GithubHelp home page GithubHelp logo

isabella232 / devsecopsguideline Goto Github PK

View Code? Open in Web Editor NEW

This project forked from owasp/devsecopsguideline

0.0 0.0 0.0 754 KB

The OWASP DevSecOps Guideline can help us to embedding security as a part of the development pipeline.

Home Page: https://owasp.org/www-project-devsecops-guideline/

devsecopsguideline's Introduction

OWASP DevSecOps Guideline

The OWASP DevSecOps Guideline focuses on explaining how we can implement a secure pipeline and using best practices and introduce tools that we can use in this matter. Also, the project trying to help us for promoting the shift-left security culture in our development process.
This project helps any companies in each size that have development pipeline or in other words have DevOps pipeline. During this project, we try to draw a perspective of a secure DevOps pipeline and then improve it based on our customized requirements.

Initial steps

DevSecOps is all about putting security into DevOps. But to keep up with the pace of CI/CD security has to be injected early, into software writing and testing.

DevSecOps cycle

OWASP Proactive Controls lists the top 10 security controls every developer has to implement while coding any application. Consider this set as the starting point when you have to design, write or test code in the DevSecOps cycle.

You can also follow the OWASP Software Assurance Maturity Model (SAMM) to establish what to consider for security requirements (and more) according to your maturity level.

What to add in a pipeline

DevSecOps pipeline At first, we consider to implement the following steps in a basic pipeline:

  • Take care secrets and credentials in git repositories
  • SAST (Static Application Security Test)
  • SCA (Software Composition Analysis)
  • IAST (Interactive Application Security Testing)
  • DAST (Dynamic Application Security Test)
  • Infrastructure scanning
  • Compliance check

We can customize the steps of our pipeline according to our Software Development Life Cycle (SDLC) or software architecture and add automation progressively if we are just starting out. For instance we can switch from SAST/DAST to a regular test suite with built-in security controls or add an audit script checking for known vulnerable dependencies.

CI/CD is an advantage for SecOps, being a privileged entry point for security measures and controls. However, when using CI/CD tools to provide automation keep in mind that the tools themselves often expand your attack surface, so put security controls on building, deployment and automation software too.

The project page in OWASP website is here

devsecopsguideline's People

Contributors

ali-yazdani avatar cirku17 avatar coadaflorin avatar ioggstream avatar kursatoguzhanakinci avatar miladbr avatar oppedijk avatar paras-malhotra avatar resxar avatar sude29537 avatar sumitvgithub avatar vijulp avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.