kh4sh3i / DevSecOps

Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool



DevSecOps

Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies

πŸ“œ Table of Contents

πŸ“¦ Resources

0. DevSecOps Overview

1. Design

2. Develop

3. Build

  • SAST(Static Application Security Testing)

4. Test

  • DAST(Dynamic Application Security Testing)
  • Penetration testing

5. Deploy

6. Operate and Monitor

  • RASP(Run-time Application Security Protection)
  • Security Patch
  • Security Audit
  • Security Monitor
  • Security Analysis

Jenkins stage

  1. sonarQube(SAST)
  2. unit Test (Junit & Jacoco)
  3. mutation Test (PIT)
  4. Vulnerability scan -Docker
    • dependency check
    • Trivy
    • OPA conftest
  5. kubernetes deployment
    • kubesec scan
    • OPA scan
    • trivy
  6. integration test
  7. owasp zap (DAST)
  8. CIS benchmark (kube-bench)
  9. monitoring

Tips :

  • integration test check valid request and response api request
  • we install openapi plugin in spring or other framework then get api-docs for pentesting woth zap proxy
  • we use slack hook for send notification from jenkin, after any error or warm in report
  • prometheus is a good notification manager and make graph with graphana
  • use kiali for monitoring GUI kubernetis
  • use mTls with istio for secure comunication betwean pods
  • falco is opensource cloud native runtime security project
  • helm id package manager for kubernetis like yum

πŸ”© Tools

Pre-commit

Name URL Description
git-secrets https://github.com/awslabs/git-secrets AWS labs tool preventing you from committing secrets to a git repository
Talisman https://github.com/thoughtworks/talisman A tool to detect and prevent secrets from getting checked in

Secrets management

Name URL Description
GitLeaks https://github.com/zricethezav/gitleaks Gitleaks is a scanning tool for detecting hardcoded secrets

SCA

Name URL Description
Snyk https://github.com/snyk/snyk Snyk scans and monitors your projects for security vulnerabilities
npm-check https://www.npmjs.com/package/npm-check Check for outdated, incorrect, and unused dependencies.

SAST

Name URL Description
Bandit https://github.com/PyCQA/bandit Python specific SAST tool
nodejsscan https://github.com/ajinabraham/nodejsscan NodeJs SAST scanner with GUI
SonarQube community https://github.com/SonarSource/sonarqube Detect security issues in code review with Static Application Security Testing (SAST)

DAST

Name URL Description
Zap proxy https://owasp.org/www-project-zap/ Zap proxy providing various docker containers for CI/CD pipeline
Nuclei https://github.com/projectdiscovery/nuclei Template based security scanning tool

Containers

Name URL Description
Docker bench https://github.com/docker/docker-bench-security Docker benchmarking against CIS
Trivy https://github.com/aquasecurity/trivy Comprehensive scanner for vulnerabilities in container images

Kubernetes

Name URL Description
kube-bench https://github.com/aquasecurity/kube-bench Kubernetes benchmarking tool
kube-hunter https://github.com/aquasecurity/kube-hunter Active scanner for k8s (purple)

Awesome resources

About

Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies

License:Creative Commons Zero v1.0 Universal