
DevSecOps Learning Resources to start with

Building Your DevSecOps Toolkit: Must-Have DevSecOps Learning Resources

What is DevSecOps

DevSecOps integrates security into every stage of the software development and operations lifecycle. Instead of waiting until the end of development to check for security issues, DevSecOps ensures that security is considered throughout development, testing, and deployment. The idea is to build security into the process, making it a shared responsibility among developers, security, and operations teams.

Example:

Imagine a team developing a web application. In a traditional approach, security testing might happen after the app is almost finished. In DevSecOps, security is integrated from the start, with automated tools scanning code for vulnerabilities in real time as it is written, and security teams working closely with developers to fix issues quickly.

Roles & Responsibilities:

  • Implementing security tools into the continuous integration/continuous deployment (CI/CD) pipelines to automatically scan for vulnerabilities and security issues during development.
  • Ensuring developers are trained to write secure code and are aware of common vulnerabilities (e.g., SQL Injection, Cross-Site Scripting).
  • Automating security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)) as part of the regular development process.
  • Monitoring deployed applications for security issues in real time and ensuring that patches are deployed quickly when vulnerabilities are found.
  • Encouraging collaboration between development, security, and operations teams to ensure security is a shared responsibility, not an afterthought.
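The first and third responsibilities above come down to one mechanism in practice: a pipeline job runs a scanner, and a gate decides from the scanner's report whether the build may proceed. The block below is an added example (not code from the original post or from any of the tools it names) of such a gate. The report is a constructed sample laid out in the shape of Trivy's JSON output (`Results` containing `Vulnerabilities`, each with `Severity` and `FixedVersion`); the finding IDs are placeholders, not real CVEs, and the risk-acceptance file with expiry dates and the default `HIGH` threshold are assumptions of this example.

```python
"""Severity gate over a vulnerability-scanner report, as a CI job would run it.

Added example, not the original page's code. The report below is a constructed
sample in the shape of Trivy's JSON output; the IDs are placeholders.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner report (Trivy-shaped). CVE numbers are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app (python)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "thirdlib",
             "InstalledVersion": "0.9.0", "FixedVersion": "0.9.5", "Severity": "LOW"},
        ]},
    ]
})

# Constructed risk-acceptance list (assumed format): finding id -> ISO expiry date.
# An accepted finding is waived only until its expiry, so exceptions cannot
# silently live forever in the pipeline.
SAMPLE_EXCEPTIONS = {"CVE-0000-0002": "2099-01-01"}


def load_findings(report_json):
    """Flatten a Trivy-shaped report into (id, package, severity, fixed_version) tuples."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append((vuln["VulnerabilityID"], vuln["PkgName"],
                             vuln["Severity"].upper(), vuln.get("FixedVersion", "")))
    return findings


def evaluate_gate(report_json, threshold="HIGH", exceptions=None, today=None):
    """Return (passed, blocking, waived).

    A finding blocks the build when its severity is at or above the threshold
    and it is not covered by an unexpired exception.
    """
    exceptions = exceptions or {}
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking, waived = [], []
    for vid, pkg, sev, fixed in load_findings(report_json):
        if SEVERITY_RANK.get(sev, 0) < min_rank:
            continue  # below the gate threshold: reported elsewhere, does not block
        expiry = exceptions.get(vid)
        if expiry and date.fromisoformat(expiry) >= today:
            waived.append(vid)
            continue
        blocking.append((vid, pkg, sev, fixed or "no fix available"))
    return (not blocking), blocking, waived


if __name__ == "__main__":
    import sys
    passed, blocking, waived = evaluate_gate(SAMPLE_REPORT, exceptions=SAMPLE_EXCEPTIONS)
    for vid, pkg, sev, fixed in blocking:
        print(f"BLOCK  {sev:<8} {vid} in {pkg} (fix: {fixed})")
    for vid in waived:
        print(f"WAIVED {vid} (accepted risk, exception not yet expired)")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)  # a non-zero exit is what fails the CI job
```

In a real pipeline the report would come from the scanner's JSON output file rather than the constructed string, and the exception list would live in the repository where its changes are reviewed like any other code. Printing the fixed version next to each blocking finding is what turns a red build into an actionable pull request.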

Skills Required for DevSecOps:

  • Automation tools: Experience with CI/CD tools like Jenkins, GitLab CI, CircleCI, and automating security scans within the development pipeline.
  • Security testing tools: Knowledge of SAST, DAST, and software composition analysis (SCA) tools like SonarQube, Checkmarx, or OWASP ZAP to find vulnerabilities early in the development cycle.
  • Secure coding: Understanding secure coding principles and teaching developers to code securely.
  • Collaboration and communication: Ability to work across teams (development, security, operations) to ensure security is embedded in all phases of software development.
  • Infrastructure as Code (IaC): Securing cloud infrastructure by automating the creation and management of infrastructure using tools like Terraform or AWS CloudFormation, and ensuring the infrastructure is secure by design.

In short, why DevSecOps matters:

  • Security as part of the process: In DevSecOps, security is integrated throughout the development lifecycle, not just at the end. This contrasts with traditional security approaches, where security testing happens after development.
  • Automation-focused: DevSecOps heavily relies on automated tools to scan for vulnerabilities and implement security fixes quickly and efficiently.
  • Collaboration: It emphasises breaking down silos between development, security, and operations teams, ensuring all teams are responsible for security.

DevSecOps Learning Resources: Starters

Here are some DevSecOps learning resources to help you become a skilled DevSecOps engineer. They will boost your confidence in this domain, and you will be ready to explore further.

Books

  1. The Phoenix Project by Gene Kim – A novel that illustrates how DevOps principles can transform IT operations and business performance. I would highly recommend this book to every IT professional, especially developers, QA, infra engineers, DevOps, and security folks.
  2. Learning DevSecOps – A practical guide to integrating security into DevOps pipelines to deliver secure software faster. Quite a new release (published in May 2024).
  3. Securing DevOps: Security in the Cloud – It explores modern DevOps security techniques and tools to secure cloud environments. One of the books that I went through in the past.
  4. Security in DevOps by Packt – Comprehensive strategies for embedding security into DevOps workflows.
  5. Agile Application Security – A guide to building secure applications with agile methodologies. Being a DevSecOps engineer, you should have a fair idea of appsec.

Certifications

  1. CDP by Practical DevSecOps – Certified DevSecOps Professional, a hands-on certification focused on applying security in DevOps practices. I had given my feedback after this examination in 2020.
  2. DevSecOps Essentials by EC-Council – A foundational certification covering essential skills and knowledge for implementing security in DevOps.
  3. E|CDE by EC-Council – EC-Council Certified DevSecOps Engineer, designed for professionals aiming to integrate security into DevOps environments.

Courses

  1. DevSecOps Fundamentals on Udemy – A beginner’s course on understanding and implementing DevSecOps practices in software development.
  2. DevSecOps for Absolute Beginners – An introductory course for those new to DevSecOps, covering key concepts and tools.
  3. DevSecOps by KodeKloud – A practical course on mastering DevSecOps tools and methodologies with hands-on labs. You should try it.

Tools

DevSecOps tools can be categorised into several groups based on their functionality. These categories include:

  1. Static Application Security Testing (SAST) Tools
    1. SonarQube: Static code analysis tool supporting multiple programming languages.
    2. Bandit: A security linter for Python.
    3. Brakeman: Security scanner for Ruby on Rails applications.
    4. SpotBugs: Static analysis tool to find security vulnerabilities in Java code.
    5. Semgrep: Lightweight static analysis tool supporting multiple languages and frameworks.
    6. Coverity: Comprehensive static code analysis to detect software defects and vulnerabilities.
    7. git-secrets: Detects secrets and sensitive information in git commits and prevents them from being committed.
  2. Dynamic Application Security Testing (DAST) Tools
    1. OWASP ZAP: Open-source tool used for finding vulnerabilities in web applications.
    2. Nikto: Web server scanner that detects outdated versions and security issues.
    3. Arachni: Web application security scanner for identifying vulnerabilities.
    4. Burp Suite: Integrated platform for performing security testing of web applications.
    5. Akto and Levo (API Security): Tools specifically designed to scan and secure APIs.
  3. Software Composition Analysis (SCA) Tools
    1. Snyk: Security platform that scans open-source dependencies for known vulnerabilities.
    2. OWASP Dependency Check: Open-source tool to identify publicly disclosed vulnerabilities in dependencies.
    3. Dependabot: Automatically checks dependencies for vulnerabilities and sends pull requests to update them.
    4. Retire.js: Scanner that helps identify known vulnerabilities in JavaScript libraries.
    5. npm audit: Security audit tool for Node.js applications, focusing on package vulnerabilities.
  4. Container Security Tools
    1. Clair: Open-source tool for the static analysis of vulnerabilities in containers.
    2. Trivy: Comprehensive vulnerability scanner for containers, Kubernetes, and IaC.
    3. Checkov: Infrastructure as code static analysis tool for Terraform, Kubernetes, and more.
    4. Kube-bench: Checks whether Kubernetes clusters are deployed according to security best practices.
    5. Kubesec: Tool to secure Kubernetes resources by scanning YAML files.
    6. Hadolint: Dockerfile linter to check for best practices and potential vulnerabilities.
  5. Infrastructure as Code (IaC) Security Tools
    1. Terraform-grunt: Tool to test security of Terraform configurations.
    2. ScoutSuite: Multi-cloud security auditing tool for cloud infrastructure.
    3. Kics by Checkmarx: Open-source IaC scanning tool for identifying vulnerabilities.
    4. TFLint: Linter to detect errors and security issues in Terraform templates.
    5. Prowler: Security tool to perform AWS security best practices checks.
    6. Terrascan: Static code analyzer for IaC to detect vulnerabilities.
  6. Compliance and Governance Tools
    Think of policy as code and compliance as code from a DevOps and DevSecOps perspective.
    1. Chef InSpec: Framework for defining and testing security and compliance policies as code.
    2. Open Policy Agent (OPA): General-purpose policy engine for enforcing policies across the stack.
    3. HashiCorp Sentinel: Policy-as-code framework integrated with HashiCorp products.
    4. AWS Config: Monitors and audits the configuration of AWS resources to maintain compliance.
    5. OpenSCAP: Suite of open-source tools for auditing compliance with security standards.
  7. Security Dashboard and Analytics Tools
    1. DefectDojo: Open-source application vulnerability management tool.
    2. ELK: Elasticsearch, Logstash, and Kibana stack for centralized logging and analytics.
    3. OWASP Dependency-Track: Continuous monitoring of vulnerabilities in third-party dependencies.
    4. JFrog Xray: Universal component analysis tool to detect vulnerabilities and license compliance issues.
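The "policy as code" idea behind the Compliance and Governance category above (OPA, Sentinel, InSpec) is simply: write each rule as a function of the artefact, run all of them, and deny when any rule returns a violation. The block below is an added example (not code from the original post and not OPA or Rego) that expresses four common Kubernetes deployment policies as Python functions and evaluates them over a constructed Pod manifest; the manifest, the registry name, and the policy set are assumptions of this example.

```python
"""Minimal policy-as-code engine for Kubernetes Pod manifests.

Added example, not the original page's code and not OPA/Rego: each policy is a
function that returns a message on violation, and admission is denied if any
policy fires. The manifest below is constructed for the example.
"""

# Constructed manifest: one compliant container and one violating several rules.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "containers": [
            {"name": "api", "image": "registry.example/api:1.4.2",
             "securityContext": {"runAsNonRoot": True, "privileged": False,
                                 "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
            {"name": "sidecar", "image": "registry.example/sidecar:latest",
             "securityContext": {"privileged": True}},
        ]
    },
}


def policy_no_latest_tag(container):
    """Images must be pinned; an untagged or ':latest' image is not reproducible."""
    image = container.get("image", "")
    last_segment = image.rsplit("/", 1)[-1]          # ignore a ':port' in the registry host
    tag = image.rsplit(":", 1)[1] if ":" in last_segment else ""
    if tag in ("", "latest"):
        return "image must be pinned to an explicit tag or digest, not ':latest'"


def policy_not_privileged(container):
    """A privileged container has the host's device and capability set."""
    if container.get("securityContext", {}).get("privileged"):
        return "privileged containers are not allowed"


def policy_run_as_non_root(container):
    """Require the runtime to refuse images whose entrypoint would run as root."""
    if not container.get("securityContext", {}).get("runAsNonRoot"):
        return "securityContext.runAsNonRoot must be true"


def policy_resource_limits(container):
    """Limits bound the blast radius of a runaway or abused workload."""
    if not container.get("resources", {}).get("limits"):
        return "resources.limits must be set"


POLICIES = [policy_no_latest_tag, policy_not_privileged,
            policy_run_as_non_root, policy_resource_limits]


def evaluate_pod(manifest, policies=POLICIES):
    """Return every (container_name, policy_name, message) violation found."""
    violations = []
    for container in manifest.get("spec", {}).get("containers", []):
        for policy in policies:
            message = policy(container)
            if message:
                violations.append((container.get("name"), policy.__name__, message))
    return violations


def admit(manifest):
    """Admission-style decision: allow only a manifest with zero violations."""
    return not evaluate_pod(manifest)


if __name__ == "__main__":
    for name, policy, message in evaluate_pod(SAMPLE_POD):
        print(f"DENY {name}: {message} [{policy}]")
    print("admitted:", admit(SAMPLE_POD))
```

The same shape scales to IaC: swap the manifest for a parsed Terraform plan or CloudFormation template and the policy functions for rules about public buckets, open security groups, or unencrypted volumes. Keeping the policies in version control, with tests like the ones a CI job would run over this file, is what makes them "compliance as code" rather than a checklist.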

Summary

This is not an exhaustive list, but these tools will help you get started with and excel in DevSecOps. I would recommend making sure you have good hands-on experience with these tools across different projects, covering (for a real-world feel):

  1. An application
  2. Cloud environment
  3. Full stack implementation

All the best for your career in DevSecOps, and happy learning!
