DevSecOps

Providing Security in DevOps (The Effort to strive for "Secure by Default")

📜 Table of Contents

• Roadmap
• Tools
• Resources
  • 1. DevSecOps Overview
  • 2. Design
  • 3. Develop
  • 4. Build
  • 5. Test
  • 6. Deploy
  • 7. Operations
• Other roadmaps and devsecops information
• Wrapping things Up
• Contribute

💭 Roadmap

🔩 Tools

Spending the time on applying DevSecOps searching, comparing, and making decisions about tools can be daunting. The tools listed here is a good starting point to help and assist and reduce unnecessary time and to apply them quickly 😎

Open https://github.com/Lino-DC/DevSecOps/blob/main/tools/README.md

📦 Resources

1. DevSecOps Overview

• Overview
  1. DevSecOps in Wikipedia

2. Design

• Development Lifecycle
  1. SDL(Secure Development Lifecycle) by Microsoft
  2. DevSecOps basics: 9 tips for shifting left (Gitlab)
  3. 6 Ways to bring security to the speed of DevOps (Gitlab)
• Threat Model
  1. What is Threat Modeling / Wikipedia
  2. Threat Modeling by OWASP
  3. Application Threat Modeling by OWASP
  4. Agile Threat Modeling Toolkit
  5. OWASP Threat Dragon
• Policies

3. Develop

• Secure Coding
  1. Secure coding guide by Apple
  2. Secure Coding Guidelines for Java SE
  3. Go-SCP / Go programming language secure coding practices guide
  4. Android App security best practices by Google
  5. Securing Rails Applications
• Code Authentication
• IDE Security Plugins

4. Build

• SAST(Static Application Security Testing)
  1. Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1
  2. Announcing third-party code scanning tools: static analysis & developer security training
• Dependency Management
• SCA
• IAST

5. Test

• DAST(Dynamic Application Security Testing)
  1. Dynamic Application Security Testing with ZAP and GitHub Actions
  2. Dynamic Application Security Testing (DAST) in Gitlab
  3. DAST using pdiscoveryio Nuclei (github action)
• Penetration testing
  1. Penetration Testing at DevSecOps Speed
• IAST

6. Deploy

• Security Hardening & Config
  1. CIS Benchmarks
• Security Scanning
  1. Best practices for scanning images (docker)

7. Operations

• RASP(Run-time Application Security Protection)
  1. Runtime Application Self-Protection by rapid7
  2. Jumpstarting your devsecops - Pipeline with IAST and RASP
• Security Patching
• Security Audit
• Security Monitoring
• Security Analysis
• Pentesting

🚀 Other roadmaps and devsecops information

U.S. Department of Defense	Larry Maccherone
The DevSecOps Security Checklist	Gitlab security devops diagram

🙏🏼 Wrapping things Up

This is a work in progress roadmap for all to use, it can be improved as time goes on, but the main idea behind this is to help guide you through your Devops journey embracing security from anywhere within your current pipeline.

If you wish to learn more about SDLC (Software Development Lifecycle) and SSDLC (Secure Software Development Lifecycle) then visit SSDLC