• Stars
    star
    4,394
  • Rank 9,751 (Top 0.2 %)
  • Language
  • License
    Creative Commons ...
  • Created about 9 years ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An authoritative list of awesome devsecops tools with the help from community experiments and contributions.

Awesome DevSecOps Awesome

Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program.

This list will not be fully comprehensive and will change as DevSecOps matures. We intend for it to be an awesome list that grows and changes as the community learns and improves how DevSecOps is implemented and adopted. To be included in this list, the information, tools, vendors or initiative must provide for Free or Open Source capabilities that help with the DevSecOps mission. Links that lead to a commercial aspect are noted with a (P).

Table of Contents generated with DocToc

Information

We've been working across the industry to learn more about the different types of DevOps + Security initiatives. This collection has been pulled together and includes: Podcasts, Videos, Presentations, and other Media to help you learn more about DevSecOps, SecDevOps, DevOpsSec, and/or DevOps + Security.

Guidelines

While we're not into the paper-way of doing things, sharing sound advice and good recommendations can make software stronger. We aim to make these guidelines better through code.

Presentations

Many talks are now targeting the change of adding Security into the DevOps environment. We've added some of the most notable ones here.

Initiatives

There are a variety of initiatives underway to migrate security and compliance into DevOps. We've included links for active projects here:

Keeping Informed

We've discovered a treasure trove of mailing lists and newsletters where DevSecOps like us are sharing their skills and insights.

Wardley Maps for Security

One way for people to continue to evolve their capabilities and share common understanding is through the development of Wardley Maps. We're collecting this information and providing some good examples here.

Training

DevSecOps requires an appetite for learning and agility to quickly acquire new skills. We've collected these links to help you learn how to do DevSecOps with us.

Labs

Labs are hands-on learning opportunities to grow your skills in Dev, Sec, and Ops. All skills are useful and need to be grown so that you can have the empathy, knowledge and trade to operate DevSecOps style.

Vulnerable Test Targets

It's important to build up knowledge by learning how to break applications left vulnerable by security mistakes. This section contains a list of vulnerable apps that can be deployed to learn what not to do. These same apps can be made safe by remediating the intentional vulnerabilities to learn how to prevent attackers from gaining access to underlying infrastructure or data.

Conferences

A body of knowledge for combining DevOps and Security has been delivered via conferences and meetups. This is a short list of the venues that have dedicated a portion of their agenda to it.

Podcasts

A small collection of DevOps and Security podcasts.

Books

Books focussed around DevSecOps, bringing the security focus up front.

Tools

This collection of tools are useful in establishing a DevSecOps platform. We have divided the tools into several categories that help with the different divisions of DevSecOps.

Dashboards

Visualization is an important element of identifying, sharing and evolving the security information that passes from the beginning of the creative process through to operations.

Automation

Automation platforms have an advantage of providing for scripted remediation when security defects are surfaced.

Hunting

This list of tools provide the capabilities necessary for finding security anomalies and identifying rules that should be automated and extended to support scale demands.

Testing

Testing is an essential element of a DevSecOps program because it helps to prepare teams for Rugged operations and to determine security defects before they can be exploited.

Alerting

Once you discover something important, response time is critical and essential to the Incident Response required to remediate a security defect. These links include some of the projects that provide for Alerting and Notifications.

Threat Intelligence

There are many sources for Threat Intelligence in the world. Some of these come from IP Intelligence and others from Malware repositories. This category contains tools that are useful in capturing threat intelligence and collating it.

Attack Modeling

DevSecOps requires a common attack modeling capability that can be done at speed and scale. Thankfully there are efforts underway to create these useful taxonomies that help us operationalize attack modeling and defenses.

Secret Management

To support security as code, sensitive credentials and secrets need to be managed, security, maintained and rotated using automation. The projects below provide DevOps teams with some good options for securing sensitive details used in building and deploying full stack software deployments.

Red Team

These are tools that we find helpful during Red Team and War Game exercises. The projects in this section help with reconnaissance, exploit development, and other activities common within the Kill Chain.

Visualization

Making DevSecOps discoveries is already hard enough with all the APIs and Command Line tools. This list provides tools to visualize your work either via flowcharts, graphs or maps.

Sharing

A collection of tools to help with sharing knowledge and telling the story.

ChatOps

One of the greatest changes you can make in your organization is boundaryless communications. Setting up ChatOps can enable everyone to come together and solve problems.

More Repositories

1

bootcamp

A open contribute bootcamp to develop DevSecOps skills...
Shell
646
star
2

devsecops

This repository contains information about DevSecOps and how to get involved in this community effort.
142
star
3

defcon-workshop

Python
65
star
4

wardley-maps

A repository for wardley maps related to security topics.
45
star
5

raindance

Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.
GCC Machine Description
43
star
6

radar

Radar provides for early checks and review for software defined templates.
Ruby
18
star
7

assumer

An AWS cross-account tool to support human access with MFA for the CLI and GUI.
Ruby
18
star
8

firebolt

A platform to create, catalog and deploy tests for tools such as Gauntlt, AttackIQ and Metasploit.
Ruby
16
star
9

ssl_checks

This repo contains a collection of scripts to help with checks for SSL
Shell
16
star
10

forecast

Forecast is a big data environment for understanding security anomalies as they are presented in a project and is meant to aid in the collection of data for the end-to-end CICD pipeline.
Ruby
15
star
11

playbook

Coordination is key to success and originates from experiments that begin with manual operations and later get automated to scale. Playbook helps with this process and provides an automation framework to support this maturation process.
9
star
12

x-bootcamp

An extreme bootcamp to enable teams to build DevSecOps into their environment.
GCC Machine Description
9
star
13

controlplane

Your infrastructure is moving and so is your root of trust. This project helps to define a new control plane for locking down access and policies.
8
star
14

science

It's time for some serious insights and for sharing the wealth. Here, we'll share the science behind making security decisions.
7
star
15

selfie

Ruby
7
star
16

devsecops.github.io

We host the DevSecOps projects site on Github Pages with the interface located here.
CSS
6
star
17

weatherman

Weatherman helps with visualizing security information and metrics for DevOps teams to remediate defects.
5
star
18

heroes

Everyone is a hero in their own way. This repo provides a means of capturing the stories for DevSecOps heroes.
4
star
19

restacker

Ruby
4
star
20

assumer-go

Go
1
star
21

atls

JavaScript
1
star
22

wm

An automation framework for finding and reporting bugs using chains
1
star