Curating the best DevSecOps resources and tooling.

DevSecOps is an extension of the DevOps movement that aims to bring security practices into the development lifecycle through developer-centric security tooling and processes.

Contributions welcome. Add links through pull requests or create an issue to start a discussion.
## Books

- Alice and Bob Learn Application Security - _Tanya Janca_ - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development.
## Communities

- MyDevSecOps - _Snyk_ - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.
## Conferences

- AppSec Day - _OWASP_ - An Australian application security conference run by OWASP.
- DevSecCon - _Snyk_ - A network of DevSecOps conferences run by Snyk.
## Podcasts

- Absolute AppSec - _Seth Law & Ken Johnson_ - Discussions about current events and specific topics related to application security.
- Application Security Podcast - _Security Journey_ - Interviews with industry experts about specific application security concepts.
- BeerSecOps - _Aqua Security_ - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.
- DevSecOps Podcast Series - _OWASP_ - Discussions with thought leaders and practitioners on integrating security into the development lifecycle.
- The Secure Developer - _Snyk_ - Discussion about security tools and best practices for software developers.
## Methodologies

- Building Security In Maturity Model (BSIMM) - _Synopsys_ - A framework for software security created by observing and analysing data from leading software security initiatives.
- Secure Development Lifecycle - _Microsoft_ - A collection of tools and practices that serve as a framework for the secure development lifecycle.
- Secure Software Development Framework - _NIST_ - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
- Secure DevOps Toolchain - _SANS_ - A list of security-specific practices and tooling categorised into pipeline phases and tool functionality.
## Training

- Application Security Education - _Duo Security_ - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs.
- Cybrary - _Cybrary_ - Subscription-based online courses with dedicated categories for cybersecurity and DevSecOps.
- PentesterLab - _PentesterLab_ - Hands-on labs to understand and exploit simple and advanced web vulnerabilities.
- Practical DevSecOps - _Practical DevSecOps_ - Learn DevSecOps concepts, tools and techniques from industry experts using state-of-the-art browser-based labs.
- SafeStack - _SafeStack_ - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations.
- Secure Code Warrior - _Secure Code Warrior_ - Gamified and hands-on secure development training with support for courses, assessments and tournaments.
- SecureFlag - _OWASP_ - Hands-on secure coding training for developers and build/release engineers.
- Security Training for Engineers - _PagerDuty_ - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.
- Security Training for Everyone - _PagerDuty_ - A presentation created and open-sourced by PagerDuty to provide security training to employees.
- Web Security Academy - _PortSwigger_ - A set of materials and labs to learn and exploit common web vulnerabilities.
- WeHackPurple - _WeHackPurple_ - Online courses that teach application security theory and hands-on technical lessons.
## Wikis

- DevSecOps Hub - _Snyk_ - Introduction to key DevSecOps concepts, processes and technologies.
## Tools

### Dependency Management

Open source software packages can speed up the development process by allowing developers to implement functionality without having to write all of the code. However, with open source code comes open source vulnerabilities. Dependency management tools help manage vulnerabilities in open source packages by identifying and updating packages with known vulnerabilities.

- Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
- Dependency-Check - _OWASP_ - Scans dependencies for publicly disclosed vulnerabilities using a CLI or build server plugins.
- Dependency-Track - _OWASP_ - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
- JFrog XRay - _JFrog_ - Security and compliance analysis for artifacts stored in JFrog Artifactory.
- NPM Audit - _NPM_ - Vulnerable package auditing for node packages, built into the npm CLI.
- Renovate - _WhiteSource_ - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
- Requires.io - _Olivier Mansion & Alexis Tabary_ - Automated vulnerable dependency monitoring and upgrades for Python projects.
- Snyk Open Source - _Snyk_ - Automated vulnerable dependency monitoring and upgrades using Snyk’s dedicated vulnerability database.
### Dynamic Analysis

Dynamic Application Security Testing (DAST) is a form of black-box security testing where a security scanner interacts with a running instance of an application, emulating malicious activity to find common vulnerabilities. DAST tools are commonly used in the initial phases of a penetration test, and can find vulnerabilities such as cross-site scripting, SQL injection, cross-site request forgery and information disclosure.

