DevOps Classroomnotes 16/Apr/2022


  • The OpenSCAP Project:

    • The Security Conent Automation Protocol (SCAP) is a U.S Security Standard Maintained by National Instititue of Standards and Technology
    • This project is collection of open-source tools for implementing and enforcing this standard
    • Refer Here
  • The Center for Internet Security (CIS)

    • They provide security benchmarks and National Checklist Program (NCP), defined by NIST
    • They offer guidance on the security configuration of the
      • operating systems
      • databases
      • virtualizations
      • frameworks
      • applications
    • Refer Here
  • The Cloud Controls Matrix (CCM)

    • The Cloud Security Aliance (CSA) has consolidate most security compliance methods into a single resource called as the Cloud Controls Matrix (CCM)
    • The CCM includes all security compliance controls suc as ISO, FedRAMP and NIST
    • It defines the control ID use to uniquely identify vulnerabilities
    • The CSA also provides the Consensus Assesments Initiative Questionarre (CAIQ) which is means of security self assesment for both consumers and providers
    • Refer Here
  • The Open Web Application Security Project (OWASP)
    • This is a community project that provides free articles, methodologies, documents, tools and technologies for web application security
    • Refer Here
  • Federal Information Processing Standards (FIPS)
    • These are security standards developed by US federal governement for use in non military governement computer systems.
    • Refer Here
    • Refer Here for storage cheatsheets

Identifying and Scoring Vulnerabilities

  • Common Vulnerabilities adn Exposure (CVE) is a dictionary-style list of standardized names for vulnerabilities and other information related to security exposures
  • CVE aims to standardize the names of publicly known vulnerabilities and security exposures
  • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabiliites
  • CVSS assigns severity scores to vulnerabilities, using which development can prioritize according the threat level
  • The National Checklist Program (NCP) provides secure configuration for specific software components

Exercise: Find all the vulnerabilites from NVD (National Vulnerability Database)

  • Docker
  • Kubernetes
  • Tomcat
  • Nginx


  • Owasp ZAP Refer Here is the free tool to test your application for passive and active tests: Refer Here for the tool download

Next Steps:

  • Jenkins Server Up:
    • Python Code
      • SCA
      • SAST
      • DAST
    • Java Code
      • SCA
      • SAST
      • DAST

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About continuous learner

devops & cloud enthusiastic learner