DevSecOps Fundamentals bibliography

Standards-body + government · 6

1. Cybersecurity and Infrastructure Security Agency (2023). Software Bill of Materials (SBOM) Resources. CISA. https://www.cisa.gov/sbom
2. Cybersecurity and Infrastructure Security Agency (2024). Secure Software Self-Attestation Common Form. CISA. https://www.cisa.gov/secure-software-attestation-form
3. OWASP Foundation (2019). OWASP Application Security Verification Standard (ASVS) v4. OWASP Foundation. https://owasp.org/www-project-application-security-verification-standard/
4. OWASP Foundation (2021). OWASP Top 10 (2021). OWASP Foundation. https://owasp.org/Top10/
5. OWASP Foundation (2024). OWASP Source Code Analysis Tools (SAST), Vulnerability Scanning Tools (DAST), and Component Analysis Tools (SCA) Catalogs. OWASP Foundation. https://owasp.org/www-community/Source_Code_Analysis_Tools
6. OWASP Foundation (2024). CycloneDX SBOM Specification. OWASP Foundation. https://cyclonedx.org/

Books + monographs · 1

1. Forsgren, N., Humble, J., & Kim, G. (2018). Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations. IT Revolution Press. https://itrevolution.com/product/accelerate/

Other primary sources · 13

1. Open Source Security Foundation (OpenSSF) (2023). Supply chain Levels for Software Artifacts (SLSA) v1.0. Linux Foundation. https://slsa.dev/spec/v1.0/
2. The Falco Authors (2024). Falco: Kubernetes-Native Threat Detection. CNCF Sandbox / Sysdig. https://falco.org/
3. Isovalent / Tetragon Authors (2024). Tetragon: Security Observability and Runtime Enforcement. CNCF / Isovalent. https://tetragon.io/
4. Office of Management and Budget (2022). Memorandum M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. Executive Office of the President. https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
5. Chandramouli, R., Fettke, F., & Iorga, M. (2024). Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines (NIST SP 800-204D). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-204D
6. Forsgren, N., Smith, D., Humble, J., & Frazelle, J. (2019). DevOps Research and Assessment (DORA): 2019 State of DevOps Report. DORA / Google Cloud. https://services.google.com/fh/files/misc/state-of-devops-2019.pdf
7. Linux Foundation (2024). SPDX (Software Package Data Exchange). Linux Foundation. https://spdx.dev/
8. GitHub (2024). About Security Hardening with OpenID Connect. GitHub Documentation. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
9. The White House (2021). Executive Order 14028: Improving the Nation's Cybersecurity. Executive Office of the President. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
10. ISC2 (2024). Cybersecurity Workforce Study 2024. International Information System Security Certification Consortium. https://www.isc2.org/research
11. Center for Internet Security (2021). CIS Controls v8. Center for Internet Security. https://www.cisecurity.org/controls/v8
12. Souppaya, M., Scarfone, K., & Dodson, D. (2022). Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST SP 800-218). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-218
13. U.S. Bureau of Labor Statistics (2024). Occupational Employment and Wage Statistics, May 2024: 15-1212 Information Security Analysts. U.S. Department of Labor. https://www.bls.gov/oes/current/oes151212.htm