Simple
Table of contents
DevSecOps simple model more focus on fast and scalable
| Stages | Description | Tools |
|---|---|---|
| Threat Modeling | Identify and analyze potential security threats and vulnerabilities in the system design and architecture. | Microsoft Threat Modeling Tool, Pytm |
| SAST (Static Application Security Testing) | Analyze source code to identify security vulnerabilities and coding flaws. | Snyk - SonarQube - Checkmarx - Fortify - Veracode |
| SCA (Software Composition Analysis) | Identify and manage open-source and third-party components for known vulnerabilities and license compliance. | Snyk - Sonatype Nexus Lifecycle - WhiteSource - Black Duck |
| Secure Pipeline | Implement security controls and best practices in the CI/CD pipeline to ensure the integrity and security of the software delivery process. | Jenkins - GitLab CI/CD - CircleCI |
| Real-time distributed messaging platforms | Utilize messaging platforms for real-time communication, collaboration, and incident response. | Slack - Microsoft Teams - Mattermost - Discord |
| Artifacts | Securely manage and store build artifacts, such as Docker images or software packages. | Docker Registry - Nexus Repository Manager - JFrog Artifactory |
| Configuration Management | Manage and enforce secure configuration settings across the infrastructure and applications. | Ansible - Chef - Puppet - Terraform |
| DAST (Dynamic Application Security Testing) | Test running applications to identify vulnerabilities and security weaknesses in real-time. | Nuclei - Burp Suite - Acunetix - Netsparker |
| IAST (Interactive Application Security Testing) | Perform security testing during application runtime to identify vulnerabilities and provide real-time feedback. | Contrast Security - Seeker - Quotium Seeker |
| Smoke Test | Execute basic tests to ensure the essential functionality of the application after each deployment. | Selenium - Cypress - Postman |
| Cloud Infrastructure | Securely configure and manage cloud infrastructure and services. | AWS CloudFormation - Azure Resource Manager - Google Cloud Deployment Manager |
| Secret Management | Securely store and manage sensitive information, such as API keys, passwords, and certificates. | HashiCorp Vault - AWS Secrets Manager - Azure Key Vault |
| Threat Intelligence | Gather and analyze threat intelligence data to proactively identify potential security threats and vulnerabilities. | OpenCTI |
| Vulnerability Assessment | Conduct regular vulnerability assessments and scans to identify and prioritize vulnerabilities. | Nessus - Qualys - OpenVAS - Rapid7 InsightVM |
| Monitoring | Continuously monitor applications and infrastructure for security events and anomalies. | ELK Stack (Elasticsearch, Logstash, Kibana) - Splunk - Prometheus - Grafana |
| Virtual Patching | Apply temporary security measures to mitigate vulnerabilities until a permanent fix is implemented. | OpenRASP |
| MISecOps (Machine Learning in Security Operations) | Utilize machine learning techniques to enhance security operations and automate threat detection and response. | IBM Watson for Cyber Security - Splunk User Behavior Analytics (UBA) - Darktrace |
| AiSecOps (Artificial Intelligence in Security Operations) | Apply artificial intelligence algorithms and techniques to improve security operations and automate threat analysis and response. | Cylance - IBM QRadar - Palo Alto Networks Cortex XDR |