Add DevSecOps documentation and guidance #436
Conversation
LizaShak
force-pushed
the
feature/dev-sec-ops-docs
branch
from
df97c40
to
d43812c
Compare
continuous-integration/dev-sec-ops/secret-management/secrets_rotation.md
Outdated
Show resolved
Hide resolved
...nuous-integration/dev-sec-ops/dependency-container-scanning/dependency_container_scanning.md
Outdated
Show resolved
Hide resolved
...nuous-integration/dev-sec-ops/dependency-container-scanning/dependency_container_scanning.md
Outdated
Show resolved
Hide resolved
|
Hey @LizaShak Just started review. |
There was a problem hiding this comment.
@LizaShak I have only 1 feedback item, aligned with @seushermsft.
continuous-integration/dev-sec-ops/secret-management/secrets_rotation.md
Outdated
Show resolved
Hide resolved
|
|
||
| ## Dependency and Container Scanning Frameworks and Tools | ||
|
|
||
| Use the tools and pipelines as suggested in [CSEDevSecOps Dependency and Container Scanning Scenarios](https://github.com/microsoft/CSEDevSecOps/tree/master/Scenarios/DependencyContainerScanning). |
There was a problem hiding this comment.
Given this is an open source playbook that we share with our customers and those outside Microsoft I don't think we should include this link. It is not accessible by people who are not part of the Microsoft org, it 404s.
| # Penetration Testing | ||
|
|
||
| A penetration test is a simulated attack against your application to check for exploitable security issues. | ||
| For further reading see [CSEDevSecOps PenetrationTesting Scenarios](https://github.com/microsoft/CSEDevSecOps/tree/master/Scenarios/PenetrationTesting) |
There was a problem hiding this comment.
Given this is an open source playbook that we share with our customers and those outside Microsoft I don't think we should include this link. It is not accessible by people who are not part of the Microsoft org, it 404s.
| ## The concept of DevSecOps | ||
|
|
||
| DevSecOps or DevOps security is about introducing security earlier in the life cycle of application development (a.k.a shift-left), thus minimizing the impact of vulnerabilities and bringing security closer to development team. | ||
| Further information is available [here](https://github.com/microsoft/CSEPackagedSprints/tree/master/DevSecOps). |
There was a problem hiding this comment.
Given this is an open source playbook that we share with our customers and those outside Microsoft I don't think we should include this link. It is not accessible by people who are not part of the Microsoft org, it 404s.
| ## CSE Packaged Sprints | ||
|
|
||
| DevOps, Identity, and Security have standard foundational requirements across Dev Crew projects. The CSE Packaged sprints are set out to tackle this repetitive work. Adding a packaged sprint offers a pathway to dramatically improve the process of incorporating foundational concepts. | ||
| Further information is available [here](https://github.com/microsoft/CSEPackagedSprints). |
There was a problem hiding this comment.
404s unless you are part of the Microsoft org in GitHub
|
|
||
| ## Resources | ||
|
|
||
| [CSEDevSecOps Scenarios](https://github.com/microsoft/CSEDevSecOps/tree/master/Scenarios) |
There was a problem hiding this comment.
404s unless you are part of the Microsoft org in GitHub
| # Credential Scanning | ||
|
|
||
| Credential scanning is the practice of automatically inspecting a project to ensure that no secrets are included in the project's source code. Secrets include database passwords, storage connection strings, admin logins, service principals, etc. | ||
| For further reading see [CSEDevSecOps Credential Scanning Scenarios](https://github.com/microsoft/CSEDevSecOps/tree/master/Scenarios/CredentialScanning). |
There was a problem hiding this comment.
404s unless you are part of the Microsoft org in GitHub
|
@LizaShak is there an update on this? Do you need some assistance? |
Hi @brockneedscoffee , we have checked with CSE DevSecOps team to see if those links will be public soon, and they won't in the near two months. So I am currently working on replacing those links with the relevant information. |
|
Once #607 is merged in all outstanding PRs including this one will have to make a few changes and merge master to adopt the new MKDocs structure. This main change is that all the md files move into a
Please don't hesitate to reach out with any questions and a number of us are more than happy to help with this process - reach out to @fnocera @TessFerrandez @omri374 and @brockneedscoffee |
Changes introduced in this PR: