Intro: Building and deploying a DevSecOps Pipeline.

James Gacheru
2 min read · Dec 8, 2023


CYBERPROS Solutions

As we start this journey, we want to focus on the image above. It shows the project plan we will follow to build and secure our pipeline. We will start by creating a project in AWS and cloning it into Git, then add a Static Application Security Testing (SAST) tool (SonarCloud), scan for secrets with Trufflehog, run Software Composition Analysis (SCA) with Snyk, and finally run a post-deployment Dynamic Application Security Testing (DAST) scan with OWASP ZAP.

*There are multiple tools available for each step, so the focus will be on the step itself rather than on the particular tool used.

- So what are the learning objectives?

  • Learn the methods of automating secure software deployment using Continuous Integration / Continuous Delivery & Deployment (CI/CD).
  • Develop an understanding of where and how to place modern security controls in a DevSecOps pipeline.
  • Get hands-on with CI/CD pipelines.

Buckle up — let’s get started.

  • Basic knowledge of the AWS cloud environment is preferred. I’ll cover this in a future series.
  • I’ll point out when we need to create an account for the tools named above — don’t sweat it, it takes just a minute.
  • I’ll be using Windows, but at times I might use Ubuntu.
    - If you are on macOS, I’ll introduce Homebrew (brew), which will help you install the packages we will need.
    - If you are on Linux, even better.


James Gacheru

A Risk and Compliance specialist transitioning fully to Cyber Security — Cloud Security and DevSec