├── DevSecOps.png ├── assets ├── dod.png ├── devsecops-dark.png ├── LarryMaccherone.jpg └── devsecops-light.png ├── justfile ├── .github └── workflows │ ├── contributors.yml │ └── deadlink.yml ├── LICENSE ├── CONTRIBUTING.md ├── DevSecOps.xml ├── tools └── README.md ├── README.jp.md ├── README.ko.md └── README.md /DevSecOps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hahwul/DevSecOps/main/DevSecOps.png -------------------------------------------------------------------------------- /assets/dod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hahwul/DevSecOps/main/assets/dod.png -------------------------------------------------------------------------------- /justfile: -------------------------------------------------------------------------------- 1 | setup: 2 | brew install yamlfix 3 | 4 | fix: 5 | yamlfix .github/workflows/* 6 | -------------------------------------------------------------------------------- /assets/devsecops-dark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hahwul/DevSecOps/main/assets/devsecops-dark.png -------------------------------------------------------------------------------- /assets/LarryMaccherone.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hahwul/DevSecOps/main/assets/LarryMaccherone.jpg -------------------------------------------------------------------------------- /assets/devsecops-light.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hahwul/DevSecOps/main/assets/devsecops-light.png -------------------------------------------------------------------------------- /.github/workflows/contributors.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Contributors 3 | on: 4 | push: 5 | branches: [main] 6 | workflow_dispatch: 7 | inputs: 8 | logLevel: 9 | description: manual run 10 | required: false 11 | default: '' 12 | jobs: 13 | contributors: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: wow-actions/contributors-list@v1 17 | with: 18 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 19 | round: false 20 | includeBots: false 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 HAHWUL 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /.github/workflows/deadlink.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: DeadLink 3 | # Controls when the workflow will run 4 | on: 5 | # Allows you to run this workflow manually from the Actions tab 6 | workflow_dispatch: 7 | # A workflow run is made up of one or more jobs that can run sequentially or in parallel 8 | jobs: 9 | # This workflow contains a single job called "build" 10 | build: 11 | # The type of runner that the job will run on 12 | runs-on: ubuntu-latest 13 | 14 | # Steps represent a sequence of tasks that will be executed as part of the job 15 | steps: 16 | - name: Find Broken Link 17 | uses: hahwul/deadfinder@1.7.1 18 | id: broken-link 19 | with: 20 | command: url 21 | target: https://github.com/hahwul/DevSecOps 22 | - name: Create Markdown Table from JSON 23 | id: create-markdown-table 24 | run: | 25 | echo "## DeadLink Report" > deadlink_report.md 26 | echo "" >> deadlink_report.md 27 | echo "| Target URL | Deadlink |" >> deadlink_report.md 28 | echo "|------------|------------|" >> deadlink_report.md 29 | echo '${{ steps.broken-link.outputs.output }}' | jq -r 'to_entries[] | .key as $k | .value[] | "| \($k) | \(.) |"' >> deadlink_report.md 30 | - name: Read Markdown Table from File 31 | id: read-markdown-table 32 | run: | 33 | table_content=$(cat deadlink_report.md) 34 | echo "TABLE_CONTENT<> $GITHUB_ENV 35 | echo "$table_content" >> $GITHUB_ENV 36 | echo "EOF" >> $GITHUB_ENV 37 | - name: Create an issue 38 | uses: dacbd/create-issue-action@main 39 | with: 40 | token: ${{ secrets.GITHUB_TOKEN }} 41 | title: DeadLink Issue 42 | body: ${{ env.TABLE_CONTENT }} 43 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to DevSecOps 2 | 3 | Thank you for your interest in contributing to our DevSecOps project! This document provides guidelines for different types of contributions. 4 | 5 | ## Table of Contents 6 | - [Updating the DevSecOps Diagram](#updating-the-devsecops-diagram) 7 | - [Contributing to the Documentation](#contributing-to-the-documentation) 8 | - [Adding Tools to the Repository](#adding-tools-to-the-repository) 9 | - [Creating a Pull Request](#creating-a-pull-request) 10 | 11 | ## Updating the DevSecOps Diagram 12 | 13 | 1. Fork this repository to your GitHub account. 14 | 2. Open the diagram file using [draw.io](https://draw.io): 15 | - Select **File > Open from > Device** 16 | - Choose the `DevSecOps.xml` file from your forked repository 17 | 3. Make your desired edits to the diagram. 18 | 4. Save both the XML source and export a PNG image: 19 | - Save the XML: **File > Save** or **File > Save As** 20 | - Export as PNG: **File > Export as > PNG** 21 | 5. Commit both the updated `DevSecOps.xml` and `DevSecOps.png` files to your forked repository. 22 | 6. Create a Pull Request (see [Creating a Pull Request](#creating-a-pull-request) section). 23 | 24 | ## Contributing to the Documentation 25 | 26 | 1. Fork this repository to your GitHub account. 27 | 2. Make your changes to the README.md or other documentation files. 28 | 3. Create a Pull Request with your improvements. 29 | 30 | ## Adding Tools to the Repository 31 | 32 | 1. Fork this repository to your GitHub account. 33 | 2. Clone your forked repository: 34 | ```bash 35 | git clone https://github.com/YOUR-USERNAME/DevSecOps 36 | cd DevSecOps/tools 37 | ``` 38 | 3. Update the tools directory and corresponding `README.md` file. 39 | 4. Commit and push your changes: 40 | ```bash 41 | git add . 42 | git commit -m "Add/update tools: BRIEF DESCRIPTION" -s 43 | git push 44 | ``` 45 | 5. Create a Pull Request (see next section). 