+1 (415) 800 4768 [email protected]

DevSecOps University

 

The comprehensive collection of DevSecOps Learning Resources like Books, Tutorials, Infographics, Tools and much more.

Enjoy!

 

Secure SDLC using DevSecOps. 

Most organizations now realize pentest is not a holy grail and are investing resources in doing security early on using Practical DevOps practices likes CI/CD systems, Infrastructure as Code, Security as Code, and Compliance as code.

Please use the following resources to shift security left.

Introduction

Before we embark on our DevSecOps journey, we as a security professional, need to equip ourselves with some critical tools.

Namely

  1. Git (Version Control System)
  2. CI/CD ( Continuous Integration and Delivery)
  3. Artifact management
  4. Infrastructure as Code(Configuration management tools)
  5. Cloud Platforms (AWS or GCP or Azure)

Feeling overwhelmed? you do not need to be an expert in the above tools. You just have to understand the basics to work with them. Most know how to drive a car without understanding the underlying concepts such as internal combustion engine, thermodynamics.

Similarly, we will just enough to do work. Let’s dig in.

1. Git (Version Control System)

DevSecOps heavily relies on Everything as Code (EaC). A version control system(VCS) becomes the most important tool in our arsenal. Git is the most famous of VCS at the moment.

2. CI/CD ( Continuous Integration and Delivery)

No matter, you are an Agile shop, DevOps shop or a Cloud-Native shop, continuous integration, continuous delivery and deployment are the cornerstones of modern software development. If you like to attack or defend such a system, you need to understand the basics of it.

Tutorials and blogs

What is CICD — Concepts in Continuous Integration and Deployment by Sanjay Nair

An absolute beginners guide to Continuous Delivery by Erin Snyder

An Introduction to Continuous Integration, Delivery, and Deployment by Justin Ellingwood

Getting Started in CI/CD for Beginners by Samsha

What to Consider Before Applying CI/CD | A Beginner’s Cheat Sheet by Katalon

An Introduction to CI/CD Best Practices By Justin Ellingwood

​GitOps – Operations by Pull Request by Weave Works

GitOps 101: What Is GitOps, and Why Would You Use It? by Chris Riley

CI/CD on Google Cloud by Google

A Modern ci/cd pipeline on pure continuous integration/continuous delivery (ci/cd) on pure storage by PureStorage

List of Continuous Integration services by Awesome CI

Continuous Integration, Continuous Delivery & Deployment (CI/CD) by Docker

DevOps – Are we there yet? by MindTree

Gitlab CI/CD Crash Course by Avicenna Wisesa

Automate your work with Gitlab CI/CD tool! by Marcin Nowacki

Beginner-Friendly Introduction to GitLab CI/CD by Zuri Hunter

GitLab CI/CD Examples

How To Set Up Continuous Integration Pipelines with GitLab CI on Ubuntu 16.04 by Justin Ellingwood

Adopting Modern CI/CD Practices for Adobe Experience Platform Pipeline Jaemi Bremner

How We Build Code at Netflix by Netflix

A beginner’s guide to building DevOps pipelines with open source tools Bryant Son

Rapid release at massive scale by Chuck Rossi

How To Build a CI/CD Pipeline in AWS in 5 Minutes and 58 Seconds by Allen Helton

Common security challenges in CI/CD workflow by Meera Rao

Hands-on (Practice)

3. Artifact management

Organizations deploy software to production but giving access to production deployable artifacts is not a good idea. All deployable software is maintained in a tightly controlled, audible and automatic repo management software also known as artifact management. Think it like a war, jar, zip, tar.gz storage platform.

Tools

Apache Archiva – Apache Archiva™ is an extensible repository management software that helps taking care of your own personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as Maven, Continuum, and ANT.

Maven Repositories – A repository in Maven holds build artifacts and dependencies of varying types

Cloud Smith – Cloudsmith is the preferred software platform for securely storing and sharing packages and containers.

Jfrog – Artifactory is a product by JFrog that serves as a binary repository manager

Nexus repository oss – The free artifact repository with universal format support.

4. Infrastructure as Code(Configuration management tools)

Speed is a competitive advantage and to achieve speed, agility, and performance, organizations are creating infrastructure like its software/code instead of bare metal hardware servers.

Recent advances in virtualisation and cloud computing enables us to accomplish Infrastructure as Code.

