DevSecOps - All in one

On this page you will find tools and references to not-to-be-missed documentation for a good start in DevSecOps.
DevSecOps - All in one

Image from https://news.aliasrobotics.com/secdevops/.

I will not talk about agility but only the technical part. Indeed, I will help you to integrate the security in the full life cycle of your projects.

I split the different tools in four categories.

The two first categories are SAST (Static application Security Testing) and DAST (Dynamic Application Security Testing). Both SAST and DAST are methods for security testing, but they are used very differently. This article explains more in detail the difference between this two techniques.

The two others categories are monitoring and reporting.

SAST (Static Analysis)

Git Secrets

This two tools below search for sensitive information (private keys, credentials, API KEY, ...) in your Git repository, I strongly suggest you to use them if you have public repositories.

Tools : Truffle Hog / Gitleaks

Code Analysis

Code analysis is a very important part for detecting vulnerabilities in your applications.

Our goals is to detect vulnerabilities as soon of possible, this where IDE Plugins come in. They will help developers to detect weaknesses in their code before commit it.

There is a list a IDE plugins for :
Java : SonarLint, findbugs-eclipse-plugin, Snyk Security Scanner, shift-left scan
PHP : PHP Phan, PHP IntelliSense
JS : ESLint, JSHint / JSLint, JS Snippets
They are plenty others plugins available.

In addition to the plugins, you need to use code analysis tools in your pipeline. For example, this pipeline can be triggered when a commit is made.

Tools : Sonarqube support a large variety of language.
Don't hesitate to look for tools that are specific to your programming languages, for example in PHP you have : phpstan, phpcs-security-audit, ...

CVE in dependencies / docker images / config files / ...

CVE stands for Common Vulnerability Exposure. It's very important to often check if your dependencies contains known vulnerabilities, especially for public applications. It can be very trivial for an attacker to detects which services you use and their versions.

Docker images : Trivy, Clair, Anchore
Dockerfile : hadolint, Dockle
Terrafrom : Checkov, Terrascan
Ansible : ansible-lint
Nginx : GIXY
Dependencies : OWASP Dependency-Check
Again here, you can check for more tools according to what you need to secure. For example, in PHP you install packages through composer, so you can look for a tool that scan composer packages, ex : composersecuritychecker.

DAST (Dynamic Analysis)

Instead of SAST, dynamic analysis requires a running application. This second technique will complement the work made by static analysis.

Web Scanner : OWASP ZAP, Nikto
SQL Injection : sqlmap
Vulnerability Scanner : OpenVAS, Nessus
Port Scanner : nmap
As always, try to find tools that are made for your applications.

Tips : SecureCodebox offers you different docker images for these tools.

Monitoring

Logs & alerting : logwatch
Attack detection : PortSentry, scanlogd, Snort, Blare

Reporting

Reporting is the key to patch vulnerabilities quickly. Everyone in the project must be aware of all the vulnerabilities not yet solved. You need to centralize the reports of all your tools at the same place.

Vulnerability management tool : DefectDojo

Tips : If you use Jira as tickets system, some tools send directly the reports to it or with the help of a plugin.

If you are still motivated, here is a list of amazing references.

References

I hope you enjoyed this article !