46 | 47 | ## Creating a Pull Request 48 | 49 | 1. Navigate to your forked repository on GitHub. 50 | 2. Click on "Pull Request" and then "New Pull Request". 51 | 3. Ensure the base repository is the original DevSecOps repository and the head repository is your fork. 52 | 4. Provide a clear title and description for your Pull Request, explaining the changes you've made. 53 | 5. Submit the Pull Request. 54 | 55 | Thank you for contributing to make this project better! 56 | -------------------------------------------------------------------------------- /DevSecOps.xml: -------------------------------------------------------------------------------- 1 | 7V1bk9o6Ev41U7X7AIVtfOGRgUyye5I6UyG1OXkUtsDeGIu1xVzOr1+1ZPkmhjEMFzHjVCWxW/Ktv69b3S3Z3FiT1dPnFK3DbyTA8Y05CJ5urOmNaRqGY7D/QPKcSwaGKSTLNAqEbFAKZtHfWHbMpZsowFkuEyJKSEyjdV3okyTBPq3JUJqSx3q3BYmDmmCNlrh2GyCY+SjGSrefUUDD4sFGZcMXHC3D/NKe6YqGOfJ/L1OySfLrJSTBomWF5GnyS2YhCshjRWR9urEmKSFUbK2eJjgGvdY1dvdCa3HLKU5omwP++DL+45v77d//if/+StDC/pISp2fkz5HRZ6kLHDDV5LskpSFZkgTFn0rpLX9eDKcdsL2yz1dC1kxoMOF/MaXPOc5oQwkThXQV5634KaJ/VbZ/wan6dr43fcrPzHee5U5C0+e/qjuVo2C3PIzvyeMWJKF3aBXFIJiQVeSzx52hJGP/fZuxDhlNye8CdgsOieJ4QmKScoVYAcLewi96Vloc38PzBWtRscjhycgm9fEuAHK2o3SJ6Y5+uT0BOJUL5Eh/xmSF2UOzDimOEY0e6rxGuXksi34lT9hGTpU9aOMODqCNv0kfOGuMY3Ko5M2vKm1e4VBJm1/yfDs4VJiuaArG4HLgOR9QLCR3EShQdK7xyWhDwQbhsBHY2N1GuJHjWsjhLSil8ja408lllRs5PSltTy9WGtfOSscY7sNLvneP04jpD6cdWXeTdaQVWfPzMlA2+ZWmOIuWiULhkpMAz2MYUTxbI66SRxaO1fm3fTD7KUMXYFeI/HCT4s9w6NQrBeNkyS85tHcNgb8x9cPaxbaNh6+TiHXIjcgY7YL/AacUP+3ES7YO8kNkECpjtMdKRCeDsbASzDmDU0HsdcHVRYMrs6VrsLTyDDLpuN5hrAuujkBK6ZY0YaXndKzczcrtVNqfr5Wh0djJXx1Y6tl6sfSQIbdj6btnqasVS80tsf8DjhnBuuD/sODf8oaaBf/D6yyR6ReNHe4drLbhv16VgaGtDXMOyiGLQatdDvkS4/wYZVnk10j3gpfbk3QnzTnbku7ocRM/lCkPPVc6rEmU0Kxy5nsQlH5zJN2U9Ju2W+Xvq/2HQ7fBd3EHJfuLRzncIOzrdKXvJyE+vTUM9XLBMproGKdJGnF6Bnp6FQFHnc/7cAzUywdaSpJ6u4nioEtRa2pvn6I6rqlbinrI4p8T+Zg9Eo13ljDYLd2DXiUsW58ktT4+GTu589L4VI5I1xKTn7aw2paU9lAvVuo6SdWx8qysNPRipUbj7B6s7Nj1Qj9TL3YpcfoPnNEuTK9pfZ8wvVHhNC4epms0p71HmN7NB1TD9tezf62cinOd4f1HG7LaksvRKyDyzKtk1xnD9He1Sqe1C9SLpa4SWE3xOibPXWh1YGjVXKSjQWilUb3gkNCq2PmQoZXX0q8c3a0ctNSiZ3l19g93L7Vo9m8szTjNUgtHI4Po4r43M9/RqzzrXGchrCvPHpmVei21cDSqrxzCyiPVVz48K/Uq67q6LkHTxleeIEceXSxHbstSVy/f6Sk58p9rnCKKbyCPuwMdkySiTJld0nxY0tx8rf3ySbOpzjjdmE7MLnu7YQc7S8qfXEjiSEp+hJgbwoI+Mn3AjSUB+3e+yaIEZ6DCIP8AwiALyQZWmsH3nrIowClYhjgcMxcXUdAPjvGKqTXry0vN0+bF2eOV168Iq7fZoCVDhSocyK29yp5cVOHoNgoDzJGP4nEMD2ZNKXjeW8LEi5j7kTAKApy0oRbKTxHjBT0Os+Saa5lfurZCLFN+x6tKLO9kxHIOItZ37JMVowJ4E/hu2A3/ABjoV7JmBqyBjQkJomTJNj7DB8fgGWjRKRCv4AGnOCXQEvc7IrUhkmXZujFJrd22YdLPECfcJUWx4MkEbo7FRSs2onFy4YwKAkWgT8T+LgkJ+O1gJNmH42gVJWIQrDgsGqYYdf7q8Jl509ONZmr404ZmY8EorjIxCK5QskFxgy4F1+Z4QVLhomD+QQjvU8G7jMd6hQfs2HUou6x6nFU4tYuxS97QvuwqhzTCY/EIkj45pAmfFtEt1JHuiwVdjHgbPjxugkiQ8G4l4nhBPsHaNWJBMxNcE+fmhDLj04d2cjFZwTpPZZ2zhXWyPHB81pkHsW66yakhgynwVHkstQ5RhmuDKaMk0HPBPR7drNmdMtYtIjgBZil2ChqHpLFwiD2ez3KSomyNfZhpuWrnpxsRrUY6YMk3fS/n/0YKE2fj2Q8FJ3aqaJ3hfasIZrOKYG6rIrxUDQK5rMUFhLGxUURojaDPIINvN+4oalWrCuaRRju3jnbPshS03S1FBetUbmeogv2vDuwjgW2M+k4db3N0WbhtNbaZcriFY87WKKnh7vxvA9/JvvWFxsbg95dz9A92zwMxsmzd+idsgg4HoNbeIscIDmfxDMk4e2pdMq566DBYP5XXLQcJu/kddJs9Nkj5l7yLPakGmyuCSaawDTdmw4PbUBt9pa9R9JXwH3QaszyN0HbRIrypbBTKLhqloTFB1dSgnRsbyLm5gcTgu1WTA6nJpRWzK4UV0wOhV/QUJiHvQpqgbJ0V98jNkF9UGGJ5FxVjBGFujrY0SJubJHQURgl9crMsn6FxF7lxQntFmcL+2sBVNBVIlUZqg5kWPT1YIiVP81wB0SrFj4WCucwtySBtt2izKmdDWSlfVi7fpBHfLbhUFdYZnvdTTKEIrYQRvxBcvXs/fgS/7VluzWnbthqSnddrq7nBPWhiy+smHb6v4+ua9fWQtqMmf+fFd9gFYccC12kar2FcGFy1WFnMi8ymXycfD+UThNqNco6jztWeF3M1q/rBZyFAW2LM7kB/M+hmY4p+Sw3vrKjLmf9tli5nQDvY3w77qJ5TDy+MuppSf0FpgJMPifcR8G1WRO3hhWtkch6ggvD38ey+A/cAcHtO3XbtS/ts9XNbY5h868A9BNxGXmVdOPR21LzqpWWRHbwtUquGX5Z+8VLwuqrt3iNelOzAPSCYbhivfeGpCk+NphVg4SdA1+0fvvghUzSXZxjsVIo1qi99Mh012GTn7jveqPwzVJUkdXl8E1DXBE/xA8s6/lxnirbyiXWF76/PsStUbM6qr6IgiF8ysPoLEfss5ra2fwF0N1/aU76GraMgO9xCd7ni+/hIqmWikFL4Hd4xX9B/t4xouJn3fbJiOyEKH2EJxd17Qpt/KuH4aMvqgOrPzguwWhNSMMtCtIbNaMV/OLlQ/Fc0x/E9ySK+gqeyiCWGhtvix5ArY8OC/9kCnlj9JxbzsN1F9ARg3fJLjqV0ICVsu07DTYbTHm/K+oKSIIG1awywnJ2GZRpMky7bZO5wwIL8Qc+03OFiMGAbI3PRMww8742sodczveHCHPo+8jy/v2Yp8wkN3jCt/sCquGrV5kdeX36D5ywO3FOrB5N8RVYXxOz/aoVTrwjaWxZTnTeIUUPU2WT88bA9QRnQa/wkhn3hOqCnhmITwl92GW9oyJ6TOWGxALMD/+01Qq9eR+qpZSTDOCv66psv3/EaRmzC73vs++JlO+bdmaK6CaDjuPtGRUL19oY863lYsGXpLPZTzOf9UMKCJrE0u8P+zdi7zZW0297PNUZHAf8mX4NVtlVWX1mf/g8= -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- 1 | ## TOC 2 | - [Why collect the tools?](#why-collect-the-tools-) 3 | - [List of Tool](#list-of-tool) 4 | - [How to Contribute this](#how-to-contribute-this) 5 | 6 | ## Why collect the tools? 7 | Spending a lot of time on applying DevSecOps is searching, comparing, and making decisions about tools. These tool lists are a good way to help you reduce unnecessary time and apply them quickly 😎 8 | 9 | ## List of Tool 10 | | Type | Name | Description | Popularity | Language | 11 | | ---------- | :---------- | :----------: | :----------: | :----------: | 12 | | Build/SAST | [Gitleaks](https://github.com/gitleaks/gitleaks) | Gitleaks is a SAST tool for detecting hardcoded secrets like API keys, tokens, and passwords in Git repositories, providing a CLI, GitHub Action, and pre-commit hooks for secret detection. | ![](https://img.shields.io/github/stars/gitleaks/gitleaks) | ![](https://img.shields.io/github/languages/top/gitleaks/gitleaks) | 13 | | Build/SAST | [SonarQube](https://www.sonarqube.org/) | SonarQube is an open-source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.