awesome-devsecops-learning-resources.md

File metadata and controls

118 lines (99 loc) · 7.86 KB

Awesome DevSecOps Learning Resources

DevSecOps learning resources

ToC

  1. Books
  2. Videos
  3. Free/Paid Courses
  4. Free/Paid Labs
  5. DevSecOps Tools
  6. DevSecOps Certifications
  7. Blogs/Articles

Books

Here are some DevSecOps learning resources to help you become a skilled DevSecOps engineer. They will boost your confidence in this domain, and you will be ready to explore further.

  1. The Phoenix Project by Gene Kim — A novel that illustrates how DevOps principles can transform IT operations and business performance. I would highly recommend this book to every IT professional, especially Developers, QA, Infra engineers, DevOps, and security folks.
  2. Learning DevSecOps — A practical guide to integrating security into DevOps pipelines to deliver secure software faster. Quite a new release (published in May 2024).
  3. Securing DevOps: Securing in the cloud - It explores modern DevOps security techniques and tools to secure cloud environments. It is one of the books that I have read in the past.
  4. Security in DevOps by PackT — Comprehensive strategies for embedding security into DevOps workflows.
  5. Agile Application Security — A guide to building secure applications with agile methodologies. Being a DevSecOps engineer, you should have a fair idea of AppSec.

Videos

Free/Paid Courses

  1. DevSecOps Fundamentals on Udemy - A beginner’s course on understanding and implementing DevSecOps practices in software development.
  2. DevSecOps for Absolute Beginners - An introductory course for those new to DevSecOps, covering key concepts and tools.
  3. DevSecOps by KodeCloud - A practical course on mastering DevSecOps tools and methodologies with hands-on labs. You should try it.

Free/Paid DevSecOps Labs

  1. DevSecOps Integra project
  2. DevSec Hardening project
  3. DevSecOps projects
  4. DevSecOps Playbook
  5. DevSecOps Bootcamp

DevSecOps Certifications

  1. CDP by Practical DevSecOps — Certified DevSecOps Professional, a hands-on certification focused on applying security in DevOps practices. I gave my feedback after this examination in 2020.
  2. DevSecOps Essentials by EC-Council — A foundational certification covering essential skills and knowledge for implementing security in DevOps.
  3. E|CDE by EC-Council — EC-Council Certified DevSecOps Engineer, designed for professionals aiming to integrate security into DevOps environments.

Blogs/Articles

Blog, articles, and other relevant learning resources

  1. DevSecOps University by Practical DevSecOps
  2. OWASP DevSecOps Maturity Model
  3. What Security Engineer should learn from DevSecOps
  4. Introduction to DevSecOps
  5. Security in DevOps: Staying secure in agile development

DevSecOps Tools

DevSecOps tools can be categorised into several groups based on their functionality.

These categories include:

Static Application Security Testing (SAST) Tools

  1. SonarQube: Static code analysis tool supporting multiple programming languages.
  2. Bandit: A security linter for Python.
  3. Brakeman: Security scanner for Ruby on Rails applications.
  4. SpotBugs: Static analysis tool to find security vulnerabilities in Java code.
  5. Semgrep: Lightweight static analysis tool supporting multiple languages and frameworks.
  6. Coverity: Comprehensive static code analysis to detect software defects and vulnerabilities.

Secrets Scanning Tools

  1. git-secrets: Detects secrets and sensitive information within git commits and prevents them from being included.
  2. Trufflehog
  3. Talisman
  4. Whispers
  5. gitleaks

Secrets Management Tools

  1. HashiCorp Vault
  2. CyberArk Conjur
  3. AWS Secrets Manager
  4. Azure Key Vault

Dynamic Application Security Testing (DAST) Tools

  1. OWASP ZAP: Open-source tool used to find vulnerabilities in web applications.
  2. Nikto: Web server scanner that detects outdated versions and security issues.
  3. Arachni: Web application security scanner for identifying vulnerabilities.
  4. Burp Suite: Integrated platform for performing security testing of web applications.
  5. Akto and Levo (API Security): Tools designed to scan and secure APIs.

Software Composition Analysis (SCA) Tools

  1. Snyk: Security platform that scans open-source dependencies for known vulnerabilities.
  2. OWASP Dependency-Check: Open-source tool to identify publicly disclosed vulnerabilities in dependencies.
  3. Dependabot: Automatically checks dependencies for vulnerabilities and sends pull requests to update them.
  4. Retire.js: Scanner that helps identify known vulnerabilities in JavaScript libraries.
  5. npm audit: Security audit tool for Node.js applications, focusing on package vulnerabilities.

Container Security Tools

  1. Clair: Open-source tool for the static analysis of vulnerabilities in containers.
  2. Trivy: Comprehensive vulnerability scanner for containers, Kubernetes, and IaC.
  3. Checkov: Infrastructure as Code static analysis tool for Terraform, Kubernetes, and more.
  4. Kube-bench: Checks whether Kubernetes clusters are deployed according to security best practices.
  5. Kubesec: Tool to secure Kubernetes resources by scanning YAML files.
  6. Hadolint: Dockerfile linter that checks for best practices and potential vulnerabilities.
  7. Twistlock

Infrastructure as Code (IaC) Security Tools

  1. Terraform-grunt: Tool to test the security of Terraform configurations.
  2. ScoutSuite: Multi-cloud security auditing tool for cloud infrastructure.
  3. KICS by Checkmarx: Open-source IaC scanning tool for identifying vulnerabilities.
  4. TFLint: Linter to detect errors and security issues in Terraform templates.
  5. Prowler: Security tool to perform AWS security best practices checks.
  6. Terrascan: A static code analyzer for IaC that detects vulnerabilities.

Compliance and Governance Tools

Think of policy as code and compliance as code from a DevOps and DevSecOps perspective.

  1. Chef InSpec: Framework for defining and testing security and compliance policies as code.
  2. Open Policy Agent (OPA): General-purpose policy engine for enforcing policies across the stack.
  3. HashiCorp Sentinel: Policy-as-code framework integrated with HashiCorp products.
  4. AWS Config: Monitors and audits the configuration of AWS resources to maintain compliance.
  5. OpenSCAP: Suite of open-source tools for auditing compliance with security standards.

Security Dashboard and Analytics Tools

  1. DefectDojo: Open-source application vulnerability management tool.
  2. ELK: Elasticsearch, Logstash, and Kibana stack for centralized logging and analytics.
  3. OWASP Dependency-Track: Continuous monitoring of vulnerabilities in third-party dependencies.
  4. JFrog Xray: Universal component analysis tool to detect vulnerabilities and license compliance issues.