Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

8/18/2017
01:50 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Finding Tools for DevSecOps

Finding the right tools can be the start of the right path toward DevSecOps. Here's how to start the hunt.

When DevSecOps are defined it can begin a process. But ultimately process requires tools to become practice. Where do you go to find tools to use when an organization wants to move beyond theory adding security to DevOps?

The good news is that there are sources for tools, and the better news is that there are some third-party lists for those tools. Depending on just how dedicated your organization is to the principles of open source, one resource might be the only directory you need to get started, but in any case, your organization will not be left without options.

GitHub

GitHub, the code-repository resource that has become the home to thousands of open source projects and software-designer portfolios, has a page dedicated to DevSecOps. The page, modestly titled "Awesome DevSecOps," features resources ranging from automation and testing tools to podcasts and conferences.

Many of the resources listed on Awesome DevSecOps are valuable whether you're moving in the DevOps world or not. For example, WebGoat is a basic resource for learning web app security no matter which development discipline you're using. In the same way, while team-wide communication is critical for DevSecOps (and DevOps in general), there's nothing DevOps-specific about Slack or HipChat. Taken as a whole, though, the GitHub page may be the single resource that is currently most comprehensive when it comes to tools for those in starting down the DevSecOps path.

Virtualizing the Cable Architecture @ SCTE/ISBE's Cable-Tec Expo


You're invited to attend Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo on October 18 featuring Comcast's Rob Howald and Charter's John Dickinson.

That doesn't mean it's the only resource, though. DevSecOps.org has links to tools and references that those getting started in the field would find useful. There are also links to projects, presentations, and even comics on the site, as well as a way to join the Linkedin group run by this group of security professionals.

It should be noted that, as with an group of volunteers, activity can wax and wane, and some of the sections haven't been refreshed in a while. The principles expressed are still useful, though, and beginners will find a great deal to help them on their way in the pages.

In addition to these two sites, there are a number of vendor-sponsored sites and pages that deal with the tools and practices around DevSecOps. They aren't listed here -- that's what Google is for.

The fact is that most tools used in DevSecOps are common to the tools used in DevOps. There are scores of sites available for finding those, though GitHub once again provides a good place to start. As with DevOps, agile, and all the variations on them that are scattered around the enterprise development and operations landscape, the biggest tool that any organization can have is a willingness to change coupled with champions able to muscle, cajole, and inspire teams through the rough spots.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.