Skip to content

JamieClamp/Notes_for_exam

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

156 Commits
Cac
Cac
 
 
DAST
DAST
 
 
Docker
Docker
 
 
ExtraToolScripts/Dependency-check
ExtraToolScripts/Dependency-check
 
 
FPAAndREmediation
FPAAndREmediation
 
 
IaC
IaC
 
 
LinuxBasics
LinuxBasics
 
 
SAST
SAST
 
 
SCA
SCA
 
 
VulnManagement
VulnManagement
 
 
Add Safety tool to Gitlab.md
Add Safety tool to Gitlab.md
 
 
Ansible.md
Ansible.md
 
 
Bandit.md
Bandit.md
 
 
Basics of Vi.md
Basics of Vi.md
 
 
Brakeman.md
Brakeman.md
 
 
Branches.md
Branches.md
 
 
COMPLETEDefectDojo.md
COMPLETEDefectDojo.md
 
 
Compliance as Code (CaC) using Inspec.md
Compliance as Code (CaC) using Inspec.md
 
 
DefectDojo.md
DefectDojo.md
 
 
DevSecOps.md
DevSecOps.md
 
 
Dynamic Analysis Using Zap.md
Dynamic Analysis Using Zap.md
 
 
Embed Nikto, SSLyze, and Nmap into GitLab.md
Embed Nikto, SSLyze, and Nmap into GitLab.md
 
 
Embed SSLyze, Nikto.md
Embed SSLyze, Nikto.md
 
 
Generic Installation Commands and Examples.md
Generic Installation Commands and Examples.md
 
 
Gitlab CI-CD Basics.md
Gitlab CI-CD Basics.md
 
 
Gospel.md
Gospel.md
 
 
Hardening Machines in Production CI CD Pipeline.md
Hardening Machines in Production CI CD Pipeline.md
 
 
How to Create Custom Inspec Profile.md
How to Create Custom Inspec Profile.md
 
 
Install RetireJs.md
Install RetireJs.md
 
 
Linux.md
Linux.md
 
 
NMAP.md
NMAP.md
 
 
Nikto.md
Nikto.md
 
 
OWASP TEN 10 Resources.md
OWASP TEN 10 Resources.md
 
 
README.md
README.md
 
 
SSLyze.md
SSLyze.md
 
 
Safety.md
Safety.md
 
 
TO DOHarding Environment using Ansible.md
TO DOHarding Environment using Ansible.md
 
 
Template.md
Template.md
 
 
TheirMasterYaml.yaml
TheirMasterYaml.yaml
 
 
Tools.md
Tools.md
 
 
Troubleshooting.md
Troubleshooting.md
 
 
Trufflehog.md
Trufflehog.md
 
 
Vulm_Management.md
Vulm_Management.md
 
 
Vulnerability Management with DefectDojo.md
Vulnerability Management with DefectDojo.md
 
 
ZAP.md
ZAP.md
 
 
embed retirejs.md
embed retirejs.md
 
 
masterYaml.yaml
masterYaml.yaml
 
 

Repository files navigation

PracticalDevSecOpsNotes

SAST has two parts: Secret Scanning: TruffleHog

Git Hook is run locally just before a git event like commit or push. Not good because cannot be automated on CI and admins can remove them.

Code Analysis: Bandit

Best Practices:

  1. Tested the tools locally before embedding in the pipeline
  2. Ensured the scans finish within 10 minutes
  3. Ensured they each run in their own jobs
  4. We saved the output in a file
  5. We didn’t fail the builds

Gospel:

  1. Maintain cordial relationships with Developers/QA and Operation teams
  2. Do not fail builds unless you are at maturity level 3 or 4
  3. Do not run any tool which takes more than 10 minutes in CI/CD pipelines
  4. Create separate jobs for each tool/scan
  5. Roll out tools/scans in phases (iteratively) even when critical/high severity issues are found
  6. Do not buy tools that does not provide APIs or CLIs
  7. Love the vendor who does per-use licensing model with all your heart, soul, mind and strength
  8. Verify if the tool vendors support incremental/baseline scans
  9. Create SAST/DAST custom rule sets. Tools are of no use without creating custom rules/tweaks down the line
  10. Do Everything as Code (EaC) to provide the audit-ability, measurability, and security
  11. Do False Positives as Code to control scope of the scans
  12. Link tool wiki in the pipeline as a comment for sharing your team’s expertise with others

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages