nxenon/DevSecOps

DevSecOps Taken Notes from articles in addition to (resources|courses|tools) for DevSecOps.

Some links are resources and some links are notes which have been manually taken. Names which have + at the beginning, are taken notes.

Design / Plan Phase Actions:

• Threat Models & Security Requirements should be designed and defined
• Risks & Plans for preventing threats from happening should be identified

• + SDL (Security Development Lifecycle) by Microsoft
• + How to Ensure Security at the Speed of DevSecOps by Gitlab

• + Threat Modeling by OWASP
• + Structured Threat Modeling Process by OWASP

Develop Phase Actions:

• Secure Coding
• Static Analysis Security Testing (SAST): Can be integrated into developers environment (Find security issues in code)
  • when developer is actively coding (e.g. a SAST IDE Plugin)

• + OWASP Secure Coding Practices

• SonarLint
  • Using SonarLint with SonarQube in Intellij IDE
  • Real-time Code Quality Scan with SonarLint in Visual Studio Code
• Semgrep
  • Semgrep on Visual Studio Code
  • Semgrep Plugin Page on Jetbrains
• Snyk
  • Snyk Plugin in Visual Studio Code
    • Snyk VS Code Plugin Configuration
  • Snyk Plugin in Jetbrains
    • Snyk Jetbrains Plugin Configuration

Build Phase Actions:

• Static Application Security Testing (SAST): Find security issues in code
• Software Composition Analysis (SCA) & Software Bill of Material (SBOM): Find components and compare them against a database like National Vulnerability Database
• Secret Management: Find Secrets
• Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster in run-time

• + What Is SAST on Synopsys
• Beginners Guide to SAST Using SonarQube by Packt.com
• SAST Using Snyk and SonarQube by OpenSourceforu.com

• + What is Software Composition Analysis (SCA) on Synopsys
• + Guide to Software Composition Analysis by Snyk
• Software Bill of Materials: How to generate an SBOM from container images using Syft
• Grype Open Source Vulnerability Scanner Demo

• Secret Management: Tools & Best Practice by Snyk
• Secret Management Cheat Sheet by OWASP

• Interactive Application Security Testing (IAST) by Snyk
• Interactive Application Security Testing by OWASP
• Jumpstarting your DevSecOps - Pipeline with IAST & RASP

Test Phase Actions:

• Interactive Application Security Testing (IAST): Test in an automated way and find vulnerabilities faster in run-time
  • See IAST Section
• Dynamic Application Security Testing (DAST): Evaluate application from outside automatically
• Penetration Testing: Evaluate application black box by ethical hackers

• Integrating Dastardly with your CI/CD platform (generic instructions) by PortSwigger
  • Dastardly, from Burp Suite by PortSwigger
• Dynamic Application Security Testing with ZAP and Actions
• Dynamic Application Security Testing by Gitlab

• Penetration Testing at DevSecOps Speed

Deploy Phase Actions:

• Hardening & Secure Configuration
• Security Scanning

• OWASP Docker Security Cheat Sheet
• Docker Security
• Docker Security Best Practices by Aquasec
• Docker Security Scanning by Snyk
• Automate Container Security Scanning
• Making your NGINX Server more secure to host your web apps

Operate & Monitor Phase Actions:

• Run-time Application Self-Protection (RASP)
• Security Audit
• Monitor: Metrics, Monitoring and alerting
• Security

• Runtime Application Self-Protection (RASP) by Rapid7
• Top 7 RASP Software
• Jumpstarting your DevSecOps - Pipeline with IAST & RASP

• DevSecOps Compliance - Make your Auditors Job Easier

• Monitoring - DevSecOps Guides
• Metrics DevSecOps Need to Monitor - Insights for Professionals

This part contains DevSecOps integration resources separated by different CI/CD tools like Gitlab, Azure DevOps and...

• Integrating and Running SonarQube into Azure Pipelines by Cumhur Akkaya

• GitLab Integration | Mapping your organization into SonarQube

• DevSecOps with Azure DevOps: Secure CI/CD with Azure DevOps by Raghu at
• DevSecOps with GitLab: Secure CI/CD with GitLab (2023) by Raghu at

• Open Source Security Report by Snyk

Useful tools in DevSecOps + Notes

• Dependency Track README
• + Dependency Track SSL Setup
• + Dependency Track Report Chart Creation Per Product Dependency Track Reporting Chart Creator
• + Dependency Track & DefectDojo Integration Defect Dojo and Dependency Track integration automation script

• + DefectDojo Installation & Setup Notes
• + DefectDojo SSL (HTTPS)

• DevSecOps Roadmap