4. Release
Problems
- How to deliver products through public channels?
- How to manage those binaries?
CI
- JFrog Artifactory
- CloudSmith
- Jenkins
- GoCD
Why is it important in DevSecOps?
In DevSecOps, the CI server triggers the security tools in the different pipeline phases (e.g. static code analysis, dynamic analysis) and stores their logs and reports so that every build leaves an evidence trail and can be gated on the findings.
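The following is an added example, not code from the original notes: a small CI gate step that runs after an SCA scan, archives the scanner's JSON report into the build's artifact directory, and fails the build when a finding reaches the configured severity. The report embedded below is a constructed sample whose layout is modelled on Retire.js JSON output; treat that layout, the `SEVERITY_RANK` table and the `artifacts` directory name as assumptions and adapt the parser to whichever tool the pipeline actually runs.

```python
"""CI gate for an SCA report (added example, not from the original notes).

Reads a scanner report, stores it as a build artifact, and exits non-zero when
a finding is at or above the severity the project has chosen to block on.
"""
import json
import os
import sys
from datetime import datetime, timezone

# Assumed severity ordering; real tools use their own labels, map them here.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report with a Retire.js-like shape (assumption). In a real
# pipeline this would be loaded from the file the scanner wrote.
SAMPLE_REPORT = {
    "data": [
        {"file": "static/js/jquery.js",
         "results": [{"component": "jquery", "version": "1.8.0",
                      "vulnerabilities": [{"severity": "medium",
                                           "identifiers": {"summary": "XSS via selector"}}]}]},
        {"file": "static/js/lodash.js",
         "results": [{"component": "lodash", "version": "4.17.10",
                      "vulnerabilities": [{"severity": "high",
                                           "identifiers": {"summary": "prototype pollution"}}]}]},
    ]
}


def findings(report):
    """Flatten the nested report into (file, component, version, severity) tuples."""
    out = []
    for entry in report.get("data", []):
        for result in entry.get("results", []):
            for vuln in result.get("vulnerabilities", []):
                severity = str(vuln.get("severity", "low")).lower()
                out.append((entry["file"], result["component"], result["version"], severity))
    return out


def worst_severity(report):
    """Highest severity rank present in the report (0 when there are no findings)."""
    return max((SEVERITY_RANK.get(f[3], 0) for f in findings(report)), default=0)


def archive_report(report, artifacts_dir, stage="sca"):
    """Write the report into the artifact directory with a timestamped name so
    each release keeps its own copy; returns the path written."""
    os.makedirs(artifacts_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = os.path.join(artifacts_dir, f"{stage}-report-{stamp}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return path


def gate(report, fail_on="high"):
    """True when the build may proceed, False when a finding at or above
    `fail_on` severity is present."""
    return worst_severity(report) < SEVERITY_RANK[fail_on]


if __name__ == "__main__":
    written = archive_report(SAMPLE_REPORT, "artifacts")
    print(f"report archived to {written}")
    for path, component, version, severity in findings(SAMPLE_REPORT):
        print(f"{severity:>8}  {component}@{version}  ({path})")
    if not gate(SAMPLE_REPORT, fail_on="high"):
        print("SCA gate failed: a high or critical finding is present")
        sys.exit(1)
```

Keeping the report as an artifact separately from the pass/fail decision matters: a failed gate is only useful if the reviewer can open the exact report that caused it, and a passed gate still needs the report later when a newly published advisory affects a dependency that was clean at build time.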
Software Composition Analysis
What is Software Composition Analysis?
SCA Tools
- Retire.js: Finding Vulnerable Libraries
- OSSAudit: Auditing Python Packages
- OWASP Dependency-Check
- Blackduck
Compliance as Code (CAC)
Why is CAC important in DevSecOps?
The Compliance as Code phase makes compliance a part of the DevSecOps pipeline: the security policies defined for the project are expressed as checks, and on every release the test server is verified against them. Catching configuration drift this way reduces the attack surface and makes the project compliance-ready by default rather than at audit time.
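As an added illustration (not code from the original notes) of what "policy as checks" looks like, the following script expresses a few sshd hardening requirements as data, parses a server's `sshd_config`, and reports every directive whose effective value falls outside policy. The config text is a constructed sample, and the rule set and the assumed OpenSSH defaults used for absent directives are illustrative assumptions, not a policy the notes prescribe; a real pipeline would run this against the test server's file on each release and fail the stage on any violation.

```python
"""Compliance-as-code check for sshd_config (added example, not from the notes)."""
import re

# Policy as code: directive -> set of allowed values (compared case-insensitively).
# This rule set is an assumption chosen for illustration.
POLICY = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
}

# Value sshd applies when the directive is absent (assumed OpenSSH defaults).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
}

# Constructed sample: root login enabled, password auth only commented out.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""


def parse_config(text):
    """Return {directive_lowercase: value} for the effective settings.

    Comments and blank lines are skipped; sshd keeps the first occurrence of a
    directive, so later duplicates are ignored here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(\S+)\s+(.+)$", line)
        if match:
            key, value = match.group(1).lower(), match.group(2).strip()
            settings.setdefault(key, value)
    return settings


def evaluate(text, policy=POLICY, defaults=DEFAULTS):
    """Return a list of (directive, effective_value, allowed_values) violations."""
    settings = parse_config(text)
    violations = []
    for directive, allowed in policy.items():
        effective = settings.get(directive.lower(), defaults.get(directive, "<unset>"))
        if effective.lower() not in allowed:
            violations.append((directive, effective, sorted(allowed)))
    return violations


def is_compliant(text, policy=POLICY, defaults=DEFAULTS):
    """True when the configuration satisfies every rule in the policy."""
    return not evaluate(text, policy, defaults)


if __name__ == "__main__":
    problems = evaluate(SAMPLE_SSHD_CONFIG)
    for directive, effective, allowed in problems:
        print(f"VIOLATION {directive}: effective '{effective}', allowed {allowed}")
    print("compliant" if not problems else f"{len(problems)} violation(s)")
```

Two details carry the security value: a commented-out directive is treated as absent, so the check falls back to the daemon's default instead of reading the commented value as if it were active, and the policy lives in version control next to the pipeline, so a change to what "compliant" means is itself reviewed like any other code change.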