- Published on
DevSecOps
- Authors
- Name
- Jackson Chen
Package Management
Nuget
https://learn.microsoft.com/en-us/nuget/what-is-nuget
An introduction to NuGet
chocolatey
The Package Manager for Windows - Modern Software Automation
Chocolatey for Business
Chocolatey for Business (C4B) has helped hundreds of system admins save time, reduce downtime, and accelerate deployment.
There are a lot of different installer formats and multiple approaches to deploying Windows software. Deploying software without package management on Windows can be complicated and time-consuming.
Chocolatey simplifies this through a simple, repeatable, and automated approach, using a universal packaging format for managing all Windows software. Regardless of whether installers are native, zips, scripts, binaries or in-house developed, Chocolatey treats them all as first-class citizens.
Write once, deploy anywhere, with anything, and then simply track & manage.
YUM and DNF
Linux, RHEL package management
DevOps Tools
Ansible
Built on open source, Red Hat® Ansible® Automation Platform is a hardened, tested subscription product that offers full life cycle support for organizations. Explore how Ansible can help you automate today—and scale for the future.
Event-Driven Ansible
https://www.redhat.com/en/technologies/management/ansible/event-driven-ansible?hsLang=en-us Event-Driven Ansible can process events containing discrete intelligence about conditions in the IT environment, determine the appropriate response to the event, then execute automated actions to address or remediate the event.
Ansible documentation
Ansible Playbook
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html
Python
Python is a programming language that lets you work quickly and integrate systems more effectively
C sharp
https://learn.microsoft.com/en-us/dotnet/csharp/tour-of-csharp/
C# - .NET object-oriented programming language.
C# enables developers to build many types of secure and robust applications that run in
Testing Tools
pytest
pytest: helps you write better programs
Pytest is a Python testing framework that originated from the PyPy project. It can be used to write various types of software tests, including unit tests, integration tests, end-to-end tests, and functional tests. Its features include parametrized testing, fixtures, and assert re-writing.
Pytest fixtures provide the contexts for tests by passing in parameter names in test cases; its parametrization eliminates duplicate code for testing multiple sets of input and output; and its rewritten assert statements provide detailed output for causes of failures.
Repository
pypi
The Python Package Index (PyPI) is a repository of software for the Python programming language
Database
postgresql
https://www.postgresql.org/ PostgreSQL is a powerful, open source object-relational database system with over 35 years of active development that has earned it a strong reputation for reliability, feature robustness, and performance.
Security
JFrog - Advanced Security
JFrog security features protect your software development from end to end on self-hosted, cloud, multi-cloud and hybrid environments. Xray is a component of JFrog Advanced Security; it scans code repositories for vulnerabilities and best practices, and provides recommendations on how to fix them.
Manage Security and Compliance with JFrog Xray
https://jfrog.com/webinar/manage-security-and-compliance-with-jfrog-xray/
# DevOps - Artifactory
. Universal Binary Repository
. Native Package Support
. Release Lifecycle Management
. Container Registry
. ML Model Registry
. REST API
. OSS Proxy and Dependency Management
. Identity Management Integration
. 10,000 Base CI/CD Minutes / mo
# Security - Security Essentials (Xray)
. Open Source Vulnerability Scanning
. Container Scanning
. ML Model Scanning
. SBOM Build and Exports
. Premium Vulnerability Database
. Open Source License Compliance.
CI CD Pipeline
Bitbucket
https://bitbucket.org/ Bitbucket gives teams one place to plan projects, collaborate on code, test and deploy, all with free private Git repositories. Teams choose Bitbucket because it has a superior Jira integration, built-in CI/CD.
Bitbucket Data Center
It will replace Bitbucket Server (support ends in Feb 2024).
Cut out wait time by auto-merging your pull requests: A feature that automates and streamlines the merging of pull requests. You no longer need to manually check if a pull request is ready for merge or constantly monitor builds and approvals. Bitbucket Data Center can now handle merging automatically once all criteria are met, making it a set-and-forget experience.
Streamline your review by adding Code Owners: Experience smooth and efficient pull request creation with Code Owners in Bitbucket Data Center. By adding rules to a CODEOWNERS file, developers can define who needs to review specific files or parts of the repository.
Automate pull request commit messages with templates: Instead of asking developers to add extra details to pull request commit messages, organisations can now set a tailored message template to satisfy their requirements and the details will be automatically populated for you in the merge dialog. Commit message templates also support variables, allowing your commit messages to include details such as the source and target branch, the list of approvers, and more. This helps ensure consistent, informative commit messages without wasting time copying and pasting the required details for each pull request.
