Software Alternatives, Accelerators & Startups

Implement DevSecOps to Secure your CI/CD pipeline

  1. NOTE: OWASP Zed Attack Proxy (ZAP) has been discontinued.
    OWASP Zed Attack Proxy (ZAP) is a crack of a tool among all security software that comes with the server, allowing users to manipulate traffic.
    Pricing:
    • Open Source
    Pen testing is a proactive cybersecurity practice where security experts target individual components or whole applications to find vulnerabilities that can be exploited to compromise the application and data. ZAP, Metasploit, and Burp Suite can be used for pen tests, which can discover vulnerabilities that might be missed by SAST and DAST tools. The downside of a pen test is that it takes more time, depending on the coverage and configuration. A proper pen test might take up to several weeks, and at DevOps development speed that becomes unsustainable. However, it's still worth adding internal VAPT, which can be done on every feature release to move fast, while external VAPT can be done biannually or annually to keep overall security in check.

    #Tool #Developer Tools #Proxy 11 social mentions

  2. Dependency-Check is a utility that identifies project dependencies and checks if there are any...
    Pricing:
    • Open Source
    OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. We can also publish our SBOM report to Dependency-Track and visualize our software components and their vulnerabilities.

    #Security #Code Analysis #Web Application Security 16 social mentions

  3. OpenSearch is a community-driven, open source search and analytics suite derived from Apache 2.0 licensed Elasticsearch 7.10.2 & Kibana 7.10.2. It consists of a search engine daemon, and a visualization and user interface, OpenSearch Dashboards.
    OpenSearch/Elasticsearch: It is a real-time distributed and analytic engine that helps in performing various kinds of search operations.

    #Custom Search Engine #Search Engine #Custom Search 25 social mentions

  4. Nmap Free Security Scanner, Port Scanner, & Network Exploration Tool. Download open source software for Linux, Windows, UNIX, FreeBSD, etc.
    Tools such as Nmap, Wireshark, and tcpdump can be used to scan networks and packets.

    #Security #Security Monitoring #Monitoring Tools 187 social mentions

  5. New Relic is a Software Analytics company that makes sense of billions of metrics across millions of apps. We help the people who build modern software understand the stories their data is trying to tell them.
    All cloud providers have their own monitoring toolsets, and some tools are accessible from the marketplace. There are also paid monitoring tool providers like New Relic, Datadog, AppDynamics, and Splunk that provide all types of monitoring.

    #Application Performance Monitoring #Performance Monitoring #Monitoring Tools 81 social mentions

  6. Mocha is a JavaScript test framework running on Node.js and the browser, making asynchronous testing simple.
    Pricing:
    • Open Source
    In unit tests, individual software code components are checked to see whether they work as expected. Unit tests isolate a function or module of code and verify its correctness. We can use tools like JaCoCo for Java, and Mocha and Jasmine for Node.js, to generate unit test reports. We can also send these reports to SonarQube, which shows us code coverage and the percentage of your code covered by your test cases.

    #Development Tools #Javascript UI Libraries #JavaScript Framework 87 social mentions

  7. Behavior-Driven JavaScript
    Pricing:
    • Open Source
    In unit tests, individual software code components are checked to see whether they work as expected. Unit tests isolate a function or module of code and verify its correctness. We can use tools like JaCoCo for Java, and Mocha and Jasmine for Node.js, to generate unit test reports. We can also send these reports to SonarQube, which shows us code coverage and the percentage of your code covered by your test cases.

    #Automated Testing #Testing #Developer Tools 28 social mentions

  8. Google Search, also referred to as Google Web Search or simply Google, is a web search engine developed by Google. It is the most used search engine on the World Wide Web.
        dgoss edit nginx
        goss add port 80
        goss add http https://google.com
        goss add file /etc/nginx/nginx.conf
        goss add user nginx
        # Once we exit it will copy the goss.yaml from the container to the current directory and we can modify it as per our validation.
        # Validate
        [root@home ~]# dgoss run -p 8000:80 nginx
        INFO: Starting docker container
        INFO: Container ID: 5f8d9e20
        INFO: Sleeping for 0.2
        INFO: Container health
        INFO: Running Tests
        Port: tcp:80: listening: matches expectation: [true]
        Port: tcp:80: ip: matches expectation: [["0.0.0.0"]]
        HTTP: https://google.com: status: matches expectation: [200]
        File: /etc/nginx/nginx.conf: exists: matches expectation: [true]
        File: /etc/nginx/nginx.conf: mode: matches expectation: ["0644"]
        File: /etc/nginx/nginx.conf: owner: matches expectation: ["root"]
        File: /etc/nginx/nginx.conf: group: matches expectation: ["root"]
        User: nginx: uid: matches expectation: [101]
        User: nginx: gid: matches expectation: [101]
        User: nginx: home: matches expectation: ["/nonexistent"]
        User: nginx: groups: matches expectation: [["nginx"]]
        User: nginx: shell: matches expectation: ["/bin/false"]
        Total Duration: 0.409s
        Count: 13, Failed: 0, Skipped: 0
        INFO: Deleting container.

    #Search Engine #Internet Search #Web Search 3693 social mentions

  9. Open-source container vulnerability analysis service.
    Open source: Trivy, Grype, and Clair are widely used open source tools for container scanning.

    #Web Application Security #Code Collaboration #Security & Privacy 15 social mentions

  10. Distributed tracing system released as open source by Uber
    Application Performance Monitoring (APM) improves visibility into a distributed microservices architecture. The APM data can help enhance software security by allowing a full view of an application. Distributed tracing tools like Zipkin and Jaeger stitch all logs together and bring full visibility of requests from start to end. This speeds up response time for new bugs or attacks.

    #Monitoring Tools #Performance Monitoring #Log Management 8 social mentions

  11. eBPF-based Security Observability and Runtime Enforcement (GitHub: cilium/tetragon)
    Falco is a cloud-native Kubernetes threat detection tool. It can detect unexpected behavior, intrusions, and data theft in real time. In the backend, it uses Linux eBPF technology to trace your system and applications at runtime. For example, it can detect if someone tries to read a secret file inside a container, access a pod as a root user, etc., and trigger a webhook or send logs to the monitoring system. There are similar tools like Tetragon, KubeArmor, and Tracee which also provide Kubernetes runtime security.

    #Utilities #Application Utilities #Security 2 social mentions

  12. Runtime Security
    Pricing:
    • Open Source
    Falco is a cloud-native Kubernetes threat detection tool. It can detect unexpected behavior, intrusions, and data theft in real time. In the backend, it uses Linux eBPF technology to trace your system and applications at runtime. For example, it can detect if someone tries to read a secret file inside a container, access a pod as a root user, etc., and trigger a webhook or send logs to the monitoring system. There are similar tools like Tetragon, KubeArmor, and Tracee which also provide Kubernetes runtime security.

    #Monitoring Tools #Cyber Security #Security 12 social mentions

  13. This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.
    zap.sh -cmd -quickurl http://example.com/ -quickprogress -quickout example.report.html

    #Software Development #Software Development Tools #Web Development Tools 2414 social mentions

  14. Build and debug modern web and cloud applications, by Microsoft
    Pricing:
    • Open Source
    Install linting tools inside a code editor like Visual Studio Code. One of the most popular linting tools is SonarLint, which highlights bugs and security vulnerabilities as you write code.

    #Text Editors #IDE #Software Development 1021 social mentions
