Roadmap for everyone who wants DevSecOps.

📜 Table of Contents

• Roadmap
• Tools
• Resources
  • 0. DevSecOps Overview
  • 1. Design
  • 2. Develop
  • 3. Build
  • 4. Test
  • 5. Deploy
  • 6. Operate and Monitor
• Security of CICD
• Awesome resources
• Other roadmaps
• Wrap Up
• Contributors
• Contribute

💭 Roadmap

🔩 Tools

Spending a lot of time on applying DevSecOps is searching, comparing, and making decisions about tools. These tool lists are a good way to help you reduce unnecessary time and apply them quickly 😎

Open https://github.com/hahwul/DevSecOps/blob/main/tools/README.md

📦 Resources

0. DevSecOps Overview

• Overview
  1. DevSecOps in Wikipedia
  2. Zero to DevSecOps (OWASP Meetup)
  3. DevSecOps What Why And How (BlackHat USA-19)
  4. DevSecOps – Security and Test Automation (Mitre)
  5. DevSecOps: Making Security Central To Your DevOps Pipeline
  6. Strengthen and Scale security using DevSecOps
  7. DSOVS (OWASP DevSecOps Verification Standard)
  8. What is DevSecOps? (Github)

1. Design

• Development Lifecycle
  1. SDL(Secure Development Lifecycle) by Microsoft
  2. OWASP's Software Assurance Maturity Model
  3. Building Security In Maturity Model (BSIMM)
  4. NIST's Secure Software Developerment Framework
  5. DevSecOps basics: 9 tips for shifting left (Gitlab)
  6. 6 Ways to bring security to the speed of DevOps (Gitlab)
• Threat Model
  1. What is Threat Modeling / Wikipedia
  2. Threat Modeling by OWASP
  3. Application Threat Modeling by OWASP
  4. Agile Threat Modeling Toolkit
  5. OWASP Threat Dragon

2. Develop

• Secure Coding
  1. Secure coding guide by Apple
  2. Secure Coding Guidelines for Java SE
  3. Go-SCP / Go programming language secure coding practices guide
  4. Android App security best practices by Google
  5. Securing Rails Applications

3. Build

• SAST(Static Application Security Testing)
  1. Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1
  2. Announcing third-party code scanning tools: static analysis & developer security training
  3. SAST levels defined by OWASP

4. Test

• DAST(Dynamic Application Security Testing)
  1. Dynamic Application Security Testing with ZAP and GitHub Actions
  2. Dynamic Application Security Testing (DAST) in Gitlab
  3. DAST using pdiscoveryio Nuclei (github action)
  4. ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages
  5. DAST levels defined by OWASP
• Penetration testing
  1. Penetration Testing at DevSecOps Speed

5. Deploy

• Security Hardening & Config
  1. CIS Benchmarks
  2. DevSecOps in Kubernetes
• Security Scanning
  1. Best practices for scanning images (docker)

6. Operate and Monitor

• RASP(Run-time Application Security Protection)
  1. Runtime Application Self-Protection by rapid7
  2. Jumpstarting your devsecops - Pipeline with IAST and RASP
• Security Patch
  1. RASP(Runtime Application Self-Protection)
• Security Audit
• Security Monitor
  1. IAST(Interactive Application Security Testing)
     • IAST levels defined by OWASP
  2. Metrics, Monitoring, Alerting
• Security Analysis
  1. Attack Surface Analysis Cheat Sheet by OWASP

Security of CICD

• Github Actions
  1. Security hardening for GitHub Actions
  2. Github Actions Security Best Practices
  3. GitHub Actions Security Best Practices [cheat sheet included]
• Jenkins
  1. Securing Jenkins
  2. Securing Jenkins CI Systems by SANS
  3. DEPRECATED/chef-jenkins-hardening

Awesome resources

• https://github.com/TaptuIT/awesome-devsecops

🚀 Other roadmaps

U.S. Department of Defense	Larry Maccherone
The DevSecOps Security Checklist	Gitlab security devops diagram

🙏🏼 Wrap Up

If you think the roadmap can be improved, please do open a PR with any updates and submit any issues. Also, I will continue to improve this, so you might want to star this repository to revisit.

Idea from : Go Developer Roadmap

Contributors