Merge pull request OWASP#81 from Ali-Yazdani/master

adding a new version for doc structure V.03

Author: Ali-Yazdani

README.md

@@ -3,7 +3,7 @@ The OWASP DevSecOps Guideline explains how we can implement a secure pipeline an
 This project helps any companies of each size that have a development pipeline or, in other words, have a DevOps pipeline.
 We try to draw a perspective of a secure DevOps pipeline during this project and then improve it based on our customized requirements.  
 
-The Ideal goal is **"detect security issues (by design or application vulnerability) as fast as possible."**
+The Ideal goal is **"detect security issues (by design or application vulnerability) as early as possible."**
 
 ## Initial steps
 DevSecOps is all about putting security into DevOps. But to keep up with the pace of CI/CD, security has to be injected early into software writing and testing.
@@ -37,58 +37,54 @@ However, when using CI/CD tools to provide automation, keep in mind that the too
 
 ---
 ## Table of Contents:
+- [0-Intro](current-version/0-Intro)
+  - [0-1-Intro](current-version/0-Intro/0-1-Intro.md)
+  - [0-2-Overview](current-version/0-Intro/0-2-Overview.md)
+- [1-People](current-version/1-People)
+  - [1-1-Shape-the-team](current-version/1-People/1-1-Shape-the-team)
+    - [1-1-1-Security-champions](current-version/1-People/1-1-Shape-the-team/1-1-1-Security-champions.md)
+  - [1-2-Training](current-version/1-People/1-2-Training)
+    - [1-2-1-Secure-coding](current-version/1-People/1-2-Training/1-2-1-Secure-coding.md)
+    - [1-2-2-Security-CICD](current-version/1-People/1-2-Training/1-2-2-Security-CICD.md)
+- [2-Tools](current-version/2-Tools)
+  - [2-1-Design](current-version/2-Tools/2-1-Design)
+    - [2-1-1-Threat-modeling](current-version/2-Tools/2-1-Design/2-1-1-Threat-modeling.md)
+  - [2-2-Code](current-version/2-Tools/2-2-Code)
+    - [2-2-3-Interactive-Application-Security-Testing](current-version/2-Tools/2-2-Code/2-2-3-Interactive-Application-Security-Testing.md)
+    - [2-2-1-Pre-commit](current-version/2-Tools/2-2-Code/2-2-1-Pre-commit)
+      - [2-2-1-1-Pre-commit](current-version/2-Tools/2-2-Code/2-2-1-Pre-commit/2-2-1-1-Pre-commit.md)
+      - [2-2-1-2-Secrets-Management](current-version/2-Tools/2-2-Code/2-2-1-Pre-commit/2-2-1-2-Secrets-Management.md)
+      - [2-2-1-3-Linting-code](current-version/2-Tools/2-2-Code/2-2-1-Pre-commit/2-2-1-3-Linting-code.md)
+      - [2-2-1-4-Repository-Hardening](current-version/2-Tools/2-2-Code/2-2-1-Pre-commit/2-2-1-4-Repository-Hardening.md)
+    - [2-2-2-Static-Analysis](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis)
+      - [2-2-2-1-Static-Application-Security-Testing](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis/2-2-2-1-Static-Application-Security-Testing.md)
