PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • DevOps
  • Key Components:
  • DevSecOps
  • Components:
  • Importance of DevSecOps
  • Benefits of DevSecOps
  • Implementation of DevSecOps
  • DevSecOps in the SDLC
  • DevSecOps Framework
  • DevSecOps Tools
  • DevSecOps Culture
  • Challenges in Implementing DevSecOps
  • Best Practices of DevSecOps
  • DevSecOps in Agile Development

DevSecOps

Development, Security, Operations

DevOps

DevOps combines Software Development and IT Operations to shorten software release cycles through automation.

Key Components:

  • CI/CD Pipelines: Automate integrating and deploying code changes.

  • Environments/Infrastructure: Maintain environments for development, testing, and production.

  • Tech Stacks:

    • Version Control: Git, SVN

    • CI/CD Tools: Jenkins, GitLab, GitHub, Azure DevOps

    • Infrastructure: Docker, VMs, Vagrant, Terraform

    • Cloud Providers: Azure, AWS, GCP

    • Configuration Management: Ansible, Chef

DevSecOps

DevSecOps integrates security testing at every stage of the software development process, fostering collaboration between developers, security specialists, and operations teams to build secure and efficient software.

Components:

  • Development: Planning, coding, building, and testing the application.

  • Security: Introducing security earlier in the SDLC; ensuring code is free of vulnerabilities and performing thorough security testing.

  • Operations: Releasing, monitoring, and fixing issues in the software.

Importance of DevSecOps

  • Efficiently Address Security Issues: Integrates security into each development phase, avoiding delays and reducing costs.

  • Cultural Transformation: Makes security a shared responsibility among all team members.

Benefits of DevSecOps

  • Catch Vulnerabilities Early: Security checks at each stage help detect and fix issues sooner.

  • Reduce Time to Market: Automated security tests minimize delays.

  • Ensure Regulatory Compliance: Adopts professional security practices to meet industry standards.

  • Build a Security-Aware Culture: Teams proactively address security throughout development.

  • Develop Secure Features: Collaboration across teams ensures new features are secure.

Implementation of DevSecOps

  • DevOps: A practice combining development and operations through automation and collaboration.

  • CI/CD (Continuous Integration/Continuous Delivery): Automated build-and-test steps to efficiently deliver small changes.

  • Security Integration: Incorporates security assessments throughout CI/CD, making it a shared responsibility.

DevSecOps in the SDLC

  • Security testing traditionally occurs post-development.

  • DevSecOps integrates it throughout the SDLC:

    • Planning > Analysis > Design > Coding > Testing > Maintenance.

DevSecOps Framework

  • Pre-Commit Hooks: Scripts that run before changes are committed, ensuring code quality and security by catching issues early.

  • Security Pipelines: Dedicated pipelines for SAST, DAST, SCA.

  • Shift Left: Incorporates security early in the SDLC to catch issues sooner.

  • Shift Right: Continues security focus post-deployment to catch runtime issues.

DevSecOps Tools

  • SAST

    • Opensource: SonarQube, Bandit, FindSecBugs

    • Commercial: Checkmarx, Fortify, Veracode

  • DAST

    • Opensource: OWASP ZAP, Nuclei, Arachni, Wapiti

    • Commercial: Burp Suite, Acunetix, Netsparker, Nessus

  • SCA

    • Opensource: Snyk, Retire.js, OWASP Dependency-Check

    • Commercial: WhiteSource, Black Duck, Synk

  • Security in Infrastructure as Code

    • Opensource: TFLint, Checkov, Prowler

    • Commercial: Bridgecrew, CloudSploit, Prisma Cloud

  • Secret Management

    • Opensource: HashiCorp Vault, Mozilla SOPS, AWS Secrets Manager

    • Commercial: CyberArk Conjur, AWS Secrets Manager, Azure Key Vault.

  • CI/CD Integration: Jenkins, GitLab CI, GitHub Actions

  • Monitoring: Prometheus, Grafana, Splunk

  • Container Security: Aqua Security, Twistlock, Clair

DevSecOps Culture

  • Communication: Leadership promotes security practices' importance.

  • People: Collaboration between development, operations, and security teams.

  • Technology: Automated security testing tools.

  • Process: Continuous security testing and evaluation at every development stage.

Challenges in Implementing DevSecOps

  • Cultural Shift: Resistance to changing traditional roles and practices.

  • Tool Integration: Difficulty integrating diverse tools into a continuous delivery process.

Best Practices of DevSecOps

  • Shift Left: Early-stage security vulnerability checks.

  • Shift Right: Focus on post-deployment security.

  • Automated Security Tools: Integrate into CI/CD to avoid delays.

  • Promote Security Awareness: Make security a core value shared by all team members.

DevSecOps in Agile Development

  • Agile Mindset: Efficient application development with a focus on responding to changes.

  • Integration with Agile: DevSecOps introduces security practices into agile’s iterative cycles.

PreviousiOSNextBuilding CI Pipeline

Last updated 9 months ago