Collection and Roadmap for everyone who wants DevSecOps. Hope your DevOps are more safe.

Roadmap for everyone who wants DevSecOps.

---

Roadmap

Tools

---

Spending a lot of time on applying DevSecOps is searching, comparing, and making decisions about tools. These tool lists are a good way to help you reduce unnecessary time and apply them quickly

https://github.com/hahwul/DevSecOps/blob/main/tools/README.md

Resources

---

0. DevSecOps Overview

• Overview
  1. DevSecOps in Wikipedia
  2. Zero to DevSecOps (OWASP Meetup)
  3. DevSecOps What Why And How (BlackHat USA-19)
  4. DevSecOps – Security and Test Automation (Mitre)

1. Design

• Development Lifecycle
  1. SDL(Secure Development Lifecycle) by Microsoft
  2. OWASP’s Software Assurance Maturity Model
  3. Building Security In Maturity Model (BSIMM)
  4. NIST’s Secure Software Developerment Framework
  5. DevSecOps basics: 9 tips for shifting left (Gitlab)
  6. 6 Ways to bring security to the speed of DevOps (Gitlab)
• Threat Model
  1. What is Threat Modeling / Wikipedia
  2. Threat Modeling by OWASP
  3. Application Threat Modeling by OWASP
  4. Agile Threat Modeling Toolkit
  5. OWASP Threat Dragon

2. Develop

• Secure Coding
  1. Secure coding guide by Apple
  2. Secure Coding Guidelines for Java SE
  3. Go-SCP / Go programming language secure coding practices guide
  4. Android App security best practices by Google
  5. Securing Rails Applications

3. Build

• SAST(Static Application Security Testing)
  1. Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1
  2. Announcing third-party code scanning tools: static analysis & developer security training

4. Test

• DAST(Dynamic Application Security Testing)
  1. Dynamic Application Security Testing with ZAP and GitHub Actions
  2. Dynamic Application Security Testing (DAST) in Gitlab
  3. DAST using pdiscoveryio Nuclei (github action)
  4. ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages
• Penetration testing
  1. Penetration Testing at DevSecOps Speed

5. Deploy

• Security Hardening & Config
  1. CIS Benchmarks
• Security Scanning
  1. Best practices for scanning images (docker)

6. Operate and Monitor

• RASP(Run-time Application Security Protection)
  1. Runtime Application Self-Protection by rapid7
  2. Jumpstarting your devsecops – Pipeline with IAST and RASP
• Security Patch
• Security Audit
• Security Monitor
• Security Analysis

Awesome resources

https://github.com/TaptuIT/awesome-devsecops

The DevSecOps Roadmap is a github repository by HAHWUL

---

Emma White March 16, 2022