├── .gitignore
├── .travis.yml
├── Gemfile
├── LICENSE
├── README.md
├── Rakefile
├── img
│   ├── 2015-audit-defense.JPG
│   ├── 2015-owasp-appsec.png
│   ├── 2016-bird-1.JPG
│   ├── 2016-bird-2.JPG
│   ├── 2017-devsecops-cycle-maccherone.JPG
│   ├── 2017-devsecops-teachera-devsecops-studio.png
│   ├── 2017-devsecops-teachera.JPG
│   ├── 2017-garciga-1.JPG
│   ├── 2017-garciga-2.JPG
│   ├── 2020-gitlab-cicd.PNG
│   └── 2020-gitlab-process.PNG
└── renovate.json

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.bundle/
Gemfile.lock
out/
vendor/

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: ruby

script:
  - bundle exec rake

cache:
  directories:
    - $TRAVIS_BUILD_DIR/tmp/.htmlproofer # https://github.com/gjtorikian/html-proofer/issues/381

env:
  global:
    - NOKOGIRI_USE_SYSTEM_LIBRARIES=true # speeds up installation of html-proofer

addons:
  apt:
    packages:
      - libcurl4-openssl-dev # required to avoid SSL errors

sudo: false # route your build to the container-based infrastructure for a faster build

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
Encoding.default_external = Encoding::UTF_8
Encoding.default_internal = Encoding::UTF_8
source 'https://rubygems.org'
ruby RUBY_VERSION

gem 'html-proofer'
gem 'html-pipeline'
gem 'github-markdown'
gem 'commonmarker'
gem 'escape_utils'
gem 'rake'

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Lars Lühr

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DevSecOps Reference Architectures
[![Build Status](https://travis-ci.org/ayeks/devsecops-reference-architectures.svg?branch=master)](https://travis-ci.org/ayeks/devsecops-reference-architectures)

This is a collection of DevSecOps reference architectures. I was tired of crawling through low-resolution slideshares and email-grabbing web forms, so I started this repo to share reference architectures: for free, for everyone, and open for contributions.

### Contributing

Feel free to contribute via pull requests or issues. If you find slides in a higher quality, please let me know!

Please provide the following data for new architectures:
* Name of the source of the architecture
* Image of the reference architecture
* Year when the architecture was designed
* Optional: Link to the source for more information
* Optional: Summary of the architecture. What makes it special? Where does it differentiate? What is the problem it solves?
* Optional: Software stack. That makes it easier to search for architectures that use a specific tool.

### Acknowledgements

Thanks to [Sonatype](https://sonatype.com) and their [reference architecture slideset](https://de.sonatype.com/devsecops-reference-architectures) ([mirror](https://waterplacid.files.wordpress.com/2018/04/devsecops-reference-architectures-2018.pdf)).

Most of the referenced tools can be found in the more structured [Awesome DevSecOps list](https://github.com/devsecops/awesome-devsecops).

# Architectures

## OWASP AppSec Rugged DevOps Pipeline Project - 2015

* [OWASP AppSec Pipeline](https://www.owasp.org/index.php/OWASP_AppSec_Pipeline)
* [OWASP AppSec Pipeline Talks](https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Presentations)
* [GitHub Repository incl. Docker containers](https://github.com/appsecpipeline/AppSecPipeline-Specification)

The OWASP AppSec Rugged DevOps Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the sample implementation, documentation and references of this project will allow you to set up your own AppSec Pipeline.

Software Stack: [Bandit](https://github.com/PyCQA/bandit), [OWASP Dependency-Check](https://www.owasp.org/index.php/OWASP_Dependency_Check), [Checkmarx](https://www.checkmarx.com/), [SSLLabs](https://www.ssllabs.com/), [Arachni](http://www.arachni-scanner.com/), [wappalyzer](https://www.wappalyzer.com/), [Snyk](https://snyk.io/), [WPScan](https://wpscan.org/), [brakeman](https://brakemanscanner.org/), [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project), [Retire.js](http://retirejs.github.io/retire.js/)

![2015-owasp-appsec](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2015-owasp-appsec.png)

## DevOpsSec - Jim Bird - 2016

* [DevOpsSec - Jim Bird - O'Reilly Media](https://www.oreilly.com/library/view/devopssec/9781491971413/)

How do you build security and compliance into your DevOps platforms and pipelines? With this O’Reilly report, security analysts, security engineers, and pen testers will learn how to leverage the same processes and tools—such as version control, containers, and Continuous Delivery—that DevOps practitioners use to automate software delivery and infrastructure changes. In other words, you’ll understand how to use DevOps to secure DevOps.

