DevSecOps University
The comprehensive collection of DevSecOps Learning Resources like Books, Tutorials, Infographics, Tools and much more.
Enjoy!
Secure SDLC using DevSecOps.
Most organizations now realize that a pentest is not a holy grail and are investing resources in doing security early on, using practical DevOps practices like CI/CD systems, Infrastructure as Code, Security as Code, and Compliance as Code.
Please use the following resources to shift security left.
Introduction
Before we embark on our DevSecOps journey, we, as security professionals, need to equip ourselves with some critical tools.
Namely:
- Git (Version Control System)
- CI/CD (Continuous Integration and Delivery)
- Artifact management
- Infrastructure as Code (Configuration management tools)
- Cloud Platforms (AWS or GCP or Azure)
Feeling overwhelmed? You do not need to be an expert in the above tools. You just have to understand the basics to work with them. Most people know how to drive a car without understanding the underlying concepts, such as the internal combustion engine or thermodynamics.
Similarly, we will learn just enough to get the work done. Let’s dig in.
1. Git (Version Control System)
DevSecOps heavily relies on Everything as Code (EaC), so a version control system (VCS) becomes the most important tool in our arsenal. Git is the most popular VCS at the moment.
Videos
Git & GitHub Crash Course For Beginners by Traversy Media
Git Demo – Create, Clone, Merge Repositories by Valaxy Technologies
Git Tutorial for Beginners by Intellipat
Tutorials and Blogs
Git Handbook by Github
Git cheat sheet by Atlassian
Git Strategies for DevOps by Ahmad Iqbal Ali
Learn the Basics of Git in Under 10 Minutes by Gowtham Venkatesan
Understanding Git Explain it Like I’m Five by Kevin Cooper
Git – the simple guide by Roger Dudler
The Git Supremacy by Mayank Arya
Version Controlling with Git in Visual Studio Code and Azure DevOps by Azure
Online Playgrounds
2. CI/CD (Continuous Integration and Delivery)
Whether you are an Agile shop, a DevOps shop or a Cloud-Native shop, continuous integration, continuous delivery and continuous deployment are the cornerstones of modern software development. If you want to attack or defend such a system, you need to understand the basics of it.
Videos
GitLab Beginner Tutorial by Raghav Pal
DevOps CI CD by Java Home Cloud
Best practices for securing CI/CD pipeline by Victoria Almazova
CI/CD Platform in AWS with Terraform, Ansible & Docker by Mohamed Labouardy
Continuous delivery from first principles to production by Tom
Let’s Build A CI CD Pipeline by Jean De Klerk
Intro to CI/CD with Python by Chris Arceneaux
Gitlab CI/CD by Johan Duran
Building Your First CI/CD Pipeline in Azure by Benjamin Hodge
Continuous Integration with GitLab CI by Pete Johanson
Introduction to GitLab Workflow by Gitlab
From Dev to Prod with GitLab CI by Stephan Hochdorfer
Scaling Continuous Deployment at Facebook and OANDA by Tony Savor
Continuous Delivery with Jenkins in the real World by Gianluca Arbezzano
Tutorials and blogs
What is CICD — Concepts in Continuous Integration and Deployment by Sanjay Nair
An absolute beginners guide to Continuous Delivery by Erin Snyder
An Introduction to Continuous Integration, Delivery, and Deployment by Justin Ellingwood
Getting Started in CI/CD for Beginners by Samsha
What to Consider Before Applying CI/CD | A Beginner’s Cheat Sheet by Katalon
An Introduction to CI/CD Best Practices By Justin Ellingwood
GitOps – Operations by Pull Request by Weave Works
GitOps 101: What Is GitOps, and Why Would You Use It? by Chris Riley
CI/CD on Google Cloud by Google
A Modern ci/cd pipeline on pure continuous integration/continuous delivery (ci/cd) on pure storage by PureStorage
List of Continuous Integration services by Awesome CI
Continuous Integration, Continuous Delivery & Deployment (CI/CD) by Docker
DevOps – Are we there yet? by MindTree
Gitlab CI/CD Crash Course by Avicenna Wisesa
Automate your work with Gitlab CI/CD tool! by Marcin Nowacki
Beginner-Friendly Introduction to GitLab CI/CD by Zuri Hunter
How To Set Up Continuous Integration Pipelines with GitLab CI on Ubuntu 16.04 by Justin Ellingwood
Adopting Modern CI/CD Practices for Adobe Experience Platform Pipeline by Jaemi Bremner
How We Build Code at Netflix by Netflix
A beginner’s guide to building DevOps pipelines with open source tools by Bryant Son
Rapid release at massive scale by Chuck Rossi
How To Build a CI/CD Pipeline in AWS in 5 Minutes and 58 Seconds by Allen Helton
Common security challenges in CI/CD workflow by Meera Rao
Hands-on (Practice)
Python CI/CD Workshop by Datapunks
GitLab Git Workshop by Gitlab
Gitlab-training by Netways
Gitlab-ci-training by Ondrej Sika
3. Artifact management
Organizations deploy software to production, but giving people direct access to production-deployable artifacts is not a good idea. Instead, all deployable software is kept in tightly controlled, auditable and automated repository management software, also known as artifact management. Think of it as a storage platform for war, jar, zip and tar.gz files.
