Skip to content

Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies

License

Notifications You must be signed in to change notification settings

kh4sh3i/DevSecOps

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 

Repository files navigation



DevSecOps

Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies

📜 Table of Contents

📦 Resources

0. DevSecOps Overview

1. Design

2. Develop

3. Build

  • SAST(Static Application Security Testing)

4. Test

  • DAST(Dynamic Application Security Testing)
  • Penetration testing

5. Deploy

6. Operate and Monitor

  • RASP(Run-time Application Security Protection)
  • Security Patch
  • Security Audit
  • Security Monitor
  • Security Analysis

Jenkins stage

  1. sonarQube(SAST)
  2. unit Test (Junit & Jacoco)
  3. mutation Test (PIT)
  4. Vulnerability scan -Docker
    • dependency check
    • Trivy
    • OPA conftest
  5. kubernetes deployment
    • kubesec scan
    • OPA scan
    • trivy
  6. integration test
  7. owasp zap (DAST)
  8. CIS benchmark (kube-bench)
  9. monitoring

Tips :

  • integration test check valid request and response api request
  • we install openapi plugin in spring or other framework then get api-docs for pentesting woth zap proxy
  • we use slack hook for send notification from jenkin, after any error or warm in report
  • prometheus is a good notification manager and make graph with graphana
  • use kiali for monitoring GUI kubernetis
  • use mTls with istio for secure comunication betwean pods
  • falco is opensource cloud native runtime security project
  • helm id package manager for kubernetis like yum

🔩 Tools

Pre-commit

Name URL Description
git-secrets https://github.com/awslabs/git-secrets AWS labs tool preventing you from committing secrets to a git repository
Talisman https://github.com/thoughtworks/talisman A tool to detect and prevent secrets from getting checked in

Secrets management

Name URL Description
GitLeaks https://github.com/zricethezav/gitleaks Gitleaks is a scanning tool for detecting hardcoded secrets

SCA

Name URL Description
Snyk https://github.com/snyk/snyk Snyk scans and monitors your projects for security vulnerabilities
npm-check https://www.npmjs.com/package/npm-check Check for outdated, incorrect, and unused dependencies.

SAST

Name URL Description
Bandit https://github.com/PyCQA/bandit Python specific SAST tool
nodejsscan https://github.com/ajinabraham/nodejsscan NodeJs SAST scanner with GUI
SonarQube community https://github.com/SonarSource/sonarqube Detect security issues in code review with Static Application Security Testing (SAST)

DAST

Name URL Description
Zap proxy https://owasp.org/www-project-zap/ Zap proxy providing various docker containers for CI/CD pipeline
Nuclei https://github.com/projectdiscovery/nuclei Template based security scanning tool

Containers

Name URL Description
Docker bench https://github.com/docker/docker-bench-security Docker benchmarking against CIS
Trivy https://github.com/aquasecurity/trivy Comprehensive scanner for vulnerabilities in container images

Kubernetes

Name URL Description
kube-bench https://github.com/aquasecurity/kube-bench Kubernetes benchmarking tool
kube-hunter https://github.com/aquasecurity/kube-hunter Active scanner for k8s (purple)

Awesome resources