Cut to the chase by searching by projects: In large organisations finding a project among thousands of others can be hard. You don’t need to scroll through an endless alphabetical list of projects anymore. Our new search field makes finding the right project easy.
Bitbucket Documentation
https://support.atlassian.com/bitbucket-cloud/resources/
Bitbucket Server and Data Center comparison
Bitbucket Server support ends in February 2024. Bitbucket 8.15.x is the first Data Center-only release. The Bitbucket Server 8.14.x release will continue to support server licenses until February 15, 2024.
Bamboo
https://www.atlassian.com/software/bamboo
Developers describe Bamboo as "Tie automated builds, tests, and releases together in a single workflow". Focus on coding and count on Bamboo as your CI and build server! Create multi-stage build plans, set up triggers to start builds upon commits, and assign agents to your critical builds and deployments. On the other hand, Bitbucket is detailed as "One place to plan projects, collaborate on code, test and deploy, all with free private repositories". Bitbucket gives teams one place to plan projects, collaborate on code, test and deploy, all with free private Git repositories.
Bamboo can be classified as a tool in the "Continuous Integration" category, while Bitbucket is grouped under "Code Collaboration & Version Control". Build, test, and deploy with confidence - Bamboo Data Center is a continuous delivery pipeline that offers resilience, reliability, and scalability for teams of any size.
. Workflow automation: Unleash the power of agile development with automated workflows from code to deployment.
. Built-in disaster recovery: Keep teams online and on track with build resilience and high availability.
. Scale with confidence: Increase capacity and maintain performance as your organization grows.
Bamboo, Bitbucket, and Jira Software are fully integrated and give us full traceability from the time a feature request is made all the way to deployment.
- Connect Bamboo with Bitbucket and Jira, across any deployment type, for a seamless experience.
- Release with ease by using Docker and AWS CodeDeploy to deliver your final product.
- Integrate with Opsgenie to empower your response teams to investigate incidents quickly.
Bamboo server and data center feature comparison
Artifactory
# Artifactory is the Repository or Repo
JFrog Artifactory: Enterprise Universal Repository Manager.
JFrog Artifactory serves as a central hub for DevOps, integrating with tools and processes to improve automation, increase integrity, and incorporate best practices along the way. Git is well suited to faster, high-availability operations during the code release cycle.
puppet
https://www.puppet.com/ Infrastructure Automation & Compliance at Enterprise Scale
Chef
https://www.chef.io/ Extend DevOps Value with Cloud-to-Edge Security and Compliance. Configure, deploy and manage your entire application infrastructure in a secure and compliant way.
Monitoring
Prometheus
https://prometheus.io/ Power your metrics and alerting with the leading open-source monitoring solution
Prometheus Documentation
https://prometheus.io/docs/prometheus/latest/getting_started/ https://prometheus.io/docs/introduction/overview/
https://prometheus.io/download/
Grafana
Grafana Documentation
https://grafana.com/docs/ https://grafana.com/docs/grafana-cloud/monitor-infrastructure/integrations/get-started/
Red Hat, CentOS, RHEL, and Fedora Installation
sudo yum install -y https://dl.grafana.com/enterprise/release/grafana-enterprise-10.2.2-1.x86_64.rpm
Observium
Network monitoring with intuition.
Observium is a network monitoring and management platform that provides real-time insight into network health and performance. It can automatically discover network devices and services, collect performance metrics, and generate alerts when problems are detected.
Observium includes a web-based interface that allows users to view network status and performance metrics in real time, as well as historical data. It is designed to be easy to use and maintain, with a focus on providing the information that network administrators need to quickly identify and resolve issues.
Observium supports a wide range of device types, platforms and operating systems including Cisco, Windows, Linux, HP, Juniper, Dell, FreeBSD, Brocade, Netscaler, NetApp and many more.
Security
Splunk
Splunk Security Orchestration, Automation and Response (SOAR) free community edition
https://www.splunk.com/en_us/products/splunk-security-orchestration-and-automation.html
Trivy
https://trivy.dev/ Trivy is the most popular open source security scanner, reliable, fast, and easy to use. Use Trivy to find vulnerabilities & IaC misconfigurations, SBOM discovery, Cloud scanning, Kubernetes security risks, and more.
Selenium
https://www.selenium.dev/ Selenium automates browsers. That's it! What you do with that power is entirely up to you.
Selenium documentation
https://www.selenium.dev/documentation/
cAdvisor
cAdvisor (short for container Advisor) analyzes and exposes resource usage and performance data from running containers.
Chef InSpec
https://docs.chef.io/inspec/ Chef InSpec is an open-source framework for testing and auditing your applications and infrastructure. It compares the actual state of your system with the desired state that you express in easy-to-read and easy-to-write Chef InSpec code. It detects violations and displays findings in the form of a report, but puts you in control of remediation.
