/cybersecurity-devsecops

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about DevSecOps in Cybersecurity.

Primary LanguageShellApache License 2.0Apache-2.0

DevSecOps = Development + Security + Operations

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about DevSecOps in Cybersecurity.

Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

What is DevSecOps

DevSecOps—short for development, security, and operations—automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.

devsecops sdlc

DevSecOps makes application and infrastructure security a shared responsibility of development, security, and IT operations teams, rather than the sole responsibility of a security silo. It enables “software, safer, sooner”—the DevSecOps motto–by automating the delivery of secure software without slowing the software development cycle.

DevSecOps is important for the following key reasons: speed, and security

  • Rapid, cost-effective software delivery
  • Improved, proactive security
  • Accelerated security vulnerability patching
  • Automation compatible with modern development
  • A repeatable and adaptive process

Table of Contents

Introduction

“The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required,” describes Shannon Lietz, co-author of the “DevSecOps Manifesto.”

  • This collection has been pulled together and includes: Podcasts, Videos, Presentations, and other Media to help you learn more about DevSecOps, SecDevOps, DevOpsSec, and/or DevOps + Security.

Manifesto

Guidelines

While we're not into the paper-way of doing things, sharing sound advice and good recommendations can make software stronger. We aim to make these guidelines better through code.

Presentations

Many talks are now targeting the change of adding Security into the DevOps environment. We've added some of the most notable ones here.

Initiatives

There are a variety of initiatives underway to migrate security and compliance into DevOps. We've included links for active projects here:

^ back to top ^

Keeping Informed

We've discovered a treasure trove of mailing lists and newsletters where DevSecOps like us are sharing their skills and insights.

^ back to top ^

Wardley Maps for Security

One way for people to continue to evolve their capabilities and share common understanding is through the development of Wardley Maps. We're collecting this information and providing some good examples here.

^ back to top ^

Training

DevSecOps requires an appetite for learning and agility to quickly acquire new skills. We've collected these links to help you learn how to do DevSecOps with us.

Labs

Labs are hands-on learning opportunities to grow your skills in Dev, Sec, and Ops. All skills are useful and need to be grown so that you can have the empathy, knowledge and trade to operate DevSecOps style.

^ back to top ^

Vulnerable Test Targets

It's important to build up knowledge by learning how to break applications left vulnerable by security mistakes. This section contains a list of vulnerable apps that can be deployed to learn what not to do. These same apps can be made safe by remediating the intentional vulnerabilities to learn how to prevent attackers from gaining access to underlying infrastructure or data.

^ back to top ^

Conferences

A body of knowledge for combining DevOps and Security has been delivered via conferences and meetups. This is a short list of the venues that have dedicated a portion of their agenda to it.

^ back to top ^

Podcasts

A small collection of DevOps and Security podcasts.

^ back to top ^

Books

Books focussed around DevSecOps, bringing the security focus up front.

Tools

This collection of tools are useful in establishing a DevSecOps platform. We have divided the tools into several categories that help with the different divisions of DevSecOps.

Dashboards

Visualization is an important element of identifying, sharing and evolving the security information that passes from the beginning of the creative process through to operations.

Automation

Automation platforms have an advantage of providing for scripted remediation when security defects are surfaced.

Hunting

This list of tools provide the capabilities necessary for finding security anomalies and identifying rules that should be automated and extended to support scale demands.

Testing

Testing is an essential element of a DevSecOps program because it helps to prepare teams for Rugged operations and to determine security defects before they can be exploited.

^ back to top ^

Alerting

Once you discover something important, response time is critical and essential to the Incident Response required to remediate a security defect. These links include some of the projects that provide for Alerting and Notifications.

Threat Intelligence

There are many sources for Threat Intelligence in the world. Some of these come from IP Intelligence and others from Malware repositories. This category contains tools that are useful in capturing threat intelligence and collating it.

^ back to top ^

Attack Modeling

DevSecOps requires a common attack modeling capability that can be done at speed and scale. Thankfully there are efforts underway to create these useful taxonomies that help us operationalize attack modeling and defenses.

Secret Management

To support security as code, sensitive credentials and secrets need to be managed, security, maintained and rotated using automation. The projects below provide DevOps teams with some good options for securing sensitive details used in building and deploying full stack software deployments.

^ back to top ^

Red Team

These are tools that we find helpful during Red Team and War Game exercises. The projects in this section help with reconnaissance, exploit development, and other activities common within the Kill Chain.

Visualization

Making DevSecOps discoveries is already hard enough with all the APIs and Command Line tools. This list provides tools to visualize your work either via flowcharts, graphs or maps.

Sharing

A collection of tools to help with sharing knowledge and telling the story.

ChatOps

One of the greatest changes you can make in your organization is boundaryless communications. Setting up ChatOps can enable everyone to come together and solve problems.

^ back to top ^

License

MIT License & cc license

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.