Month: October 2020

Starting points in DevSecOps journey

Hello friends,

During my journey to become a Microsoft Azure Security professional, I have compiled set of useful resources in addition to the exam materials. These resources do complement cloud and application security with open-source tooling, and a book that is much needed for success.

I am excited to share this with my network and DevSecOps enthusiasts ๐Ÿ™‚

  1. WhiteSource Bolt – is a #free developer tool for finding and fixing open source vulnerabilities.
  2. Find Security Bugs – it is a SpotBugs plugin for security audits of Java web applications – https://find-sec-bugs.github.io/
  3. OWASP Zed Attack Proxy (ZAP) – one of the most popular free web security tool, actively maintained by a dedicated international team of volunteers – https://owasp.org/www-project-zap/
  4. Sqlmap – is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers – http://sqlmap.org/
  5. OpenVAS – Open Vulnerability Assessment Scanner is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. – https://openvas.org/
  6. Recon-ng – is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly – https://tools.kali.org/information-gathering/recon-ng
  7. OWASP Glue – is a framework for running a series of tools. Generally, it is intended as a backbone for automating a security analysis pipeline of tools – https://github.com/OWASP/glue
  8. Awesome DevSecOps book. Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program.
  9. #lambhack is A vulnerable serverless lambda application. This is certainly a bad idea to base any coding patterns of what you see here. It allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks and more.
  10. Black Duck is a commercial alternative to WhiteSource Bolt. It helps to manage the risks that come with the use of open source. Black Duck software composition analysis solutions and open source audits give you the insight you need to track the open source in your code, mitigate security and license compliance risks, and automatically enforce open source policies using your existing DevOps tools and processes.
  11. OWASP Honeypot-Project. Goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Based around the earlier OWASP/WASC Distributed Web Honeypots Project.
  12. Open Source Honeypots That Detect Threats For Free. You could read details on this interesting post.

Note: in noway this presents a complete guide. However, I hope it will guide your project into a more successful DevSecOps state.

I do encouragetoย comment and shareย your tips and resources here. This will ultimately help every community member to become a better security professional. Thanks!