Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
A repository for MLSecOps and DevSecOps research and more!
https://github.com/noobpk/mlsecops-devsecops-awesome
List: mlsecops-devsecops-awesome
- Host: GitHub
- URL: https://github.com/noobpk/mlsecops-devsecops-awesome
- Owner: noobpk
- License: mit
- Created: 2024-06-18T14:57:33.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2024-09-03T15:04:46.000Z (2 months ago)
- Last Synced: 2024-09-29T18:04:27.042Z (about 1 month ago)
- Topics: awesome, awesome-list, devops, devsecops, jenkins-pipeline, mlops, mlsecops
- Language: Groovy
- Homepage:
- Size: 151 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- ultimate-awesome - mlsecops-devsecops-awesome - A repository for MLSecOps and DevSecOps research and more! (Other Lists / PowerShell Lists)
README
# MLSecOps - DevSecOps - Awesome
This project is dedicated to curating a comprehensive list of resources, tools, and best practices at the intersection of Machine Learning Security Operations (MLSecOps), and Development Security Operations (DevSecOps). Our goal is to provide a centralized hub for professionals, researchers, and enthusiasts who are passionate about integrating security into the development and deployment of machine learning systems.
## What is MLSecOps?
MLSecOps is an emerging field that focuses on the secure and efficient operation of machine learning models in production environments. It combines the principles of DevSecOps with the unique challenges of machine learning, emphasizing the importance of security, privacy, and compliance throughout the ML lifecycle.
## What is DevSecOps?
DevSecOps extends the traditional DevOps framework by incorporating security practices into the entire software development process. It aims to automate security checks and integrate them seamlessly into the CI/CD pipeline, ensuring that security is a fundamental part of the development workflow.
## Repository Overview
In this repository, you will find:
* Resources: Articles, papers, and tutorials on MLSecOps and DevSecOps.
* Tools: A curated list of open-source tools for securing ML models and development pipelines.
* Best Practices: Guidelines and methodologies for implementing security measures in ML projects.
* Case Studies: Real-world examples of successful MLSecOps and DevSecOps implementations.
* Community: Links to forums, conferences, and groups where you can connect with others interested in these fields.
# Proposed Pipeline
### MLSecOps Pipeline
![image](https://github.com/user-attachments/assets/44ce27e4-5e41-41cf-ad3e-4a22286c54ef)
Article analysing this DSO pipeline: [DevSecOps: A journey to protect your applications](https://lethanhphuc-pk.medium.com/devsecops-a-journey-to-protect-your-applications-fdee7b4700eb)
### DevSecOps Pipeline
![image](https://github.com/user-attachments/assets/dabe6315-e05f-4a3d-8c2a-501b9e329c2d)
Article analysing this MLO pipeline: [MLSECOPS: Secure your Large Language Model (LLM) applications](https://lethanhphuc-pk.medium.com/mlsecops-secure-your-large-language-model-llm-applications-6b60cb25c4fa)
## Resources
### Articles
- [How MLSecOps Can Reshape AI Security](https://www.forbes.com/sites/forbestechcouncil/2023/12/04/how-mlsecops-can-reshape-ai-security/)
- [MLSecOps Explained: Building Security Into ML & AI](https://www.brighttalk.com/business/products/custom-webinars-sponsorable-events/originals-episode/SBA56-mlsecops-explained-building-security-into-ml-ai)
- [The Comprehensive Evolution Of DevSecOps In Modern Software Ecosystems](https://www.forbes.com/sites/forbestechcouncil/2024/03/06/the-comprehensive-evolution-of-devsecops-in-modern-software-ecosystems/)
- [Deploying a Netflix Clone on EKS Using a DevSecOps Pipeline](https://medium.com/@cloudwithmustafa/deploying-a-netflix-clone-on-eks-using-a-devsecops-pipeline-9ef84d5f952b)
- [DevSecOps (DevOps) Project: Deploying a Petshop Java-Based Application with CI/CD, Docker, and Kubernetes](https://medium.com/@21harsh12/devsecops-devops-project-deploying-a-petshop-java-based-application-with-ci-cd-docker-and-e737d3a5501b)
### Papers
| Title | Abstract |
| --- | --- |
