • Software Assurance Maturity Model - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.

Security by Design

  • security-design-with-principles (2021)
  • bottom-up-security-testing-security-in-all-levels (2021)
  • 8-security-design-principles-business-solutions
  • Security Design Principles

Open Source Static Analysis Tools

  • C/C++ - Clang Static Analyzer, Phasar, Cppcheck

  • C#/.NET - Puma Scan, Security Code Scan

  • Golang - gosec, glasgo

  • Java - SpotBugs, Frameworks: Soot, WALA

  • JavaScript/Typescript - NodeJsScan, eslint, tslint, eslint-pluginno-unsanitized

  • Python - bandit, dlint, pyre-check (data-flow analysis to find web app bugs)

  • Ruby - Brakeman

  • Semgrep - Python, JavaScript, Golang, Java

Massive list: mre/awesome-static-analysis

Intentionally Vulnerable Applications

Applications that let you practice your skills at exploiting them.

  • Bad SSL - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.

  • Cfngoat - Bridgecrew - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above.

  • Damn Vulnerable Web App 1 - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.

  • Juice Shop - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.

  • NodeGoat - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.

  • Terragoat - Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure, and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.

  • Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.

SRE

DevOps Podcasts

Samples applying DevSecOps

Cloud & DevSecOps Learning Resources

Cybrary

A paid/free IT learning site (cybrary.it)

Cloud-Native Computing Foundation (CNCF)

Part of the Linux Foundation, bringing together the world's top developers, end-users, and vendors.

KodeKloud

Learning platform with video courses and built-in web-based CLI/hands-on learning activities for Kubernetes, Terraform, Git, and more.

Udemy

Online learning site featuring a massive library of course selections.

ACloudGuru

Leading Cloud-learning platform provider includes built-in labs and playgrounds

Cloud Academy

StackRox

AWS

Google Cloud

Open Policy Agent (OPA)

Compliance

GitLab

Carnegie Melon Software Engineering Institute

Department of Defense

Red Hat

Miscellaneous Resources

More Awesome DevSecOps Resources