|![](https://img.shields.io/static/v1?label=&message=it's%20not%20github&color=gray)|![](https://img.shields.io/static/v1?label=&message=it's%20not%20github&color=gray) 14 | | Build/SAST | [codeql](https://github.com/github/codeql) | CodeQL is a semantic code analysis engine that helps you find security vulnerabilities in your code. | ![](https://img.shields.io/github/stars/github/codeql) | ![](https://img.shields.io/github/languages/top/github/codeql) | 15 | | Build/SAST | [checkov](https://github.com/bridgecrewio/checkov) | Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, CloudFormation, Kubernetes, ARM Templates and Serverless framework templates for misconfigurations. | ![](https://img.shields.io/github/stars/bridgecrewio/checkov) | ![](https://img.shields.io/github/languages/top/bridgecrewio/checkov) | 16 | | Build/SAST | [ggshield](https://github.com/GitGuardian/ggshield) | An open source CLI from GitGuardian to detect 350+ types of hardcoded secrets and 70+ IaC misconfigurations | ![](https://img.shields.io/github/stars/GitGuardian/ggshield) | ![](https://img.shields.io/github/languages/top/GitGuardian/ggshield) | 17 | | Build/SAST | [semgrep](https://github.com/returntocorp/semgrep) | Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. | ![](https://img.shields.io/github/stars/returntocorp/semgrep) | ![](https://img.shields.io/github/languages/top/returntocorp/semgrep) | 18 | | Build/SAST | [sonarcloud-github-action](https://github.com/SonarSource/sonarcloud-github-action) | Integrate SonarCloud code analysis to GitHub Actions | ![](https://img.shields.io/github/stars/SonarSource/sonarcloud-github-action) | ![](https://img.shields.io/github/languages/top/SonarSource/sonarcloud-github-action) | 19 | | Build/SECRET-MANAGE | [kamus](https://github.com/Soluto/kamus) | An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications | ![](https://img.shields.io/github/stars/Soluto/kamus) | ![](https://img.shields.io/github/languages/top/Soluto/kamus) | 20 | | Build/SECRET-MANAGE | [secrets-sync-action](https://github.com/google/secrets-sync-action) | A Github Action that can sync secrets from one repository to many others. | ![](https://img.shields.io/github/stars/google/secrets-sync-action) | ![](https://img.shields.io/github/languages/top/google/secrets-sync-action) | 21 | | Build/SECRET-MANAGE | [vault-action](https://github.com/hashicorp/vault-action) | A GitHub Action that simplifies using HashiCorp Vault ™ secrets as build variables. | ![](https://img.shields.io/github/stars/hashicorp/vault-action) | ![](https://img.shields.io/github/languages/top/hashicorp/vault-action) | 22 | | Design/THREAT | [owasp-threat-dragon-desktop](https://github.com/mike-goodwin/owasp-threat-dragon-desktop) | An installable desktop variant of OWASP Threat Dragon | ![](https://img.shields.io/github/stars/mike-goodwin/owasp-threat-dragon-desktop) | ![](https://img.shields.io/github/languages/top/mike-goodwin/owasp-threat-dragon-desktop) | 23 | | Design/THREAT | [pytm](https://github.com/izar/pytm) | A Pythonic framework for threat modeling | ![](https://img.shields.io/github/stars/izar/pytm) | ![](https://img.shields.io/github/languages/top/izar/pytm) | 24 | | Design/THREAT | [seasponge](https://github.com/mozilla/seasponge) | SeaSponge is an accessible threat modelling tool from Mozilla | ![](https://img.shields.io/github/stars/mozilla/seasponge) | ![](https://img.shields.io/github/languages/top/mozilla/seasponge) | 25 | | Design/THREAT | [threagile](https://github.com/Threagile/threagile) | Agile Threat Modeling Toolkit | ![](https://img.shields.io/github/stars/Threagile/threagile) | ![](https://img.shields.io/github/languages/top/Threagile/threagile) | 26 | | Operate and Monitor/COMPONENT-ANALYSIS | [dependency-track](https://github.com/DependencyTrack/dependency-track) | Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. | ![](https://img.shields.io/github/stars/DependencyTrack/dependency-track) | ![](https://img.shields.io/github/languages/top/DependencyTrack/dependency-track) | 27 | | Operate and Monitor/K8S | [kube-hunter](https://github.com/aquasecurity/kube-hunter) | Hunt for security weaknesses in Kubernetes clusters | ![](https://img.shields.io/github/stars/aquasecurity/kube-hunter) | ![](https://img.shields.io/github/languages/top/aquasecurity/kube-hunter) | 28 | | Operate and Monitor/SECURITY-AUDIT | [Prowler](https://github.com/prowler-cloud/prowler) | Prowler is a security tool for AWS, providing over 100 checks for compliance with standards like CIS, GDPR, and HIPAA, and auditing AWS account configurations. | ![](https://img.shields.io/github/stars/prowler-cloud/prowler) | ![](https://img.shields.io/github/languages/top/prowler-cloud/prowler) | 29 | | Operate and Monitor/SECURITY-SCAN | [Trivy](https://github.com/aquasecurity/trivy) | Trivy is an open-source, all-in-one security scanner for container images, file systems, and Git repositories, detecting vulnerabilities and misconfigurations. | ![](https://img.shields.io/github/stars/aquasecurity/trivy) | ![](https://img.shields.io/github/languages/top/aquasecurity/trivy) | 30 | | Test/DAST | [action-baseline](https://github.com/zaproxy/action-baseline) | A GitHub Action for running the OWASP ZAP Baseline scan | ![](https://img.shields.io/github/stars/zaproxy/action-baseline) | ![](https://img.shields.io/github/languages/top/zaproxy/action-baseline) | 31 | | Test/DAST | [action-dalfox](https://github.com/hahwul/action-dalfox) | XSS scanning with Dalfox on Github-action | ![](https://img.shields.io/github/stars/hahwul/action-dalfox) | ![](https://img.shields.io/github/languages/top/hahwul/action-dalfox) | 32 | | Test/DAST | [action-full-scan](https://github.com/zaproxy/action-full-scan) | A GitHub Action for running the OWASP ZAP Full scan | ![](https://img.shields.io/github/stars/zaproxy/action-full-scan) | ![](https://img.shields.io/github/languages/top/zaproxy/action-full-scan) | 