---

Curating the best DevSecOps resources and tooling.

DevSecOps is an extension of the DevOps movement that aims to bring security practices into the development lifecycle through developer-centric security tooling and processes.

Contributions welcome. Add links through pull requests or create an issue to start a discussion.

Contents

• Resources
  • Articles
  • Communities
  • Conferences
  • Podcasts
  • Secure Development Guidelines
  • Secure Development Lifecycle Framework
  • Toolchains
  • Training
• Tools
  • Dependency Management
  • Dynamic Analysis
  • Infrastructure as Code Analysis
  • Intentionally Vulnerable Applications
  • Monitoring
  • Secrets Management
  • Static Analysis
  • Threat Modelling
• Related Lists

Resources

Articles

• Our Approach to Employee Security Training - Pager Duty - Guidelines to running security training within an organisation.

Communities

• MyDevSecOps - Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.

Conferences

• AppSec Day - OWASP - An Australian application security conference run by OWASP.
• DevSecCon - Snyk - A network of DevSecOps conferences run by Snyk.

Podcasts

• Absolute AppSec - Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.
• Application Security Podcast - Security Journey - Interviews with industry experts about specific application security concepts.
• BeerSecOps - Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.
• DevSecOps Podcast Series - OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.
• The Secure Developer - Snyk - Discussion about security tools and best practices for software developers.

Secure Development Guidelines

• Application Security Verification Standard - OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
• Coding Standards - CERT - A collection of secure development standards for C, C++, Java and Android development.
• Proactive Controls - OWASP - OWASP's list of top ten controls that should be implemented in every software development project.
• Secure Coding Guidelines - Mozilla - A guideline containing specific secure development standards for secure web application development.
• Secure Coding Practices Quick Reference Guide - OWASP - A checklist to verify that secure development standards have been followed.

Secure Development Lifecycle Framework

• Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
• Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
• Software Assurance Maturity Model - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.

Toolchains

• Periodic Table of DevOps Tools - XebiaLabs - A collection of DevSDevOps and security ecOps tooling categorised by tool functionality.
• Secure DevOps Toolchain - SANS - A list of security specific practices and tooling categorised into pipeline phases and tool functionality.

Training

• Cybrary - Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.
• PentesterLab - PentesterLab - Hands on labs to understand and exploit simple and advanced web vulnerabilities.
• Security Training for Engineers - Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.
• Security Training for Everyone - Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training employees.
• Web Security Academy - PortSwigger - A set of materials and labs to learn and exploit common web vulnerabilities.

Tools

Dependency Management

Open source software packages can speed up the development process by allowing developers to implement functionality without having to write all of the code. However, with the open source code comes open source vulnerabilities. Dependency management tools help manage vulnerabilities in open source packages by identifying and updating packages with known vulnerabilities.

• Dependabot - GitHub - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
• Dependency-Check - OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
• Dependency-Track - OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
• JFrog XRay - JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.
• NPM Audit - NPM - Vulnerable package auditing for node packages built into the npm CLI.
• Renovate - WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
• Requires.io - Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.
• Snyk Open Source - Snyk - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.

Dynamic Analysis

Dynamic Analysis Security Testing (DAST) is a form of black-box security testing where a security scanner interacts with a running instance of an application, emulating malicious activity to find common vulnerabilities. DAST tools are commonly used in the initial phases of a penetration test, and can find vulnerabilities such as cross-site scripting, SQL injection, cross-site request forgery and information disclosure.

• Automatic API Attack Tool - Imperva - Perform automated security scanning against an API based on an API specification.
• BurpSuite Enterprise Edition - PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
• Gauntlt - Gauntlt - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.
• SSL Labs Scan - SSL Labs - Automated scanning for SSL / TLS configuration issues.
• Zed Attack Proxy (ZAP) - OWASP - An open-source web application vulnerability scanner, including an API for CI/CD integration.

Infrastructure as Code Analysis

Infrastructure as Code allows applications to be deployed reliably to a consistent environment. This not only ensures that infrastructure is consistently hardened, but also provides an opportunity to statically and dynamically analyse infrastructure definitions for vulnerable dependencies, hard-coded secrets, insecure configuration and unintentional changes in security configuration. The following tools facilitate this analysis.

Cloud Formation

• Cfn Nag - Stelligent - Scan AWS CloudFormation templates for insecure configuration.
• Checkov - Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.

Containers

• Clair - Quay - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
• Dagda - Elías Grande - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
• Snyk Container - Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.

Terraform

• Checkov - Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
• Terrascan - Cesar Rodriguez - Scan Terraform templates for best practice security configuration.
• Tfsec - Liam Galvin - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.

Kubernetes

• Checkov - Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
• Kube-Score - Gustav Westling - Scan Kubernetes object definitions for security and performance misconfiguration.
• Kubectrl Kubesec - ControlPlane - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.