Blogs and Tutorials

Configuration Management in DevOps by Bmc Blog

Top 10 Configuration Management Tools You Need to Know About by UpGuard

Modern Configuration Management: Configuration as Code by Chef

Configuration Management 101: Writing Ansible Playbooks By Erika Heidi

Configuration Management and Continuous Deployment by Anilkumar Patel

Using Ansible for configuration management  by Eric Goebelbecker

Change and Configuration Management — The DevOps Way by Isaac Ndung’u

A Newbie’s Guide to Configuration Management Tools and How to Get Started by Ofer Velich

Automating Configuration Management for DevOps Test Environments by Capgemini

A Beginner’s Guide to Chef by Linode

Automation, Provisioning & Configuration Management (CHEF) by Sudhi

All About a Configuration Management Tool Called Chef By Mitesh Soni Configuration Management 101: Writing Chef Recipes By Erika Heidi

Chef vs. Puppet by Asaf Yigal

Chef vs Puppet — A Detailed Comparison Of The Configuration Management Tools by Spec India

Approaches to Configuration Management: Chef, Ansible, and Kubernetes by Kublr Team

Configuration Management 101: Writing Puppet Manifests By Erika Heidi

Puppet Tutorial for Beginners: Resources, Classes, Manifest, Modules by Guru99

A Beginner’s Guide to Salt by Linode

Getting Started with Salt Stack-the Other Configuration Management System Built with Python by Ben Hosmer

Use Salt for Basic Configuration Management By Bejoy Abraham Mathews

An Introduction to SaltStack Terminology and Concepts By Justin Ellingwood

Configuration management on Gcloud by Google

Holistic Configuration Management at Facebook by Chunqiang Tang, Thawan Kooburat, Pradeep Venkatachalam, Akshay Chander, Zhe Wen, Aravind Narayanan, Patrick Dowell, and Robert Karl

Tools and Hands-on labs

Ansible – Ansible is an open-source IT Configuration Management, Deployment & Orchestration tool

Chef – Chef is an automation tool that provides a way to define infrastructure as code.

Vagrant – Vagrant is a tool for building and managing virtual machine environments in a single workflow

Puppet – Puppet is a powerful enterprise-grade configuration management tool

SaltStack Saltstack is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management.

Archaius – Archaius is a configuration management library with a focus on Dynamic Properties sourced from multiple configuration stores.

Hands-on labs

HPC configuration management using Puppet 5 by cwmoller

Ansible Scenerio by Katacoda

Ansible From Zero to Best Practices by Will Thames

SaltStack Scenerio by Katacoda

Puppet Learning-VM by Puppet

5. Cloud Service Provider-Platform

Modern software development needs an on-demand, elastic, automated and measurable platform to build software on. Knowing on-prem or a public cloud-based solution is a must these days.

Tools and labs

Tools

Scout Suite – Scout Suite is an open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

Cs Suite – Cloud Security Suite – One-stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.

AWS-security-benchmark– Open source demos, concept, and guidance related to the AWS CIS Foundation framework.

AWS WAF Security Automations – A solution that contains all AWS WAF samples developed so far – waf-reactive-blacklist, waf-bad-bot-blocking, waf-block-bad-behaving, and waf-reputation-lists.

AWS-security-automation – Collection of scripts and resources for DevSecOps and Automated Incident Response Security

Hands-on

flaws by Scott Piper

Flaws2 by Scott Piper

Cloud Goat by RhinoSecurity

AWS Security Workshops by AWS

Serverless Security Workshop by AWS

AWS Security Workshop by Sppum

Learn DevSecOps from the Experts

Practical DevSecOps offers vendor-neutral, practical, and hands-on DevSecOps training and certification programs for IT Professionals. Our online training and certifications are focused on modern areas of information security, including DevOps Security, Cloud-Native Security, Cloud Security & Container security. 

DevSecOps Resources

Now that basics are taken care of, we can explore the meat of the DevSecOps resources. 

  1. Threat modelling and Security Review
  2. Static Analysis (SAST)
  3. Dynamic Analysis (DAST)
  4. Security as Code
  5. Compliance as Code

Feeling overwhelmed? you might want to check out our DevSecOps courses to learn more with easy step by step instructions.

6. Threat Modeling

Threat modeling helps individuals and organisations in quantifying the security efforts.

