With Security stage integrated into your team's pipelines, on, let's say, every release, Security stage is run and trigger Security pipelines to do the job. Security stage itself doesn't affect your time-to-market.
Security pipelines combine different types of security scanners in one "Security" stage.
Scans reports are sent to DefectDojo, where triage begins.
Hi, is there a place where the full documentation is available for easy consumption as a web page or PDF?
I can go through the markdown files on the document folder but I feel like there should be a consolidated document published somewhere (maybe the OWASP project page?) to make it easier to read and reference.
Since we are dealing with several privacy laws and regulations, I believe it makes sense to add a privacy component to the DevSecOps security guideline.
Hi folks,
As a DevSecOps practitioner for many sizes of development, there is a critical one for maintaining DevSecOps Pipeline to prevent integrity violation and DRY principle with the pipeline consuming
Abstraction Ideas:
Pipeline definition store as separate repos
Consuming pipeline as git sub-modules
Pipeline call should be visible and measured
Benefits:
Pipeline enforcement
Pipeline integrity
Pipeline scalability
I'm happy to help but not so sure which category should we put it on
I think we could add something related to the DevSecOps program management and metrics. Since the success of DevSecOps efforts on teams or enterprises relies on things like adoption, number of vulnerabilities, the time it takes to remediate the issues, etc. Application Vulnerability Management could be a good touchpoint to add to this guide.
Hey All,
I can provide some content about accessing to pipeline configs, user types and branch protection to secure pipeline config files.
Is this topic sound valuable for you?
Thnks.
I see that the SCA is a little bit less developed than other parts of the doc, so I'd be happy to expand on this to include various techniques, technologies, tools, and workflows on how this is done in a real-world scenario. Let me know if that's what you're interested in. I also gave a talk about it here.
I see no mention of IAST on the tools lists.
It's a very powerful technique that people could benefit from, especially if they already have some automated functional testing. Technically it's much faster than DAST and the sync between HTTP requests and stack is very useful in debugging.
Location:
As soon as you have something running you can do IAST on it. So I'd say potentially right next to or before the DAST component. Also, if you do DAST and perform some automatic crawl of the application a lot of times that will help the IAST tool. IAST is dependent on external traffic to have something to monitor.
Involve SBOM as artifacts release manifest in order to be aware of downstream dependencies. The benefits of the SBOM approach allow the security team to perform security assessments without the need for source code - might not available with third-party
Building private dependencies registry to secure store and sign-off for dependency to prevent availability and tampering issues from upstream maintainers
Code phrase:
Setup proper dependency security scanning tool in CI/CD pipeline
Setup Dependency Vulnerability Assessment to continuously scan and alerts for new finding developers