Videos
Introduction to JFrog Artifactory by Narshima Pai
Introduction to Artifactory by Oren Ezer
How to integrate nexus with jenkins and upload artifacts to nexus server step by step by Madhu Sudhan Reddy
Six Reasons to Use a Repository Manager Now by Tim OBrien
Sample Devops project nexus artifactory up-loader pipeline Jenkins pipeline code Real-time by Madhu Sudhan Reddy
Blogs and Tutorials
Blogs
Artifact Management by Scott Rich
Devops artifacts – artifactory, sonatype nexus, maven artifact repository, and apache archiva by BogoToBogo
Artifactory Repository Manager – Tutorial by Simon Scholz
Nexus Repository Manager – Tutorial by Simon Scholz
DevOps: 8 Reasons for DevOps to use a Binary Repository Manager by Jfrog
Repository Management Tools by MindMajix
Tools
Apache Archiva – Apache Archiva™ is an extensible repository management software that helps take care of your own personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as Maven, Continuum, and Ant.
Maven Repositories – A repository in Maven holds build artifacts and dependencies of varying types
Cloud Smith – Cloudsmith is the preferred software platform for securely storing and sharing packages and containers.
Jfrog – Artifactory is a product by JFrog that serves as a binary repository manager
Nexus repository oss – The free artifact repository with universal format support.
4. Infrastructure as Code (Configuration management tools)
Speed is a competitive advantage, and to achieve speed, agility, and performance, organizations are creating infrastructure as if it were software/code instead of provisioning bare-metal hardware servers by hand.
Recent advances in virtualisation and cloud computing enable us to accomplish Infrastructure as Code.
Videos
Holistic configuration management at Facebook by Chunqiang Tang
SaltStack is more than just configuration management by Thomas Hatch
DSC in Configuration Management tool world by Ben Gelens
Evolution of Configuration Management into a DevOps/Agile World by Marisa Sawatphadungkij
Exiting Vacuum: Integrating Configuration Management into your Ecosystem by Sascha Bates
Configuration Management with Salt Stack: Zero to Hero by Wesley Whetstone
Cloud Native Configuration Management 2020 and beyond by Eric Sorenson
Puppet, the Automation Journey: Configuration Management, Automation and the Cloud by Brendan Rosewarne
Blogs and Tutorials
Configuration Management in DevOps by Bmc Blog
Top 10 Configuration Management Tools You Need to Know About by UpGuard
Modern Configuration Management: Configuration as Code by Chef
Configuration Management 101: Writing Ansible Playbooks By Erika Heidi
Configuration Management and Continuous Deployment by Anilkumar Patel
Using Ansible for configuration management by Eric Goebelbecker
Change and Configuration Management — The DevOps Way by Isaac Ndung’u
A Newbie’s Guide to Configuration Management Tools and How to Get Started by Ofer Velich
Automating Configuration Management for DevOps Test Environments by Capgemini
A Beginner’s Guide to Chef by Linode
Automation, Provisioning & Configuration Management (CHEF) by Sudhi
All About a Configuration Management Tool Called Chef by Mitesh Soni
Configuration Management 101: Writing Chef Recipes by Erika Heidi
Chef vs. Puppet by Asaf Yigal
Chef vs Puppet — A Detailed Comparison Of The Configuration Management Tools by Spec India
Approaches to Configuration Management: Chef, Ansible, and Kubernetes by Kublr Team
Configuration Management 101: Writing Puppet Manifests By Erika Heidi
Puppet Tutorial for Beginners: Resources, Classes, Manifest, Modules by Guru99
A Beginner’s Guide to Salt by Linode
Getting Started with Salt Stack-the Other Configuration Management System Built with Python by Ben Hosmer
Use Salt for Basic Configuration Management By Bejoy Abraham Mathews
An Introduction to SaltStack Terminology and Concepts By Justin Ellingwood
Configuration management on Gcloud by Google
Holistic Configuration Management at Facebook by Chunqiang Tang, Thawan Kooburat, Pradeep Venkatachalam, Akshay Chander, Zhe Wen, Aravind Narayanan, Patrick Dowell, and Robert Karl
Tools and Hands-on labs
Ansible – Ansible is an open-source IT Configuration Management, Deployment & Orchestration tool
Chef – Chef is an automation tool that provides a way to define infrastructure as code.
