Skip to main content

DevSecOps and Shift-Left Security

DevSecOps: shift-left security, SAST/DAST/SCA automation, supply chain security, container scanning, secrets management, and security-as-code in the CI/CD pipeline.

Questa serie raccoglie 14 articoli (circa 197 minuti di lettura totale), pensati per un livello Advanced. Gli argomenti principali trattati sono DevSecOps, shift-left, SAST, DAST.

14Articles197 minTotal reading timeAdvancedLevel
DevSecOpsshift-leftSASTDASTsupply chain security

Series Articles

  1. 1

    01 - Introduzione a DevSecOps - Shift-Left e Sicurezza nel Ciclo di Sviluppo

    Cosa è DevSecOps vs SecOps, 5 pilastri shift-left, statistiche (70% vulnerabilità scoperte troppo tardi), tool landscape overview, maturity models.

  2. 2

    02 - SAST - Analisi Statica del Codice e Rilevamento Vulnerabilità

    SAST vs DAST vs interactive (IAST), tool comparison (SonarQube, Checkmarx, Semgrep), CI/CD integration, rule customization, false positive management, OWASP Top 10 detection.

  3. 3

    03 - DAST - Test Dinamico e Penetration Testing Automatico

    DAST tools (Burp Suite, OWASP ZAP), API testing, runtime vulnerabilities, CI/CD pipeline integration, scan scheduling, result triage, comparison SAST vs DAST.

  4. 4

    04 - SCA - Software Composition Analysis e Dependency Vulnerabilities

    SCA tools (Snyk, Black Duck, Dependabot), vuln database (NVD, CVE), transitive dependency analysis, license management, update strategies, compliance tracking.

  5. 5

    05 - Container Security - Image Scanning e Runtime Protection

    Container image vulnerabilities, scanning (Trivy, Clair), image signing, registry security, runtime monitoring (Falco), network policies, secrets in containers.

  6. 6

    06 - Supply Chain Security - SBOM e Sigstore per Artifact Integrity

    Software Bill of Materials (SBOM) standards (SPDX, CycloneDX), Sigstore for artifact signing, verification, provenance, CIA compliance, SolarWinds lesson.

  7. 7

    07 - Secret Management - Automazione e Rotazione di Credenziali

    HashiCorp Vault, sealed-secrets, AWS Secrets Manager, credential rotation, zero-trust secrets, audit logging, anti-patterns (hardcoded secrets).

  8. 8

    08 - Policy as Code - Enforcement di Security Policies nel Deployment

    OPA/Rego, Kyverno (Kubernetes), Sentinel (Terraform), policy examples (image registries, resource limits), testing policies, organizational rollout.

  9. 9

    09 - CI/CD Security Pipeline - Securing the Build and Deploy Process

    GitHub Actions/GitLab CI security, branch protection, code review enforcement, SBOM generation in CI, artifact signing, deployment approval workflows, audit logs.

  10. 10

    10 - Infrastructure as Code Scanning - IaC Security e Terraform Policy

    Terraform scanning (Checkov, tfsec), CloudFormation/ARM security, misconfig detection, policy enforcement, secrets in IaC, best practices.

  11. 11

    11 - Runtime Security - Monitoraggio e Rilevamento di Anomalie

    Falco (runtime threat detection), eBPF, behavioral analysis, incident response automation, forensics, integration con SIEM (Splunk, ELK).

  12. 12

    12 - Compliance Framework - GDPR, SOC2, ISO27001 Mapping e Automazione

    Compliance requirements (GDPR, SOC2, PCI-DSS, HIPAA, ISO27001), mapping a technical controls, audit logging, evidence collection, automation tools (CloudCompli, Vanta).

  13. 13

    13 - EU Normative e Data Protection - GDPR in Practice for Developers

    GDPR per developer (data minimization, encryption, retention, DPA, DPIA), NIS2 directive, privacy by design, technical implementation.

  14. 14

    14 - Case Study - Implementazione End-to-End di DevSecOps Pipeline

    Real startup: SAST + DAST + SCA + container scanning + secrets management + policy as code integrati in CI/CD. Timeline: 8 settimane, team di 2. Metriche: vulnerabilità rilevate, false positive rate, MTTR.

Test your knowledge!

Have you read all the articles? Check how much you've learned by taking this series' quizzes.

Take the quiz!