Conformance to process:
- Code reviews
- Coding Standards
- Verifiable builds
- Test coverage
- Static Analysis
- Vulnerability Scanning
- Verifiable deployments
Audit Traceability
Immutable infrastructure
- Docker
- Image OS
Standard Tooling (open question - controversial)
Enforce compliance in the pipeline:
- Source code version control
- Optimum branching strategy
- Static analysis
- 80% code coverage
- Vulnerability scan
- Open source scan
- Artifact version control
- Auto provision
- Immutable servers
- Integration testing
- Performance testing
- Build, deploy, testing automated for every commit
- Automated Rollback
- Automated Change Order
- Zero downtime release
- Feature Toggle
- Vulnerability management (Automating, dashboard)
- Continuous scanning - AppSec Pipeline
- Asset inventory
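The two lists above (conformance to process, and enforcing compliance in the pipeline) describe gates that should run on every commit. As an added example, not code from the original page or from any of the projects linked on it, the following Python script implements three of those gates as one fail-closed policy step: the 80% coverage threshold read from a coverage.py-style JSON report, blocking of ERROR-severity findings from a Semgrep-style JSON report (static analysis / vulnerability scan), and a SHA-256 check of the build artifact against a digest pinned in version control (verifiable build and deployment, artifact version control). The report contents, the artifact bytes and the thresholds are constructed for the example; the field names follow the coverage.py `totals.percent_covered` and Semgrep `results[].extra.severity` layouts, which are assumptions you should check against your own tool versions.

```python
"""Fail-closed pipeline compliance gate (added example, not from the original page)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List

COVERAGE_MIN_PERCENT = 80.0      # the "80% code coverage" rule from the list above
BLOCKING_SEVERITIES = {"ERROR"}  # Semgrep severities are INFO / WARNING / ERROR


@dataclass
class GateResult:
    passed: bool
    failures: List[str] = field(default_factory=list)


def check_coverage(report: Dict, minimum: float = COVERAGE_MIN_PERCENT) -> List[str]:
    """Reject builds below the threshold; a malformed report also fails (fail closed)."""
    try:
        percent = float(report["totals"]["percent_covered"])
    except (KeyError, TypeError, ValueError):
        return ["coverage report is missing totals.percent_covered"]
    if percent < minimum:
        return [f"coverage {percent:.1f}% below required {minimum:.0f}%"]
    return []


def check_static_analysis(report: Dict, blocking=BLOCKING_SEVERITIES) -> List[str]:
    """Turn every blocking-severity finding into a named failure; lower severities pass."""
    failures = []
    for finding in report.get("results", []):
        severity = str(finding.get("extra", {}).get("severity", "")).upper()
        if severity in blocking:
            failures.append(
                f"{finding.get('check_id', '?')} at "
                f"{finding.get('path', '?')}:{finding.get('start', {}).get('line', '?')} ({severity})"
            )
    return failures


def check_artifact_digest(artifact: bytes, pinned_sha256: str) -> List[str]:
    """Deploy only the exact bytes that were built and recorded; any drift fails the gate."""
    actual = hashlib.sha256(artifact).hexdigest()
    if actual != pinned_sha256.lower():
        return [f"artifact sha256 {actual} does not match pinned {pinned_sha256}"]
    return []


def evaluate_gate(coverage_report: Dict, sast_report: Dict,
                  artifact: bytes, pinned_sha256: str) -> GateResult:
    """Run all gates and collect every failure so the developer sees them in one pass."""
    failures = (
        check_coverage(coverage_report)
        + check_static_analysis(sast_report)
        + check_artifact_digest(artifact, pinned_sha256)
    )
    return GateResult(passed=not failures, failures=failures)


# --- Constructed sample inputs (not real scan output) -------------------------
SAMPLE_COVERAGE_PASS = {"totals": {"percent_covered": 83.4}}
SAMPLE_COVERAGE_FAIL = {"totals": {"percent_covered": 71.2}}

SAMPLE_SAST = json.loads("""{
  "results": [
    {"check_id": "python.lang.security.audit.subprocess-shell-true",
     "path": "app/run.py", "start": {"line": 42, "col": 5},
     "extra": {"severity": "ERROR", "message": "subprocess call with shell=True"}},
    {"check_id": "python.lang.best-practice.open-never-closed",
     "path": "app/io.py", "start": {"line": 7, "col": 1},
     "extra": {"severity": "WARNING", "message": "file handle never closed"}}
  ]
}""")
SAMPLE_SAST_CLEAN = {"results": []}

SAMPLE_ARTIFACT = b"PK\x03\x04 constructed build artifact v1.4.2"
# Digest recorded at build time and committed next to the release manifest.
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


if __name__ == "__main__":
    # Simulate a bad commit: low coverage, one ERROR finding, tampered artifact.
    result = evaluate_gate(SAMPLE_COVERAGE_FAIL, SAMPLE_SAST,
                           SAMPLE_ARTIFACT + b"tampered", PINNED_SHA256)
    print("PASS" if result.passed else "FAIL")
    for failure in result.failures:
        print(" -", failure)
```

In a real pipeline the three inputs come from the previous stages (coverage report, scanner output, the artifact fetched from the registry), and a non-zero exit on `not result.passed` is what stops the deploy. Note the fail-closed choices: a missing or unparseable coverage report blocks the build rather than being treated as 100%, and only a byte-exact digest match lets an artifact through.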
- os-primeiros-passos-para-uma-carreira-devops by Gomex
- Devops-exercises
- Delivery Pipelines as enabler for a DevOps culture
- Controlled Chaos: The Inevitable Marriage of DevOps & Security - Blackhat USA 2019
- Designing a Secure Software Development Lifecycle with DevOps - Mike Long
- The Current State of DevSecOps Metrics by Bill Nichols - 2021 - Slides
- Gibler - How to 10X Your Security - 2020
- appsec-cali-2019-lessons-learned-from-the-devsecops-trenches/
- why-am-i-rooting-for-a-new-category-in-owasp-top-10-2021-insecure-build-deployment-environment
- devsecops blogs by Carnegie Mellon University
- Sysadmin landscape
- DevSecOps Ref Architecture
- Open source security tools
- Periodic Table of DevOps Tools - XebiaLabs - A collection of DevSecOps tooling categorised by tool functionality.
- Cloud Security and DevSecOps Best Practices by Sans.org.
- pagerduty_security_training_for_engineers_public.pdf
- secure-coding-practices-quick-reference-guide by OWASP
- Application Security Verification Standard - OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
- Coding Standards - CERT - A collection of secure development standards for C, C++, Java and Android development.
- Proactive Controls - OWASP - OWASP's list of top ten controls that should be implemented in every software development project.
- Secure Coding Guidelines - Mozilla - A guideline containing specific secure development standards for secure web application development.
- Secure Coding Practices Quick Reference Guide - OWASP - A checklist to verify that secure development standards have been followed.
- Secure Software Development Life Cycle Processes by Carnegie Mellon University - Covers frameworks and standards such as the Capability Maturity Model Integration (CMMI) framework, Team Software Process (TSP), the FAA-iCMM, the Trusted CMM/Trusted Software Methodology (T-CMM/TSM), and the Systems Security Engineering Capability Maturity Model (SSE-CMM). Two approaches released after the original survey, the Software Assurance Maturity Model (SAMM) and the Software Security Framework (SSF), were added to keep the material current.
- Building Security In Maturity Model (BSIMM) - Synopsys - A framework for software security created by observing and analysing data from leading software security initiatives.
- Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
- Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
- Software Assurance Maturity Model - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.
Security Design Principles
- security-design-with-principles (2021)
- bottom-up-security-testing-security-in-all-levels (2021)
- 8-security-design-principles-business-solutions
- C/C++ - Clang Static Analyzer, Phasar, Cppcheck
- C#/.NET - Puma Scan, Security Code Scan
- Golang - gosec, glasgo
- Java - SpotBugs, Frameworks: Soot, WALA
- JavaScript/TypeScript - NodeJsScan, eslint, tslint, eslint-plugin-no-unsanitized
- Python - bandit, dlint, pyre-check (data-flow analysis to find web app bugs)
- Ruby - Brakeman
- Semgrep - Python, JavaScript, Golang, Java, ...
Massive list: mre/awesome-static-analysis
let you practice your skills at exploiting them.
- Bad SSL - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
- Cfngoat - Bridgecrew - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code analysis tools above.
- Damn Vulnerable Web App - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
- Juice Shop - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
- NodeGoat - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
- Terragoat - Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code analysis tools above.
- Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.