DevSecOps


Components of DevSecOps

  1. Code Analysis
  2. Change Management
  3. Compliance Monitoring
  4. Threat Investigation
  5. Vulnerability Assessment 
  6. Security Training
Ops-side Automation

1. Vulnerability scanning
2. Network Security
3. Automated Patching Compliance
4. Encryption 

Type of Tools

1. Static Application Security Testing (SAST)
1.1. Fortify
1.2. AppScan
1.3. CheckMarx
1.4. SonarQube
1.5. Burp
1.6. Nessus
1.7. MobSF
1.8. Crucible (auditing software)
Open-source tools:
1.9. FindSecBugs
1.10. Brakeman
1.11. PMD

2. Dynamic Application Security Testing (DAST)
2.1. WebInspect
2.2. Burp
2.3. AppSpider
2.4. sqlmap
Open-source tools:
2.5. ZAP

* Vulnerability Testing
1. Qualys
2. Nessus
3. OpenVAS (Free)
4. NACL (Cloud security check)

3. Interactive Application Security Testing (IAST)
It uses instrumentation, like a performance monitoring tool, and works at the JRE or .NET runtime level.
3.1. Contrast
3.2. Seeker

* Continuous Monitoring
1. Recon-ng (for Python)
2. Contrast RASP

* OWASP Glue Tool Project: a Docker container that keeps all the tools together.

These tools should be part of a single CI/CD pipeline. FindSecBugs also integrates with Java IDEs.
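As an added example (not from the original post, and not the code of any tool listed above), the script below shows the glue that makes these tools part of one pipeline: each stage (SAST, DAST, vulnerability scan) writes a findings report, a gate step merges them and fails the build when any finding meets the severity threshold. The report format, the stage names and all findings are constructed for this example; a real pipeline would convert each tool's native output into this shape.

```python
"""Added example: a CI/CD security gate that merges scanner findings and
fails the build on severity. Report format and findings are constructed."""
import json
import sys

# Severity ordering used to compare findings against the gate threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample reports standing in for the JSON each pipeline stage
# would write (these are not real scanner outputs).
SAMPLE_REPORTS = {
    "sast": {"tool": "sast-scanner", "findings": [
        {"id": "SAST-001", "severity": "high",
         "location": "app/db.py:42", "title": "SQL query built by string concatenation"},
        {"id": "SAST-002", "severity": "low",
         "location": "app/log.py:17", "title": "Sensitive value written to log"},
    ]},
    "dast": {"tool": "dast-scanner", "findings": [
        {"id": "DAST-010", "severity": "medium",
         "location": "GET /search?q=", "title": "Reflected input without output encoding"},
    ]},
    "vuln": {"tool": "dependency-scanner", "findings": [
        {"id": "DEP-100", "severity": "critical",
         "location": "requirements.txt", "title": "Dependency with known vulnerable version"},
    ]},
}


def load_report(path):
    """Read one stage's JSON report from disk (hypothetical file layout)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def normalize(stage, report):
    """Flatten one report into findings tagged with their stage and tool.

    An unrecognised severity is mapped to 'critical' so that a malformed
    report fails the gate closed instead of slipping through as 'info'.
    """
    findings = []
    for f in report.get("findings", []):
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            sev = "critical"
        findings.append({"stage": stage, "tool": report.get("tool", stage),
                         "id": f.get("id", "?"), "severity": sev,
                         "location": f.get("location", ""),
                         "title": f.get("title", "")})
    return findings


def merge_reports(reports):
    """Combine every stage's report into one list of normalised findings."""
    merged = []
    for stage, report in reports.items():
        merged.extend(normalize(stage, report))
    return merged


def evaluate_gate(findings, threshold="high"):
    """Return (passed, blockers); blockers are findings at or above threshold,
    most severe first."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {threshold!r}")
    limit = SEVERITY_RANK[threshold]
    blockers = [f for f in findings if SEVERITY_RANK[f["severity"]] >= limit]
    blockers.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return (len(blockers) == 0, blockers)


def main(argv=None):
    """Pipeline entry point: exit code 1 fails the build, 0 lets it proceed."""
    argv = sys.argv[1:] if argv is None else argv
    threshold = argv[0] if argv else "high"
    findings = merge_reports(SAMPLE_REPORTS)
    passed, blockers = evaluate_gate(findings, threshold)
    print(f"{len(findings)} findings, gate threshold={threshold}")
    for f in blockers:
        print(f"  BLOCK [{f['severity']:<8}] {f['stage']}/{f['id']} "
              f"{f['location']}: {f['title']}")
    print("gate PASSED" if passed else "gate FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a late pipeline step with the threshold as its only argument (for example `python gate.py high`); the non-zero exit code is what makes the CI job fail. The fail-closed handling of unknown severities matters in practice: a tool upgrade that changes its severity labels should break the gate visibly rather than quietly wave everything through.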

Reference
