DevSecOps

♾️ DevSecOps

Notes taken from DevSecOps articles, together with resources, courses and tools for DevSecOps.

📝 Notes & Resources

Some links point to external resources and others to notes that were taken manually. Entries whose names begin with + are the manually taken notes.

🪜 Design / Plan

Design / Plan Phase Actions:

  • Threat models and security requirements should be designed and defined
  • Risks should be identified, and plans for preventing those threats from materializing should be defined

Development Lifecycle

Threat Model

🧑‍💻 Develop

Develop Phase Actions:

  • Secure Coding
  • Static Analysis Security Testing (SAST): finds security issues in code; can be integrated into the developer's environment
    • runs while the developer is actively coding (e.g. a SAST IDE plugin)

Secure Coding

SAST in Developer's Environment

⚒️ Build

Build Phase Actions:

  • Static Application Security Testing (SAST): finds security issues in code
  • Software Composition Analysis (SCA) & Software Bill of Materials (SBOM): identifies the components an application is built from and compares them against a vulnerability database such as the National Vulnerability Database (NVD)
  • Secret Management: finds hard-coded secrets
  • Interactive Application Security Testing (IAST): tests the application automatically and finds vulnerabilities faster at run-time

Static Application Security Testing (SAST)

Software Composition Analysis (SCA)

Secret Management

Interactive Application Security Testing (IAST)

🧪 Test

Test Phase Actions:

  • Interactive Application Security Testing (IAST): tests the application automatically and finds vulnerabilities faster at run-time
  • Dynamic Application Security Testing (DAST): evaluates the running application from the outside, automatically
  • Penetration Testing: black-box evaluation of the application by ethical hackers

Dynamic Application Security Testing (DAST)

Penetration Testing

⚓ Deploy

Deploy Phase Actions:

  • Hardening & Secure Configuration
  • Security Scanning

Hardening & Secure Configuration & Security Scanning

🖥️ Operate & Monitor

Operate & Monitor Phase Actions:

  • Run-time Application Self-Protection (RASP)
  • Security Audit
  • Monitor: metrics, monitoring and alerting
  • Security Patching

Runtime Application Self-Protection (RASP)

Security Audit

Monitor

🪈 CI/CD (DevOps) - Pipeline Tools

This part contains DevSecOps integration resources grouped by CI/CD tool (GitLab, Azure DevOps, and others).

♻️ Azure DevOps

😺 Gitlab CI/CD

🎒 Courses

🔗 Other Resources

⛏️ DevSecOps Tools

Useful DevSecOps tools, with notes.

SCA

Dependency Track

Vulnerability Management

DefectDojo

🔃 Reference