+      - [2-2-2-2-Software-Composition-Analysis](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis/2-2-2-2-Software-Composition-Analysis.md)
+      - [2-2-2-3-Infastructure-as-Code-Scanning](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis/2-2-2-3-Infastructure-as-Code-Scanning.md)
+      - [2-2-2-4-Container-Security](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis/2-2-2-4-Container-Security)
+        - [2-2-2-4-1-Container-Scanning](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis/2-2-2-4-Container-Security/2-2-2-4-1-Container-Scanning.md)
+        - [2-2-2-4-2-Container-Hardening](current-version/2-Tools/2-2-Code/2-2-2-Static-Analysis/2-2-2-4-Container-Security/2-2-2-4-2-Container-Hardening.md)
+  - [2-3-Build](current-version/2-Tools/2-3-Build)
+    - [2-3-1-Dynamic-Application-Security-Testing](current-version/2-Tools/2-3-Build/2-3-1-Dynamic-Application-Security-Testing.md)
+    - [2-3-2-Mobile-Application-Security-Test](current-version/2-Tools/2-3-Build/2-3-2-Mobile-Application-Security-Test.md)
+    - [2-3-3-API-Security](current-version/2-Tools/2-3-Build/2-3-3-API-Security.md)
+    - [2-3-4-Miss-Configuration-Check](current-version/2-Tools/2-3-Build/2-3-4-Miss-Configuration-Check.md)
+  - [2-4-Operation](current-version/2-Tools/2-4-Operation)
+    - [2-4-1-Cloud-Native-Security](current-version/2-Tools/2-4-Operation/2-4-1-Cloud-Native-Security.md)
+    - [2-4-2-Logging-and-Monitoring](current-version/2-Tools/2-4-Operation/2-4-2-Logging-and-Monitoring.md)
+    - [2-4-3-Pentest](current-version/2-Tools/2-4-Operation/2-4-3-Pentest.md)
+    - [2-4-4-Vulnerability-Management](current-version/2-Tools/2-4-Operation/2-4-4-Vulnerability-Management.md)
+    - [2-4-5-VDP|Bug-bounty](current-version/2-Tools/2-4-Operation/2-4-5-VDP|Bug-bounty.md)
+    - [2-4-6-Breach-and-attack-simulation](current-version/2-Tools/2-4-Operation/2-4-6-Breach-and-attack-simulation.md)
+- [3-Governance](current-version/3-Governance)
+  - [3-2-Data-protection](current-version/3-Governance/3-2-Data-protection.md)
+  - [3-1-Compliance-Auditing](current-version/3-Governance/3-1-Compliance-Auditing)
+    - [3-1-1-Compliance-Auditing](current-version/3-Governance/3-1-Compliance-Auditing/3-1-1-Compliance-Auditing.md)
+    - [3-1-2-Policy-as-code](current-version/3-Governance/3-1-Compliance-Auditing/3-1-2-Policy-as-code.md)
+    - [3-1-3-Security-benchmarking](current-version/3-Governance/3-1-Compliance-Auditing/3-1-3-Security-benchmarking.md)
+  - [3-3-Reporting](current-version/3-Governance/3-3-Reporting)
+    - [3-3-1-Tracking-maturities](current-version/3-Governance/3-3-Reporting/3-3-1-Tracking-maturities.md)
+    - [3-3-2-Central-vulnerability-management-dashboard](current-version/3-Governance/3-3-Reporting/3-3-2-Central-vulnerability-management-dashboard.md)
 