Vagrant – Vagrant is a tool for building and managing virtual machine environments in a single workflow
Puppet – Puppet is a powerful enterprise-grade configuration management tool
SaltStack – SaltStack is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management.
Archaius – Archaius is a configuration management library with a focus on Dynamic Properties sourced from multiple configuration stores.
Hands-on labs
HPC configuration management using Puppet 5 by cwmoller
Ansible From Zero to Best Practices by Will Thames
Puppet Learning-VM by Puppet
5. Cloud Service Provider-Platform
Modern software development needs an on-demand, elastic, automated and measurable platform to build software on. Knowing an on-prem or a public cloud-based platform is a must these days.
Videos
Introduction to AWS Security by Bill Ried
AWS Security by Design by Shafreen Sayyed
Advanced Security Best Practices Masterclass by Ian Massingham
The Fundamentals of AWS Cloud Security by Becky Weiss
Security Best Practices the Well-Architected Way by Ben Potter
Introduction to AWS Security Hub by Ely Kahn
A Cloud Security Architecture Workshop by Dave Shackleford
Successfully Implementing DEV-SEC-OPS in the Cloud by Jimmy Jenis
Tutorials and Blogs
AWSSecurityChecklist by AWS
AWS Security Blog by AWS
AWS Security Best Practises by AWS
AWS Security Pillar by AWS
Best Practices for Security and Compliance with Amazon Web Services by Trend Micro
Amazon Web Services: Overview of Security Processes by AWS
AWS Security Fundamentals by AWS
AWS Security Primer by Michael Wittig
The Fundamental Security Concepts in AWS – Part 1 by Tom Porter
Tools and labs
Tools
Scout Suite – Scout Suite is an open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
Cs Suite – Cloud Security Suite – One-stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.
AWS-security-benchmark – Open source demos, concepts, and guidance related to the AWS CIS Foundations framework.
AWS WAF Security Automations – A solution that contains all AWS WAF samples developed so far – waf-reactive-blacklist, waf-bad-bot-blocking, waf-block-bad-behaving, and waf-reputation-lists.
AWS-security-automation – Collection of scripts and resources for DevSecOps and Automated Incident Response Security
Hands-on
flaws by Scott Piper
Flaws2 by Scott Piper
Cloud Goat by RhinoSecurity
AWS Security Workshops by AWS
Serverless Security Workshop by AWS
AWS Security Workshop by Sppum
Learn DevSecOps from the Experts
DevSecOps Resources
Now that the basics are taken care of, we can explore the meat of the DevSecOps resources.
- Threat modelling and Security Review
- Static Analysis (SAST)
- Dynamic Analysis (DAST)
- Security as Code
- Compliance as Code
Feeling overwhelmed? You might want to check out our DevSecOps courses to learn more with easy step-by-step instructions.
6. Threat Modeling
Threat modeling helps individuals and organisations quantify their security efforts.