33 | | Test/DAST | [zaproxy](https://github.com/zaproxy/zaproxy) | The OWASP ZAP core project | ![](https://img.shields.io/github/stars/zaproxy/zaproxy) | ![](https://img.shields.io/github/languages/top/zaproxy/zaproxy) | 34 | | Test/PENTEST | [faraday](https://github.com/infobyte/faraday) | Collaborative Penetration Test and Vulnerability Management Platform | ![](https://img.shields.io/github/stars/infobyte/faraday) | ![](https://img.shields.io/github/languages/top/infobyte/faraday) | 35 | | Test/PENTEST | [metasploit-framework](https://github.com/rapid7/metasploit-framework) | Metasploit Framework | ![](https://img.shields.io/github/stars/rapid7/metasploit-framework) | ![](https://img.shields.io/github/languages/top/rapid7/metasploit-framework) | 36 | | Test/PENTEST | [monkey](https://github.com/guardicore/monkey) | Infection Monkey - An automated pentest tool | ![](https://img.shields.io/github/stars/guardicore/monkey) | ![](https://img.shields.io/github/languages/top/guardicore/monkey) | 37 | | Test/PENTEST | [nuclei](https://github.com/projectdiscovery/nuclei) | Fast and customizable vulnerability scanner based on simple YAML based DSL. | ![](https://img.shields.io/github/stars/projectdiscovery/nuclei) | ![](https://img.shields.io/github/languages/top/projectdiscovery/nuclei) | 38 | | Test/PENTEST | [ptf](https://github.com/trustedsec/ptf) | The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools. | ![](https://img.shields.io/github/stars/trustedsec/ptf) | ![](https://img.shields.io/github/languages/top/trustedsec/ptf) | 39 | 40 | ## How to Contribute this 41 | Please read [Contributing](https://github.com/hahwul/DevSecOps/blob/main/CONTRIBUTING.md) document! 42 | -------------------------------------------------------------------------------- /README.jp.md: -------------------------------------------------------------------------------- 1 |
2 | 3 | 4 | 5 | DevSecOps Logo 6 | 7 |

DevSecOpsを始めたいすべての人のためのロードマップ。

8 |
9 | 10 |

11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |

20 | 21 | ## DevSecOpsとは何か、なぜ重要なのか? 22 | DevSecOpsは、ソフトウェア開発ライフサイクル(SDLC)の各フェーズにセキュリティを統合することを目指す文化であり実践です。 23 | 開発チーム、セキュリティチーム、運用チーム間のコラボレーションを重視します。 24 | 目標は、脆弱性を減らし、より迅速で安全なデプロイメントを保証するために、最初から安全なソフトウェアを構築することです。 25 | このロードマップは、個人や組織がDevSecOpsの実践を導入するのに役立つリソースとツールの厳選されたリストを提供します。 26 | 27 | ## 📜 目次 28 | - [ロードマップ](#-ロードマップ) 29 | - [ツール](#-ツール) 30 | - [リソース](#リソース) 31 | * [0. DevSecOps概要](#0-devsecops概要) 32 | * [1. 設計](#1-設計) 33 | * [2. 開発](#2-開発) 34 | * [3. ビルド](#3-ビルド) 35 | * [4. テスト](#4-テスト) 36 | * [5. デプロイ](#5-デプロイ) 37 | * [6. 運用と監視](#6-運用と監視) 38 | - [CICDのセキュリティ](#cicdのセキュリティ) 39 | - [素晴らしいリソース](#素晴らしいリソース) 40 | - [その他のロードマップ](#-その他のロードマップ) 41 | - [まとめ](#-まとめ) 42 | - [貢献者](#貢献者) 43 | - [貢献する](https://github.com/hahwul/DevSecOps/blob/main/CONTRIBUTING.md) 44 | 45 | ## 📖 このロードマップの使い方 46 | このロードマップは、DevSecOpsの実践を採用または改善しようとしている個人や組織のための包括的なガイドとして設計されています。最大限に活用する方法は次のとおりです。 47 | 48 | 1. **基本を理解する:** DevSecOpsが初めての場合は、「DevSecOpsとは何か、なぜ重要なのか?」セクションから始めて、基礎的な理解を深めてください。 49 | 2. **全体像を見る:** メインの**ロードマップ**画像は、DevSecOps内のさまざまな段階と領域の視覚的な概要を示しています。これを使用して自分自身を方向付けてください。 50 | 3. **ツールを探る:** **ツール**セクションでは、さまざまなDevSecOps機能を実装するのに役立つソフトウェアとサービスの厳選されたリストを提供しています。 51 | 4. **リソースを深く掘り下げる:** **リソース**セクションは、DevSecOpsライフサイクル(設計、開発、ビルド、テスト、デプロイ、運用と監視)によって分類されています。各カテゴリには、記事、ガイド、および公式ドキュメントへのリンクが含まれています。特定のニーズや関心のある分野に基づいてこれらを調べることができます。 52 | 5. **CI/CDセキュリティに焦点を当てる:** パイプラインの保護に焦点を当てている場合は、**CICDのセキュリティ**セクションで対象となるリソースを提供しています。 53 | 6. **貢献する:** これはコミュニティ主導の取り組みです。提案がある場合、リンク切れを見つけた場合、または新しいリソースを追加したい場合は、[CONTRIBUTING.md](CONTRIBUTING.md)ガイドをご覧ください。 54 | 55 | 直線的に進む必要はありません。現在の課題や学習目標に最も関連性の高いセクションに自由にジャンプしてください。 56 | 57 | ## 💭 ロードマップ 58 | ![Roadmap](./DevSecOps.png) 59 | 60 | ## 🔩 ツール 61 | このプロジェクトには、DevSecOpsの実践を実装するのに役立つツールの厳選されたリストが含まれています。これらのツールは、静的アプリケーションセキュリティテスト(SAST)、動的アプリケーションセキュリティテスト(DAST)、シークレット管理、脅威モデリング、コンポーネント分析など、SDLCのさまざまな段階をカバーしています。 62 | 63 | ➡️ [**DevSecOpsツールリストを探る**](./tools/README.md) 64 | 65 | このリストは、ツールをすばやく見つけて比較し、検索と意思決定にかかる時間を短縮できるように設計されています。 66 | 67 | ## 📦 リソース 68 | ### 0. DevSecOps概要 69 | - 概要 70 | 1. [Wikipedia](https://en.wikipedia.org/wiki/DevOps#DevSecOps,_shifting_security_left)と[Grokipedia](https://grokipedia.com/page/DevOps#devsecops-and-security-integration)のDevSecOps 71 | 2. [Zero to DevSecOps (OWASP Meetup)](https://owasp.org/www-chapter-belgium/assets/2019/2019-02-20/Zero-to-DevSecOps-OWASP-Meetup-02-19-19.pdf) 72 | 3. [DevSecOps What Why And How (BlackHat USA-19)](https://i.blackhat.com/USA-19/Thursday/us-19-Shrivastava-DevSecOps-What-Why-And-How.pdf) 73 | 4. [DevSecOps – Security and Test Automation (Mitre)](https://www.mitre.org/sites/default/files/publications/pr-19-0769-devsecops_security_test_automation-briefing.pdf) 74 | 5. [DevSecOps: Making Security Central To Your DevOps Pipeline](https://spacelift.io/blog/what-is-devsecops) 75 | 6. [Strengthen and Scale security using DevSecOps](https://owasp.org/www-pdf-archive/Devsecops-owasp-indonesia.pdf) 76 | 7. [DSOVS (OWASP DevSecOps Verification Standard)](https://owasp.org/www-project-devsecops-verification-standard/) 77 | 8. [What is DevSecOps? (Github)](https://github.com/resources/articles/devops/devsecops) 78 | ### 1. 