| [Integrating MLSecOps in the Biotechnology Industry 5.0](https://arxiv.org/abs/2402.07967) | Biotechnology Industry 5.0 is advancing with the integration of cutting-edge technologies like Machine Learning (ML), the Internet Of Things (IoT), and cloud computing. It is no surprise that an industry that utilizes data from customers and can alter their lives is a target of a variety of attacks. This chapter provides a perspective of how Machine Learning Security Operations (MLSecOps) can help secure the biotechnology Industry 5.0. The chapter provides an analysis of the threats in the biotechnology Industry 5.0 and how ML algorithms can help secure with industry best practices. This chapter explores the scope of MLSecOps in the biotechnology Industry 5.0, highlighting how crucial it is to comply with current regulatory frameworks. With biotechnology Industry 5.0 developing innovative solutions in healthcare, supply chain management, biomanufacturing, pharmaceuticals sectors, and more, the chapter also discusses the MLSecOps best practices that industry and enterprises should follow while also considering ethical responsibilities. Overall, the chapter provides a discussion of how to integrate MLSecOps into the design, deployment, and regulation of the processes in biotechnology Industry 5.0. |
| [Security Risks and Best Practices of MLOps: A Multivocal Literature Review](https://ceur-ws.org/Vol-3731/paper13.pdf) | MLOps and tools are designed to streamline the deployment practices and maintenance of production grade ML-enabled systems. As with any software workflow and component, they are susceptible to various security threats. In this paper, we present a Multivocal Literature Review (MLR) aimed at gauging current knowledge of the risks associated with the implementation of MLOps processes and the best practices recommended for their mitigation. By analyzing a varied range of sources of academic papers and non-peer-reviewed technical articles, we synthesize 15 risks and 27 related best practices, which we categorize into 8 themes. We find that while some of the risks are known security threats that can be mitigated through well-established cybersecurity best practices, others represent MLOps-specific risks, mostly related to the management of data and models. |
| [Backdoor Attacks to Deep Neural Networks: A Survey of the Literature, Challenges, and Future Research Directions](https://ieeexplore.ieee.org/abstract/document/10403914) | Deep neural network (DNN) classifiers are potent instruments that can be used in various security-sensitive applications. Still, they are dangerous to certain attacks that impede or distort their learning process. For example, backdoor attacks involve polluting the DNN learning set with a few samples from one or more source classes, which are then labeled as target classes by an attacker. Even if the DNN is trained on clean samples with no backdoors, this attack will still be successful if a backdoor pattern exists in the training data. Backdoor attacks are difficult to spot and can be used to make the DNN behave maliciously, depending on the target selected by the attacker. In this study, we survey the literature and highlight the latest advances in backdoor attack strategies and defense mechanisms. We finalize the discussion on challenges and open issues, as well as future research opportunities. |
| [The emergence and importance of DevSecOps: Integrating and reviewing security practices within the DevOps pipeline](https://wjaets.com/content/emergence-and-importance-devsecops-integrating-and-reviewing-security-practices-within) | The emergence of DevSecOps marks a significant paradigm shift in software development, focusing on integrating security practices seamlessly into the DevOps pipeline. This paper explores the evolution, principles, and importance of DevSecOps in contemporary software engineering. DevSecOps arises from the recognition that traditional security measures often lag behind the rapid pace of DevOps development cycles, leading to vulnerabilities and breaches. By integrating security early and continuously throughout the software development lifecycle, DevSecOps aims to proactively identify and mitigate risks without impeding the agility and speed of DevOps practices. This paper delves into the core principles of DevSecOps, emphasizing automation, collaboration, and cultural transformation. Automation streamlines security processes, enabling the automated testing and validation of code for vulnerabilities. Collaboration fosters communication and shared responsibility among developers, operations, and security teams, breaking down silos and promoting a collective approach to security. Cultural transformation involves cultivating a security-first mindset across the organization, where security is not an afterthought but an inherent part of the development process. The importance of DevSecOps cannot be overstated in today's digital landscape, where cyber threats are omnipresent and the cost of security breaches is staggering. By integrating security into every stage of the DevOps pipeline, organizations can enhance their resilience to cyber attacks, comply with regulatory requirements, and build trust with customers. DevSecOps represents a holistic approach to software development that prioritizes security without compromising speed or innovation. Embracing DevSecOps principles is imperative for organizations seeking to stay ahead in an increasingly complex and hostile digital environment. |
