Resources and References
The goal of all of these exercises is to help development, operations, and security better understand how each group contributes to a secure SDLC. On the development and operations side, doing exercises like Threat Modeling and Capture the Flag, as mentioned previously, helps them develop a better understanding of how to weave security into their processes. Similarly, on the security side, exercises like owning a service through production and shadowing help them understand why development and operations structure their workflows the way they do.
As a reminder, make sure you have a firm understanding of where your gaps are so that as you begin to shift left you are doing so in a way that meets existing needs. As you continue your journey in security, there are several common resources that are widely used in the industry and that informed the creation of this guide.
External contributors
- Patrick Debois, Director of Market Strategy, Snyk (Twitter)
- Brad Lhotsky, System and Security Administrator, craigslist (Twitter)
Resources to Keep Handy
- Websites
  - OWASP
  - NIST
  - CVE database (Common Vulnerabilities and Exposures, by MITRE)
  - CWE database (Common Weakness Enumeration, by MITRE)
  - NVD (National Vulnerability Database, by NIST)
- Books
  - Alice and Bob Learn Application Security by Tanya Janca
  - Defensive Security Handbook by Lee Brotherston and Amanda Berlin
  - Tribe of Hackers Blue Team: Tribal Knowledge from the Best in Defensive Cybersecurity by Marcus J. Carey and Jennifer Jin
How to Contribute to this Guide
Contributors are always welcome to help us keep the guide complete and correct. In addition, to expand the content of the guide, topics related to the areas listed below have been slated to be added over time. If you would like to contribute to these topics, make suggestions, or correct any errors, please feel free to reach out by submitting a pull request or issue on GitHub (the repository is linked in the upper left). You can also reach out to us on our Community Forums.
Some top level topics that we are looking at:
- Compliance: Outlining what it is and isn’t and how it relates to DevSecOps
- Organizational design: Within the DevSecOps context
- Incentivization: How to align incentives between development, operations, and security so they are complementary and not oppositional
- New Resources: Please feel free to submit common resources that help people grow their knowledge in security and DevSecOps. The intended audience is the same as for the guide: technologists outside of security who want to become security aware. For these, we do not favor any particular vendor; rather, we are looking for common introductory material (e.g. Alice and Bob) and/or frequently referenced material (e.g. OWASP).