設計 79 | - 開発ライフサイクル 80 | 1. [SDL(Secure Development Lifecycle) by Microsoft](https://www.microsoft.com/en-us/securityengineering/sdl/practices) 81 | 2. [OWASP's Software Assurance Maturity Model](https://github.com/OWASP/samm) 82 | 3. [Building Security In Maturity Model (BSIMM)](https://www.bsimm.com/framework.html) 83 | 4. [NIST's Secure Software Development Framework](https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf) 84 | 5. [DevSecOps basics: 9 tips for shifting left (Gitlab)](https://about.gitlab.com/blog/2020/06/23/efficient-devsecops-nine-tips-shift-left/) 85 | 6. [6 Ways to bring security to the speed of DevOps (Gitlab)](https://about.gitlab.com/blog/2019/10/31/speed-security-devops/) 86 | - 脅威モデル 87 | 1. [What is Threat Modeling / Wikipedia](https://en.wikipedia.org/wiki/Threat_model) 88 | 2. [Threat Modeling by OWASP](https://owasp.org/www-community/Threat_Modeling) 89 | 3. [Application Threat Modeling by OWASP](https://owasp.org/www-community/Application_Threat_Modeling) 90 | 4. [Agile Threat Modeling Toolkit](https://threagile.io) 91 | 5. [OWASP Threat Dragon](https://threatdragon.github.io) 92 | ### 2. 開発 93 | - セキュアコーディング 94 | 1. [Secure coding guide by Apple](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) 95 | 2. [Secure Coding Guidelines for Java SE](https://www.oracle.com/java/technologies/javase/seccodeguide.html) 96 | 3. [Go-SCP / Go programming language secure coding practices guide](https://github.com/OWASP/Go-SCP) 97 | 4. [Android App security best practices by Google](https://developer.android.com/topic/security/best-practices) 98 | 5. [Securing Rails Applications](https://guides.rubyonrails.org/security.html) 99 | ### 3. ビルド 100 | - SAST(Static Application Security Testing) 101 | 1. [Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1](https://medium.com/nycdev/scan-your-source-code-for-vulnerabilities-using-static-application-security-testing-sast-with-5f8ee1fdf9aa) 102 | 2. [Announcing third-party code-scanning tools: static analysis & developer security training](https://github.blog/2020-10-05-announcing-third-party-code-scanning-tools-static-analysis-and-developer-security-training/) 103 | 3. [SAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-004-Static-Application-Security-Testing-SAST.md) 104 | ### 4. テスト 105 | - DAST(Dynamic Application Security Testing) 106 | 1. [Dynamic Application Security Testing with ZAP and GitHub Actions](https://www.zaproxy.org/blog/2020-05-15-dynamic-application-security-testing-with-zap-and-github-actions/) 107 | 2. [Dynamic Application Security Testing (DAST) in Gitlab](https://docs.gitlab.com/ee/user/application_security/dast/) 108 | 3. [DAST using projectdiscovery Nuclei (github action)](https://github.com/secopslab/nuclei-action) 109 | 4. [ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages](https://youtu.be/jimW-R6_F4U) 110 | 5. [DAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-002-Dynamic-Application-Security-Testing-DAST.md) 111 | - ペネトレーションテスト 112 | 1. [Penetration Testing at DevSecOps Speed](https://securityboulevard.com/2019/04/penetration-testing-at-devsecops-speed/) 113 | ### 5. デプロイ 114 | - セキュリティ強化と設定 115 | 1. [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) 116 | 2. [DevSecOps in Kubernetes](https://cloudblogs.microsoft.com/opensource/2019/07/22/devsecops-in-kubernetes/) 117 | - セキュリティスキャン 118 | 1. [Best practices for scanning images (docker)](https://docs.docker.com/develop/scan-images/) 119 | ### 6. 運用と監視 120 | - RASP(Run-time Application Security Protection) 121 | 1. [Runtime Application Self-Protection by rapid7](https://www.rapid7.com/fundamentals/runtime-application-self-protection/) 122 | 2. [Jumpstarting your devsecops - Pipeline with IAST and RASP](https://2018.appsec.eu/presos/DevOps_Jumpstarting-Your-DevSecOps_Jeff-Williams_AppSecEU2018.pdf) 123 | - セキュリティ監査 124 | - セキュリティ監視 125 | 1. IAST(Interactive Application Security Testing) 126 | - [IAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-003-Interactive-Application-Security-Testing-IAST.md) 127 | 2. メトリクス、監視、アラート 128 | - セキュリティ分析 129 | 1. [Attack Surface Analysis Cheat Sheet by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html) 130 | 131 | ## CICDのセキュリティ 132 | - Github Actions 133 | 1. [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) 134 | 2. [Github Actions Security Best Practices](https://engineering.salesforce.com/github-actions-security-best-practices-b8f9df5c75f5) 135 | 3. [GitHub Actions Security Best Practices [cheat sheet included]](https://blog.gitguardian.com/github-actions-security-cheat-sheet/) 136 | - Jenkins 137 | 1. [Securing Jenkins](https://www.jenkins.io/doc/book/security/) 138 | 2. [Securing Jenkins CI Systems by SANS](https://www.sans.org/white-papers/36872/) 139 | 3. [DEPRECATED/chef-jenkins-hardening](https://github.com/dev-sec/chef-jenkins-hardening) 140 | 141 | ### 素晴らしいリソース 142 | * https://github.com/TaptuIT/awesome-devsecops 143 | 144 | ## 🚀 その他のロードマップ 145 | | ![](assets/dod.png "DoD logo") | ![](assets/LarryMaccherone.jpg "Larry Maccherone portrait") | 146 | | ------------------------------------------------------------ | ------------------------------------------------------------ | 147 | | U.S. Department of Defense | Larry Maccherone | 148 | | [![DevSecOps Security Checklist](https://i.imgur.com/pQXVOzS.png)](https://assets.sqreen.com/whitepapers/devsecops-security-checklist.pdf) | [![GitLab Security DevOps Diagram](https://about.gitlab.com/images/secure/security-diagram.svg)](https://about.gitlab.com/solutions/dev-sec-ops/) | 149 | | The DevSecOps Security Checklist | Gitlab security devops diagram | 150 | 151 | ## 🙏🏼 まとめ 152 | ロードマップを改善できると思われる場合は、PRを開いて更新を送信し、問題を送信してください。また、今後も改善を続けていきますので、このリポジトリにスターを付けて再訪することをお勧めします。 153 | 154 | アイデア元: [Go Developer Roadmap](https://github.com/Alikhll/golang-developer-roadmap) 155 | 156 | ## 貢献者 157 | ![](CONTRIBUTORS.svg "Contributors List") 158 | -------------------------------------------------------------------------------- /README.ko.md: -------------------------------------------------------------------------------- 1 |
2 | 3 | 4 | 5 | DevSecOps Logo 6 | 7 |

DevSecOps를 원하는 모든 사람을 위한 로드맵입니다.

