# DevSecOps

---

## Why?
## What?
## How?

---

## Why?

---

## Hacks

![](https://i.imgur.com/ezNu8OA.png)

---

## Hacks

![](https://i.imgur.com/VLtQpx8.png)

---

## Hacks

![](https://i.imgur.com/9hhRytZ.png)

---

## Hacks

![](https://i.imgur.com/88zLHpa.png)

---

## OWASP Top 10

![](https://i.imgur.com/C1m95pl.png)

[Reference](https://www.synopsys.com/glossary/what-is-owasp-top-10.html)

---

## Test DVNA

https://github.com/appsecco/dvna

```bash
docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite
```

---

## XSS

```html
<script>alert(1)</script>
```

---

## XSS

Redirect to a different domain

```html
<svg onload="window.location='http://www.rewanthtammana.com'">
</svg>
```

---

## What?

---

## What?

![](https://i.imgur.com/g7eQEfs.png)

[Reference](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls)

---

## What?

![](https://i.imgur.com/VC8QGI5.png)

[Reference](https://www.atlassian.com/devops/devops-tools/devsecops-tools)

---

## How?

---

1. Simple CD - Deploy index.html to GitHub Pages
2. (Optional) Build image & push to Docker Hub
3. Integrate CI check - maybe gitleaks
4. Enforce CI check before CD
5. Centralized workflows
6. Include SCA, SAST, etc.
7. Connect all pieces together

---

## Types of security checks

1. pre-commit hooks
2. SAST
3. SCA
4. Image scanning
5. DAST
6. IAST
7. RASP
...
...

---

## More on DevSecOps

* [DoD Enterprise DevSecOps Design](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf)
* [OWASP DevSecOps Guide](https://owasp.org/www-project-devsecops-guideline/)

---

### Social media

Website: [rewanthtammana.com](rewanthtammana.com)

Twitter: [@rewanthtammana](https://twitter.com/rewanthtammana)

LinkedIn: [/in/rewanthtammana](https://linkedin.com/in/rewanthtammana)