Open-source project name: sottlmarek/DevSecOps
Open-source project URL: https://github.com/sottlmarek/DevSecOps
Open-source programming language:
Open-source project introduction:

Ultimate DevSecOps library

Contribution rules
If you want to contribute to this library of knowledge, please create a proper PR (pull request) with a description of what you are adding, following this set of rules:
Note: This is currently an early version of the library. I recommend submitting PRs after the first official release.

DevSecOps library info: This library contains a list of tools and methodologies accompanied by resources. The main goal is to give engineers a guide through open-source DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents
What is DevSecOps
DevSecOps focuses on security automation, testing and enforcement during the DevOps, release and SDLC cycles. The whole idea behind this methodology is connecting Development, Security and Operations. DevSecOps is a methodology providing different methods, techniques and processes, backed mainly by tooling that focuses on the developer / security experience. DevSecOps makes sure that security is part of every stage of the DevOps loop: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor. Various definitions:
Tooling
Pre-commit time tools
In this section you can find lifecycle helpers, pre-commit hook tools and threat modeling tools. Threat modeling tools are a specific category by themselves, allowing you to simulate and discover potential gaps before you start to develop the software or during the process. Modern DevSecOps tools allow using threat modeling as code, or generating threat models from existing code annotations.
Secrets management
Secrets management includes managing, versioning, encrypting, discovering, rotating and provisioning passwords, certificates, configuration values and other types of secrets.
OSS and dependency management
Dependency security testing and analysis is a very important part of discovering supply chain attacks. SBOM creation followed by dependency scanning (software composition analysis) is a critical part of continuous integration (CI). Tracking data series and trends over time should be part of CI tooling. You need to know what you produce and what you consume in the context of libraries and packages.
Supply chain specific tools
The supply chain is often the target of attacks. Which libraries you use can have a massive impact on the security of the final product (artifacts). CI (continuous integration) must be monitored inside the tasks and jobs of the pipeline steps. Integrity checks must be stored outside of the system, and ideally several validation runs with comparison of integrity hashes and/or attestation must be performed.
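As an added illustration of the two sections above (SBOM trend tracking and out-of-band integrity checks), not code from the sottlmarek/DevSecOps repository: the script below diffs a minimal CycloneDX-style SBOM from the previous build against the current one, so a CI job can flag newly introduced, dropped or re-versioned dependencies, and checks an artifact digest against a value kept outside the build system. The SBOM documents and the expected digest are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample SBOMs in a minimal CycloneDX-like shape (not real project data).
BASELINE_SBOM = json.dumps({"components": [
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "urllib3", "version": "1.26.12", "purl": "pkg:pypi/urllib3@1.26.12"},
]})
CURRENT_SBOM = json.dumps({"components": [
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "urllib3", "version": "1.26.13", "purl": "pkg:pypi/urllib3@1.26.13"},
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
]})


def components(sbom_json):
    """Map component name -> version from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def diff_sboms(baseline_json, current_json):
    """Report what changed between two builds: new, dropped and re-versioned deps.

    In CI this is the 'data series' the text asks for: every build compares
    against the last accepted SBOM, so an unexpected new package or version
    bump shows up as a review item instead of silently entering the artifact.
    """
    old, new = components(baseline_json), components(current_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def verify_artifact(data, expected_sha256_hex):
    """Compare an artifact digest with one stored outside the build system.

    The expected digest must come from an out-of-band source (release notes,
    a signed manifest, an attestation), never from the pipeline that built it.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


if __name__ == "__main__":
    print(json.dumps(diff_sboms(BASELINE_SBOM, CURRENT_SBOM), indent=2))
```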
SAST
Static code review tools work with source code, looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with built packages.