DevSecOps

Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies

📜 Table of Contents

• Resources
  • 0. DevSecOps Overview
  • 1. Design
  • 2. Develop
  • 3. Build
  • 4. Test
  • 5. Deploy
  • 6. Operate and Monitor
• Jenkins stage
• Tools
  • 0. Precommit
  • 1. Secrets management
  • 2. SCA
  • 3. SAST
  • 4. DAST
  • 5. Containers
  • 6. Kubernetes
• Awesome resources

📦 Resources

0. DevSecOps Overview

• Overview
  1. DevSecOps What Why And How (BlackHat USA-19)
  2. DevSecOps – Security and Test Automation (Mitre)

1. Design

• Development Lifecycle
  1. OWASP's Software Assurance Maturity Model
• Threat Model
  1. Threat Modeling by OWASP
  2. OWASP Threat Dragon

2. Develop

• Secure Coding
  1. Go-SCP / Go programming language secure coding practices guide

3. Build

• SAST(Static Application Security Testing)

4. Test

• DAST(Dynamic Application Security Testing)
• Penetration testing

5. Deploy

• Security Hardening & Config
  1. CIS Benchmarks
• Security Scanning

6. Operate and Monitor

• RASP(Run-time Application Security Protection)
• Security Patch
• Security Audit
• Security Monitor
• Security Analysis

Jenkins stage

1. sonarQube(SAST)
2. unit Test (Junit & Jacoco)
3. mutation Test (PIT)
4. Vulnerability scan -Docker
   • dependency check
   • Trivy
   • OPA conftest
5. kubernetes deployment
   • kubesec scan
   • OPA scan
   • trivy
6. integration test
7. owasp zap (DAST)
8. CIS benchmark (kube-bench)
9. monitoring

Tips :

• integration test check valid request and response api request
• we install openapi plugin in spring or other framework then get api-docs for pentesting woth zap proxy
• we use slack hook for send notification from jenkin, after any error or warm in report
• prometheus is a good notification manager and make graph with graphana
• use kiali for monitoring GUI kubernetis
• use mTls with istio for secure comunication betwean pods
• falco is opensource cloud native runtime security project
• helm id package manager for kubernetis like yum

🔩 Tools

Pre-commit

Name	URL	Description
git-secrets	https://github.com/awslabs/git-secrets	AWS labs tool preventing you from committing secrets to a git repository
Talisman	https://github.com/thoughtworks/talisman	A tool to detect and prevent secrets from getting checked in

Secrets management

Name	URL	Description
GitLeaks	https://github.com/zricethezav/gitleaks	Gitleaks is a scanning tool for detecting hardcoded secrets

SCA

Name	URL	Description
Snyk	https://github.com/snyk/snyk	Snyk scans and monitors your projects for security vulnerabilities
npm-check	https://www.npmjs.com/package/npm-check	Check for outdated, incorrect, and unused dependencies.

SAST

Name	URL	Description
Bandit	https://github.com/PyCQA/bandit	Python specific SAST tool
nodejsscan	https://github.com/ajinabraham/nodejsscan	NodeJs SAST scanner with GUI
SonarQube community	https://github.com/SonarSource/sonarqube	Detect security issues in code review with Static Application Security Testing (SAST)

DAST

Name	URL	Description
Zap proxy	https://owasp.org/www-project-zap/	Zap proxy providing various docker containers for CI/CD pipeline
Nuclei	https://github.com/projectdiscovery/nuclei	Template based security scanning tool

Containers

Name	URL	Description
Docker bench	https://github.com/docker/docker-bench-security	Docker benchmarking against CIS
Trivy	https://github.com/aquasecurity/trivy	Comprehensive scanner for vulnerabilities in container images

Kubernetes

Name	URL	Description
kube-bench	https://github.com/aquasecurity/kube-bench	Kubernetes benchmarking tool
kube-hunter	https://github.com/aquasecurity/kube-hunter	Active scanner for k8s (purple)

Awesome resources

• https://github.com/sottlmarek/DevSecOps
• https://github.com/devsecops/awesome-devsecops
• https://github.com/TaptuIT/awesome-devsecops
• https://github.com/hahwul/DevSecOps