8 |
9 | 10 |

11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |

20 | 21 | ## DevSecOps란 무엇이며 왜 중요할까요? 22 | DevSecOps는 소프트웨어 개발 수명 주기(SDLC)의 모든 단계에 보안을 통합하는 것을 목표로 하는 문화이자 관행입니다. 23 | 개발, 보안 및 운영 팀 간의 협업을 강조합니다. 24 | 목표는 처음부터 안전한 소프트웨어를 구축하고, 취약점을 줄이며, 더 빠르고 안전한 배포를 보장하는 것입니다. 25 | 이 로드맵은 개인과 조직이 DevSecOps 관행을 구현하는 데 도움이 되는 엄선된 리소스와 도구 목록을 제공합니다. 26 | 27 | ## 📜 목차 28 | - [로드맵](#-로드맵) 29 | - [도구](#-도구) 30 | - [리소스](#리소스) 31 | * [0. DevSecOps 개요](#0-devsecops-개요) 32 | * [1. 설계](#1-설계) 33 | * [2. 개발](#2-개발) 34 | * [3. 빌드](#3-빌드) 35 | * [4. 테스트](#4-테스트) 36 | * [5. 배포](#5-배포) 37 | * [6. 운영 및 모니터링](#6-운영-및-모니터링) 38 | - [CICD 보안](#cicd-보안) 39 | - [Awesome resources](#awesome-resources) 40 | - [다른 로드맵](#-다른-로드맵) 41 | - [마무리](#-마무리) 42 | - [기여자](#기여자) 43 | - [기여하기](https://github.com/hahwul/DevSecOps/blob/main/CONTRIBUTING.md) 44 | 45 | ## 📖 이 로드맵 사용 방법 46 | 이 로드맵은 DevSecOps 관행을 채택하거나 개선하려는 개인 및 조직을 위한 포괄적인 가이드로 설계되었습니다. 최대한 활용하는 방법은 다음과 같습니다. 47 | 48 | 1. **기본 사항 이해:** DevSecOps를 처음 사용하는 경우 "DevSecOps란 무엇이며 왜 중요한가요?" 섹션부터 시작하여 기본 사항을 이해하십시오. 49 | 2. **큰 그림 보기:** 기본 **로드맵** 이미지는 DevSecOps 내의 다양한 단계와 영역에 대한 시각적 개요를 제공합니다. 이를 사용하여 방향을 잡으십시오. 50 | 3. **도구 탐색:** **도구** 섹션에서는 다양한 DevSecOps 기능을 구현하는 데 도움이 되는 엄선된 소프트웨어 및 서비스 목록을 제공합니다. 51 | 4. **리소스 살펴보기:** **리소스** 섹션은 DevSecOps 수명 주기(설계, 개발, 빌드, 테스트, 배포, 운영 및 모니터링)별로 분류되어 있습니다. 각 범주에는 기사, 가이드 및 공식 문서에 대한 링크가 포함되어 있습니다. 특정 요구 사항이나 관심 분야에 따라 이러한 항목을 탐색할 수 있습니다. 52 | 5. **CI/CD 보안에 집중:** 파이프라인 보안에 중점을 둔다면 **CICD 보안** 섹션에서 대상 리소스를 제공합니다. 53 | 6. **기여:** 이것은 커뮤니티 중심의 노력입니다. 제안 사항이 있거나, 깨진 링크를 발견하거나, 새로운 리소스를 추가하려면 [CONTRIBUTING.md](CONTRIBUTING.md) 가이드를 참조하십시오. 54 | 55 | 선형적으로 진행할 필요는 없습니다. 현재 과제나 학습 목표와 가장 관련성이 높은 섹션으로 자유롭게 이동하십시오. 56 | 57 | ## 💭 로드맵 58 | ![Roadmap](./DevSecOps.png) 59 | 60 | ## 🔩 도구 61 | 이 프로젝트에는 DevSecOps 관행을 구현하는 데 도움이 되는 엄선된 도구 목록이 포함되어 있습니다. 이러한 도구는 SAST(Static Application Security Testing), DAST(Dynamic Application Security Testing), 비밀 관리, 위협 모델링, 구성 요소 분석 등 SDLC의 다양한 단계를 다룹니다. 62 | 63 | ➡️ [**DevSecOps 도구 목록 살펴보기**](./tools/README.md) 64 | 65 | 이 목록은 도구를 빠르게 찾고 비교하여 검색 및 의사 결정에 소요되는 시간을 줄이는 데 도움이 되도록 설계되었습니다. 66 | 67 | ## 📦 리소스 68 | ### 0. DevSecOps 개요 69 | - 개요 70 | 1. [Wikipedia](https://en.wikipedia.org/wiki/DevOps#DevSecOps,_shifting_security_left)와 [Grokipedia](https://grokipedia.com/page/DevOps#devsecops-and-security-integration)의 DevSecOps 71 | 2. [Zero to DevSecOps (OWASP Meetup)](https://owasp.org/www-chapter-belgium/assets/2019/2019-02-20/Zero-to-DevSecOps-OWASP-Meetup-02-19-19.pdf) 72 | 3. [DevSecOps What Why And How (BlackHat USA-19)](https://i.blackhat.com/USA-19/Thursday/us-19-Shrivastava-DevSecOps-What-Why-And-How.pdf) 73 | 4. [DevSecOps – Security and Test Automation (Mitre)](https://www.mitre.org/sites/default/files/publications/pr-19-0769-devsecops_security_test_automation-briefing.pdf) 74 | 5. [DevSecOps: Making Security Central To Your DevOps Pipeline](https://spacelift.io/blog/what-is-devsecops) 75 | 6. [Strengthen and Scale security using DevSecOps](https://owasp.org/www-pdf-archive/Devsecops-owasp-indonesia.pdf) 76 | 7. [DSOVS (OWASP DevSecOps Verification Standard)](https://owasp.org/www-project-devsecops-verification-standard/) 77 | 8. [What is DevSecOps? (Github)](https://github.com/resources/articles/devops/devsecops) 78 | ### 1. 설계 79 | - 개발 수명 주기 80 | 1. [SDL(Secure Development Lifecycle) by Microsoft](https://www.microsoft.com/en-us/securityengineering/sdl/practices) 81 | 2. [OWASP's Software Assurance Maturity Model](https://github.com/OWASP/samm) 82 | 3. [Building Security In Maturity Model (BSIMM)](https://www.bsimm.com/framework.html) 83 | 4. [NIST's Secure Software Development Framework](https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf) 84 | 5. [DevSecOps basics: 9 tips for shifting left (Gitlab)](https://about.gitlab.com/blog/2020/06/23/efficient-devsecops-nine-tips-shift-left/) 85 | 6. [6 Ways to bring security to the speed of DevOps (Gitlab)](https://about.gitlab.com/blog/2019/10/31/speed-security-devops/) 86 | - 위협 모델 87 | 1. [What is Threat Modeling / Wikipedia](https://en.wikipedia.org/wiki/Threat_model) 88 | 2. [Threat Modeling by OWASP](https://owasp.org/www-community/Threat_Modeling) 89 | 3. [Application Threat Modeling by OWASP](https://owasp.org/www-community/Application_Threat_Modeling) 90 | 4. [Agile Threat Modeling Toolkit](https://threagile.io) 91 | 5. [OWASP Threat Dragon](https://threatdragon.github.io) 92 | ### 2. 개발 93 | - 보안 코딩 94 | 1. [Secure coding guide by Apple](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) 95 | 2. [Secure Coding Guidelines for Java SE](https://www.oracle.com/java/technologies/javase/seccodeguide.html) 96 | 3. [Go-SCP / Go programming language secure coding practices guide](https://github.com/OWASP/Go-SCP) 97 | 4. [Android App security best practices by Google](https://developer.android.com/topic/security/best-practices) 98 | 5. [Securing Rails Applications](https://guides.rubyonrails.org/security.html) 99 | ### 3. 빌드 100 | - SAST(Static Application Security Testing) 101 | 1. [Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1](https://medium.com/nycdev/scan-your-source-code-for-vulnerabilities-using-static-application-security-testing-sast-with-5f8ee1fdf9aa) 102 | 2. [Announcing third-party code scanning tools: static analysis & developer security training](https://github.blog/2020-10-05-announcing-third-party-code-scanning-tools-static-analysis-and-developer-security-training/) 103 | 3. [SAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-004-Static-Application-Security-Testing-SAST.md) 104 | ### 4. 테스트 105 | - DAST(Dynamic Application Security Testing) 106 | 1. [Dynamic Application Security Testing with ZAP and GitHub Actions](https://www.zaproxy.org/blog/2020-05-15-dynamic-application-security-testing-with-zap-and-github-actions/) 107 | 2. [Dynamic Application Security Testing (DAST) in Gitlab](https://docs.gitlab.com/ee/user/application_security/dast/) 108 | 3. [DAST using projectdiscovery Nuclei (github action)](https://github.com/secopslab/nuclei-action) 109 | 4. [ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages](https://youtu.be/jimW-R6_F4U) 110 | 5. [DAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-002-Dynamic-Application-Security-Testing-DAST.md) 111 | - 침투 테스트 112 | 1. [Penetration Testing at DevSecOps Speed](https://securityboulevard.com/2019/04/penetration-testing-at-devsecops-speed/) 113 | ### 5. 배포 114 | - 보안 강화 및 구성 115 | 1. [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) 116 | 2. [DevSecOps in Kubernetes](https://cloudblogs.microsoft.com/opensource/2019/07/22/devsecops-in-kubernetes/) 117 | - 보안 스캐닝 118 | 1. [Best practices for scanning images (docker)](https://docs.docker.com/develop/scan-images/) 119 | ### 6. 