-- [0-Intro](documents/0-Intro)
-  - [0-1-Intro](documents/0-Intro/0-1-Intro.md)
-  - [0-2-Overview](documents/0-Intro/0-2-Overview.md)
-- [1-Init](documents/1-Init)
-  - [1-1-Shape-the-team](documents/1-Init/1-1-Shape-the-team)
-    - [1-1-1-Security-champions](documents/1-Init/1-1-Shape-the-team/1-1-1-Security-champions.md)
-  - [1-2-Training](documents/1-Init/1-2-Training)
-    - [1-2-1-Secure-coding](documents/1-Init/1-2-Training/1-2-1-Secure-coding.md)
-    - [1-2-2-Security-CICD](documents/1-Init/1-2-Training/1-2-1-Security-CICD.md)
-- [2-Pre-commit](documents/2-Pre-commit)
-  - [2-1-Pre-commit](documents/2-Pre-commit/2-1-Pre-commit.md)
-  - [2-2-Threat-modeling](documents/2-Pre-commit/2-2-Threat-modeling.md)
-  - [2-3-Repository-hardening](documents/2-Pre-commit/2-3-Repository-hardening.md)
-  - [2-4-Secrets-Management](documents/2-Pre-commit/2-4-Secrets-Management.md)
-  - [2-5-Linting-code](documents/2-Pre-commit/2-5-Linting-code.md)
-- [3-Commit-CI](documents/3-Commit-CI)
-  - [3-2-Interactive-Application-Security-Testing](documents/3-Commit-CI/3-2-Interactive-Application-Security-Testing.md)
-  - [3-1-Static-analysis](documents/3-Commit-CI/3-1-Static-analysis)
-    - [3-1-1-Static-Application-Security-Testing](documents/3-Commit-CI/3-1-Static-analysis/3-1-1-Static-Application-Security-Testing.md)
-    - [3-1-2-Software-Composition-Analysis](documents/3-Commit-CI/3-1-Static-analysis/3-1-2-Software-Composition-Analysis.md)
-    - [3-1-3-Container-Security](documents/3-Commit-CI/3-1-Static-analysis/3-1-3-Container-Security)
-      - [3-1-3-1-Container-scanning](documents/3-Commit-CI/3-1-Static-analysis/3-1-3-Container-Security/3-1-3-1-Container-scanning.md)
-      - [3-1-3-2-Container-hardening](documents/3-Commit-CI/3-1-Static-analysis/3-1-3-Container-Security/3-1-3-2-Container-hardening.md)
-    - [3-1-4-Infastructure-as-code](documents/3-Commit-CI/3-1-Static-analysis/3-1-4-Infastructure-as-code.md)
-- [4-Continuous-delivery-CD](documents/4-Continuous-delivery-CD)
-  - [4-1-Dynamic-Application-Security-Testing](documents/4-Continuous-delivery-CD/4-1-Dynamic-Application-Security-Testing.md)
-  - [4-2-Mobile-Application-Security-Test](documents/4-Continuous-delivery-CD/4-2-Mobile-Application-Security-Test.md)
-  - [4-3-API-Security](documents/4-Continuous-delivery-CD/4-3-API-Security.md)
-  - [4-4-Miss-Configuration-Check](documents/4-Continuous-delivery-CD/4-4-Miss-Configuration-Check.md)
-- [5-Deploy-CD-Golive](documents/5-Deploy-CD-Golive)
-  - [5-1-Key-and-certificate-management](documents/5-Deploy-CD-Golive/5-1-Key-and-certificate-management.md)
-  - [5-2-Cloud-Native-Application-Protection-Platform](documents/5-Deploy-CD-Golive/5-2-Cloud-Native-Application-Protection-Platform.md)
-- [6-Operation](documents/6-Operation)
-  - [6-1-Runtime|Continuous-test](documents/6-Operation/6-1-Runtime|Continuous-test)
-    - [6-1-1-Infra-scanning](documents/6-Operation/6-1-Runtime|Continuous-test/6-1-1-Infra-scanning)
-      - [6-1-1-1-Could-resources](documents/6-Operation/6-1-Runtime|Continuous-test/6-1-1-Infra-scanning/6-1-1-1-Could-resources.md)
-      - [6-1-1-2-K8S-resources](documents/6-Operation/6-1-Runtime|Continuous-test/6-1-1-Infra-scanning/6-1-1-2-K8S-resources.md)
-    - [6-1-2-Image-scanning](documents/6-Operation/6-1-Runtime|Continuous-test/6-1-2-Image-scanning.md)  
-  - [6-2-Breach-and-attack-simulation](documents/6-Operation/6-2-Breach-and-attack-simulation.md)
-  - [6-3-Logging-and-Monitoring](documents/6-Operation/6-3-Logging-and-Monitoring.md)
-  - [6-4-Pentest](documents/6-Operation/6-4-Pentest.md)
-  - [6-5-VDP|Bug-bounty](documents/6-Operation/6-5-VDP|Bug-bounty.md)
-- [7-Governance](documents/7-Governance)
-  - [7-1-Compliance-Auditing](documents/7-Governance/7-1-Compliance-Auditing)
-    - [7-1-1-Compliance-Auditing](documents/7-Governance/7-1-Compliance-Auditing/7-1-1-Compliance-Auditing.md)
-    - [7-1-2-Policy-as-code](documents/7-Governance/7-1-Compliance-Auditing/7-1-2-Policy-as-code.md)
-    - [7-1-3-Security-benchmarking](documents/7-Governance/7-1-Compliance-Auditing/7-1-3-Security-benchmarking.md)
-  - [7-2-Data-protection](documents/7-Governance/7-2-Data-protection.md)
-  - [7-3-Reporting](documents/7-Governance/7-3-Reporting)
-    - [7-3-1-Tracking-maturities](documents/7-Governance/7-3-Reporting/7-3-1-Tracking-maturities.md)
-    - [7-3-2-Central-vulnerability-management-dashboard](documents/7-Governance/7-3-Reporting/7-3-2-Central-vulnerability-management-dashboard.md)
 