Software Stack: [Upguard](https://www.upguard.com/), [Gauntlt](http://gauntlt.org/), [OWASP Dependency-Check](https://www.owasp.org/index.php/OWASP_Dependency_Check), [Bundler Audit](https://github.com/rubysec/bundler-audit), [Retire.js](http://retirejs.github.io/retire.js/), [OWASP SafeNuGet](https://www.owasp.org/index.php/OWASP_SafeNuGet), [Gerrit](https://www.gerritcodereview.com/), [Phabricator](https://www.phacility.com/), [Atlassian Crucible](https://www.atlassian.com/software/crucible), [Sonarqube](https://www.sonarqube.org/), [OWASP ZAP](https://www.owasp.org/index.php/ZAP), [Mittn](https://github.com/F-Secure/mittn), [Chef Vault](https://github.com/chef/chef-vault), [Keywhiz](https://github.com/square/keywhiz), [HashiCorp Vault](https://www.vaultproject.io/), [Netflix SimianArmy](https://github.com/Netflix/SimianArmy), [Signal Sciences](https://www.signalsciences.com/products/), [Alert Logic](https://www.alertlogic.com/), [CloudPassage Halo](https://www.cloudpassage.com/cloud-computing-security/), [Dome9 SecOps](https://dome9.com/), [Evident](https://www.paloaltonetworks.com/products/secure-the-cloud/evident.html), [Illumio](https://www.illumio.com/), [Threat Stack](https://www.threatstack.com/), [Waratek](https://www.waratek.com/), [Prevoty](https://www.prevoty.com/), [Contrast Security](https://www.contrastsecurity.com/runtime-application-self-protection-rasp), [tCell](https://www.tcell.io/), [Twistlock](https://www.twistlock.com/), [DevOps Audit Defense Toolkit](https://itrevolution.com/devops-audit-defense-toolkit/)

![2016-bird-1](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2016-bird-1.JPG)

![2016-bird-2](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2016-bird-2.JPG)

## US Defense Threat Reduction Agency - Joint Improvised Threat Defeat Organisation - Leo Garciga - 2017

* [All Day DevOps 2017 - Youtube](https://www.youtube.com/watch?v=LNL5J6gIkv0)

The talk goes into detail on why they went DevOps, how DevOps can be made secure according to NIST SP 800, and how automation prevents human error and reduces human delay.

Software Stack: [Docker](https://www.docker.com/), [Jira](https://de.atlassian.com/software/jira), [Jenkins](https://jenkins.io/), [Selenium](https://www.seleniumhq.org/), [Twistlock](https://www.twistlock.com/), [Sonarqube](https://www.sonarqube.org/), [Sonatype](https://www.sonatype.com/), Apache Maven

![2017-garciga-1](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2017-garciga-1.JPG)

![2017-garciga-2](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2017-garciga-2.JPG)

## DevOps Audit Defense Toolkit - IT Revolution - 2015

* [DevOps Audit Defense Toolkit - IT Revolution](https://itrevolution.com/devops-audit-defense-toolkit/)

The Toolkit summarizes the techniques they use to mitigate risk, and also provides a section answering the most common questions about value creation, compliance, and DevOps. The information in this document should help organizations wanting to pursue DevOps and continuous delivery explain their approach and improve communication between IT and audit.

![2015-audit-defense](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2015-audit-defense.JPG)

## DevSecOps Cycle - Larry Maccherone - 2017

* [Twitter Post](https://twitter.com/LMaccherone/status/843644744538427392)

Fully annotated DevSecOps cycle with threat modeling, code review, abuse case tests, pentest, compliance validation, config validation, logging, monitoring and intrusion detection.

![2017-devsecops-cycle-maccherone](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2017-devsecops-cycle-maccherone.JPG)

## Practical DevSecOps / DevSecOps Studio Project - TeachEra - 2017

* Teachera - DevSecOps Course (Teachera is no longer active)
* [Practical DevSecOps Course - Part 1 - Slideshare](https://www.slideshare.net/secfigo/practical-devsecops-course-part-1-82334619)
* [DevSecOps Studio Project - GitHub](https://github.com/teacheraio/DevSecOps-Studio/)

DevSecOps Studio is a one-of-a-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos, and it is often error prone when done manually. DevSecOps Studio is easy to get started with, mostly automated and battle tested during our Free Practical DevSecOps Course. The DevSecOps Studio project aims to reduce the time to bootstrap the environment and help you concentrate on learning/teaching DevSecOps practices.

