Awesome DevSecOps

Curating the best DevSecOps resources and tooling.

Last Update: Dec. 4, 2020, 3:06 p.m.

Thank you TaptuIT & contributors
View Topic on GitHub: TaptuIT/awesome-devsecops

Articles

Pager Duty - Guidelines to running security training within an organisation.

Communities

Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.

Conferences

OWASP - An Australian application security conference run by OWASP.

Snyk - A network of DevSecOps conferences run by Snyk.

Podcasts

Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.

Security Journey - Interviews with industry experts about specific application security concepts.

Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.

OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.

Snyk - Discussion about security tools and best practices for software developers.

Secure Development Guidelines

OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.

CERT - A collection of secure development standards for C, C++, Java and Android development.

OWASP - OWASP's list of top ten controls that should be implemented in every software development project.

Mozilla - A guideline containing specific secure development standards for secure web application development.

OWASP - A checklist to verify that secure development standards have been followed.

Secure Development Lifecycle Framework

Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.

NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.

Toolchains

XebiaLabs - A collection of DevOps and security (DevSecOps) tooling categorised by tool functionality.

SANS - A list of security specific practices and tooling categorised into pipeline phases and tool functionality.

Training

Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.

Variety of VM and online challenges (paid).

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to employees.

Wikis

Dependency Management

Dependabot is a dependency update service. It monitors your dependencies and updates them by opening a pull request. The service is free for public repos and personal account repos.

OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.

OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.

JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.

NPM - Vulnerable package auditing for node packages built into the npm CLI.

WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.

Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.

Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).

Dynamic Analysis

Imperva's customizable API attack tool takes an API specification as input and generates and runs attacks based on it.

A ruggedization framework that embodies the principle "be mean to your code".

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

The OWASP ZAP core project

PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.

Cloud Formation

Linting tool for CloudFormation templates

Prevent cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes, Serverless Framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

Containers

Vulnerability Static Analysis for Containers

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running containers to detect anomalous activity.

Dockerfile linter, validate inline bash, written in Haskell

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.

Terraform

Prevent cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes, Serverless Framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

🔒🌍 Security scanner for your Terraform code

Kubernetes

Prevent cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes, Serverless Framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

Kubernetes object analysis with recommendations for improved reliability and security

Security risk analysis for Kubernetes resources

Intentionally Vulnerable Applications

Memorable site for testing clients against bad SSL configs.

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

PHP/MySQL web application that is damn vulnerable.

OWASP - A collection of vulnerable web applications for learning purposes.

Monitoring

Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.

Secrets Management

Safely store secrets in Git/Mercurial/Subversion

Securely manage passwords, certs, and other secrets in Chef

A little utility for managing credentials in the cloud

Prevents you from committing secrets and credentials into git repositories

The slightly more awesome standard unix password manager for teams

Knox is a secret management service

Simple and flexible tool for managing secrets

Ansible - Securely store secrets within Ansible pipelines.

A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Microsoft Azure - Securely store secrets within Azure.

CyberArk - Secrets management for applications including secret rotation and auditing.

Docker - Store and manage access to secrets within a Docker swarm.

Google Cloud Platform - Securely store secrets within GCP.

An encrypted datastore secure enough to hold environment and application secrets.

Multi-Language Support

DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.

grep rough audit - source code auditing tool

A project security/vulnerability/risk scanning tool

Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.

A static source code analyser for vulnerabilities in PHP scripts.

SonarSource - Scan code for security and quality issues with support for a wide variety of languages.

C / C++

A static analysis tool for finding vulnerabilities in C/C++ source code.

C

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.

Configuration Files

Write tests against structured configuration data using the Open Policy Agent Rego query language

Java

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.

JavaScript

JS Foundation - Linting tool for JavaScript with multiple security linting rules available.

Go

Golang security checker

.NET

Vulnerability Patterns Detector for C# and VB.NET

PHP

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code

A static analysis tool for security

Python

Bandit is a tool designed to find common security issues in Python code.

Ruby

A static analysis security vulnerability scanner for Ruby on Rails applications

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

Threat Modelling

A curated list of threat modeling resources (books, courses both free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.

Foreseeti - Threat modelling and attack simulations for IT infrastructure.

IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.

Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.

OWASP - Threat model diagramming tool.

Microsoft - Threat model diagramming tool.

Threatspec - Define threat modelling as code.

Related Lists

Dynamic analysis tools for all programming languages, build tools, config files and more.

A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

A curated list of threat modeling resources (books, courses both free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

OWASP - A collection of vulnerable web applications for learning purposes.