 
 

current-version/0-Intro/0-1-Intro.md

@@ -0,0 +1,22 @@
+## Introduction to the OWASP DevSecOps Guideline  
+The OWASP DevSecOps Guideline explains how we can transition from a traditional approach to achieving security that starts with requirements and ends with security testing to an approach that brings together Development, Security, and Operations throughout the software lifecycle -- a "DevSecOps" approach.
+
+This project's goal is to help companies of any size to add security to their DevOps pipeline and culture. There is no one **right** way to do DevSecOps, so it's important to stay focused.  
+
+DevSecOps strives to **"produce demonstrably secure code"** by:
+* leveraging automation to create short feedback loops to developers
+* breaking down the silos between development, security, and operations
+* breaking down security work into small pieces to create flow
+* making decisions based on threat intelligence from operations
+* establishing a culture of security experimentation and learning
+
+There are tools to support security processes across the software development lifecycle. Every company should have processes in place to ensure:
+* **Custom Code Security** - your custom code has the right defenses and is free from vulnerabilities, including applications, APIs, serverless, mobile, infrastructure as code, etc...
+* **Supply Chain Security** - your platform, framework, libraries, containers, and other components 
+* **Runtime Protection** - you detect attacks on your software and prevent them from being exploited 
+
+If you do these three processes well, you will be in relatively good shape in terms of application security. In this document, we will explore a variety of automated solutions that can help you implement these three processes.
+
+The goal is not to use all of the tools in your pipeline.  The goal is to ensure secure code emerges from your pipeline. You need to pick and choose the tools that are effective with your organization's people, process, technology, and culture. You will very likely want to use each tool for what it is best at, rather than repeating all tests with all tools.  Of course, every software development organization is different and you are free to select tools and the exact location where you want to implement the tools. 
+
+![Secure Pipeline](/current-version/assets/images/Pipeline-view.png)

documents/0-Intro/0-2-Overview.md current-version/0-Intro/0-2-Overview.mddocuments/0-Intro/0-2-Overview.md renamed to current-version/0-Intro/0-2-Overview.md

@@ -0,0 +1,23 @@
+## Pre-commit
+
+The Pre-commit phase is important because it can prevent security issues before they are submitted to a central (Git) repository.
+
+Making sure that there are no secrets in the code, and that the code follows certain guidelines (According to the Linter rules) will result in a higher quality code.
+
+In the following, we take a look into different types of pre-commit actions that are as follows:
+1. Secrets Management
+2. Linting Code
+
+
+The following image can give you a better view of what the pre-commit means and why we must consider it. 
+
+![Pre Commit](/current-version/assets/images/pre-commit.png)
+
+## Tools:
+
++ [Pre-Commit](https://pre-commit.com/) - A framework for managing and maintaining multi-language pre-commit hooks.
+
+
+### References
+
++ [Wikipedia - Lint (software)](https://en.wikipedia.org/wiki/Lint_(software))

…ape-the-team/1-1-1-Security-champions.md …ape-the-team/1-1-1-Security-champions.mddocuments/1-Init/1-1-Shape-the-team/1-1-1-Security-champions.md renamed to current-version/1-People/1-1-Shape-the-team/1-1-1-Security-champions.md documents/1-Init/1-1-Shape-the-team/1-1-1-Security-champions.md renamed to current-version/1-People/1-1-Shape-the-team/1-1-1-Security-champions.md