Software Stack: [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project), [Gauntlt](http://gauntlt.org/), [Bandit](https://github.com/PyCQA/bandit), [brakeman](https://brakemanscanner.org/), [Metasploit](https://www.metasploit.com/), [Nmap](https://nmap.org/), [Findbugs](http://findbugs.sourceforge.net/), [DevSec Ansible OS Hardening](https://github.com/dev-sec/ansible-os-hardening), [Inspec](https://www.inspec.io/), [Docker](https://www.docker.com/), [GitLab](https://about.gitlab.com/), [Jenkins](https://jenkins.io/), [Ansible](https://www.ansible.com/), [Elastic](https://www.elastic.co/)

![2017-devsecops-teachera](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2017-devsecops-teachera.JPG)

![2017-devsecops-teachera-devsecops-studio](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2017-devsecops-teachera-devsecops-studio.png)

## GitLab DevOps Platform

* [About GitLab](https://about.gitlab.com/)
* [Gitlab Feature Maturity](https://about.gitlab.com/direction/maturity/)
* [DevOps Stages Lifecycle](https://about.gitlab.com/stages-devops-lifecycle/)
* [DevSecOps with GitLab](https://about.gitlab.com/solutions/dev-sec-ops/)

With GitLab, you get a complete CI/CD toolchain in a single application, and the DevSecOps architecture is built into the CI/CD process. Every merge request is scanned through its pipeline for security issues and vulnerabilities in your code and its dependencies using automated tests. Unlike traditional application security tools primarily intended for use by security pros, GitLab secure code capabilities are built into the CI/CD workflows where the developers live. We empower developers to identify vulnerabilities and remove them early in the development cycles.

Software Stack: [Gitlab Free / Core to Gold / Ultimate](https://about.gitlab.com/pricing/)

![2020-gitlab-process](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2020-gitlab-process.PNG)

![2020-gitlab-cicd](https://github.com/ayeks/devsecops-reference-architectures/blob/master/img/2020-gitlab-cicd.PNG)

--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
# encoding: utf-8

require 'html-proofer'
require 'html/pipeline'
require 'find'

desc "Run Markdown validation for the repository"
task :validate_markdown do
  # make an out dir for the rendered HTML
  Dir.mkdir("out") unless File.exist?("out")

  # GitHub-flavoured Markdown -> HTML, with a table of contents
  pipeline = HTML::Pipeline.new [
    HTML::Pipeline::MarkdownFilter,
    HTML::Pipeline::TableOfContentsFilter
  ], :gfm => true

  # iterate over files (only README.md is checked here), and generate HTML from Markdown
  Find.find("README.md") do |path|
    if File.extname(path) == ".md"
      contents = File.read(path)
      result = pipeline.call(contents)

      File.open("out/#{path.split("/").pop.sub('.md', '.html')}", 'w') { |file| file.write(result[:output].to_s) }
    end
  end

  # test your out dir! external links are checked with html-proofer;
  # hosts that block automated requests are skipped, as are 429 (rate limit) responses
  options = {
    :url_ignore => [
      "https://www.tcell.io/",
      "https://www.twistlock.com/",
      "https://www.cloudpassage.com/cloud-computing-security/",
      "https://twitter.com/LMaccherone/status/843644744538427392",
    ],
    :http_status_ignore => [429]
  }
  HTMLProofer.check_directory("./out", options).run
end

task default: :validate_markdown

--------------------------------------------------------------------------------
/img/2015-audit-defense.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2015-audit-defense.JPG

--------------------------------------------------------------------------------
/img/2015-owasp-appsec.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2015-owasp-appsec.png

--------------------------------------------------------------------------------
/img/2016-bird-1.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2016-bird-1.JPG

--------------------------------------------------------------------------------
/img/2016-bird-2.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2016-bird-2.JPG

--------------------------------------------------------------------------------
/img/2017-devsecops-cycle-maccherone.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2017-devsecops-cycle-maccherone.JPG

--------------------------------------------------------------------------------
/img/2017-devsecops-teachera-devsecops-studio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2017-devsecops-teachera-devsecops-studio.png

--------------------------------------------------------------------------------
/img/2017-devsecops-teachera.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2017-devsecops-teachera.JPG

--------------------------------------------------------------------------------
/img/2017-garciga-1.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2017-garciga-1.JPG

--------------------------------------------------------------------------------
/img/2017-garciga-2.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2017-garciga-2.JPG

--------------------------------------------------------------------------------
/img/2020-gitlab-cicd.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2020-gitlab-cicd.PNG

--------------------------------------------------------------------------------
/img/2020-gitlab-process.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ayeks/devsecops-reference-architectures/981aa1a579d3ac020a605616e7b5bcfbcee38a3c/img/2020-gitlab-process.PNG

--------------------------------------------------------------------------------
/renovate.json:
--------------------------------------------------------------------------------
{
  "extends": [
    "config:base"
  ]
}
--------------------------------------------------------------------------------