01 - Introduzione a DevSecOps - Shift-Left e Sicurezza nel Ciclo di Sviluppo
Cosa è DevSecOps vs SecOps, 5 pilastri shift-left, statistiche (70% vulnerabilità scoperte troppo tardi), tool landscape overview, maturity models.
DevSecOps: shift-left security, SAST/DAST/SCA automation, supply chain security, container scanning, secrets management, and security-as-code in the CI/CD pipeline.
Questa serie raccoglie 14 articoli (circa 197 minuti di lettura totale), pensati per un livello Advanced. Gli argomenti principali trattati sono DevSecOps, shift-left, SAST, DAST.
Cosa è DevSecOps vs SecOps, 5 pilastri shift-left, statistiche (70% vulnerabilità scoperte troppo tardi), tool landscape overview, maturity models.
SAST vs DAST vs interactive (IAST), tool comparison (SonarQube, Checkmarx, Semgrep), CI/CD integration, rule customization, false positive management, OWASP Top 10 detection.
DAST tools (Burp Suite, OWASP ZAP), API testing, runtime vulnerabilities, CI/CD pipeline integration, scan scheduling, result triage, comparison SAST vs DAST.
SCA tools (Snyk, Black Duck, Dependabot), vuln database (NVD, CVE), transitive dependency analysis, license management, update strategies, compliance tracking.
Container image vulnerabilities, scanning (Trivy, Clair), image signing, registry security, runtime monitoring (Falco), network policies, secrets in containers.
Software Bill of Materials (SBOM) standards (SPDX, CycloneDX), Sigstore for artifact signing, verification, provenance, CIA compliance, SolarWinds lesson.
HashiCorp Vault, sealed-secrets, AWS Secrets Manager, credential rotation, zero-trust secrets, audit logging, anti-patterns (hardcoded secrets).
OPA/Rego, Kyverno (Kubernetes), Sentinel (Terraform), policy examples (image registries, resource limits), testing policies, organizational rollout.
GitHub Actions/GitLab CI security, branch protection, code review enforcement, SBOM generation in CI, artifact signing, deployment approval workflows, audit logs.
Terraform scanning (Checkov, tfsec), CloudFormation/ARM security, misconfig detection, policy enforcement, secrets in IaC, best practices.
Falco (runtime threat detection), eBPF, behavioral analysis, incident response automation, forensics, integration con SIEM (Splunk, ELK).
Compliance requirements (GDPR, SOC2, PCI-DSS, HIPAA, ISO27001), mapping a technical controls, audit logging, evidence collection, automation tools (CloudCompli, Vanta).
GDPR per developer (data minimization, encryption, retention, DPA, DPIA), NIS2 directive, privacy by design, technical implementation.
Real startup: SAST + DAST + SCA + container scanning + secrets management + policy as code integrati in CI/CD. Timeline: 8 settimane, team di 2. Metriche: vulnerabilità rilevate, false positive rate, MTTR.
Have you read all the articles? Check how much you've learned by taking this series' quizzes.