Books

Books on threat modeling

Blogs and Tutorials

Tutorials and blogs which explain threat modeling

What Is Security Threat Modeling? by Lawrence C. Miller, Peter H. Gregory

Threat-modeling CheatSheet By Owasp by OWASP

Threat Modeling in the Enterprise, Part 1: Understanding the Basics by Stiliyana Simeonova

Threat Modeling: What, Why, and How? By Adam Shostack

Threat Modeling for Dummies by Adam Englander

DevSecOps, Threat Modeling and You: Get started using the STRIDE method by Bruno Amaro Almeida

Threat Modeling: The Why, How, When and Which Tools by Debarghya Pandit

Threat-modeling datasheet by Synopsys

Threat Modeling blog by Security Innovation

Threat Modeling: 6 Mistakes You’re Probably Making by Jeff Petters

How to Create a Threat Model for Cloud Infrastructure Security by Pat Cable

Why You Should Care About Threat Modelling by Suresh Marisetty

Benefits of Threat Modeling by Sangita Prajapati

Threat Modeling: a Summary of Available Methods Whitepaper by Nataliya Shevchenko, Timothy A. Chick, Paige O’Riordan, Thomas Patrick Scanlon, PhD, & Carol Woody, PhD

Threat Modelling Toolkit by ThoughtWorks

How to get started with Threat Modeling, before you get hacked by Hackernoon

Thread Modeling tutorial by Geeks For Geeks

How to analyze the security of your application with threat modeling by Goran Aviani

Tactical Threat Modeling by SafeCode

The Power of a Tailored Threat Model Whitepaper by Looking Glass

7 Easy Steps For Building a Scalable Threat Modeling Process by Threatmodeler

Where is my Threat Model? by Abhishek Datta

Tools (Free and Paid)

Tools which helps in threat modeling

Free tools

OWASP Threat Dragon – An online threat modeling web application including system diagramming and a rule engine to auto-generate threats/mitigations.

Microsoft Threat Modeling Tool – Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.

Owasp-threat-dragon-gitlab – This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of Github. You can use it with the Gitlab.com or your own instance of Gitlab.

raindance – Project intended to make Attack Maps part of software development by reducing the time it takes to complete them

threatspec – Threatspec is an open-source project that aims to close the gap between development and security by bringing the threat modeling process further into the development process.

Paid tools

Irius risk – Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system that guides the user through straight forward questions about the technical architecture, the planned features and the security context of the application.

SD elements – Automate Threat Modeling with SD Elements

Foreseeti – SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment.

7. Static Analysis Security Testing (SAST)

Static Security Analysis Testing, is a technique to analyse source code, binary and byte code for security vulnerabilities without running the code/binary/byte code.

Since the code is not run but statically examined, its called static analysis. SAST tools are great at finding vulnerabilities which are common to a language, well known security issues and grep’able patterns.

8. Dynamic Analysis Security Testing (DAST)

Dynamic Analysis Security Testing is a technique to analyze the running application for security vulnerabilities. Since an application is running and examined dynamically its called dynamic analysis.

The dynamic analysis doesn’t need someone to have lots of knowledge in intricacies of a programming language.

Tools
Free

OWASP Zed Attack Proxy Project – The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.

W3af – w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Wapti – Wapiti allows you to audit the security of your websites or web applications.

Vega – Vega is a free and open-source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. It is written in Java, GUI based and runs on Linux, OS X, and Windows.

Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

Paid

Burp Suite – Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Detectify – Automated security and asset monitoring for all teams.Scan your web apps for 1500+ vulnerabilities

NetSparker – Netsparker is a scalable, multi-user web application security solution with built-in workflow and reporting tools ideal for security teams. It’s available as a hosted and self-hosted solution and can be fully integrated into any development or testing environment.

9. Security as Code

Speed is a competitive advantage and to achieve speed, agility, and performance, organizations are creating infrastructure like its software/code instead of bare metal hardware servers.

Recent advances in virtualisation and cloud computing enables us to accomplish Infrastructure as Code.

Videos
Tools and Hands-on labs

Tools

Gauntlt – Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.

Checkov – Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.

Terrascan – A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.

tfsec – tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support.

CFripper – Library designed to be used as part of a Lambda function to “rip apart” a CloudFormation template and check it for security compliance.

Cfn nag – The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure.

terraform-aws-secure-baseline – A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.2.0.

10. Compliance as Code

If hardening can be done using Infrastructure as Code tools, why can’t compliance be automated as code ?

Tools and Hands-on labs

Inspec -Chef InSpec is a free and open-source framework for testing and auditing your applications and infrastructure.

Compliance Masonry – Compliance Masonry is a command-line interface (CLI) that allows users to construct certification documentation using the OpenControl Schema.

Contributors

 

This project wouldn’t be possible without sponsorship from Practical DevSecOps and efforts from 

1. Atul Singh

2. Joshua Jebaraj

 

Ready to learn DevSecOps?

Get in touch, or Register now!