Books
Books on threat modeling
- Threat Modeling: Designing for Security by Adam Shostack
- Threat Modeling by Frank Swiderski, Window Snyder
- Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis by Tony UcedaVelez, Marco M. Morana
- Threat Modeling by Matthew J. Coles, Izar Tarandach
Courses (Free and Paid)
Courses/Training videos on threat modeling
Free
Threat Modeling, or Architectural Risk Analysis by Coursera
Threat Modeling Workshop by Robert Hurlbut
Paid
DevSecOps Expert by Practical DevSecOps
Threat Modeling Fundamentals by Pluralsight
CyberSec First Responder: Threat Detection & Response CFR210 by Stone River eLearning
Learning Threat Modeling for Security Professionals by Adam Shostack
Threat Modeling: Spoofing In Depth by Adam Shostack
Threat Modeling: Tampering in Depth by Adam Shostack
Blogs and Tutorials
Tutorials and blogs which explain threat modeling
What Is Security Threat Modeling? by Lawrence C. Miller, Peter H. Gregory
Threat Modeling Cheat Sheet by OWASP
Threat Modeling in the Enterprise, Part 1: Understanding the Basics by Stiliyana Simeonova
Threat Modeling: What, Why, and How? By Adam Shostack
Threat Modeling for Dummies by Adam Englander
DevSecOps, Threat Modeling and You: Get started using the STRIDE method by Bruno Amaro Almeida
Threat Modeling: The Why, How, When and Which Tools by Debarghya Pandit
Threat-modeling datasheet by Synopsys
Threat Modeling blog by Security Innovation
Threat Modeling: 6 Mistakes You’re Probably Making by Jeff Petters
How to Create a Threat Model for Cloud Infrastructure Security by Pat Cable
Why You Should Care About Threat Modelling by Suresh Marisetty
Benefits of Threat Modeling by Sangita Prajapati
Threat Modeling: a Summary of Available Methods Whitepaper by Nataliya Shevchenko, Timothy A. Chick, Paige O’Riordan, Thomas Patrick Scanlon, PhD, & Carol Woody, PhD
Threat Modelling Toolkit by ThoughtWorks
How to get started with Threat Modeling, before you get hacked by Hackernoon
Threat Modeling tutorial by Geeks For Geeks
How to analyze the security of your application with threat modeling by Goran Aviani
Tactical Threat Modeling by SafeCode
The Power of a Tailored Threat Model Whitepaper by Looking Glass
7 Easy Steps For Building a Scalable Threat Modeling Process by Threatmodeler
Where is my Threat Model? by Abhishek Datta
Tools (Free and Paid)
Tools which help in threat modeling
Free tools
OWASP Threat Dragon – An online threat modeling web application including system diagramming and a rule engine to auto-generate threats/mitigations.
Microsoft Threat Modeling Tool – Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.
Owasp-threat-dragon-gitlab – This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of Github. You can use it with the Gitlab.com or your own instance of Gitlab.
raindance – Project intended to make Attack Maps part of software development by reducing the time it takes to complete them
threatspec – Threatspec is an open-source project that aims to close the gap between development and security by bringing the threat modeling process further into the development process.
Paid tools
IriusRisk – IriusRisk is a threat modeling tool with an adaptive questionnaire driven by an expert system that guides the user through straightforward questions about the technical architecture, the planned features and the security context of the application.
SD elements – Automate Threat Modeling with SD Elements
7. Static Analysis Security Testing (SAST)
Static Application Security Testing (SAST) is a technique to analyse source code, binaries and byte code for security vulnerabilities without running the code/binary/byte code.
Since the code is not run but statically examined, it’s called static analysis. SAST tools are great at finding vulnerabilities that are common to a language, well-known security issues and grep’able patterns.
Videos
Static Analysis Security Testing for Dummies… and You by Kevin Fealey
Application Security Testing by Semi Yulianto
Static Analysis for Dynamic Assessments by Greg Patton
Static Code Analysis: Scan All Your Code For Bugs by Dr. Jared DeMott
Bug Hunting with Static Code Analysis by Nick Jones
Static Application Security Testing With CICD Pipelines Using Whitesource by Mohamad Radwan
Walk through of GitLab’s APEX Static Application Security Testing (SAST) for Salesforce Development by Lucas C
*AST In CI/CD – how to make it WORK by Ofer Maor
Tutorials and blogs
How to integrate SAST into the DevSecOps pipeline in 5 simple steps by Meera Rao
SAST vs DAST – Why SAST? by Sharon Solomon
What is Static Analysis Within CI/CD Pipelines? by Logan Raki
OWASP SAST Benchmark by Owasp
Tools
SAST tools by OWASP
8. Dynamic Analysis Security Testing (DAST)
Dynamic Application Security Testing (DAST) is a technique to analyze a running application for security vulnerabilities. Since the application is running and examined dynamically, it’s called dynamic analysis.