Chef InSpec is a run-time framework and rule language used to specify compliance, security, and policy requirements. It includes a collection of resources that help you write auditing controls quickly and easily.
Cipherscan
https://linuxsecurity.expert/tools/cipherscan/ cipherscan is commonly used for information gathering, security assessment, system hardening, or web application analysis. Target users for this tool are auditors, pentesters, security professionals, and system administrators.
OpenScap
https://www.open-scap.org/ The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. We maintain great flexibility and interoperability, reducing the costs of performing security audits.
Velociraptor
https://www.rapid7.com/products/velociraptor/ Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.
Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.
Tenable
Tenable Nessus
https://www.tenable.com/products/nessus There are two products: Nessus Expert and Nessus Professional.
File System
XFS
GlusterFS
https://www.gluster.org/ Gluster is a free and open source software scalable network filesystem.
NFS
https://www.techtarget.com/searchenterprisedesktop/definition/Network-File-System
Network File System (NFS) is a networking protocol for distributed file sharing.
Authentication and Directory
Microsoft Active Directory
https://www.quest.com/solutions/active-directory/what-is-active-directory.aspx
FreeIPA
https://www.freeipa.org/ Integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate.
OpenLDIF
Other Tools
LinEnum
LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root. It is important to understand what commands LinEnum executes, so that you are able to manually enumerate privesc vulnerabilities in a situation where you're unable to use LinEnum or other like scripts.
Prometheus Node Exporter
The node_exporter is designed to monitor the host system. Deploying in containers requires extra care in order to avoid monitoring the container itself.
Remote Access
rdp
ssh
https://www.techtarget.com/searchsecurity/definition/Secure-Shell
xrdp
xrdp provides a graphical login to remote machines using RDP (Microsoft Remote Desktop Protocol). xrdp accepts connections from a variety of RDP clients: FreeRDP, rdesktop, NeutrinoRDP and Microsoft Remote Desktop Client (for Windows, macOS, iOS and Android).
Testing Tools
Locust
https://locust.io/ An open source load testing tool. Define user behaviour with Python code, and swarm your system with millions of simultaneous users.
Search Tool
OpenSearch
OpenSearch is the flexible, scalable, open-source way to build solutions for data-intensive applications. Explore, enrich, and visualize your data with built-in performance, developer-friendly tools, and powerful integrations for machine learning, data processing, and more.
Elasticsearch
API Tools
Postman
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
DevOps Pipeline
Spectral
https://spectralops.io/ SpectralOps is a scanning tool that can be integrated within your CI/CD system to automatically identify security blindspots and sensitive assets like secret keys, unsecured API endpoints, credentials, and misconfigurations in real-time. It scans your entire codebase and sends instant notifications once an issue is detected, enabling your team to easily and quickly resolve it.
Datadog
https://www.datadoghq.com/monitoring/security-monitoring-tools/ Track potential threats across your entire stack in one tool with Datadog Security Monitoring.
Security Monitoring Tools
Security monitoring tools are the vigilant guardians of your digital realm, which has become a prime target for cybercriminals seeking to exploit vulnerabilities and gain unauthorized access. Cyber security monitoring tools encompass a variety of software solutions designed to detect, prevent, and respond to cyber threats, ensuring the safety and integrity of your data, systems, and networks. These tools act as watchful sentinels, continuously analyzing network activities, identifying vulnerabilities, and providing real-time alerts when suspicious activities are detected.
Network Security Monitoring Tools: Network security monitoring tools focus on scrutinizing network traffic and flagging any anomalies or potentially malicious activities. They provide a comprehensive view of data flowing in and out of your network, aiding in the early detection of cyber threats.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): IDS and IPS work hand in hand to identify and thwart unauthorized access attempts. IDS monitors network traffic for suspicious patterns, while IPS immediately blocks or prevents potential threats.
Snort
Snort, an open-source intrusion detection system (IDS), is a powerful tool for monitoring network traffic. It analyzes packets and alerts administrators to suspicious activities, helping detect unauthorized access attempts and potential breaches.
- Security Information and Event Management (SIEM) Software: SIEM software collects and analyzes security data from various sources, enabling organizations to detect and respond to security incidents effectively. It correlates data, generates alerts, and provides valuable insights for threat mitigation.
Tools - such as ArcSight, LogRhythm
- Endpoint Detection and Response (EDR) Solutions: EDR solutions focus on individual devices, or endpoints, within a network. They monitor endpoint activities, detect malicious behavior, and facilitate swift response and remediation.
1. SOAR - Security Orchestration Automation Response
2. EDR - Endpoint Detection Response
3. IDAM - Identity Access Management