Intentionally Vulnerable Applications

Intentionally vulnerable applications are often useful when developing security tests and tooling to provide a place you can run tests and make sure they fail correctly. These applications can also be useful for understanding how common vulnerabilities are introduced into applications and let you practice your skills at exploiting them.

• Bad SSL - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
• Damn Vulnerable Web App - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
• Juice Shop - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
• NodeGoat - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
• Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.

Monitoring

It's not enough to test and harden our software in the lead up to a release. We must also monitor our production software for usage, performance and errors to capture malicious behavior and potential security flaws that we may need to respond to or address. A wide variety of tools are available to monitor different aspects of production software and infrastructure.

• Csper - Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.

Secrets Management

The software we write needs to use secrets (passwords, API keys, certificates, database connection strings) to access resources, yet we cannot store secrets within the codebase as this leaves them vulnerable to compromise. Secret management tools provide a means to securely store, access and manage secrets.

• Ansible Vault - Ansible - Securely store secrets within Ansible pipelines.
• AWS Key Management Service (KMS) - Amazon AWS - Securely store secrets within AWS.
• Azure Key Vault - Microsoft Azure - Securely store secrets within Azure.
• BlackBox - StackExchange - Encrypt credentials within your code repository.
• Chef Vault - Chef - Securely store secrets within Chef.
• CredStash - Fugue - Securely store secrets within AWS using KMS and DynamoDB.
• CyberArk Application Access Manager - CyberArk - Secrets management for applications including secret rotation and auditing.
• Docker Secrets - Docker - Store and manage access to secrets within a Docker swarm.
• Git Secrets - Amazon AWS - Scan git repositories for secrets committed within code or commit messages.
• Google Cloud Key Management Service (KMS) - Google Cloud Platform - Securely store secrets within GCP.
• HashiCorp Vault - HashiCorp - Securely store secrets via UI, CLI or HTTP API.
• Pinterest Knox - Pinterest - Securely store, rotate and audit secrets.
• Secrets Operations (SOPS) - Mozilla - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.

Static Analysis

Static Analysis Security Testing (SAST) tools scan software for vulnerabilities without executing the target software. Typically, static analysis will scan the source code for security flaws such as the use of unsafe functions, hard-coded secrets and configuration issues. SAST tools often come in the form of IDE plugins and CLIs that can be integrated into CI/CD pipelines.

Multi-Language Support

• DevSkim - Microsoft - An IDE plugin that provides inline security analysis for a number of programming languages.
• Graudit - Eldar Marcussen - Grep source code for potential security flaws with custom or pre-configured regex signatures.
• LGTM - Semmle - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.
• RIPS - RIPS Technologies - Automated static analysis for PHP, Java and Node.js projects.
• SonarQube - SonarSource - Scan code for security and quality issues with support for a wide variety of languages.

C / C++

• FlawFinder - David Wheeler - Scan C / C++ code for potential security weaknesses.

C#

• Puma Scan - Puma Security - A Visual Studio plugin to scan .NET projects for potential security flaws.

Configuration Files

• Conftest - Instrumenta - Create custom tests to scan any configuration file for security flaws.

Java

• Deep Dive - Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.
• Find Security Bugs - OWASP - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.
• SpotBugs - SpotBugs - Static code analysis for Java applications.

JavaScript

• ESLint - JS Foundation - Linting tool for JavaScript with multiple security linting rules available.

Go

• Golang Security Checker - securego - CLI tool to scan Go code for potential security flaws.

.NET

• Security Code Scan - Security Code Scan - Static code analysis for C# and VB.NET applications.

PHP

• Phan - Phan - Broad static analysis for PHP applications with some support for security scanning features.
• PHPCS Security Audit - Floe - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.
• Progpilot - Design Security - Static analysis for PHP source code.

Python

• Bandit - Python Code Quality Authority - Find common security vulnerabilities in Python code.

Ruby

• Brakeman - Justin Collins - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
• DawnScanner - Paolo Perego - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks.

Threat Modelling

Threat modelling is an engineering exercise that aims to identify threats, vulnerabilities and attack vectors that represent a risk to something of value. Based on this understanding of threats, we can design, implement and validate security controls to mitigate threats. The following list of tools assist the threat modelling process.

• Awesome Threat Modelling - Practical DevSecOps - A curated list of threat modelling resources.
• SecuriCAD - Forseeti - Treat modelling and attack simulations for IT infrastructure.
• IriusRisk - IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.
• Raindance Project - DevSecOps - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.
• SD Elements - Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.
• Threat Dragon - OWASP - Threat model diagramming tool.
• Threat Modelling Tool - Microsoft - Threat model diagramming tool.
• Threatspec - Threatspec - Define threat modelling as code.

Related Lists

• Awesome Dynamic Analysis - Matthias Endler - A collection of dynamic analysis tools and code quality checkers.
• Awesome Static Analysis - Matthias Endler - A collection of static analysis tools and code quality checkers.
• Awesome Threat Modelling - Practical DevSecOps - A curated list of threat modeling resources.
• Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.