Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you set up a DevSecOps experiment or build out your own DevSecOps program, along with learning paths for the skills involved.
We intend for it to be an awesome list that grows and changes as the community learns and improves how DevSecOps is implemented and adopted. To be included in this list, the information, tool, vendor or initiative must provide Free or Open Source capabilities that help with the DevSecOps mission. Links that lead to a commercial offering are marked with a (P).
Table of Contents
- Keeping Informed
- Wardley Maps for Security
- Vulnerable Test Targets
- Threat Intelligence
- Attack Modeling
- Secret Management
- Red Team
We’ve been working across the industry to learn more about the different types of DevOps + Security initiatives. This collection has been pulled together and includes: Podcasts, Videos, Presentations, and other Media to help you learn more about DevSecOps, SecDevOps, DevOpsSec, and/or DevOps + Security.
While we are not into the paper way of doing things, sharing sound advice and good recommendations can make software stronger. We aim to make these guidelines better by expressing them as code.
- Introduction to DevSecOps - DZone Refcard
- Security Champions Playbook
- Security Guide for Web Developers
- A practical guide to build DAST with OWASP Zap
- Introduction to security testing and tools
- DevSecOps Hub
Many talks now address the change involved in adding security to the DevOps environment. We have added some of the most notable ones here.
- DevSecOps: Taking a DevOps Approach to Security
- Mozilla’s Test Driven Security in Continuous Integration
- Security DevOps - staying secure in agile projects
- Veracode’s Defending the Cloud from a Full Stack Hack
- Put Your Robots to Work: Security Automation at Twitter
- The Three Faces of DevSecOps
There are a variety of initiatives underway to migrate security and compliance into DevOps. We’ve included links for active projects here:
We have discovered a treasure trove of mailing lists and newsletters where DevSecOps practitioners like us share their skills and insights.
One way for people to continue to evolve their capabilities and share common understanding is through the development of Wardley Maps. We’re collecting this information and providing some good examples here.
- Check out Figure 6 for Comparisons
- DevSecOps Repo for Security Maps
- Introduction to Wardley Maps
- Security Industry Example
- SOC Value Chain & Delivery Models
DevSecOps requires an appetite for learning and agility to quickly acquire new skills. We’ve collected these links to help you learn how to do DevSecOps with us.
Labs are hands-on learning opportunities to grow your skills in Dev, Sec, and Ops. All of these skills are useful and need to be grown so that you have the empathy, knowledge and craft to operate DevSecOps style.
It’s important to build up knowledge by learning how to break applications left vulnerable by security mistakes. This section contains a list of vulnerable apps that can be deployed to learn what not to do. These same apps can be made safe by remediating the intentional vulnerabilities to learn how to prevent attackers from gaining access to underlying infrastructure or data.
- Damn Vulnerable Web Application (PHP/MySQL)
- LambHack (Lambda)
- Metasploitable (Linux)
- Mutillidae (PHP)
- NodeGoat (Node)
- OWASP Damn Vulnerable Serverless Application (DVSA) (AWS Serverless)
- OWASP Juice Shop (NodeJS/Angular)
- RailsGoat (Rails)
- WebGoat (Web App)
- WebGoat.Net (.NET)
- WebGoatPHP (PHP)
A body of knowledge for combining DevOps and Security has been delivered via conferences and meetups. This is a short list of the venues that have dedicated a portion of their agenda to it.
- AWS re:Inforce
- AWS re:Invent
- DevOps Connect
- DevOps Days
- Goto Conference
- IP Expo
- ISACA Ireland
- RSA Conference
- All Day DevOps
A small collection of DevOps and Security podcasts.
- Arrested DevOps
- Brakeing Down Security Podcast
- Darknet Diaries
- Defensive Security Podcast
- DevOps Cafe
- Down The Security Rabbithole
- Food Fight Show
- OWASP 24/7
- Risky Business
- Social Engineering Podcast
- Software Engineering Radio
- Take 1 Security Podcast
- Tenable Security Podcast
- The Secure Developer
- Trusted Sec Podcast
Books focused on DevSecOps, bringing the security focus up front.
- Docker Security - Quick Reference
- Holistic Info-Sec for Web Developers
- Securing DevOps
- The DevOps Handbook (Section VI)
This collection of tools is useful in establishing a DevSecOps platform. We have divided the tools into several categories that map to the different divisions of DevSecOps.
Visualization is an important element of identifying, sharing and evolving the security information that passes from the beginning of the creative process through to operations.
Automation platforms have the advantage of providing scripted remediation when security defects are surfaced.
This list of tools provides the capabilities necessary for finding security anomalies and identifying rules that should be automated and extended to support scale demands.
Testing is an essential element of a DevSecOps program because it helps to prepare teams for Rugged operations and to determine security defects before they can be exploited.
- Chef Inspec
- Contrast Security
- Deepfence ThreatMapper
- Node Security Platform
- OSS Fuzz
- OWASP OWTF
- OWASP ZAP
- OWASP ZAP Node API
- PureSec (Serverless Security)
- ShiftLeft Scan
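OSS-Fuzz in the list above is the hosted form of a technique you can run on a laptop: feed a parser mutated inputs and treat any exception it does not document as a finding. The block below is an added example, not code from OSS-Fuzz or any tool listed here. It defines a small length-prefixed record parser (a hypothetical format: one length byte, the payload, one checksum byte) in a buggy form that raises IndexError on truncated input instead of the ValueError it promises, a hardened form with the bounds check, and a mutation fuzzer that is run against both.

```python
import random


def parse_record_buggy(data):
    """Parse <len><payload><checksum>. Documented contract: return the
    payload, raise ValueError on malformed input. The missing length check
    means a truncated record reaches data[1 + length] and raises IndexError,
    which a caller expecting only ValueError will not handle."""
    if len(data) < 2:
        raise ValueError("too short")
    length = data[0]
    payload = data[1:1 + length]
    if data[1 + length] != sum(payload) & 0xFF:   # IndexError if truncated
        raise ValueError("bad checksum")
    return bytes(payload)


def parse_record_fixed(data):
    """Same format with the bounds check the buggy version lacks."""
    if len(data) < 2:
        raise ValueError("too short")
    length = data[0]
    if len(data) < length + 2:
        raise ValueError("truncated")
    payload = data[1:1 + length]
    if data[1 + length] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return bytes(payload)


def mutate(rng, data):
    """One random mutation: overwrite, insert or delete a byte. Values are
    drawn from boundary cases as well as the full range, which is what
    finds off-by-one and length-field bugs quickly. Never returns empty."""
    interesting = [0x00, 0x01, 0x7F, 0x80, 0xFF]
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 or len(buf) <= 1:
        pos = rng.randrange(len(buf))
        buf[pos] = rng.choice(interesting) if rng.random() < 0.5 else rng.randrange(256)
    elif op == 1:
        pos = rng.randrange(len(buf) + 1)
        buf.insert(pos, rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1337, expected=(ValueError,)):
    """Mutate seed inputs and call target on each. Return (input, exception)
    for the first exception not in `expected`, or None if the run is clean.
    Inputs that parse successfully join the corpus; real fuzzers refine
    this feedback loop with code coverage, which is omitted here."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:  # anything else is a finding
            return candidate, exc
        if candidate not in corpus:
            corpus.append(candidate)
    return None


# Constructed seed: length 3, payload "abc", checksum (97 + 98 + 99) & 0xFF == 0x26.
SEED_INPUT = b"\x03abc\x26"

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_record_buggy, [SEED_INPUT]))
    print("fixed parser:", fuzz(parse_record_fixed, [SEED_INPUT]))
```

The harness deliberately catches only the documented exception type; the point of the exercise is that a bounds bug surfaces as a different type, and in C the same bug would be an out-of-bounds read rather than an exception, which is why OSS-Fuzz pairs the fuzzer with sanitizers.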
Once you discover something important, response time is critical: the faster the Incident Response, the sooner a security defect is remediated. These links include some of the projects that provide Alerting and Notifications.
There are many sources for Threat Intelligence in the world. Some of these come from IP Intelligence and others from Malware repositories. This category contains tools that are useful in capturing threat intelligence and collating it.
- Alien Vault OTX
- Critical Stack
- IBM X-Force
- IntelMQ Feeds
- Passive Total
- STIX, TAXII
- Threat Connect
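The STIX/TAXII entry above is the exchange format; what a collation tool actually does with a feed is pull the indicator patterns out of a bundle and match them against telemetry. The following is an added example, not code from any of the listed services: it parses a constructed STIX 2.1 bundle (the ids, address and domains are made up), extracts the simple equality comparisons from each indicator's pattern, and checks constructed log lines against them. Real STIX patterns can carry boolean operators beyond OR, time windows and other comparison operators; this handles only the `[type:property = 'value']` form.

```python
import json
import re

# Constructed STIX 2.1 bundle for the example; ids and values are made up.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "Example C2 address",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "Example malicious domains",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'bad.example.net'] OR "
                       "[domain-name:value = 'worse.example.net']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "identity",
            "id": "identity--00000000-0000-4000-8000-000000000004",
            "name": "Example feed publisher",
        },
    ],
})

# One comparison inside a STIX pattern: [object-type:property = 'value']
COMPARISON = re.compile(r"\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]")


def extract_indicators(bundle_json):
    """Return (indicator_id, object_type, property, value) for every
    equality comparison in every STIX-typed indicator pattern.
    Non-indicator objects and non-STIX pattern types are skipped."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, prop, value in COMPARISON.findall(obj["pattern"]):
            found.append((obj["id"], obj_type, prop, value))
    return found


def match_logs(indicators, log_lines):
    """Return [(line_number, indicator_id, value)] for each log line that
    contains an indicator value as a whole token, so 198.51.100.70 does
    not match 198.51.100.7. A real pipeline would parse fields first."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        tokens = set(re.split(r"[\s,;=\"']+", line))
        for ind_id, _obj_type, _prop, value in indicators:
            if value in tokens:
                hits.append((lineno, ind_id, value))
    return hits


# Constructed log lines standing in for proxy and DNS telemetry.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z proxy src=10.0.0.5 dst=198.51.100.7 bytes=4096",
    "2024-03-01T10:00:01Z dns query=api.example.com type=A",
    "2024-03-01T10:00:02Z dns query=worse.example.net type=A",
    "2024-03-01T10:00:03Z proxy src=10.0.0.9 dst=198.51.100.70 bytes=12",
]

if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_BUNDLE)
    for hit in match_logs(inds, SAMPLE_LOGS):
        print("line %d matched %s (%s)" % hit)
```

Keeping the indicator id on each hit is what makes the match traceable back to the feed object, which matters when an indicator is later revoked or its `valid_until` passes and the alerts it produced need to be re-evaluated.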
DevSecOps requires a common attack modeling capability that can be done at speed and scale. Thankfully there are efforts underway to create these useful taxonomies that help us operationalize attack modeling and defenses.
- Larry Osterman’s Threat Modeling
- SDL Threat Modeling Tool
- Threat Risk Modeling
To support security as code, sensitive credentials and secrets need to be managed, secured, maintained and rotated using automation. The projects below give DevOps teams some good options for securing the sensitive details used in building and deploying full-stack software.
These are tools that we find helpful during Red Team and War Game exercises. The projects in this section help with reconnaissance, exploit development, and other activities common within the Kill Chain.
Making DevSecOps discoveries is already hard enough with all the APIs and Command Line tools. This list provides tools to visualize your work either via flowcharts, graphs or maps.
A collection of tools to help with sharing knowledge and telling the story.
One of the greatest changes you can make in your organization is boundaryless communications. Setting up ChatOps can enable everyone to come together and solve problems.
- Conformance to process:
- Code reviews
- Coding Standards
- Verifiable builds
- Test coverage
- Static Analysis
- Vulnerability Scanning
- Verifiable deployments
- Audit Traceability
- Immutable infrastructure
- Image OS
- Standard Tooling ??? - Controversial
- Enforce compliance in the pipeline
- Source code version control
- Optimum branching strategy
- 80% Code coverage
- Open source scan
- Artifact version control
- Build, deploy, testing automated for every commit
- Automated Change Order
- Zero downtime release
- Vulnerability management (Automating, dashboard)
- Continuous scanning - AppSec Pipeline
- Asset inventory
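The checklist above (80% code coverage, static analysis, vulnerability scanning, enforce compliance in the pipeline, audit traceability) is only as real as the gate that enforces it. As an added example, not code from any project on this page, the block below reads a constructed Cobertura-style coverage report and a constructed SARIF 2.1.0 scanner report, applies the policy, and returns a JSON-serialisable audit record the build can keep. The file names, rule ids and findings are made up for the example; the two formats themselves are the ones most coverage tools and scanners can emit.

```python
import json
import xml.etree.ElementTree as ET

# Constructed Cobertura-style report; the root line-rate is what the gate reads.
SAMPLE_COVERAGE_XML = """<?xml version="1.0" ?>
<coverage line-rate="0.8421" branch-rate="0.71" version="6.5" timestamp="1700000000">
  <packages>
    <package name="app" line-rate="0.8421">
      <classes>
        <class name="app/handlers.py" filename="app/handlers.py" line-rate="0.92"/>
        <class name="app/auth.py" filename="app/auth.py" line-rate="0.61"/>
      </classes>
    </package>
  </packages>
</coverage>
"""

# Constructed SARIF 2.1.0 report from a hypothetical scanner called example-sast.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQL-001", "level": "error",
             "message": {"text": "string-built SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/handlers.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-004", "level": "warning",
             "message": {"text": "sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})
EMPTY_SARIF = '{"version": "2.1.0", "runs": []}'


def coverage_line_rate(cobertura_xml):
    """Overall line coverage as a float in [0, 1] from a Cobertura report."""
    root = ET.fromstring(cobertura_xml)
    return float(root.attrib["line-rate"])


def sarif_findings(sarif_json, min_level="error"):
    """Findings at or above min_level as (ruleId, uri, line, text) tuples."""
    order = {"note": 0, "warning": 1, "error": 2}
    threshold = order[min_level]
    out = []
    for run in json.loads(sarif_json).get("runs", []):
        for res in run.get("results", []):
            if order.get(res.get("level", "warning"), 1) < threshold:
                continue
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            out.append((res.get("ruleId"),
                        loc.get("artifactLocation", {}).get("uri"),
                        loc.get("region", {}).get("startLine"),
                        res.get("message", {}).get("text")))
    return out


def evaluate_gate(cobertura_xml, sarif_json, min_coverage=0.80, block_level="error"):
    """Apply the pipeline policy and return an audit record for the build.
    Every reason for failure is listed rather than stopping at the first,
    so a developer sees all of the work needed to pass in one run."""
    rate = coverage_line_rate(cobertura_xml)
    blocking = sarif_findings(sarif_json, block_level)
    reasons = []
    if rate < min_coverage:
        reasons.append("line coverage %.1f%% below %.0f%%" % (rate * 100, min_coverage * 100))
    for rule, uri, line, text in blocking:
        reasons.append("%s at %s:%s: %s" % (rule, uri, line, text))
    return {
        "passed": not reasons,
        "coverage": rate,
        "blocking_findings": len(blocking),
        "reasons": reasons,
    }


if __name__ == "__main__":
    import sys
    record = evaluate_gate(SAMPLE_COVERAGE_XML, SAMPLE_SARIF)
    print(json.dumps(record, indent=2))
    sys.exit(0 if record["passed"] else 1)
```

The exit status is what the CI system acts on; the printed record is what goes into the build's artifacts so that an auditor can later see which policy version was applied and why a given commit passed or failed.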
- os-primeiros-passos-para-uma-carreira-devops (The first steps toward a DevOps career) by Gomex
- Delivery Pipelines as enabler for a DevOps culture
- Controlled Chaos: The Inevitable Marriage of DevOps & Security - Blackhat USA 2019
- Designing a Secure Software Development Lifecycle with DevOps - Mike Long
- The Current State of DevSecOps Metrics by Bill Nichols - 2021 - Slides
- Gibler - How to 10X Your Security - 2020
- devsecops blogs by Carnegie Mellon University
- Sysadmin landscape
- DevSecOps Ref Architecture
- Open source security tools
- Periodic Table of DevOps Tools - XebiaLabs - A collection of DevSecOps tooling categorised by tool functionality.
- Cloud Security and DevSecOps Best Practices by SANS.
- secure-coding-practices-quick-reference-guide by OWASP
- Application Security Verification Standard - OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
- Coding Standards - CERT - A collection of secure development standards for C, C++, Java and Android development.
- Proactive Controls - OWASP - OWASP’s list of top ten controls that should be implemented in every software development project.
- Secure Coding Guidelines - Mozilla - A guideline containing specific secure development standards for secure web application development.
- Secure Coding Practices Quick Reference Guide - OWASP - A checklist to verify that secure development standards have been followed.
- Secure Software Development Life Cycle Processes - Carnegie Mellon University - Covers frameworks and standards such as the Capability Maturity Model Integration (CMMI) framework, Team Software Process (TSP), the FAA-iCMM, the Trusted CMM/Trusted Software Methodology (T-CMM/TSM), and the Systems Security Engineering Capability Maturity Model (SSE-CMM). Two more recent approaches, the Software Assurance Maturity Model (SAMM) and the Software Security Framework (SSF), are also included to give the reader as much current information as possible.
- Building Security In Maturity Model (BSIMM) - Synopsys - A framework for software security created by observing and analysing data from leading software security initiatives.
- Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
- Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
- Software Assurance Maturity Model - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.
- C/C++ - Clang Static Analyzer, Phasar, Cppcheck
- C#/.NET - Puma Scan, Security Code Scan
- Golang - gosec, glasgo
- Java - SpotBugs, Frameworks: Soot, WALA
- Python - bandit, dlint, pyre-check (data-flow analysis to find web app bugs)
- Ruby - Brakeman
Massive list: mre/awesome-static-analysis
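Each scanner above applies rules over a parsed representation of the code rather than over its text, which is why they catch `subprocess.run(cmd, shell=True)` however it is spaced or aliased. As an added example, not code from bandit or any tool listed, this walks the Python AST and implements three rules of the kind those tools ship: eval/exec calls, subprocess calls with shell=True, and string literals assigned to secret-like names. The rule ids, the SECRET_NAMES list and the sample source are constructed for the example.

```python
import ast

# Rule ids and descriptions are local to this example, not bandit's.
RULES = {
    "CALL-EVAL": "use of eval()/exec()",
    "SHELL-TRUE": "subprocess call with shell=True",
    "HARDCODED-SECRET": "string literal assigned to a password/secret-like name",
}

# Assumed name fragments that suggest a secret; tune for your code base.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def _call_name(node):
    """Dotted name of the function being called, e.g. 'subprocess.run'.
    Returns '' for calls on subscripts or other non-name expressions."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (rule_id, line, detail)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(("CALL-EVAL", node.lineno, name))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(("SHELL-TRUE", node.lineno, name))
        self.generic_visit(node)  # keep walking into nested calls

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append(("HARDCODED-SECRET", node.lineno, target.id))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Return findings for one Python source string, ordered by line."""
    tree = ast.parse(source, filename=filename)
    finder = Finder()
    finder.visit(tree)
    return sorted(finder.findings, key=lambda f: f[1])


# Constructed sample, not taken from any real project.
SAMPLE_SOURCE = '''
import subprocess

DB_PASSWORD = "hunter2"
timeout = "30"

def run_report(user_filter):
    subprocess.run("report --filter " + user_filter, shell=True)

def run_report_safe(user_filter):
    subprocess.run(["report", "--filter", user_filter])

def compute(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for rule_id, line, detail in scan_source(SAMPLE_SOURCE):
        print("%s:%d: %s (%s)" % (rule_id, line, RULES[rule_id], detail))
```

Note what the AST approach does and does not give you: `run_report_safe` is correctly not flagged because the list form never reaches a shell, but `shell=flag` with a variable would also pass, since this rule only inspects constants. Data-flow tools such as pyre-check exist to close that gap.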
These intentionally vulnerable applications let you practice your skills at exploiting them.
- Bad SSL - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
- Cfngoat - Bridgecrew - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above.
- Damn Vulnerable Web App - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
- Juice Shop - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
- NodeGoat - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
- Terragoat - Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.
- Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.
A paid/free IT learning site (cybrary.it)
- DevSecOps Fundamentals – Helps students learn to incorporate security features in every step of the development process and navigate distinct security challenges in custom software and web applications. 4.5 hours *
- Certified Cloud Security Professional (CCSP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- NIST 800-53: Introduction to Security and Privacy Controls
Part of the Linux Foundation, bringing together the world’s top developers, end users and vendors.
Learning platform with video courses and built-in web-based CLI/hands-on learning activities for Kubernetes, Terraform, Git and more.
- Terraform for Beginners – Learn with hands-on labs
- The Linux Basics Course – Get your Linux Basics Cleared 5 hours long**
- DevOps Pre-Requisite Course – The course you should go through before any DevOps or Cloud Courses
- GIT for Beginners – Learn Git with simple visualizations, animations and by solving lab challenges **
- Kubernetes for Absolute Beginners – Hands on – Learn Kubernetes with simple, easy lectures and hands-on labs **
- Certified Kubernetes Administrator (CKA) with practice tests - 17 hours long**
- JSON/YAML Basics**
- Game of Pods**
Online learning site featuring a massive library of course selections.
- Ultimate AWS Certified Solutions Architect Associate 2021**
- HashiCorp Certified: Terraform Associate 2020 - All in one course for learning Terraform and gaining the official certification **
- HashiCorp Certified: Terraform Associate Practice Exam**
- More than Certified in Terraform**
- GitLab CI: Pipelines, CI/CD and DevOps for Beginners**
- Getting Started with HashiCorp Vault**
- HashiCorp Certified: Vault Associate 2021**
- HashiCorp Vault: The Advanced Course**
- AZ-900: Microsoft Azure Fundamentals Exam Prep - A good Azure basics course for all audiences. **
- AZ-303 Azure Architecture Technologies Exam Prep 2021 - This course goes into much more of the technical, engineering, and solutions architecture details of Azure.
- Azure Courses Taught by Scott Duffy - He is good at explaining complicated matters in plain language and is a thorough teacher **
Leading Cloud-learning platform provider, includes built-in labs and playgrounds
- AWS Certified Cloud Practitioner**
- AWS Certified SysOps Administrator**
- AWS Certified Solutions Architect – Professional
- AWS Security Learning Path – up to 358 lessons, 51 hours of video**
- Kubernetes Deep Dive**
- Linux Essentials**
- AWS Advanced Networking**
- AWS GovCloud: Beyond the Buzzwords**
- Certified Kubernetes Administrator**
- Kubernetes the Hard Way**
- Implementing a Full CI/CD Pipeline**
- Beginners Guide to Containers and Orchestration**
- Helm Deep Dive V2**
- Service Mesh with Istio**
- Kubernetes Security**
- Kubernetes Security(Advanced Concepts) **
- AWS Well Architected Labs - Security
- AWS Cloud Audit Academy
- AWS EKS Best Practices Guide for Security
- AWS training courses for many of the AWS certifications - still growing
- AWS training course for the Machine Learning specialty
- DoD Cyber Exchange DevSecOps
- Container Platform SRG
- DevSecOps Enterprise Container Hardening Guide 1.1
- DoD Enterprise DevSecOps Reference Design v1.0
- DoD DevSecOps Fundamentals
- DoD DevSecOps Strategy Guide
- DoD DevSecOps 2.0 Tools and Activities Guidebook
- DoD DevSecOps 2.0 Playbook
- DoD DevSecops Reference Design 2.0 - CNCF Kubernetes
- DoD Zero Trust Reference Architecture
- Kubernetes Draft STIG - Ver1, Rel 0.1
- Introduction to building and managing containers on a Red Hat OpenShift cluster (DO180 - 4 day course)
- Configure, manage, and troubleshoot OpenShift clusters and containerized applications (DO280 - 4 day course)
- Plan, implement, and manage OpenShift clusters on an Enterprise scale (DO380 - 5 day course)
- Design, build, and deploy containerized software applications to an OpenShift cluster (DO288 - 5 day course)
- Develop microservice-based applications in Java EE with MicroProfile and OpenShift (DO283 - 4 day course)
- Control, manage, trace, monitor, and test your microservices with Red Hat OpenShift Service Mesh (DO328 - 4 day course)
- DevOps Culture and Practice Enablement (DO500 - 5 day course)
- Automating Linux system administration tasks with Ansible (RH294 - 5 day course)
- Managing automation at scale with Ansible Tower (DO447 - 5 day course)
- Mitigating and managing threats to OpenShift container-based infrastructure (DO425 - 5 day course)
- Git - the simple guide: just a simple guide for getting started with git. no deep shit
- Terraform course featuring AWS, docker, and more - will prepare you for the Hashicorp Terraform certification and for using Terraform on the job
- Scott Piper/SummitRoute AWS Security Maturity Roadmap
- A curated list of the best DevSecOps resources and tooling
- A curated collection of tools for building security in with a developer-first mindset
- Awesome Dynamic Analysis - Matthias Endler - A collection of dynamic analysis tools and code quality checkers.
- Awesome Static Analysis - Matthias Endler - A collection of static analysis tools and code quality checkers.
- Awesome Threat Modelling - Practical DevSecOps - A curated list of threat modeling resources.
- Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.
Feedback is welcome, and if you find this list useful, please share it.