@@ -0,0 +1,58 @@
+# Take care secrets and credentials
+
+
+*How can you ensure that sensitive information are not pushed to a repository?*
+
+This is one of the [OWASP Top Ten issues](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure) and
+several bug bounties write-ups are related to this kind of issue, eg hard-coded credentials pushed by mistake.
+
+You should scan your commits and your repository, and detect any sensitive information such as password, secret key, confidential, etc.
+following the process shown in the picture.
+<br/>
+
+The ideal approach is detecting and preventing the exposure of sensitive data before that they hit the repository,
+because they are then visible in the history. In case of code hosting platforms, secrets can still linger 
+on the web and be searchable after you remove them from the repository.
+
+A complimentary approach is scanning the repo for sensitive information, and then remove them;
+note that when a credential is leaked, it is already compromised and should be invalidated.
+
+## Detecting secrets in several locations
+
+- **Detecting existing secrets** by searching in a repository for existing secrets.
+- **Using Pre-commit hooks** in order to prevent secrets for entering our code base.
+- **Detecting secrets in a pipeline** .
+
+## Why Detecting Secrets?
+
++ The secrets should not be hardcoded.
++ The secrets should not be unencrypted.
++ The secrets should not be stored in source code.
++ The code history does not contain inadvertent secrets.
+
+## Where and when to Detect Secrets?
+![Pre Commit](/current-version/assets/images/pre-commit.png)
+
+
+Well, the best location is the **pre-commit** location, This ensure that before a secret actually enters your code base, it is intercepted, and the developer or to committer gets a message. Another location is the build server or the **build** process. The build server retrieves source code, which is already committed and then it can analyze the source code where it contains new secrets or when it contains known secrets that the secrets are actually validated or audited.
+
+---
+Here are some helpful tools to automatically scan repositories for sensitive information.
+Scans can be implemented directly in our pipeline, and be repeatable and efficient. 
+
+## Tools:
+- **Open-source**:
+  + [gittyleaks](https://github.com/kootenpv/gittyleaks) - Find sensitive information for a git repo
+  + [git-secrets](https://github.com/awslabs/git-secrets) - Prevents you from committing secrets and credentials into git repositories
+  + [Repo-supervisor](https://github.com/auth0/repo-supervisor) - Scan your code for security misconfiguration, search for passwords and secrets
+  + [truffleHog](https://github.com/dxa4481/truffleHog) - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
+  + [Git Hound](https://github.com/ezekg/git-hound) - Git plugin that prevents sensitive data from being committed
+  + [Github Secret Scanning](https://docs.github.com/en/code-security/secret-scanning) - Github built in feature for secret detection
+  
+- **Proprietary software**:
+  + [GitGuardian](https://gitguardian.com) - Keep secrets out of your source code
+  + [Spectralops](https://spectralops.io) - Developer-first Cloud Security
+  + [TruffleSecurity](https://trufflesecurity.com) - Unhearth your secrets
+  + [GitHub Advanced Security](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally
+  + [BluBracket](https://blubracket.com) - Prevent secrets and credentials in code
+  + [Nightfall](https://nightfall.ai) - Find and protect secrets and keys across the cloud

…Init/1-2-Training/1-2-1-Secure-coding.md …ople/1-2-Training/1-2-1-Secure-coding.mddocuments/1-Init/1-2-Training/1-2-1-Secure-coding.md renamed to current-version/1-People/1-2-Training/1-2-1-Secure-coding.md documents/1-Init/1-2-Training/1-2-1-Secure-coding.md renamed to current-version/1-People/1-2-Training/1-2-1-Secure-coding.md

@@ -0,0 +1,43 @@
+## Linting Code
+
+### What Is Linting?  
+Linting is the automated checking of your source code for programmatic and stylistic errors. This is done by using a lint tool (otherwise known as linter). A lint tool is a basic static code analyzer.
+
+### What can Linting do?
+- Linting can **detect errors** in a code and errors that can lead to a security vulnerabilities.
+- Linters Can Also **detect formatting or styling issues** and makes the code more readable for more secure code.
+- Linters can **suggest best practices**.
+- Also they can **increases overall quality of the code**.
+- Since everybody follows the same linting rules it **makes maintenance of code easier**.
+
+
+### Basic Lint Tools
+Lint tools are the most basic form of static analysis. Using lint tools can be helpful for identifying common errors, such as:
+- Indexing beyond arrays.
+- Dereferencing null pointers.
+- (Potentially) dangerous data type combinations.
+- Unreachable code.
+- Non-portable constructs.
+
+### Advanced Static Analysis Tools
+Advanced static analysis tools typically deliver:
+- Pattern-based simulation.
+- Quality and complexity metrics.
+- Best practice recommendations for developers.
+- Support for multiple safety and security-focused coding standards.
+- Out-of-the-box certification for use in the development of safety-critical applications.
+
+### Issues with Linters
++ Not every language has "quality" standard linter tools available, each framwork usually has one or several linters.
++ Different versions or configurations can lead to different results.
++ Since some linters are very verbose and information overload can lead to focusing on "unimportant" issues.
+
+### Where and When to Use Linter
+![Pre Commit](/current-version/assets/images/pre-commit.png) 
+
+You can perform it in the **pre-commit** phase, so locally before actually committing code to your local repository to your local clone. Another phase where you often see linting is during the **build** phase, So here the build server pulls the code from the Git repository and performs linting on it and reports back that results from linting phase.
+
+
+### References
+
++ [Preforce](https://www.perforce.com/blog/qac/what-lint-code-and-why-linting-important)