Beyond DevOps: Tools to Support Your Journey to DevSecOps
In the rapidly evolving world of software development, the integration of security into the DevOps process, known as DevSecOps, has emerged as a critical paradigm shift. The DevOps framework, while effective, needs an upgrade for today's needs; integrating security into it has given rise to the enhanced model of DevSecOps.
In this blog I list DevSecOps tools, aiming to make them accessible and actionable for development teams of all sizes and sectors. Whether you're just starting your DevSecOps journey or looking to enhance your existing practices, the resources below may help to equip you with the tools, techniques, and strategies necessary to integrate security seamlessly into your DevOps processes.
The tools are grouped into the following categories:
- Threat Modeling Tools
- Secrets management
- Dependency management
- SAST
- DAST
- Containerisation and Kubernetes
- Infrastructure as code security
Threat modeling
Threat modeling as code (TMC) represents a modern approach to threat modeling, integrating it directly into the software development lifecycle (SDLC) as an automated, repeatable, and scalable process. This methodology allows for the early detection of security threats and vulnerabilities within applications and infrastructure, by treating threat models as part of the codebase itself.
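To make the idea concrete, here is a small threat-model-as-code check written for this article. It is not PyTM, ThreatSpec or Threagile code: it describes a constructed architecture as data (components, trust boundaries, dataflows) and evaluates rule functions against it, which is the pattern those tools automate. All component names, boundaries and rules are assumptions made for the example.

```python
"""Added example: a minimal threat-model-as-code evaluation.

Illustrative code for this article, not PyTM, ThreatSpec or Threagile.
The architecture and the risk rules are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Component:
    name: str
    boundary: str            # trust boundary the component lives in
    stores_pii: bool = False  # does it hold personal data?


@dataclass(frozen=True)
class Dataflow:
    src: Component
    dst: Component
    protocol: str            # e.g. "https", "postgres"
    encrypted: bool
    authenticated: bool


@dataclass
class Model:
    name: str
    flows: List[Dataflow] = field(default_factory=list)

    def crosses_boundary(self, flow: Dataflow) -> bool:
        return flow.src.boundary != flow.dst.boundary


# A rule inspects one dataflow and returns a finding string or None,
# mirroring the "risk rules" that Threagile/PyTM run over a model.
Rule = Callable[[Model, Dataflow], Optional[str]]


def rule_unencrypted_cross_boundary(model: Model, flow: Dataflow) -> Optional[str]:
    if model.crosses_boundary(flow) and not flow.encrypted:
        return f"{flow.src.name}->{flow.dst.name}: unencrypted flow crosses a trust boundary"
    return None


def rule_unauthenticated_pii_access(model: Model, flow: Dataflow) -> Optional[str]:
    if flow.dst.stores_pii and not flow.authenticated:
        return f"{flow.src.name}->{flow.dst.name}: unauthenticated access to a PII store"
    return None


def rule_plain_http(model: Model, flow: Dataflow) -> Optional[str]:
    if flow.protocol == "http":
        return f"{flow.src.name}->{flow.dst.name}: plain HTTP in use"
    return None


RULES: List[Rule] = [rule_unencrypted_cross_boundary,
                     rule_unauthenticated_pii_access,
                     rule_plain_http]


def evaluate(model: Model, rules: List[Rule] = RULES) -> List[str]:
    """Run every rule over every dataflow and return the findings, sorted."""
    findings = []
    for flow in model.flows:
        for rule in rules:
            finding = rule(model, flow)
            if finding:
                findings.append(finding)
    return sorted(findings)


def example_model() -> Model:
    """Constructed sample architecture: browser -> API -> user database."""
    browser = Component("browser", boundary="internet")
    api = Component("api", boundary="dmz")
    batch = Component("batch", boundary="internal")
    userdb = Component("userdb", boundary="internal", stores_pii=True)
    model = Model("shop")
    model.flows = [
        Dataflow(browser, api, "https", encrypted=True, authenticated=True),
        # DMZ -> internal without TLS: flagged by the cross-boundary rule
        Dataflow(api, userdb, "postgres", encrypted=False, authenticated=True),
        # same boundary, but no authentication to the PII store: flagged
        Dataflow(batch, userdb, "postgres", encrypted=False, authenticated=False),
    ]
    return model


if __name__ == "__main__":
    for finding in evaluate(example_model()):
        print(finding)
```

Because the model lives in the repository, a CI job can run `evaluate()` on every change and fail the build when a new finding appears, which is what "threat modeling as code" buys you over a diagram that is updated by hand.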
Both open-source and commercial tools are available:
OWASP Threat Dragon
An initiative by the Open Web Application Security Project (OWASP), Threat Dragon offers both a web-based and desktop application for drawing threat model diagrams and performing rule-based analysis of potential threats.
PyTM
This Python-based tool allows developers to define their system in code, using it to automatically generate threat models. It’s particularly useful for those who prefer a code-centric approach to threat modeling.
ThreatSpec
By annotating source code and infrastructure-as-code configurations with potential threats and mitigations, ThreatSpec facilitates the automatic generation of threat models, tightly integrating security considerations into the development process.
IriusRisk
Offers a comprehensive platform for threat modeling as code, supporting automation and integration into CI/CD pipelines, making it easier to address security from the design phase.
A free community edition is also available.
Threagile
An agile threat modeling toolkit written as a Go framework. Threagile enables agile modeling of an architecture and its assets through YAML files directly within the IDE. Upon execution, it evaluates the architecture model against all standard and any custom risk rules.
Microsoft Threat Modeling Tool
Integral to Microsoft's Security Development Lifecycle (SDL), the tool enables early identification and mitigation of security issues, reducing development costs. Designed for usability, it simplifies threat modeling for developers of all skill levels with clear guidance.
Secrets management
git-secrets
From AWS Labs, git-secrets prevents you from committing secrets and credentials into git repositories.
GitHound
GitHound is a tool designed for discovering exposed API keys and sensitive data on GitHub through code search, pattern matching, and commit history analysis. Its unique advantage lies in leveraging GitHub’s code search to comprehensively scan the entire platform, unrestricted by repository, user, or organization boundaries.
TruffleHog
TruffleHog is a security tool specialized in uncovering hardcoded secrets within codebases, leveraging deep scanning techniques to identify sensitive information.
Hashicorp Vault
HashiCorp Vault is a tool designed for secrets management, providing encryption as a service and privileged access management, ensuring secure storage, access, and handling of sensitive data across distributed systems.
aws-secrets-manager-actions
This GitHub Action lets you export secrets stored in AWS Secrets Manager as environment variables in your GitHub runner.
Dependency management
Conducting security testing and analysis on dependencies is crucial for identifying vulnerabilities that could lead to supply chain attacks. Generating an SBOM and implementing subsequent dependency scanning (Software Composition Analysis) are essential components of continuous integration (CI) processes. The tools below address this area:
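The following added example shows what the "SBOM then SCA" step looks like in code. It is not part of the article and not cdxgen, Syft or Snyk code: it parses a constructed CycloneDX document of the shape those generators emit, matches each component against a constructed advisory list (placeholder IDs, not real CVEs; made-up package names) and applies a CI gate on severity. The version comparison is a plain dotted-number comparison, an assumption that real scanners replace with PEP 440 or semver rules.

```python
"""Added example: matching a CycloneDX SBOM against an advisory feed.

Not the article's code nor any listed tool's. SBOM, package names and
advisories are constructed; advisory IDs are placeholders, not CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX fragment; cdxgen and Syft produce this "components" layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.25.1",
     "purl": "pkg:pypi/examplelib@2.25.1"},
    {"type": "library", "name": "netutils", "version": "1.26.18",
     "purl": "pkg:pypi/netutils@1.26.18"},
    {"type": "library", "name": "parserkit", "version": "5.3.1",
     "purl": "pkg:pypi/parserkit@5.3.1"}
  ]
}
"""

# Constructed advisory feed. A real scanner pulls this from OSV, NVD or a vendor DB.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "package": "examplelib",
     "affected_below": "2.31.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "pypi", "package": "parserkit",
     "affected_below": "5.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "pypi", "package": "netutils",
     "affected_below": "1.26.5", "severity": "high"},
]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Assumed simple dotted-numeric versions; real tools use PEP 440 / semver."""
    return tuple(int(part) for part in version.split("."))


def purl_ecosystem(purl: str) -> str:
    """'pkg:pypi/examplelib@2.25.1' -> 'pypi'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    return json.loads(sbom_json)["components"]


def scan(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair where the version is affected."""
    findings = []
    for comp in load_components(sbom_json):
        ecosystem = purl_ecosystem(comp["purl"])
        installed = version_tuple(comp["version"])
        for adv in advisories:
            if adv["ecosystem"] != ecosystem or adv["package"] != comp["name"]:
                continue
            if installed < version_tuple(adv["affected_below"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["affected_below"],
                })
    return findings


def gate(findings: List[Dict[str, str]], fail_on=("critical", "high")) -> bool:
    """CI policy: True means the pipeline should fail."""
    return any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = scan(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"({f['severity']}), fixed in {f['fixed_in']}")
    print("FAIL" if gate(results) else "PASS")
```

In the constructed data `netutils` is already above the affected range and is not reported, `examplelib` is reported at medium severity and `parserkit` at high, so the default gate fails the build; the same gate with `fail_on=("critical",)` would let it through.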
cdxgen
Creates CycloneDX Software Bill of Materials (SBOM) for your projects from source and container images.
Snyk
Snyk scans and monitors your projects for security vulnerabilities.
Syft
A CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
SAST
Static code review tools, also known as Static Application Security Testing (SAST) tools, analyze source code to detect known patterns and relationships among methods, variables, classes, and libraries. They focus on the codebase itself rather than on compiled or built packages.
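As an added illustration of what a SAST tool does under the hood (this is example code written for this article, not Bandit's or Semgrep's), the check below parses Python source with the standard `ast` module and flags three patterns: calls to `eval()`/`exec()`, `subprocess` calls with `shell=True`, and `yaml.load()` without an explicit `Loader`. The rule IDs and the sample source are constructed for the example.

```python
"""Added example: a minimal AST-based SAST check for Python.

Written for this article; not Bandit or Semgrep code. Rule IDs (EX01,
SH01, YM01) and the SAMPLE source are constructed for the example.
"""
import ast
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, rule id, message)


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'eval' or 'subprocess.run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _kw_is_true(node: ast.Call, name: str) -> bool:
    return any(kw.arg == name and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def _has_kw(node: ast.Call, name: str) -> bool:
    return any(kw.arg == name for kw in node.keywords)


class SecurityVisitor(ast.NodeVisitor):
    """Walks every call expression and records rule matches."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "EX01",
                                  f"{name}() evaluates data as code"))
        elif name.startswith("subprocess.") and _kw_is_true(node, "shell"):
            self.findings.append((node.lineno, "SH01",
                                  f"{name} called with shell=True"))
        elif name == "yaml.load" and not _has_kw(node, "Loader"):
            self.findings.append((node.lineno, "YM01",
                                  "yaml.load() without an explicit Loader"))
        self.generic_visit(node)   # keep descending into nested calls


def scan_source(source: str) -> List[Finding]:
    """Parse the source and return findings ordered by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed sample input: each flagged line has a safe counterpart.
SAMPLE = '''\
import subprocess, yaml

def run(cmd):
    return subprocess.run(cmd, shell=True)           # flagged SH01

def safe_run(argv):
    return subprocess.run(argv, check=True)          # argv list, not flagged

def parse(text):
    return yaml.load(text)                           # flagged YM01

def parse_safe(text):
    return yaml.load(text, Loader=yaml.SafeLoader)   # not flagged

def calc(expr):
    return eval(expr)                                # flagged EX01
'''

if __name__ == "__main__":
    for line, rule, message in scan_source(SAMPLE):
        print(f"line {line}: {rule} {message}")
```

Working on the syntax tree rather than on text is what lets a SAST tool tell `subprocess.run(argv)` from `subprocess.run(cmd, shell=True)` and ignore matches inside strings or comments; a regex grep over the same file would flag the comment text as well.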
Bandit
A Python-specific SAST tool.
Semgrep
A SAST tool that supports 17+ languages.
nodejsscan
nodejsscan is a static security code scanner for Node.js applications.
SonarQube community
SonarQube not only displays the overall health of an application but also identifies and highlights newly introduced issues.
gosec
Inspects source code for security problems by scanning the Go AST.
.NET Security Guard
A vulnerability pattern detector for C# and VB.NET.
The Automated Security Helper
A collection of many tools integrated into one.
DAST
Dynamic Application Security Testing (DAST) is a security testing methodology that involves analyzing an application from the outside while it is running. DAST tools simulate attacks against a web application or service in order to identify security vulnerabilities that could be exploited by malicious users.
OWASP ZAP
The Zed Attack Proxy (ZAP) is one of the world's most popular free security tools.
Akto
A proactive, open-source API security tool: API discovery, testing in CI/CD, a test library with 150+ tests, custom tests, and sensitive data exposure detection.
Wapiti
A web vulnerability scanner written in Python 3.
Nuclei
Nuclei leverages templates to send targeted requests, ensuring zero false positives and enabling rapid scanning across numerous hosts.
Nikto
A web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs.
Arachni
Web Application Security Scanner Framework aimed at helping penetration testers and administrators evaluate the security of web applications.
Containerisation and Kubernetes
KubiScan
A tool to scan a Kubernetes cluster for risky permissions.
kube-bench
A Kubernetes benchmarking tool.
KubeSec
Security risk analysis for Kubernetes resources.
Sysdig
Offers deep visibility and security for Kubernetes, including threat prevention, compliance checks, and runtime security.
kubescape
Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
kube-hunter
Hunt for security weaknesses in Kubernetes clusters.
trivy
Finds vulnerabilities, misconfigurations, secrets and SBOMs in containers, Kubernetes, code repositories, clouds and more.
Harbor
An open source trusted cloud native registry project that stores, signs, and scans content.
Clair
Vulnerability Static Analysis for Containers.
Grype
A vulnerability scanner for container images and filesystems.
Infrastructure as code security
Checkov
Checkov by Bridgecrew proactively detects vulnerabilities and prevents cloud misconfigurations in infrastructure as code, container images, and open-source packages at build-time.
tfsec
tfsec employs static analysis on Terraform templates to identify potential security concerns, now including support for Terraform CDK.
terrascan
Terrascan is a static code analyzer for Infrastructure as Code.
cfn_nag
Looks for insecure patterns in CloudFormation.
As we wrap up this exploration of DevSecOps tools, remember that the journey towards integrating security seamlessly into the development lifecycle is ongoing. By leveraging the right tools and adopting a security-first mindset, we can significantly enhance the resilience and security of our software.
Thank you for joining me on this journey. I hope you've found valuable information in this blog to fortify your security posture and streamline your operations.