DevSecOps

Pager Duty - Guidelines to running security training within an organisation.

Spacelift - An article explains what DevSecOps aims to achieve, why it’s advantageous, and how the DevSecOps lifecycle looks.

Tanya Janca - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development.

Snyk - A community that runs conferences, a blog, a podcast and a Discord dedicated to DevSecOps.

Cloud Native Computing Foundation - TAG Security facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.

OWASP - An Australian application security conference run by OWASP.

Snyk - A network of DevSecOps conferences run by Snyk.

Cossack Labs - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers.

Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.

Security Journey - Interviews with industry experts about specific application security concepts.

Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.

OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.

Snyk - Discussion about security tools and best practices for software developers.

OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.

CERT - A collection of secure development standards for C, C++, Java and Android development.

SAFECode - Guidelines for implementing key secure development practices throughout the SDLC.

OWASP - OWASP's list of top ten controls that should be implemented in every software development project.

Mozilla - A guideline containing specific secure development standards for secure web application development.

OWASP - A checklist to verify that secure development standards have been followed.

Synopsys - A framework for software security created by observing and analysing data from leading software security initiatives.

Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.

NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.

OWASP - A framework to measure and improve the maturity of the secure development lifecycle.

SANS - A poster containing the Securing Web Application Technologies (SWAT) Checklist, SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes Threats, and Secure DevOps Toolchain.

XebiaLabs - A collection of DevSecOps tooling categorised by tool functionality.

Duo Security - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs.

Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.

PentesterLab - Hands on labs to understand and exploit simple and advanced web vulnerabilities.

Practical DevSecOps - Learn DevSecOps concepts, tools, and techniques from industry experts with practical DevSecOps using state of the art browser-based labs.

SafeStack - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations.

Secure Code Warrior - Gamified and hands-on secure development training with support for courses, assessments and tournaments.

OWASP - Hands-on secure coding training for Developers and Build/Release Engineers.

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training employees.

Semgrep - Free, on-demand courses covering topics including API security, secure coding and application security.

PortSwigger - A set of materials and labs to learn and exploit common web vulnerabilities.

WeHackPurple - Online courses that teach application security theory and hands-on technical lessons.

Snyk - Introduction to key DevSecOps concepts, processes and technologies.

OWASP - A repository of information about software vulnerabilities and how to prevent them.

Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.

GitHub - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.

OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.

OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.

JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.

NPM - Vulnerable package auditing for node packages built into the npm CLI.

WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.

Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.

Snyk - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.

Imperva - Perform automated security scanning against an API based on an API specification.

PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.

Gauntlt - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.

Spectral - Discover internet-wide misconfigurations, using zgrab2 and others.

Microsoft - A stateful RESTful API scanner based on peer-reviewed research papers.

SSL Labs - Automated scanning for SSL / TLS configuration issues.

OWASP - An open-source web application vulnerability scanner, including an API for CI/CD integration.

Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.

Checkmarx - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.

Spectral - Find misconfiguration both in infrastructure as well as apps as early as commit time.

Accurics - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Stelligent - Scan AWS CloudFormation templates for insecure configuration.

Red Hat - Scan App Container and Docker containers for publicly disclosed vulnerabilities.

Elías Grande - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.

Docker - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Anchore - An easy-to-integrate open source vulnerability scanning tool for container images and filesystems.

Hadolint - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.

Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.

Aqua Security - Simple and comprehensive vulnerability scanner for containers.

Fugue - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.

terraform-compliance - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.

Liam Galvin - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.

Cloud Native Computing Foundation - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.

Gustav Westling - Scan Kubernetes object definitions for security and performance misconfiguration.

ControlPlane - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.

Ansible Community - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.

The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.

Bridgecrew - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above.

Cider Security - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.

Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.

OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.

Madhu Akula - Intentionally vulnerable cluster environment to learn and practice Kubernetes security.

OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.

Pentest-Tools.com - Pentest-Ground is a free playground with deliberately vulnerable web applications and network services.

Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.

