DevSecOps Taken Notes from articles in addition to (resources|courses|tools) for DevSecOps.
Some links are resources and some links are notes which have been manually taken. Names which have + at the beginning, are taken notes.
Design / Plan Phase Actions:
Threat Models&Security Requirementsshould be designed and definedRisks&Plansfor preventing threats from happening should be identified
- + SDL (Security Development Lifecycle) by Microsoft
- + How to Ensure Security at the Speed of DevSecOps by Gitlab
Develop Phase Actions:
Secure CodingStatic Analysis Security Testing (SAST): Can be integrated into developers environment (Find security issues in code)- when developer is actively coding (e.g. a SAST IDE Plugin)
Build Phase Actions:
Static Application Security Testing (SAST): Find security issues in codeSoftware Composition Analysis (SCA)&Software Bill of Material (SBOM): Find components and compare them against a database like National Vulnerability DatabaseSecret Management: Find SecretsInteractive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster in run-time
- + What Is SAST on Synopsys
- Beginners Guide to SAST Using SonarQube by Packt.com
- SAST Using Snyk and SonarQube by OpenSourceforu.com
- + What is Software Composition Analysis (SCA) on Synopsys
- + Guide to Software Composition Analysis by Snyk
- Software Bill of Materials: How to generate an SBOM from container images using Syft
- Grype Open Source Vulnerability Scanner Demo
- Interactive Application Security Testing (IAST) by Snyk
- Interactive Application Security Testing by OWASP
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
Test Phase Actions:
Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster in run-timeDynamic Application Security Testing (DAST): Evaluate application fromoutsideautomaticallyPenetration Testing: Evaluate applicationblack boxby ethical hackers
- Integrating Dastardly with your CI/CD platform (generic instructions) by PortSwigger
- Dynamic Application Security Testing with ZAP and GitHub Actions
- Dynamic Application Security Testing by Gitlab
Deploy Phase Actions:
Hardening & Secure ConfigurationSecurity Scanning
- OWASP Docker Security Cheat Sheet
- Docker Security
- Docker Security Best Practices by Aquasec
- Docker Security Scanning by Snyk
- Automate Container Security Scanning
- Making your NGINX Server more secure to host your web apps
Operate & Monitor Phase Actions:
Run-time Application Self-Protection (RASP)Security AuditMonitor: Metrics, Monitoring and alertingSecurity Patch
- Runtime Application Self-Protection (RASP) by Rapid7
- Top 7 RASP Software
- Jumpstarting your DevSecOps - Pipeline with IAST & RASP
This part contains DevSecOps integration resources separated by different CI/CD tools like Gitlab, Azure DevOps and...
- DevSecOps with Azure DevOps: Secure CI/CD with Azure DevOps by Raghu at Udemy
- DevSecOps with GitLab: Secure CI/CD with GitLab (2023) by Raghu at Udemy
Useful tools in DevSecOps + Notes
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent