This self-paced course will help you prepare for the Azure Developer certification exam AZ-204: Developing Solutions for Microsoft Azure.
DevSecOps & Tools
In this blog, you will learn about Tools available for DevSecOps. DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.
Why DevSecOps is important?
IT infrastructure has undergone huge changes in recent years. The shift to dynamic provisioning, shared resources, and cloud computing has driven benefits around IT speed, agility and cost, and all of this has helped to improve application development.
DevOps vs. DevSecOps: The integration :
Integrating security into DevOps to deliver DevSecOps requires new mindsets, processes, and tools. Security and risk management leaders need to adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making security as silent and seamless as possible. However, this is difficult for two different disciplines.
How to Integrate the DevSecOps ?
- A developer creates code within a version control management system.
- The changes are committed to the version control management system.
- Another developer retrieves the code from the version control management system and carries out an analysis of the static code to identify any security defects or bugs in code quality.
- An environment is then created, using an infrastructure-as-code tool, such as Chef. The application is deployed and security configurations are applied to the system.
- A test automation suite is then executed against the newly deployed application, including back-end, UI, integration, security tests, and API.
- If the application passes these tests, it is deployed to a production environment.
- This new production environment is monitored continuously to identify any active security threats to the system.
Categories of DevSecOps :
Code Security Tools :
1.SonarQube / SonarCloud
2.Source Guard
3.Shiftleft Scan
4.checkmarx
5.Veracode Greenlight
Build Security Tools :
1.Burp Suite
2.Zed Attack Proxy (ZAP)
3.ModSecurity
4.WhiteSource Bolt
5.Skipfish
6. Veracode SourceClear
Code Security Tools :
1.Yelp
2.CredScan
3.Changeme
4.Secret-code-scanner
5.Veracode Greenlight
Artifactory Security Tools :
1.Jfrog Xray
2.Kroll Parser
3.Archiva
4.Aqua
5.Anchore
SCA Security Tools :
1.Qualys
2.Snyk
3.WhiteSource
4.Veracode
5.CheckMarx
Container Security Tools :
- Aqua Security Tools
- Anchore Container security
- Whitesource
- Twistlock
- Qualis
- Clair
Penetration Testing Tools :
- Qualys
- Snyk
- WhiteSource
- Veracode
Threat Modelling Tools :
1.OWASP Threat Dragon
2.Microsoft Threat Modelling Tool 2016.
3.Threat Modeler
4.Raindance
5.Threatspec
6.PyTM
Website Vulnerability Tools :
1.URL Freezer
2.SQLi Scanner
3.XSS Scanner
4.Drupal
5.Joomla
Overall the article looks good. But I disagree with few of the tools placed in wrong category.
Correct me, if I am wrong here:
1. Burp and ZAP are being used for catching low hanging fruits in automated fashion and should be in Test Phase rather than build phase.
2. Drupal and Joomla and popular PHP, MySQL based CMS not a vulnerability tools.
3. You forgot to include very famous paid TM tool i.e Irius
4. Do you suggest Qualys in CI/CD pipeline for security scanning?
5. Burp and ZAP and also Penetration Testing tools (DAST)
6. OWASP Dependency check is missing from Code security tools
7. I can’t see anything related to Application vulnerability management like DefectDojo