
devsecops checklist

License: Apache License 2.0

Devops - DevSecOps - Checklist Awesome

DevSecOps

Good practices

Securing the code

  • Conformance to process:

    • Code reviews
    • Coding Standards
    • Verifiable builds
    • Test coverage
    • Static Analysis
    • Vulnerability Scanning
    • Verifiable deployments
  • Audit Traceability

  • Immutable infrastructure

    • Docker
    • Image OS
  • Standard tooling (open question; controversial)

  • Enforce compliance in the pipeline

Pipeline must have 16 gates

  • Source code version control
  • Optimum branching strategy
  • Static analysis
  • 80% code coverage
  • Vulnerability scan
  • Open source scan
  • Artifact version control
  • Auto provision
  • Immutable servers
  • Integration testing
  • Performance testing
  • Build, deploy, testing automated for every commit
  • Automated rollback
  • Automated change order
  • Zero downtime release
  • Feature toggle

Security fundamentals

  • Vulnerability management (Automating, dashboard)
  • Continuous scanning - AppSec Pipeline
  • Asset inventory

Nice talks and blogs about Devops

Nice talks and blogs about DevSecOps

Devops Course

DevSecOps Tools

Secure Software Guidelines - SDLC

Frameworks

  • Secure Software Development Life Cycle Processes - Carnegie Mellon University - Frameworks and standards such as the Capability Maturity Model Integration (CMMI) framework, Team Software Process (TSP), the FAA-iCMM, the Trusted CMM/Trusted Software Methodology (T-CMM/TSM), and the Systems Security Engineering Capability Maturity Model (SSE-CMM). In addition, two more recently released approaches, the Software Assurance Maturity Model (SAMM) and the Software Security Framework (SSF), have been added to give the reader as much current information as possible.
  • Building Security In Maturity Model (BSIMM) - Synopsys - A framework for software security created by observing and analysing data from leading software security initiatives.
  • Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
  • Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
  • Software Assurance Maturity Model - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.

Security by Design

  • Security design with principles (2021)
  • Bottom-up security testing: security in all levels (2021)
  • 8 security design principles for business solutions
  • Security Design Principles

Open Source Static Analysis Tools

  • C/C++ - Clang Static Analyzer, Phasar, Cppcheck
  • C#/.NET - Puma Scan, Security Code Scan
  • Golang - gosec, glasgo
  • Java - SpotBugs, Frameworks: Soot, WALA
  • JavaScript/TypeScript - NodeJsScan, eslint, tslint, eslint-plugin-no-unsanitized
  • Python - bandit, dlint, pyre-check (data-flow analysis to find web app bugs)
  • Ruby - Brakeman
  • Semgrep - Python, JavaScript, Golang, Java, ...

Massive list: mre/awesome-static-analysis

Intentionally Vulnerable Applications

These applications let you practice your skills at exploiting them.

  • Bad SSL - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
  • Cfngoat - Bridgecrew - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code analysis tools above.
  • Damn Vulnerable Web App - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
  • Juice Shop - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
  • NodeGoat - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
  • Terragoat - Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code analysis tools above.
  • Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.

SRE

Devops Podcasts

Samples applying DevSecOps

Awesome DevSecOps Resources