# DevSecOps

## Secure Software Objectives

One simple way to describe the secure software objectives is to build or acquire software that satisfies three Rs: software must be reliable, resilient, and recoverable.

● Reliability means that software should function as expected.

● Resiliency means that software should withstand misuse and attack.

● Recoverability means that normal business operations can be restored with minimal disruption.

## Tools for implementing DevSecOps Automation

### Development

[Git Secrets](https://github.com/awslabs/git-secrets) - Prevents you from committing secrets and credentials into git repositories

Security plugins (Snyk, Fortify, Veracode) in any IDE ([VSCode](https://marketplace.visualstudio.com/VSCode), [IntelliJ](https://www.jetbrains.com/idea/))

[Trufflehog](https://github.com/trufflesecurity/trufflehog) - Find and verify credentials
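
The shift-left check that git-secrets and Trufflehog automate, as an added example that is not code from either project: a pre-commit style scan that inspects only the added lines of the staged diff and aborts the commit when a line matches a credential pattern. The patterns are assumptions modelled on the AWS access key ID and secret key formats and on PEM private-key headers; the sample diff is constructed and uses the example credentials published in AWS documentation.

```python
import re
import subprocess
import sys

# Assumed detection rules (not git-secrets' registered set): AWS access key IDs,
# AWS secret keys assigned near the word "secret", and PEM private-key headers.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?[\"']?[0-9A-Za-z/+]{40}[\"']?"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed staged diff: a developer replaces environment lookups with
# hard-coded keys (the AWS documentation example values, not live credentials).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "us-east-1"
"""

def scan_diff(diff_text):
    """Return (path, added_line, rule) for every added line matching a rule.
    Only '+' lines are inspected, so a commit that removes a leaked secret is never blocked."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-side file header, e.g. "+++ b/config.py"
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+"):             # an added line of content
            content = line[1:]
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    findings.append((path, content.strip(), rule))
    return findings

def staged_diff():
    """Unified diff of what is about to be committed (needs git; not used by the sample)."""
    return subprocess.run(["git", "diff", "--cached", "--no-color", "--unified=0"],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    hits = scan_diff(staged_diff())
    for path, content, rule in hits:
        print(f"{path}: {rule}: {content}")
    sys.exit(1 if hits else 0)  # a non-zero exit aborts the commit in a pre-commit hook
```

Installed as `.git/hooks/pre-commit`, the script blocks the commit in the sample above and passes when the added lines keep reading credentials from the environment.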

### Security (Application Security Testing)

Code Quality - SonarQube, CodeQL

SAST Security (Static) - Veracode, Checkmarx, Fortify

Software Composition Analysis (SCA) Security - Fortify, Veracode, Blackduck, Snyk

DAST (Dynamic) Security - OWASP ZAP, BurpSuite, WebInspect, Veracode DAST, Acunetix

Infrastructure as Code (IaC) Security - Bridgecrew, Snyk

Container Security - AQUA, Qualys, Prisma Cloud

### Operations

Pipeline Building - Jenkins, Azure DevOps, GCP Cloud Build, AWS, GitHub Actions, GitLab

Cloud Security Posture Management - AQUA, BridgeCrew

Container Registry Scanning - AQUA, AWS Native Registry

Infrastructure Scanning Tools - Chef InSpec (Compliance), Nessus

Cloud Security - Azure Defender, AWS Security Hub, Prowler (AWS)
