DevSecOps

Secret Management

Hashicorp Vault

HashiCorp provides useful labs for all their products here.

Secrets Management Using Vault in K8S here

Container security

Container security checklist: From the image to the workload here

SDLC

Frameworks

Interesting: the National Institute of Standards and Technology (NIST) just published a framework for secure development here

SAMM provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. This maturity model is maintained by OWASP here

AppSec

How to build an AppSec program based on risk:

AppRisk program

DevSecOps

CI/CD threat matrix

Repo - Common Threat Matrix for CI/CD Pipeline here

List of the top 10 CI/CD security risks here

DevSecOps tools

This library contains a list of tools and methodologies, accompanied with resources, here and here

DevSecOps Roadmap

Collection and Roadmap for everyone who wants DevSecOps here

DevSecOps Gitlab dynamic template management

Dynamic pipeline with Gitlab here.

How to use include with gitlab here

DevSecOps Guideline

The OWASP DevSecOps Guideline focuses on explaining how we can implement a secure pipeline using best practices, and introduces tools that we can use for this purpose here

Integrating Compliance Controls and Audit into CI/CD Processes here

DevOps culture

Optimizing CI/CD Credential Hygiene – A Comparison of CI/CD Solutions here

Article

Why DevSecOps is important and what are the benefits? here.

Embed Kubernetes security at each phase of the DevOps lifecycle: here

10 real-world stories of how we’ve compromised CI/CD pipelines here

Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues here

Interesting blog from GitGuardian with several articles on DevSecOps and secrets detection here

Infrastructure As Code (IaC)

Fantastic Infrastructure as Code security attacks and how to find them here

Terraform - 5 ways to create Infrastructure in Multiple Environments here

Hide malicious Terraform code with ANSI escape sequences here

A Guide to Improving Security Through Infrastructure-as-Code here

Secure Coding

This resource presents many best practices for application coding. This guide takes into account that many of our developers write integration pieces with the Lightning Platform and includes examples from other web platforms such as Java, ASP.NET, PHP and Ruby here

Standard & Compliance

The CIS benchmark for Software Supply Chain is available here