DevSecOps Guideline
Keith Davis
Created on August 26, 2023
DevSecOps Framework
Keith Davis, DevSecOps Consultant
Index
- What is DevSecOps?
- Pipeline Example
- Shift Everywhere
- Guideline
- Resources
- Contact

In short, I define DevSecOps as the process of automating security within the Software Development Life Cycle.
WHAT IS DEVSECOPS
Shift Left / Shift Everywhere

01 Init: Training, Security Champions
02 Pre-Commit: Threat Modeling, Repository Hardening, Secrets Management, Linting
03 Commit: Interactive Application Security Testing, Static Analysis, Container Security, Software Composition Analysis, Infrastructure as Code
04 Continuous Delivery: Dynamic Application Security Testing, Mobile Testing, API Security, Misconfiguration Check
05 Deploy: Key & Certificate Management, Cloud Native Application Protection Platform
06 Operation: Runtime/Continuous Testing, Breach & Attack Simulation, Logging & Monitoring, Pentest, VDP/Bug-Bounty
07 Governance: Compliance & Auditing, Data Protection, Reporting

Image from OWASP
Example DevSecOps Pipeline
- DAST
- SAST
- Container Scanning
- SCA
- IaC Scanning
- Secret Scanning
- API Testing
- IAST

Guideline
Secret Scanning
Addressing one of the OWASP Top Ten issues, secret scanning is the process of detecting and preventing the exposure of sensitive information (passwords, keys, etc.).

Tools:
- GitLeaks: SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos
- SecretScanner: Finds secrets and passwords in container images and file systems

Others:
- GitHub Secret Scanning: GitHub built-in feature for secret detection
- Git Hound: Git plugin that prevents sensitive data from being committed
- truffleHog: Searches through git repositories for high-entropy strings and secrets, digging deep into commit history
- Repo-supervisor: Scans your code for security misconfiguration and searches for passwords and secrets
- git-secrets: Prevents you from committing secrets and credentials into git repositories
- gittyleaks: Finds sensitive information in a git repo
SAST
Static Application Security Testing (SAST) is the process of "scanning" code for code smells, security flaws, and violations. SAST scanning happens without executing the program.

Tools by Language:
- Android/iOS
- C#
- Java
- C/C++
- PHP
- JavaScript
- Go
- Python
IAST
Interactive Application Security Testing (IAST) is the process of detecting vulnerabilities while the application is being "interacted" with, whether via automation, a human, or any other type of activity.

Tools:
- Seeker Interactive Application Security Testing
- HCL AppScan on Cloud
- Checkmarx Interactive Application Security Testing (CxIAST)
- Contrast Community Edition (CE)
SCA
Software Composition Analysis (SCA) is the process of scanning and managing third-party and open-source components within the codebase.

Tools by license type: Commercial, Free/Open-Source
DAST
Dynamic Application Security Testing (DAST) is the process of simulating attacks using tools to "test" a web app for vulnerabilities.

Tools by license type: Commercial, Free/Open-Source
API Tools
Product types: API Testing, API Runtime, API Posture

API Security Posture: Creates an inventory of APIs and the methods they expose, and classifies the data used by each method to provide visibility into the security state of a collection of APIs.
API Runtime Security: Protects APIs during their normal running and handling of API requests, detecting and preventing malicious requests to an API.
API Security Testing: Dynamic assessment of an API's security state, evaluating the security of a running API by interacting with it dynamically.
IaC Scanning
Infrastructure as Code (IaC) scanning is the process of scanning the code and components that build infrastructure for misconfigurations and security vulnerabilities.

Platforms: Terraform, Kubernetes, Docker

Tools:
- terraform-compliance
- checkov
- tfsec
- terrascan
- kubesec.io
- kubeaudit
- dagda
- dockle
Container Image Scanning
Container image scanning is the process of identifying vulnerabilities within containers and the components used within them.

Open Source Tools:
- Clair
- Anchore
- Trivy
- Falco
- Dagda
- Harbor
Resources

Conferences (list from EventyCo):
- All Day DevOps
- DevSecCon

Guidelines:
- DoD DevSecOps Fundamentals Guidebooks
- OWASP DevSecOps Guidelines
- Microsoft DevSecOps Controls
- OWASP DevSecOps Maturity Model

Cheatsheets:
- iSoulution DevOps Security Cheat Sheet
- GitGuardian Cheat Sheet
- OWASP Cheat Sheet Series
- SANS CloudSec & DevOps Cheatsheet
Contact
Contact me today to help Shift-Everywhere within your company
980-613-4118
DAVISKEITH41@GMAIL.COM
Keith Davis
JavaScript SAST Tools
Some commercial tools offer limited free services.

Android/iOS SAST Tools
Some commercial tools offer limited free services.

PHP SAST Tools
Some commercial tools offer limited free services.
jerry-curl
+Others
Insomnia
ImmuniWeb Neuron
http-tanker
httpie
Hoppscotch
ffuf
Escape
curl
Contrast Security
BurpSuite
Bright
APIsec
42 Crunch
API-Clarity
graphql-cop
Cherrybomb
Cequence Security - UAP
Beagle Security
Astra
Akto
Automatic API Attack Tool
Aptori
GitHub SCA
Scantist SCA
Retire.js
OSS Index
Renovate
PHP Security Checker
NPM Audit
Libraries.io
Patton
OSS Review Toolkit
Green-keeper
Dependency-Track
Grafeas
FOSSology
Dependency-Check
Clearly-Defined
DotNET Retire
DepShield
Bytesafe
Go SAST Tools
Some commercial tools offer limited free services.

C# SAST Tools
Some commercial tools offer limited free services.

C/C++ SAST Tools
Some commercial tools offer limited free services.
Xray
Vigilant Ops InSight
Vigiles
Code-Sentry
VulnDB
Veracode
Software Health Indicator
Snyk
Prisma Cloud
Open Source Lifecycle Management
Ion Channel SA
FOSSA
Debricked
Black Duck Hub
SOOS
Nexus IQ
Merge-Base
Dependabot
DejaCode
Clarity
CAST Highlight
CxSCA
Noname API Security Platform
Traceable AI
Salt Security API Protection Platform
Pynt
API Secure
API Security
Wallarm
Levo.ai
Cequence Security - UAP
Akto
42Crunch
+Others
CI Fuzz CLI
Astra Security Suite
Secret-Scanner
Sec-helpers
Ride (REST JSON Payload fuzzer)
purpleteam
Pentest-Tools.com Website Scanner
OSTE Meta Scanner
OpenVAS by Greenbone
OpenApi Security
Nuclei
Nikto
Grendel-Scan
GraphQL Security
Grabber
GoLismero
Deepfence Threat-Mapper
Arachni
AppTrana
Python SAST Tools
Some commercial tools offer limited free services.

Java SAST Tools
Some commercial tools offer limited free services.
Wallarm
Traceable AI
Levo.ai
Salt Security API Protection Platform
Noname API Security Platform
Contrast Security
API Secure
API Security
Akto
42Crunch