English • 한국어 • 日本語

Roadmap for everyone who wants DevSecOps.

What is DevSecOps and Why is it Important?

DevSecOps is a culture and practice that aims to integrate security into every phase of the software development lifecycle (SDLC). It emphasizes collaboration between Development, Security, and Operations teams. The goal is to build secure software from the ground up, reduce vulnerabilities, and ensure faster, safer deployments. This roadmap provides a curated list of resources and tools to help individuals and organizations implement DevSecOps practices.

📜 Table of Contents

• Roadmap
• Tools
• Resources
  • 0. DevSecOps Overview
  • 1. Design
  • 2. Develop
  • 3. Build
  • 4. Test
  • 5. Deploy
  • 6. Operate and Monitor
• Security of CICD
• Awesome resources
• Other roadmaps
• Wrap Up
• Contributors
• Contribute

📖 How to Use This Roadmap

This roadmap is designed to be a comprehensive guide for individuals and organizations looking to adopt or improve their DevSecOps practices. Here's how you can make the most of it:

1. Understand the Basics: If you're new to DevSecOps, start with the "What is DevSecOps and Why is it Important?" section to get a foundational understanding.
2. View the Big Picture: The main Roadmap image provides a visual overview of the different stages and areas within DevSecOps. Use this to orient yourself.
3. Explore Tools: The Tools section offers a curated list of software and services that can help you implement various DevSecOps capabilities.
4. Dive into Resources: The Resources section is categorized by the DevSecOps lifecycle (Design, Develop, Build, Test, Deploy, Operate and Monitor). Each category contains links to articles, guides, and official documentation. You can explore these based on your specific needs or areas of interest.
5. Focus on CI/CD Security: If your focus is on securing your pipelines, the Security of CICD section provides targeted resources.
6. Contribute: This is a community-driven effort. If you have suggestions, find broken links, or want to add new resources, please see our CONTRIBUTING.md guide.

You don't have to go through it linearly. Feel free to jump to the sections that are most relevant to your current challenges or learning goals.

💭 Roadmap

🔩 Tools

This project includes a curated list of tools to help you implement DevSecOps practices. These tools cover various stages of the SDLC, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), secret management, threat modeling, component analysis, and more.

➡️ Explore the DevSecOps Tools List

This list is designed to help you quickly find and compare tools, reducing the time spent on searching and decision-making.

📦 Resources

0. DevSecOps Overview

• Overview
  1. DevSecOps in Wikipedia
  2. Zero to DevSecOps (OWASP Meetup)
  3. DevSecOps What Why And How (BlackHat USA-19)
  4. DevSecOps – Security and Test Automation (Mitre)
  5. DevSecOps: Making Security Central To Your DevOps Pipeline
  6. Strengthen and Scale security using DevSecOps
  7. DSOVS (OWASP DevSecOps Verification Standard)
  8. What is DevSecOps? (Github)

1. Design

• Development Lifecycle
  1. SDL(Secure Development Lifecycle) by Microsoft
  2. OWASP's Software Assurance Maturity Model
  3. Building Security In Maturity Model (BSIMM)
  4. NIST's Secure Software Development Framework
  5. DevSecOps basics: 9 tips for shifting left (Gitlab)
  6. 6 Ways to bring security to the speed of DevOps (Gitlab)
• Threat Model
  1. What is Threat Modeling / Wikipedia
  2. Threat Modeling by OWASP
  3. Application Threat Modeling by OWASP
  4. Agile Threat Modeling Toolkit
  5. OWASP Threat Dragon

2. Develop

• Secure Coding
  1. Secure coding guide by Apple
  2. Secure Coding Guidelines for Java SE
  3. Go-SCP / Go programming language secure coding practices guide
  4. Android App security best practices by Google
  5. Securing Rails Applications

3. Build

• SAST(Static Application Security Testing)
  1. Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1
  2. Announcing third-party code scanning tools: static analysis & developer security training
  3. SAST levels defined by OWASP

4. Test

• DAST(Dynamic Application Security Testing)
  1. Dynamic Application Security Testing with ZAP and GitHub Actions
  2. Dynamic Application Security Testing (DAST) in Gitlab
  3. DAST using projectdiscovery Nuclei (github action)
  4. ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages
  5. DAST levels defined by OWASP
• Penetration testing
  1. Penetration Testing at DevSecOps Speed

5. Deploy

• Security Hardening & Config
  1. CIS Benchmarks
  2. DevSecOps in Kubernetes
• Security Scanning
  1. Best practices for scanning images (docker)

6. Operate and Monitor

• RASP(Run-time Application Security Protection)
  1. Runtime Application Self-Protection by rapid7
  2. Jumpstarting your devsecops - Pipeline with IAST and RASP
• Security Audit
• Security Monitor
  1. IAST(Interactive Application Security Testing)
     • IAST levels defined by OWASP
  2. Metrics, Monitoring, Alerting
• Security Analysis
  1. Attack Surface Analysis Cheat Sheet by OWASP

Security of CICD

• Github Actions
  1. Security hardening for GitHub Actions
  2. Github Actions Security Best Practices
  3. GitHub Actions Security Best Practices [cheat sheet included]
• Jenkins
  1. Securing Jenkins
  2. Securing Jenkins CI Systems by SANS
  3. DEPRECATED/chef-jenkins-hardening

Awesome Resources

• https://github.com/TaptuIT/awesome-devsecops

🚀 Other roadmaps

U.S. Department of Defense	Larry Maccherone
The DevSecOps Security Checklist	Gitlab security devops diagram

🙏🏼 Wrap Up

If you think the roadmap can be improved, please do open a PR with any updates and submit any issues. Also, I will continue to improve this, so you might want to star this repository to revisit.

Idea from: Go Developer Roadmap

Contributors