A collection of software, libraries and frameworks, design and architecture principles, books and videos, important resources and best practices about DevSecOps Reference & Architecture.
Thanks to our daily readers and contributors. The goal is to build a categorized community-driven collection of very well-known resources. Sharing, suggestions and contributions are always welcome!
This is a collection of DevSecOps reference architectures. I was tired of crawling through low-resolution SlideShares and email-grabbing web forms, so I started this repo to share reference architectures - for free - for everyone - for contributing.
Feel free to contribute via pull requests or issues. If you find slides in a higher quality, please let me know!
Please provide the following data for new architectures:
- Name of the source of the architecture
- Image of the reference architecture
- Year when the architecture was designed
- Optional: Link to the source for more information
- Optional: Summary of the architecture. What makes it special? Where does it differentiate? What is the problem it solves?
- Optional: Software stack. That makes it easier to search for architectures that use a specific tool.
Thanks to Sonatype and their reference architecture slideset (mirror).
Most of the referenced tools can be found in the more structured Awesome DevSecOps list.
The OWASP AppSec Rugged DevOps Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the sample implementation, documentation and references of this project will allow you to set up your own AppSec Pipeline.
Software Stack: Bandit, OWASP Dependency-Check, Checkmarx, SSLLabs, Arachni, wappalyzer, Snyk, WPScan, brakeman, OWASP ZAP, Retire.js
How do you build security and compliance into your DevOps platforms and pipelines? With this O’Reilly report, security analysts, security engineers, and pen testers will learn how to leverage the same processes and tools—such as version control, containers, and Continuous Delivery—that DevOps practitioners use to automate software delivery and infrastructure changes. In other words, you’ll understand how to use DevOps to secure DevOps.
Software Stack: Upguard, Gauntlt, OWASP Dependency-Check, Bundler Audit, Retire.js, OWASP SafeNuGet, Gerrit, Phabricator, Atlassian Crucible, Sonarqube, OWASP ZAP, Mittn, Chef Vault, Keywhiz, HashiCorp Vault, Netflix SimianArmy, Signal Sciences, Alert Logic, CloudPassage Halo, Dome9 SecOps, Evident, Illumio, Threat Stack, Waratek, Prevoty, Contrast Security, tCell, Twistlock, DevOps Audit Defense Toolkit
US Defense Threat Reduction Agency - Joint Improvised-Threat Defeat Organization - Leo Garciga - 2017
The talk goes into detail on why they went DevOps, how DevOps can be made secure according to NIST SP 800, and how automation prevents human error and reduces human delay.
Software Stack: Docker, Jira, Jenkins, Selenium, Twistlock, Sonarqube, Sonatype, Apache Maven
The Toolkit summarizes the techniques they use to mitigate risk, and also provides a section answering the most common questions about value creation, compliance, and DevOps. The information in this document should help organizations wanting to pursue DevOps and continuous delivery explain their approach and improve communication between IT and audit.
Fully annotated DevSecOps cycle with threat modeling, code review, abuse case tests, pentest, compliance validation, config validation, logging, monitoring, intrusion detection.
- Teachera - DevSecOps Course (Teachera is no longer active)
- Practical DevSecOps Course - Part 1 - Slideshare
- DevSecOps Studio Project - GitHub
DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos, and it is often error-prone when done manually. DevSecOps Studio is easy to get started with, mostly automatic, and battle-tested during our free Practical DevSecOps Course. The DevSecOps Studio project aims to reduce the time needed to bootstrap the environment and help you concentrate on learning/teaching DevSecOps practices.
Software Stack: OWASP ZAP, Gauntlt, Bandit, brakeman, Metasploit, Nmap, Findbugs, DevSec Ansible OS Hardening, Inspec, Docker, GitLab, Jenkins, Ansible, Elastic
With GitLab, you get a complete CI/CD toolchain in a single application. With GitLab, DevSecOps architecture is built into the CI/CD process. Every merge request is scanned through its pipeline for security issues and vulnerabilities in your code and its dependencies using automated tests. Unlike traditional application security tools primarily intended for use by security pros, GitLab secure code capabilities are built into the CI/CD workflows where the developers live. We empower developers to identify vulnerabilities and remove them early in the development cycles.
Software Stack: Gitlab Free / Core to Gold / Ultimate