- Automatic API Attack Tool - _Imperva_ - Perform automated security scanning against an API based on an API specification.
- BurpSuite Enterprise Edition - _PortSwigger_ - BurpSuite’s web application vulnerability scanner, used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
- Gauntlt - _Gauntlt_ - A Behaviour Driven Development framework to run security scans using common security tools and test their output, defined using Gherkin syntax.
- Netz - _Spectral_ - Discover internet-wide misconfigurations using zgrab2 and others.
- Zed Attack Proxy (ZAP) - _OWASP_ - An open-source web application vulnerability scanner, including an API for CI/CD integration.
### Infrastructure as Code Analysis

Infrastructure as Code allows applications to be deployed reliably to a consistent environment. This not only ensures that infrastructure is consistently hardened, but also provides an opportunity to statically and dynamically analyse infrastructure definitions for vulnerable dependencies, hard-coded secrets, insecure configuration and unintentional changes in security configuration. The following tools facilitate this analysis.

#### Multi-Platform

- Checkov - _Bridgecrew_ - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
- KICS - _Checkmarx_ - Find security vulnerabilities, compliance issues and infrastructure misconfigurations early in the development cycle.

#### CloudFormation

- Cfn Nag - _Stelligent_ - Scan AWS CloudFormation templates for insecure configuration.

#### Containers

- Anchore Engine - _Anchore, Inc_ - Deep inspection of Docker images for CVEs and checking against custom policies. The engine behind their enterprise products that integrate with registries, orchestrators and CI/CD products.
- Clair - _Quay_ - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
- Dagda - _Elías Grande_ - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
- Docker-Bench-Security - _Docker_ - The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production.
- Hadolint - _Hadolint_ - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.
- Snyk Container - _Snyk_ - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
- Trivy - _Aqua Security_ - Simple and comprehensive vulnerability scanner for containers.

#### Terraform

- Regula - _Fugue_ - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.
- Terraform Compliance - _terraform-compliance_ - A lightweight, security- and compliance-focused test framework for Terraform that enables negative testing of your infrastructure-as-code.
- Terrascan - _Cesar Rodriguez_ - Scan Terraform templates for best-practice security configuration.
- Tfsec - _Liam Galvin_ - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.

#### Kubernetes

- Kube-Score - _Gustav Westling_ - Scan Kubernetes object definitions for security and performance misconfiguration.
- Kubectl Kubesec - _ControlPlane_ - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.

#### Ansible

- Ansible-Lint - _Ansible Community_ - Checks playbooks for practices and behaviour that could potentially be improved. As a community-backed project, ansible-lint supports only the last two major versions of Ansible.
### Intentionally Vulnerable Applications

Intentionally vulnerable applications are often useful when developing security tests and tooling, providing a place where you can run tests and make sure they fail correctly. These applications can also be useful for understanding how common vulnerabilities are introduced into applications, and let you practice your skills at exploiting them.

- Bad SSL - _The Chromium Project_ - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
- Cfngoat - _Bridgecrew_ - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code Analysis tools above.
- Damn Vulnerable Web App - _Ryan Dewhurst_ - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
- Juice Shop - _OWASP_ - A web application containing the OWASP Top 10 security vulnerabilities and more.
- NodeGoat - _OWASP_ - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
- Terragoat - _Bridgecrew_ - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.
### Monitoring

It’s not enough to test and harden our software in the lead-up to a release. We must also monitor our production software for usage, performance and errors to capture malicious behaviour and potential security flaws that we may need to respond to or address. A wide variety of tools are available to monitor different aspects of production software and infrastructure.

- Csper - _Csper_ - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.
### Secrets Management

The software we write needs to use secrets (passwords, API keys, certificates, database connection strings) to access resources, yet we cannot store secrets within the codebase, as this leaves them vulnerable to compromise. Secrets management tools provide a means to securely store, access and manage secrets.

