DevOps Classroomnotes 16/Apr/2022

Standards

  • The OpenSCAP Project:

    • The Security Content Automation Protocol (SCAP) is a U.S. security standard maintained by the National Institute of Standards and Technology (NIST)
    • This project is a collection of open-source tools for implementing and enforcing this standard
    • Refer Here
  • The Center for Internet Security (CIS)

    • They provide security benchmarks, which are also listed in the National Checklist Program (NCP) defined by NIST
    • They offer guidance on the security configuration of the
      • operating systems
      • databases
      • virtualization platforms
      • frameworks
      • applications
    • Refer Here
  • The Cloud Controls Matrix (CCM)

    • The Cloud Security Alliance (CSA) has consolidated most security compliance methods into a single resource called the Cloud Controls Matrix (CCM)
    • The CCM covers security compliance controls such as ISO, FedRAMP and NIST
    • It defines control IDs used to uniquely identify each control
    • The CSA also provides the Consensus Assessments Initiative Questionnaire (CAIQ), which is a means of security self-assessment for both consumers and providers
    • Refer Here
  • The Open Web Application Security Project (OWASP)
    • This is a community project that provides free articles, methodologies, documentation, tools and technologies for web application security
    • Refer Here
  • Federal Information Processing Standards (FIPS)
    • These are security standards developed by the US federal government for use in non-military government computer systems.
    • Refer Here
    • Refer Here for storage cheatsheets

Identifying and Scoring Vulnerabilities

  • Common Vulnerabilities and Exposures (CVE) is a dictionary-style list of standardized names for vulnerabilities and other information related to security exposures
  • CVE aims to standardize the names of publicly known vulnerabilities and security exposures
  • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities
  • CVSS assigns severity scores to vulnerabilities, which lets development teams prioritize fixes according to the threat level
  • The National Checklist Program (NCP) provides secure configuration for specific software components

Exercise: Find all the vulnerabilities listed in the NVD (National Vulnerability Database) for:

  • Docker
  • Kubernetes
  • Tomcat
  • Nginx

DAST

  • OWASP ZAP (Refer Here) is a free tool for running passive and active scans against your application; Refer Here for the tool download

Next Steps:

  • Jenkins Server Up:
    • Python Code
      • SCA
      • SAST
      • DAST
    • Java Code
      • SCA
      • SAST
      • DAST

By continuous learner