운영 및 모니터링 120 | - RASP(Run-time Application Security Protection) 121 | 1. [Runtime Application Self-Protection by rapid7](https://www.rapid7.com/fundamentals/runtime-application-self-protection/) 122 | 2. [Jumpstarting your devsecops - Pipeline with IAST and RASP](https://2018.appsec.eu/presos/DevOps_Jumpstarting-Your-DevSecOps_Jeff-Williams_AppSecEU2018.pdf) 123 | - 보안 감사 124 | - 보안 모니터 125 | 1. IAST(Interactive Application Security Testing) 126 | - [IAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-003-Interactive-Application-Security-Testing-IAST.md) 127 | 2. 지표, 모니터링, 알림 128 | - 보안 분석 129 | 1. [Attack Surface Analysis Cheat Sheet by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html) 130 | 131 | ## CICD 보안 132 | - Github Actions 133 | 1. [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) 134 | 2. [Github Actions Security Best Practices](https://engineering.salesforce.com/github-actions-security-best-practices-b8f9df5c75f5) 135 | 3. [GitHub Actions Security Best Practices [cheat sheet included]](https://blog.gitguardian.com/github-actions-security-cheat-sheet/) 136 | - Jenkins 137 | 1. [Securing Jenkins](https://www.jenkins.io/doc/book/security/) 138 | 2. [Securing Jenkins CI Systems by SANS](https://www.sans.org/white-papers/36872/) 139 | 3. [DEPRECATED/chef-jenkins-hardening](https://github.com/dev-sec/chef-jenkins-hardening) 140 | 141 | ### Awesome Resources 142 | * https://github.com/TaptuIT/awesome-devsecops 143 | 144 | ## 🚀 다른 로드맵 145 | | ![](assets/dod.png "DoD logo") | ![](assets/LarryMaccherone.jpg "Larry Maccherone portrait") | 146 | | ------------------------------------------------------------ | ------------------------------------------------------------ | 147 | | U.S. Department of Defense | Larry Maccherone | 148 | | [![DevSecOps Security Checklist](https://i.imgur.com/pQXVOzS.png)](https://assets.sqreen.com/whitepapers/devsecops-security-checklist.pdf) | [![GitLab Security DevOps Diagram](https://about.gitlab.com/images/secure/security-diagram.svg)](https://about.gitlab.com/solutions/dev-sec-ops/) | 149 | | The DevSecOps Security Checklist | Gitlab security devops diagram | 150 | 151 | ## 🙏🏼 마무리 152 | 로드맵을 개선할 수 있다고 생각되면 언제든지 PR을 열어 업데이트하고 문제를 제출하십시오. 또한 이 로드맵을 계속 개선할 것이므로 이 저장소를 즐겨찾기에 추가하여 다시 방문할 수 있습니다. 153 | 154 | 아이디어 출처: [Go Developer Roadmap](https://github.com/Alikhll/golang-developer-roadmap) 155 | 156 | ## 기여자 157 | ![](CONTRIBUTORS.svg "Contributors List") 158 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | 3 | 4 | 5 | DevSecOps Logo 6 | 7 |

Roadmap for everyone who wants DevSecOps.

8 |
9 | 10 |

11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |

20 | 21 | ## What is DevSecOps and Why is it Important? 22 | DevSecOps is a culture and practice that aims to integrate security into every phase of the software development lifecycle (SDLC). 23 | It emphasizes collaboration between Development, Security, and Operations teams. 24 | The goal is to build secure software from the ground up, reduce vulnerabilities, and ensure faster, safer deployments. 25 | This roadmap provides a curated list of resources and tools to help individuals and organizations implement DevSecOps practices. 26 | 27 | ## 📜 Table of Contents 28 | - [Roadmap](#-roadmap) 29 | - [Tools](#-tools) 30 | - [Resources](#resources) 31 | * [0. DevSecOps Overview](#0-devsecops-overview) 32 | * [1. Design](#1-design) 33 | * [2. Develop](#2-develop) 34 | * [3. Build](#3-build) 35 | * [4. Test](#4-test) 36 | * [5. Deploy](#5-deploy) 37 | * [6. Operate and Monitor](#6-operate-and-monitor) 38 | - [Security of CICD](#security-of-cicd) 39 | - [Awesome resources](#awesome-resources) 40 | - [Other roadmaps](#-other-roadmaps) 41 | - [Wrap Up](#-wrap-up) 42 | - [Contributors](#contributors) 43 | - [Contribute](https://github.com/hahwul/DevSecOps/blob/main/CONTRIBUTING.md) 44 | 45 | ## 📖 How to Use This Roadmap 46 | This roadmap is designed to be a comprehensive guide for individuals and organizations looking to adopt or improve their DevSecOps practices. Here's how you can make the most of it: 47 | 48 | 1. **Understand the Basics:** If you're new to DevSecOps, start with the "What is DevSecOps and Why is it Important?" section to get a foundational understanding. 49 | 2. **View the Big Picture:** The main **Roadmap** image provides a visual overview of the different stages and areas within DevSecOps. Use this to orient yourself. 50 | 3. **Explore Tools:** The **Tools** section offers a curated list of software and services that can help you implement various DevSecOps capabilities. 51 | 4. **Dive into Resources:** The **Resources** section is categorized by the DevSecOps lifecycle (Design, Develop, Build, Test, Deploy, Operate and Monitor). Each category contains links to articles, guides, and official documentation. You can explore these based on your specific needs or areas of interest. 52 | 5. **Focus on CI/CD Security:** If your focus is on securing your pipelines, the **Security of CICD** section provides targeted resources. 53 | 6. **Contribute:** This is a community-driven effort. If you have suggestions, find broken links, or want to add new resources, please see our [CONTRIBUTING.md](CONTRIBUTING.md) guide. 54 | 55 | You don't have to go through it linearly. Feel free to jump to the sections that are most relevant to your current challenges or learning goals. 56 | 57 | ## 💭 Roadmap 58 | ![Roadmap](./DevSecOps.png) 59 | 60 | ## 🔩 Tools 61 | This project includes a curated list of tools to help you implement DevSecOps practices. These tools cover various stages of the SDLC, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), secret management, threat modeling, component analysis, and more. 62 | 63 | ➡️ [**Explore the DevSecOps Tools List**](./tools/README.md) 64 | 65 | This list is designed to help you quickly find and compare tools, reducing the time spent on searching and decision-making. 