DevSecOps Framework
Keith Davis DevSecOps Consultant
Index
What is DevSecOps?
Guideline
Resources
Contact
WHAT IS DEVSECOPS
In short, I define DevSecOps as the process of automating security within the Software Development Life Cycle.
Pipeline Example
Shift Everywhere
Shift Left / Shift Everywhere
Pipeline stages (numbered in the diagram): 01 Init, 02 Pre-Commit, 03 Commit, 04 Continuous Delivery, 05 Deploy, 06 Operation, 07 Governance
Activity groups shown in the diagram:
Interactive Application Security Testing, Static Analysis, Container Security, Software Composition Analysis, Infrastructure as Code
Training, Security Champions
Compliance & Auditing, Data Protection, Reporting
Runtime/Continuous Testing, Breach & Attack Simulation, Logging & Monitoring, Pentest, VDP/Bug-Bounty
Key & Certificate Management, Cloud Native Application Protection Platform
Dynamic Application Security Testing, Mobile Testing, API Security, Misconfiguration Check
Threat Modeling, Repository Hardening, Secrets Management, Linting
Example DevSecOps Pipeline (image from OWASP)
Guideline
Secret Scanning
Container Scanning
DAST
SCA
IAST
SAST
API Testing
IaC Scanning
Secret Scanning
Secret scanning addresses one of the OWASP Top Ten issue categories: it is the process of detecting and preventing the exposure of sensitive information (passwords, keys, etc.). Click on a tool to learn more.
GitHub Secret Scanning
GitHub's built-in feature for secret detection
gittyleaks
Finds sensitive information in a git repo
git-secrets
Prevents you from committing secrets and credentials into git repositories
Repo-supervisor
Scans your code for security misconfigurations and searches for passwords and secrets
Git Hound
Git plugin that prevents sensitive data from being committed
truffleHog
Searches through git repositories for high entropy strings and secrets, digging deep into commit history
Others
GitLeaks - SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos
SecretScanner - Find secrets and passwords in container images and file systems
SAST
Static Application Security Testing (SAST) is the process of "scanning" source code for code smells, security flaws, and policy violations. SAST scanning happens without executing the program.
Tools by Language
Click on a language for a list of tools
Go
JavaScript
Java
C/C++
Python
Android/iOS
PHP
C#
IAST
Interactive Application Security Testing (IAST) is the process of detecting vulnerabilities while the application is being "interacted" with, whether by automation, a human, or any other type of activity.
Tools
Click on a tool to learn more
Checkmarx Interactive Application Security Testing (CxIAST)
HCL AppScan on Cloud
Seeker Interactive Application Security Testing
Contrast Community Edition (CE)
SCA
Software Composition Analysis (SCA) is the process of scanning and managing third-party and open-source components within the codebase.
Click on a license type for a list of tools
Commercial
Free/Open-Source
DAST
Dynamic Application Security Testing (DAST) is the process of simulating attacks with tools to "test" a running web app for vulnerabilities.
Click on a license type for a list of tools
Commercial
Free/Open-Source
API Tools
API Security Posture: creates an inventory of APIs and the methods they expose, and classifies the data used by each method, to provide visibility into the security state of a collection of APIs.
API Runtime Security: protects APIs during their normal running and handling of requests by detecting and preventing malicious requests to an API.
API Security Testing: dynamic assessment of an API's security state, evaluating the security of a running API by interacting with it dynamically.
Click on a product type for a list of tools
API Runtime
API Testing
API Posture
IaC Scanning
Infrastructure as Code (IaC) scanning is the process of scanning the code and components that build infrastructure for misconfigurations and security vulnerabilities.
Click on a tool to learn more
Terraform
Docker
Kubernetes
checkov
dagda
kubesec.io
terrascan
dockle
kubeaudit
terraform-compliance
tfsec
Container Image Scanning
Container image scanning is the process of identifying vulnerabilities within container images and the components used within them.
Open Source Tools
Click on a tool to learn more
Dagda
Anchore
Clair
Harbor
Falco
Trivy
Resources
Cheatsheets
SANS CloudSec & DevOps Cheatsheet
OWASP Cheat Sheet Series
GitGuardian Cheat Sheet
iSoulution DevOps Security Cheat Sheet
Guidelines
OWASP DevSecOps Maturity Model
Microsoft DevSecOps Controls
OWASP DevSecOps Guidelines
DoD DevSecOps Fundamentals Guidebooks
Conferences
DevSecCon
All Day DevOps
List from EventyCo
Keith Davis
DAVISKEITH41@GMAIL.COM
980-613-4118
Contact me today to help Shift-Everywhere within your company
JavaScript SAST Tools
Some commercial tools offer limited free services
Android/iOS SAST Tools
Some commercial tools offer limited free services
PHP SAST Tools
Some commercial tools offer limited free services
API Testing Tools (click a tool to learn more)
Contrast Security
Bright
graphql-cop
42 Crunch
Aptori
ImmuniWeb Neuron
Astra
Akto
BurpSuite
curl
Hoppscotch
Insomnia
Cequence Security - UAP
API-Clarity
Automatic API Attack Tool
httpie
Escape
jerry-curl
Beagle Security
APIsec
Cherrybomb
ffuf
http-tanker
+Others
SCA Free/Open-Source Tools (click a tool to learn more)
Bytesafe
Green-keeper
DepShield
Retire.js
OSS Review Toolkit
DotNET Retire
Clearly-Defined
Patton
Libraries.io
Scantist SCA
Dependency-Check
NPM Audit
FOSSology
GitHub SCA
PHP Security Checker
Grafeas
Dependency-Track
Renovate
OSS Index
Go SAST Tools
Some commercial tools offer limited free services
C# SAST Tools
Some commercial tools offer limited free services
C/C++ SAST Tools
Some commercial tools offer limited free services
SCA Commercial Tools (click a tool to learn more)
Open Source Lifecycle Management
FOSSA
Black Duck Hub
CxSCA
SOOS
Vigilant Ops InSight
Debricked
CAST Highlight
Ion Channel SA
Prisma Cloud
Veracode
Xray
Clarity
Merge-Base
DejaCode
VulnDB
Snyk
Dependabot
Code-Sentry
Software Health Indicator
Nexus IQ
Vigiles
API Runtime Tools (click a tool to learn more)
Cequence Security - UAP
42Crunch
Salt Security API Protection Platform
Levo.ai
Traceable AI
Akto
API Secure
Noname API Security Platform
Wallarm
Pynt
API Security
DAST Free/Open-Source Tools (click a tool to learn more)
Ride (REST JSON Payload fuzzer)
Deepfence Threat-Mapper
AppTrana
Grendel-Scan
OpenVAS by Greenbone
OSTE Meta Scanner
GoLismero
Arachni
Nikto
Sec-helpers
Astra Security Suite
Nuclei
Grabber
Secret-Scanner
Pentest-Tools.com Website Scanner
GraphQL Security
CI Fuzz CLI
OpenApi Security
purpleteam
+Others
Python SAST Tools
Some commercial tools offer limited free services
Java SAST Tools
Some commercial tools offer limited free services
API Posture Tools (click a tool to learn more)
Traceable AI
42Crunch
Contrast Security
Levo.ai
Akto
Wallarm
API Secure
Noname API Security Platform
Salt Security API Protection Platform
API Security
DevSecOps Guideline
Keith Davis
Created on August 26, 2023