Awesome DevSecOps
Curating the best DevSecOps resources and tooling.
Thank you TaptuIT & contributors
View Topic on GitHub: TaptuIT/awesome-devsecops
Articles
Pager Duty - Guidelines to running security training within an organisation.
Communities
Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.
Conferences
OWASP - An Australian application security conference run by OWASP.
Podcasts
Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.
Security Journey - Interviews with industry experts about specific application security concepts.
Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.
OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.
Snyk - Discussion about security tools and best practices for software developers.
Secure Development Guidelines
OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
CERT - A collection of secure development standards for C, C++, Java and Android development.
OWASP - OWASP's list of top ten controls that should be implemented in every software development project.
Mozilla - A guideline containing specific secure development standards for secure web application development.
OWASP - A checklist to verify that secure development standards have been followed.
Secure Development Lifecycle Framework
Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
Toolchains
XebiaLabs - A collection of DevOps and security tooling categorised by tool functionality.
SANS - A list of security specific practices and tooling categorised into pipeline phases and tool functionality.
Training
Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.
Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.
Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to employees.
Free trainings and labs - Written by PortSwigger.
Wikis
Dependency Management
Dependabot is a dependency update service. It monitors and updates your dependencies by sending a pull-request. The service is free for public repos and personal account repos.
OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.
NPM - Vulnerable package auditing for node packages built into the npm CLI.
WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.
Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).
Dynamic Analysis
Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
A ruggedization framework that embodies the principle "be mean to your code".
A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
The OWASP ZAP core project
PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
CloudFormation
Linting tool for CloudFormation templates
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Containers
Vulnerability Static Analysis for Containers
A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running containers to detect anomalous activities.
Dockerfile linter, validate inline bash, written in Haskell
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
Terraform
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Regula checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
🔒🌍 Security scanner for your Terraform code
Kubernetes
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Kubernetes object analysis with recommendations for improved reliability and security
Security risk analysis for Kubernetes resources
Intentionally Vulnerable Applications
Memorable site for testing clients against bad SSL configs.
Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
PHP/MySQL web application that is damn vulnerable.
OWASP - A collection of vulnerable web applications for learning purposes.
Monitoring
Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.
Secrets Management
Safely store secrets in Git/Mercurial/Subversion
Securely manage passwords, certs, and other secrets in Chef
A little utility for managing credentials in the cloud
Prevents you from committing secrets and credentials into git repositories
The slightly more awesome standard unix password manager for teams
Knox is a secret management service
Simple and flexible tool for managing secrets
Ansible - Securely store secrets within Ansible pipelines.
A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
Microsoft Azure - Securely store secrets within Azure.
CyberArk - Secrets management for applications including secret rotation and auditing.
Docker - Store and manage access to secrets within a Docker swarm.
Google Cloud Platform - Securely store secrets within GCP.
An encrypted datastore secure enough to hold environment and application secrets.
Multi-Language Support
DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.
grep rough audit - source code auditing tool
A project security/vulnerability/risk scanning tool
Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.
A static source code analyser for vulnerabilities in PHP scripts.
SonarSource - Scan code for security and quality issues with support for a wide variety of languages.
C / C++
A static analysis tool for finding vulnerabilities in C/C++ source code.
C#
Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
Configuration Files
Write tests against structured configuration data using the Open Policy Agent Rego query language
Java
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)
SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.
JavaScript
JS Foundation - Linting tool for JavaScript with multiple security linting rules available.
Go
Golang security checker
.NET
Vulnerability Patterns Detector for C# and VB.NET
PHP
Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.
phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code
A static analysis tool for security
Python
Bandit is a tool designed to find common security issues in Python code.
Ruby
A static analysis security vulnerability scanner for Ruby on Rails applications
Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.
Threat Modelling
A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.
Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.
Foreseeti - Threat modelling and attack simulations for IT infrastructure.
IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.
Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.
Microsoft - Threat model diagramming tool.
Related Lists
Dynamic analysis tools for all programming languages, build tools, config files and more.
A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.
OWASP - A collection of vulnerable web applications for learning purposes.