- Ansible Vault - _Ansible_ - Securely store secrets within Ansible pipelines.
- Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
- Teller - _Spectral_ - A secrets management tool for developers: never leave your command line for secrets.
### Secrets Scanning

Source control is not a secure place to store secrets such as credentials, API keys or tokens, even if the repository is private. Secrets scanning tools can scan and monitor git repositories and pull requests for secrets, and can be used to prevent secrets from being committed, or to find and remove secrets that have already been committed to source control.

- CredScan - _Microsoft_ - A credential scanning tool that can be run as a task in Azure DevOps pipelines.
- Detect Secrets - _Yelp_ - An aptly named module for (surprise, surprise) detecting secrets within a code base.
- GitGuardian - _GitGuardian_ - A web-based solution that scans and monitors public and private git repositories for secrets.
- Gitleaks - _Zachary Rice_ - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys and tokens in git repositories.
- git-secrets - _AWS Labs_ - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.
- Nightfall - _Nightfall_ - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories.
- Repo-supervisor - _Auth0_ - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.
- SpectralOps - _Spectral_ - Automated code security, secrets, tokens and sensitive data scanning.
- truffleHog - _Truffle Security_ - Searches through git repositories for secrets, digging deep into commit history and branches.
### Static Analysis

Static Application Security Testing (SAST) tools scan software for vulnerabilities without executing the target software. Typically, static analysis will scan the source code for security flaws such as the use of unsafe functions, hard-coded secrets and configuration issues. SAST tools often come in the form of IDE plugins and CLIs that can be integrated into CI/CD pipelines.

#### Multi-Language Support

- DevSkim - _Microsoft_ - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.
- Graudit - _Eldar Marcussen_ - Grep source code for potential security flaws with custom or pre-configured regex signatures.
- Hawkeye - _Hawkeyesec_ - Modularised CLI tool for project security, vulnerability and general risk highlighting.
- LGTM - _Semmle_ - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.
- RIPS - _RIPS Technologies_ - Automated static analysis for PHP, Java and Node.js projects.
- SemGrep - _r2c_ - Semgrep is a fast, open-source static analysis tool that finds bugs and enforces code standards at editor, commit and CI time.
- SonarLint - _SonarSource_ - An IDE plugin that highlights potential security issues, code quality issues and bugs.
- SonarQube - _SonarSource_ - Scan code for security and quality issues with support for a wide variety of languages.

#### C / C++

- FlawFinder - _David Wheeler_ - Scan C / C++ code for potential security weaknesses.

#### C#

- Puma Scan - _Puma Security_ - A Visual Studio plugin to scan .NET projects for potential security flaws.

#### Configuration Files

- Conftest - _Instrumenta_ - Create custom tests to scan any configuration file for security flaws.

#### Java

- Deep Dive - _Discotek.ca_ - Static analysis for JVM deployment units including Ear, War, Jar and APK.
- Find Security Bugs - _OWASP_ - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.
- SpotBugs - _SpotBugs_ - Static code analysis for Java applications.

#### JavaScript

- ESLint - _JS Foundation_ - Linting tool for JavaScript with multiple security linting rules available.

#### Python

- Bandit - _Python Code Quality Authority_ - Find common security vulnerabilities in Python code.

#### Ruby

- Brakeman - _Justin Collins_ - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
- DawnScanner - _Paolo Perego_ - Security scanning for Ruby scripts and web applications. Supports the Ruby on Rails, Sinatra and Padrino frameworks.
### Supply Chain Security

Supply chain attacks come in different forms, targeting parts of the SDLC that are inherently third party: tools in CI, external code that gets executed, and more. Supply chain security tooling can defend against these kinds of attacks.

- Preflight - _Spectral_ - Helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as the recent Codecov hack.
### Threat Modelling

Threat modelling is an engineering exercise that aims to identify threats, vulnerabilities and attack vectors that represent a risk to something of value. Based on this understanding of threats, we can design, implement and validate security controls to mitigate them. The following list of tools assists the threat modelling process.