Dynamic analysis does not require deep knowledge of the intricacies of a programming language.
Videos
Dynamic Security Testing with OWASP Zap by Omer Levi Hevroni
Practical Dynamic Application Security Testing within an Enterprise by Nicholas Kenney
Let’s take baby steps to security testing by Christina Thalayasingam
Automated Static And Dynamic Security Analysis of Mobile Apps by Raveendar & Rajesh
Blogs and Tutorials
Dynamic application security testing (DAST) by Port Swigger
Integrating Web Vulnerability Scanners in Continuous Integration: DAST for CI/CD by Davor Petreski
Dynamic Application Security Testing (DAST) by GitLab
DAST Scan Automation in CICD Pipeline by Satish Govindappa
Veracode Dynamic Analysis + Jenkins: Integrate DAST Into Your CI/CD Pipeline By Marina Kvitnitsky
Integrating OWASP ZAP in DevSecOps Pipeline by BreachLock
DAST vs SAST: A Case for Dynamic Application Security Testing by Ian Muscat
SAST vs DAST: What is the right choice for application security testing? by Anita D’Amico
Automating DAST Scans with Jenkins, Arachni & ThreadFix by Matthias Rohr
Tools
Free
W3af – w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
Wapiti – Wapiti allows you to audit the security of your websites or web applications.
Vega – Vega is a free and open-source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. It is written in Java, GUI based and runs on Linux, OS X, and Windows.
Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.
Paid
Burp Suite – Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Detectify – Automated security and asset monitoring for all teams. Scan your web apps for 1500+ vulnerabilities.
NetSparker – Netsparker is a scalable, multi-user web application security solution with built-in workflow and reporting tools ideal for security teams. It’s available as a hosted and self-hosted solution and can be fully integrated into any development or testing environment.
9. Security as Code
Videos
Security as Code Webinar by Ellie Mae
Implementing Security as Code by Julio Faerman
Security as Code A SecDevOps Use Case by Ed Bellis
Blogs and Tutorials
DevSecCon: Security as code, secure DevOps techniques on track by Robert Lemos
How to deliver security as code: 11 tips to get started by Johanna Curiel
Tools and Hands-on labs
Tools
Gauntlt – Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.
Checkov – Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.
Terrascan – A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.
tfsec – tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support.
CFripper – Library designed to be used as part of a Lambda function to “rip apart” a CloudFormation template and check it for security compliance.
Cfn nag – The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
terraform-aws-secure-baseline – A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.2.0.
10. Compliance as Code
If hardening can be done using Infrastructure as Code tools, why can’t compliance be automated as code?
Videos
Compliance as Code: Automate Compliance Using Open Source Technology by RedHat
Compliance as Code with InSpec 1.0 by Chef
Continuous Assurance and Continuous Compliance via Data, Graph, Query and Code by Erkang Zheng
Managing Compliance as Code: Using Chef InSpec for All Its Possibilities by Chef
Compliance as Code – Lessons Learned From Regulated Organizations by Sergiu Bodiu
Compliance As Code – Webinar by Anitian
Compliance As Code by Dorien Koelemeijer
Exception Handling: Compliance as Code by Chef
Infrastructure and Compliance as Code for Universities by Blake Dworaczyk, Adam Mikeal, Nick Rycar.
DevSecOps Delight with Compliance as Code by Anthony Rees
InSpec Compliance as Code by Kent Picat Gruber
Blogs and Tutorials
What’s the fuss with ‘Compliance as Code’? by Mario Platt
Why building compliance into your code will benefit your entire company by Vanessa Wegner
Compliance as Code with InSpec By Michael Ducy
6 Benefits of Compliance as Code for the Enterprise by Cliff Almond
Codifying Your Configuration Standards by Phil Dorczuk
Tools and Hands-on labs
InSpec – Chef InSpec is a free and open-source framework for testing and auditing your applications and infrastructure.
Compliance Masonry – Compliance Masonry is a command-line interface (CLI) that allows users to construct certification documentation using the OpenControl Schema.
Contributors
This project wouldn’t be possible without sponsorship from Practical DevSecOps and efforts from