DevSecOps Resources

View project on GitHub

What is DevSecOps?

DevSecOps (development, security, and operations) is an approach to culture, automation, and platform design that integrates security as a shared responsibility across the organization, and through every phase of the software development lifecycle – from initial design through integration, testing, deployment, and software delivery. It draws from ideas underpinnning DevOps, including agility, continuous integration and deployment, and ensures that security plays an integrated role.

DevOps outlines a software development process and an organizational culture shift that speeds the delivery of higher quality software by automating and integrating the efforts of development and IT operations teams – two groups that traditionally practiced in solos, separately from each other. DevOps principles target rapid and frequent cycles, where work is done in small chunks, called “sprints” with the aim of reducing cycles to weeks or even days. Using this type of pacing, effective security can’t be tacked-on at the end of the project – it needs to be a shared responsibility and integrated from start-to-end of a project, and across the organizaiton. It’s a mindset change that means that Cyber Security resources work in tandem with development and operations resources, building secuirity into the foundation of the development and DevOps processes. (

DevSecOps automatically bakes in security at every phase of the software development lifecycle, enabling development of secure software at the speed of Agile and DevOps. Addressing security issues as they emerge reduces cost (by catching problems before they are pushed into production), as well as the overall risk and attack surface) IBM learn devsecops.

Additional definitions:


DOD: DevSecOps Playbook Highlights:

  • Adopt a DevSecOps Culture:
    • Stakeholder transparency and visibility
    • Complete transparency across team members in real-time
    • All project resources easily accessible to the entire team; not everyone needs commit privileges (i.e. principle of least privelege)
    • Adopt and embrace ChatOps as the communication backbone for the DevSecOps team
    • All technical staff should be concerned with, and have a say in, baked-in security
  • Adopt Infrastructure as Code (IaC):
    • IT infrastructure supports and enables change, rather than being an obstacle or a constraint
    • Mitigates drift between environments by leveraging automation and push-button deployment
    • Enforces change management through GitOps with multiple approvers, as needed
    • Environmental changes are routine and fully automated, pivoting staff to focus on other tasks
    • Quicker recovery from failures, rather than assuming failure can be completely prevented
    • Empowers a continuous improvement ecosystem rather than “big bang” one and done activities
  • Adopt Containerized Microservices (this approach, in my opinion, should be weighed according to benefits vs effort)
    • Componentization via services
    • Organized around business capabilities
    • Product over project
    • Smart endpoints, dumb pipes
    • Decentralized governance and data management
    • Infrastructure automation support via IaC
    • Design for failure
    • Evolutionary design support
  • Adopt a Capability Model, not a Maturity Model
    • Metric High Performers Med. Performers Low Performers
      Deployment Freq. On-Demand >1xWeek<1xMnth >1xWeek<1xMnth
      Change lead time < 1 Hour >1xWeek<1xMnth >1xWeek<1xMnth
      MTTR < 1 Hour < 1 Day >1xWeek<1xMnth
      Change failure rate 0-15% 0-15% 31-45%
  • Drive Continuous Improvement through Key Capabilities
    • Continuous Delivery
      • use source code repos for all product artifacts
      • use trunkbased development methods
      • shift-left on security
      • implement test automation
      • implement continuous intgration
      • support test data management
      • implement continuous delivery
      • automate deployment
    • Architecture
      • use loosley coupled architecture
      • architect for empowered teams
    • Cultural
      • adopt a Likert scale survey to measure cultural change
      • encourage and support continuous learning initiatives
      • support and facilitate collaberation among and between teams
      • provide resources and tools that make work meaningful
      • support or embody transformational leadership
    • Product & Process
      • gather and implement customer feedback
      • make the flow of work visible through the value stream
      • work in small batches
      • foster and enable team experimentation
    • Lean Management & Monitoring
      • have a lightweight change approval process
      • monitor across application and infrastructure to inform business decisions
      • check system health proactively
      • improve processes and manage work with work-in-process (WIP) limits
      • visualize work to monitor quality and communicate throughout the team
  • Establish a Software Factory
    • Design
    • Instantiate
    • Verify
    • Operate & Monitor
  • Define a Meaningful DevSecOps Pipeline
    • every DevSecOps pipeline is a collection of process workflows and scripts running on a set of DevSecOps tools operating in unison with their associated software factory. The design of each pipeline must clearly identify the process flows and automation activities across the various DevSecOps stages:
    • plan
    • develop
    • build
    • test
    • release & deliver
    • deploy
    • operate
  • Adopt an Agile Acquistion Policy for Software
  • Tirelessly Pursue Cyber Resilience
    • Cyber Resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on the systems that include cyber resources.”12 A primary goal of DevSecOps adoption is to “bake-in” cyber resiliency into applications as part of the software factory’s DevSecOps pipeline process.
  • Shift Test and Evaluation (T&E) Left into the Pipeline
    • The value of shifting test and evaluation activities into the software factory’s pipeline is that risk is reduced by finding problems early and fixing them fast while the change that created the problem is still in the forefront of the developer’s mind. Integration continues to be difficult to achieve between disparate systems, and the push for access to raw data to feed AI/ML algorithms is increasing, not decreasing. The ability to ensure these integrations work earlier in the process, not as a bolt-on after-the-fact integration, drives the delivery of relevant software at the speed of operations.

