
Curating the best DevSecOps resources and tooling.
DevSecOps is an extension of the DevOps movement that aims to bring security practices into the development lifecycle through developer-centric security tooling and processes.
Contributions welcome. Add links through pull requests or create an issue to start a discussion.
Contents
- Resources
- Articles
- Books
- Communities
- Conferences
- Newsletters
- Podcasts
- Secure Development Guidelines
- Secure Development Lifecycle Framework
- Toolchains
- Training
- Wikis
- Tools
- Dependency Management
- Dynamic Analysis
- Infrastructure as Code Analysis
- Intentionally Vulnerable Applications
- Monitoring
- Secrets Management
- Secrets Scanning
- Static Analysis
- Supply Chain Security
- Threat Modelling
- Related Lists
Resources
Articles
- Our Approach to Employee Security Training - Pager Duty - Guidelines to running security training within an organisation.
- DevSecOps: Making Security Central To Your DevOps Pipeline - Spacelift - An article that explains what DevSecOps aims to achieve, why it's advantageous, and what the DevSecOps lifecycle looks like.
Books
- Alice and Bob Learn Application Security - Tanya Janca - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development.
Communities
- DevSecCon - Snyk - A community that runs conferences, a blog, a podcast and a Discord dedicated to DevSecOps.
- TAG Security - Cloud Native Computing Foundation - TAG Security facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.
Conferences
- AppSec Day - OWASP - An Australian application security conference run by OWASP.
- DevSecCon - Snyk - A network of DevSecOps conferences run by Snyk.
Newsletters
- Shift Security Left - Cossack Labs - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers.
Podcasts
- Absolute AppSec - Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.
- Application Security Podcast - Security Journey - Interviews with industry experts about specific application security concepts.
- BeerSecOps - Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.
- DevSecOps Podcast Series - OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.
- The Secure Developer - Snyk - Discussion about security tools and best practices for software developers.
Secure Development Guidelines
- Application Security Verification Standard - OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
- Coding Standards - CERT - A collection of secure development standards for C, C++, Java and Android development.
- Fundamental Practices for Secure Software Development - SAFECode - Guidelines for implementing key secure development practices throughout the SDLC.
- Proactive Controls - OWASP - OWASP's list of top ten controls that should be implemented in every software development project.