66 | 67 | ## 📦 Resources 68 | ### 0. DevSecOps Overview 69 | - Overview 70 | 1. DevSecOps in [Wikipedia](https://en.wikipedia.org/wiki/DevOps#DevSecOps,_shifting_security_left) and [Grokipedia](https://grokipedia.com/page/DevOps#devsecops-and-security-integration) 71 | 2. [Zero to DevSecOps (OWASP Meetup)](https://owasp.org/www-chapter-belgium/assets/2019/2019-02-20/Zero-to-DevSecOps-OWASP-Meetup-02-19-19.pdf) 72 | 3. [DevSecOps What Why And How (BlackHat USA-19)](https://i.blackhat.com/USA-19/Thursday/us-19-Shrivastava-DevSecOps-What-Why-And-How.pdf) 73 | 4. [DevSecOps – Security and Test Automation (Mitre)](https://www.mitre.org/sites/default/files/publications/pr-19-0769-devsecops_security_test_automation-briefing.pdf) 74 | 5. [DevSecOps: Making Security Central To Your DevOps Pipeline](https://spacelift.io/blog/what-is-devsecops) 75 | 6. [Strengthen and Scale security using DevSecOps](https://owasp.org/www-pdf-archive/Devsecops-owasp-indonesia.pdf) 76 | 7. [DSOVS (OWASP DevSecOps Verification Standard)](https://owasp.org/www-project-devsecops-verification-standard/) 77 | 8. [What is DevSecOps? (Github)](https://github.com/resources/articles/devops/devsecops) 78 | ### 1. Design 79 | - Development Lifecycle 80 | 1. [SDL(Secure Development Lifecycle) by Microsoft](https://www.microsoft.com/en-us/securityengineering/sdl/practices) 81 | 2. [OWASP's Software Assurance Maturity Model](https://github.com/OWASP/samm) 82 | 3. [Building Security In Maturity Model (BSIMM)](https://www.bsimm.com/framework.html) 83 | 4. [NIST's Secure Software Development Framework](https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf) 84 | 5. [DevSecOps basics: 9 tips for shifting left (Gitlab)](https://about.gitlab.com/blog/2020/06/23/efficient-devsecops-nine-tips-shift-left/) 85 | 6. [6 Ways to bring security to the speed of DevOps (Gitlab)](https://about.gitlab.com/blog/2019/10/31/speed-security-devops/) 86 | - Threat Model 87 | 1. [What is Threat Modeling / Wikipedia](https://en.wikipedia.org/wiki/Threat_model) 88 | 2. [Threat Modeling by OWASP](https://owasp.org/www-community/Threat_Modeling) 89 | 3. [Application Threat Modeling by OWASP](https://owasp.org/www-community/Application_Threat_Modeling) 90 | 4. [Agile Threat Modeling Toolkit](https://threagile.io) 91 | 5. [OWASP Threat Dragon](https://threatdragon.github.io) 92 | ### 2. Develop 93 | - Secure Coding 94 | 1. [Secure coding guide by Apple](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) 95 | 2. [Secure Coding Guidelines for Java SE](https://www.oracle.com/java/technologies/javase/seccodeguide.html) 96 | 3. [Go-SCP / Go programming language secure coding practices guide](https://github.com/OWASP/Go-SCP) 97 | 4. [Android App security best practices by Google](https://developer.android.com/topic/security/best-practices) 98 | 5. [Securing Rails Applications](https://guides.rubyonrails.org/security.html) 99 | ### 3. Build 100 | - SAST(Static Application Security Testing) 101 | 1. [Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1](https://medium.com/nycdev/scan-your-source-code-for-vulnerabilities-using-static-application-security-testing-sast-with-5f8ee1fdf9aa) 102 | 2. [Announcing third-party code scanning tools: static analysis & developer security training](https://github.blog/2020-10-05-announcing-third-party-code-scanning-tools-static-analysis-and-developer-security-training/) 103 | 3. [SAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-004-Static-Application-Security-Testing-SAST.md) 104 | ### 4. Test 105 | - DAST(Dynamic Application Security Testing) 106 | 1. [Dynamic Application Security Testing with ZAP and GitHub Actions](https://www.zaproxy.org/blog/2020-05-15-dynamic-application-security-testing-with-zap-and-github-actions/) 107 | 2. [Dynamic Application Security Testing (DAST) in Gitlab](https://docs.gitlab.com/ee/user/application_security/dast/) 108 | 3. [DAST using projectdiscovery Nuclei (github action)](https://github.com/secopslab/nuclei-action) 109 | 4. [ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages](https://youtu.be/jimW-R6_F4U) 110 | 5. [DAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-002-Dynamic-Application-Security-Testing-DAST.md) 111 | - Penetration testing 112 | 1. [Penetration Testing at DevSecOps Speed](https://securityboulevard.com/2019/04/penetration-testing-at-devsecops-speed/) 113 | ### 5. Deploy 114 | - Security Hardening & Config 115 | 1. [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) 116 | 2. [DevSecOps in Kubernetes](https://cloudblogs.microsoft.com/opensource/2019/07/22/devsecops-in-kubernetes/) 117 | - Security Scanning 118 | 1. [Best practices for scanning images (docker)](https://docs.docker.com/develop/scan-images/) 119 | ### 6. Operate and Monitor 120 | - RASP(Run-time Application Security Protection) 121 | 1. [Runtime Application Self-Protection by rapid7](https://www.rapid7.com/fundamentals/runtime-application-self-protection/) 122 | 2. [Jumpstarting your devsecops - Pipeline with IAST and RASP](https://2018.appsec.eu/presos/DevOps_Jumpstarting-Your-DevSecOps_Jeff-Williams_AppSecEU2018.pdf) 123 | - Security Audit 124 | - Security Monitor 125 | 1. IAST(Interactive Application Security Testing) 126 | - [IAST levels defined by OWASP](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-003-Interactive-Application-Security-Testing-IAST.md) 127 | 2. Metrics, Monitoring, Alerting 128 | - Security Analysis 129 | 1. [Attack Surface Analysis Cheat Sheet by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html) 130 | 131 | ## Security of CICD 132 | - Github Actions 133 | 1. [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) 134 | 2. [Github Actions Security Best Practices](https://engineering.salesforce.com/github-actions-security-best-practices-b8f9df5c75f5) 135 | 3. [GitHub Actions Security Best Practices [cheat sheet included]](https://blog.gitguardian.com/github-actions-security-cheat-sheet/) 136 | - Jenkins 137 | 1. [Securing Jenkins](https://www.jenkins.io/doc/book/security/) 138 | 2. [Securing Jenkins CI Systems by SANS](https://www.sans.org/white-papers/36872/) 139 | 3. [DEPRECATED/chef-jenkins-hardening](https://github.com/dev-sec/chef-jenkins-hardening) 140 | 141 | ### Awesome Resources 142 | * https://github.com/TaptuIT/awesome-devsecops 143 | 144 | ## 🚀 Other roadmaps 145 | | ![](assets/dod.png "DoD logo") | ![](assets/LarryMaccherone.jpg "Larry Maccherone portrait") | 146 | | ------------------------------------------------------------ | ------------------------------------------------------------ | 147 | | U.S. Department of Defense | Larry Maccherone | 148 | | [![DevSecOps Security Checklist](https://i.imgur.com/pQXVOzS.png)](https://assets.sqreen.com/whitepapers/devsecops-security-checklist.pdf) | [![GitLab Security DevOps Diagram](https://about.gitlab.com/images/secure/security-diagram.svg)](https://about.gitlab.com/solutions/dev-sec-ops/) | 149 | | The DevSecOps Security Checklist | Gitlab security devops diagram | 150 | 151 | ## 🙏🏼 Wrap Up 152 | If you think the roadmap can be improved, please do open a PR with any updates and submit any issues. Also, I will continue to improve this, so you might want to star this repository to revisit. 153 | 154 | Idea from: [Go Developer Roadmap](https://github.com/Alikhll/golang-developer-roadmap) 155 | 156 | ## Contributors 157 | ![](CONTRIBUTORS.svg "Contributors List") 158 | --------------------------------------------------------------------------------