NIST: Engineering Trustworthy Secure Systems

CI/CD The What, Why and How Security is hard, even for a multi-billion business like AWS


Development Security

(forked from the toniblyx repo:) | Name | URL | Description | Popularity | Metadata | | :———- | :———- | :———- | :———- | :———-: | | CFN NAG | | CloudFormation security test (Ruby) |stars| contributorswatcherslast-commit open-issues closed-issues | | Git-secrets | | |stars| contributorswatcherslast-commit open-issues closed-issues | | Repository of sample Custom Rules for AWS Config | | |stars| contributorswatcherslast-commit open-issues closed-issues | | CFripper | | “Lambda function to ““rip apart”” a CloudFormation template and check it for security compliance.” |stars| contributorswatcherslast-commit open-issues closed-issues | | Assume | | A simple CLI utility that makes it easier to switch between different AWS roles |stars| contributorswatcherslast-commit open-issues closed-issues | | Terrascan | | A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate |stars| contributorswatcherslast-commit open-issues closed-issues | | tfsec | | Provides static analysis of your terraform templates to spot potential security issues |stars| contributorswatcherslast-commit open-issues closed-issues | | Checkov | | Terraform, Cloudformation and Kubernetes static analysis written in python |stars| contributorswatcherslast-commit open-issues closed-issues | | Yor | | Automatically tag and trace infrastructure as code frameworks (Terraform, Cloudformation and Serverless) |stars| contributorswatcherslast-commit open-issues closed-issues | | pytest-services | | Unit testing framework for test driven security of AWS configurations and more |stars| contributorswatcherslast-commit open-issues closed-issues | | IAM Least-Privileged Role Generator | | A Serverless framework plugin that statically analyzes AWS Lambda function code and automagically generates least-privileged IAM roles. |stars| contributorswatcherslast-commit open-issues closed-issues | | AWS Vault | | A vault for securely storing and accessing AWS credentials in development environments |stars| contributorswatcherslast-commit open-issues closed-issues | | AWS Service Control Policies | | Collection of semi-useful Service Control Policies and scripts to manage them |stars| contributorswatcherslast-commit open-issues closed-issues | | LambdaGuard | | AWS Lambda auditing tool that provides a meaningful overview in terms of statistical analysis AWS service dependencies and configuration checks from the security perspective |stars| contributorswatcherslast-commit open-issues closed-issues | | Terraform-compliance | | A lightweight security focused BDD test framework against terraform (with helpful code for AWS) |stars| contributorswatcherslast-commit open-issues closed-issues | | Get a List of AWS Managed Policies | | a way to get a list of all AWS managed policies |stars| contributorswatcherslast-commit open-issues closed-issues | | Parliament | | AWS IAM linting library |stars| contributorswatchers last-commit open-issues closed-issues | | AWS-ComplianceMachineDontStop | | Proof of Value Terraform Scripts to utilize Amazon Web Services (AWS) Security Identity & Compliance Services to Support your AWS Account Security Posture |stars| contributorswatcherslast-commit open-issues closed-issues | | detect-secrets | | An enterprise friendly way of detecting and preventing secrets in code. |stars| contributorswatcherslast-commit open-issues closed-issues | | tf-parliament | | Run Parliament AWS IAM Checker on Terraform Files |stars| contributors watchers last-commit open-issues closed-issues | | aws-gate | | Better AWS SSM Session manager CLI client | stars| contributors watchers last-commit open-issues closed-issues | | iam-lint | | Github action for linting AWS IAM policy documents for correctness and possible security issues |stars | contributors watchers last-commit open-issues closed-issues | | Regula | | Regula checks Terraform for AWS security and compliance using Open Policy Agent/Rego | stars | contributors watchers last-commit open-issues closed-issues | | whispers | | Identify hardcoded secrets and dangerous behaviours | stars | contributors watchers last-commit open-issues closed-issues | | cloudformation-guard | | A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax. | stars | contributors watchers last-commit open-issues closed-issues | | IAMFinder | | Enumerates and finds users and IAM roles in a target AWS account | stars| contributors watchers last-commit open-issues closed-issues | | iamlive | | Generate a basic IAM policy from AWS client-side monitoring (CSM) | stars | contributors watchers last-commit open-issues closed-issues | | aws-allowlister | | Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks. | stars | contributors watchers last-commit open-issues closed-issues | | Leapp | | Cross-platform app for managing AWS credentials programmatically, based on Electron |stars| contributorswatcherslast-commit open-issues closed-issues | | KICS | | Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code |stars| contributorswatcherslast-commit open-issues closed-issues | | SecurityHub CIS Compliance Automator | | Automatically configure your AWS Account to meet 95% of the 200+ controls for CIS Compliance, PCI DSS Compliance and AWS Security Best Practice |stars| contributorswatcherslast-commit open-issues closed-issues |

Additional Resources