OWASP - A collection of vulnerable web applications for learning purposes.

OWASP - Vulnerable app with examples showing how to not use secrets

Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.

Streamdal - Embed privacy controls in your application code to detect and monitor PII as it enters and leaves your systems, preventing it from reaching unintended databases, data streams, or pipelines.

Ansible - Securely store secrets within Ansible pipelines.

Amazon AWS - Create and manage cryptographic keys in AWS.

Amazon AWS - Securely store retrievable application secrets in AWS.

Microsoft Azure - Securely store secrets within Azure.

StackExchange - Encrypt credentials within your code repository.

Chef - Securely store secrets within Chef.

Fugue - Securely store secrets within AWS using KMS and DynamoDB.

CyberArk - Secrets management for applications including secret rotation and auditing.

Docker - Store and manage access to secrets within a Docker swarm.

Amazon AWS - Scan git repositories for secrets committed within code or commit messages.

Gopass - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.

Google Cloud Platform - Securely store secrets within GCP.

HashiCorp - Securely store secrets via UI, CLI or HTTP API.

Spectral - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust.

Pinterest - Securely store, rotate and audit secrets.

Mozilla - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.

Spectral - A secrets management tool for developers - never leave your command line for secrets.

Microsoft - A credential scanning tool that can be run as a task in Azure DevOps pipelines.

Yelp - An aptly named module for (surprise, surprise) detecting secrets within a code base.

GitGuardian - A web-based solution that scans and monitors public and private git repositories for secrets.

Zachary Rice - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories.

AWS Labs - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.

Nightfall - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories.

Auth0 - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.

Spectral - Automated code security, secrets, tokens and sensitive data scanning.

Truffle Security - Searches through git repositories for secrets, digging deep into commit history and branches.

Microsoft - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.

Eldar Marcussen - Grep source code for potential security flaws with custom or pre-configured regex signatures.

Hawkeyesec - Modularised CLI tool for project security, vulnerability and general risk highlighting.

Semmle - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.

RIPS Technologies - Automated static analysis for PHP, Java and Node.js projects.

r2c - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time.

SonarSource - An IDE plugin that highlights potential security security issues, code quality issues and bugs.

SonarSource - Scan code for security and quality issues with support for a wide variety of languages.

David Wheeler - Scan C / C++ code for potential security weaknesses.

Puma Security - A Visual Studio plugin to scan .NET projects for potential security flaws.

Instrumenta - Create custom tests to scan any configuration file for security flaws.

Selefra - An open-source policy-as-code software that provides analytics for multi-cloud and SaaS.

Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.

OWASP - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.

SpotBugs - Static code analysis for Java applications.

JS Foundation - Linting tool for JavaScript with multiple security linting rules available.

securego - CLI tool to scan Go code for potential security flaws.

Security Code Scan - Static code analysis for C# and VB.NET applications.

Phan - Broad static analysis for PHP applications with some support for security scanning features.

Floe - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.

Design Security - Static analysis for PHP source code.

Python Code Quality Authority - Find common security vulnerabilities in Python code.

Justin Collins - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

Paolo Perego - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks.

StepSecurity - installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build.

SCAR - a browser extension helping developers evaluate open source packages before picking them.

Spectral - helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent Codecov hack.

sigstore is a set of free to use and open source tools, including fulcio, cosign and rekor, handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.

Anchore - A CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems.

Practical DevSecOps - A curated list of threat modelling resources.

Forseeti - Treat modelling and attack simulations for IT infrastructure.

IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.

DevSecOps - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.

Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.

OWASP - Threat model diagramming tool.

Microsoft - Threat model diagramming tool.

Threatspec - Define threat modelling as code.

Matthias Endler - A collection of dynamic analysis tools and code quality checkers.

A curated list of solutions, tools and resources for Platform Engineering

Matthias Endler - A collection of static analysis tools and code quality checkers.

Practical DevSecOps - A curated list of threat modeling resources.

OWASP - A collection of vulnerable web applications for learning purposes.