DevSecOps
A collection and roadmap for everyone who wants to adopt DevSecOps; it contains a list of tools and methodologies.
Table of Contents
- Resources
- 0. DevSecOps Overview
- 1. Design
- 2. Develop
- 3. Build
- 4. Test
- 5. Deploy
- 6. Operate and Monitor
- Jenkins stage
- Tools
- 0. Pre-commit
- 1. Secrets management
- 2. SCA
- 3. SAST
- 4. DAST
- 5. Containers
- 6. Kubernetes
- Awesome resources
Resources
0. DevSecOps Overview
- Overview
1. Design
- Development Lifecycle
- Threat Model
2. Develop
3. Build
- SAST (Static Application Security Testing)
4. Test
- DAST (Dynamic Application Security Testing)
- Penetration testing
5. Deploy
- Security Hardening & Config
- Security Scanning
6. Operate and Monitor
- RASP (Run-time Application Security Protection)
- Security Patch
- Security Audit
- Security Monitor
- Security Analysis
Jenkins stage
- SonarQube (SAST)
- Unit test (JUnit & JaCoCo)
- Mutation test (PIT)
- Vulnerability scan - Docker
  - dependency check
  - Trivy
  - OPA conftest
- Kubernetes deployment
  - kubesec scan
  - OPA scan
  - Trivy
- Integration test
- OWASP ZAP (DAST)
- CIS benchmark (kube-bench)
- Monitoring
Tips:
- The integration test checks that API requests and responses are valid.
- Install the OpenAPI plugin in Spring (or another framework), then use the generated api-docs for pentesting with ZAP proxy.
- Use a Slack hook to send notifications from Jenkins after any error or warning in a report.
- Prometheus is a good notification manager and makes graphs with Grafana.
- Use Kiali as a monitoring GUI for Kubernetes.
- Use mTLS with Istio for secure communication between pods.
- Falco is an open-source cloud-native runtime security project.
- Helm is a package manager for Kubernetes, like yum.
Tools
Pre-commit
| Name | URL | Description |
|---|---|---|
| git-secrets | https://github.com/awslabs/git-secrets | AWS labs tool preventing you from committing secrets to a git repository |
| Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in |
Secrets management
| Name | URL | Description |
|---|---|---|
| GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hardcoded secrets |
SCA
| Name | URL | Description |
|---|---|---|
| Snyk | https://github.com/snyk/snyk | Snyk scans and monitors your projects for security vulnerabilities |
| npm-check | https://www.npmjs.com/package/npm-check | Check for outdated, incorrect, and unused dependencies. |
SAST
| Name | URL | Description |
|---|---|---|
| Bandit | https://github.com/PyCQA/bandit | Python-specific SAST tool |
| nodejsscan | https://github.com/ajinabraham/nodejsscan | Node.js SAST scanner with a GUI |
| SonarQube community | https://github.com/SonarSource/sonarqube | Detect security issues in code review with Static Application Security Testing (SAST) |
DAST
| Name | URL | Description |
|---|---|---|
| ZAP proxy | https://owasp.org/www-project-zap/ | ZAP proxy provides various Docker containers for CI/CD pipelines |
| Nuclei | https://github.com/projectdiscovery/nuclei | Template based security scanning tool |
Containers
| Name | URL | Description |
|---|---|---|
| Docker bench | https://github.com/docker/docker-bench-security | Docker benchmarking against CIS |
| Trivy | https://github.com/aquasecurity/trivy | Comprehensive scanner for vulnerabilities in container images |
Kubernetes
| Name | URL | Description |
|---|---|---|
| kube-bench | https://github.com/aquasecurity/kube-bench | Kubernetes benchmarking tool |
| kube-hunter | https://github.com/aquasecurity/kube-hunter | Active scanner for k8s (purple) |