### Tutorials
- [MLSecOps with Automated Online and Offline ML Model Evaluations on Kubernetes](https://www.youtube.com/watch?v=5WUhmWTMo4g&pp=ygURbWxzZWNvcHMgdHV0b3JpYWw%3D)
- ["What is MLSecOps?" Building security into MLOps workflows by leveraging DevSecOps principles.](https://www.youtube.com/watch?v=iwPKQbZumN0&pp=ygURbWxzZWNvcHMgdHV0b3JpYWw%3D)
- [DevSecOps Tutorial for Beginners | CI Pipeline with GitHub Actions and Docker Scout](https://www.youtube.com/watch?v=gLJdrXPn0ns&pp=ygUSZGV2c2Vjb3BzIHR1dG9yaWFs)
- [DevSecOps Pipeline Project: Deploy Netflix Clone on Kubernetes](https://www.youtube.com/watch?v=g8X5AoqCJHc&pp=ygUSZGV2c2Vjb3BzIHR1dG9yaWFs)
- [DevSecOps with Jenkins | Boost Your CICD Pipeline Security !!](https://www.youtube.com/watch?v=QUIXJW_h_K0&pp=ygUSZGV2c2Vjb3BzIHR1dG9yaWFs)
### Courses
- [Practical DevSecOps](https://www.practical-devsecops.com/)
- [DevSecOps Training](https://www.eccouncil.org/train-certify/certified-devsecops-engineer-ecde/)
- [DevSecOps : Master Securing CI/CD | DevOps Pipeline |Handson](https://www.udemy.com/course/devsecops/?utm_source=adwords&utm_medium=udemyads&utm_campaign=Search_DSA_Beta_Prof_la.EN_cc.ROW-English&campaigntype=Search&portfolio=ROW-English&language=EN&product=Course&test=&audience=DSA&topic=&priority=Beta&utm_content=deal4584&utm_term=_._ag_162511579564_._ad_696197165427_._kw__._de_c_._dm__._pl__._ti_dsa-1677053911888_._li_9198559_._pd__._&matchtype=&gad_source=1&gclid=CjwKCAjw74e1BhBnEiwAbqOAjOS1FIYA31Sgo8GjmN7B6Gh5pWR_x1yWCZ0ftdx38RLWVytcJiTdzRoCWtgQAvD_BwE&couponCode=2021PM25)
## Tools
| Pipeline | Stage | Tool | Description |
| --- | --- | --- | --- |
| MLSecOps | Stage 1 | Pre-Commit Hook Scans | A framework for managing and maintaining multi-language pre-commit hooks. |
| MLSecOps | Stage 1 | Trivy Vulnerability Scanner | Comprehensive vulnerability scanner for containers and other artifacts. |
| MLSecOps | Stage 1 | Trunk Check | Automated Code Quality for Teams: universal formatting, linting, static analysis, and security. |
| MLSecOps | Stage 2 | AWS S3 bucket | A bucket is a container for objects stored in Amazon S3. |
| MLSecOps | Stage 2 | Nexus Repository | Sonatype Nexus Repository. |
| MLSecOps | Stage 3 | Gitleaks | Secret scanner for git repositories, files, and directories. |
| MLSecOps | Stage 3 | SonarQube | Open-source platform for continuous inspection of code quality. |
| MLSecOps | Stage 3 | Trivy | Comprehensive vulnerability scanner for containers and other artifacts. |
| MLSecOps | Stage 3 | Horusec | Tool to perform static code analysis to identify security flaws. |
| MLSecOps | Stage 3 | OWASP Dependency-Check | Tool that identifies project dependencies and checks for known vulnerabilities. |
| MLSecOps | Stage 3 | NB Defense | Security tool for Jupyter notebooks, scanning for vulnerabilities and risks. |
| MLSecOps | Stage 3 | Compliance check | PCI DSS, ISO/IEC 27001, NIST 800-53B, ... |
| MLSecOps | Stage 3 | compliance-checker | Python tool to check your datasets against compliance standards. |
| MLSecOps | Stage 4 | Quality Gate | Define a rule/policy for test results. |
| MLSecOps | Stage 5 | EarlyStopping | Stop training when a monitored metric has stopped improving. |
| MLSecOps | Stage 5 | KFold | K-Fold cross-validator. |
| MLSecOps | Stage 6 | EarlyStopping | Metrics and scoring: quantifying the quality of predictions. |
| MLSecOps | Stage 7 | modelscan | Protection against ML model serialization attacks. |
| MLSecOps | Stage 7 | Vigil | LLM prompt injection and security scanner. |
| MLSecOps | Stage 7 | Garak | LLM vulnerability scanner. |
| MLSecOps | Stage 8 | Quality Gate | Define a rule/policy for test results. |
| MLSecOps | Stage 9 | OpenPubKey | OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. |
| MLSecOps | Stage 10 | AWS S3 bucket | A bucket is a container for objects stored in Amazon S3. |
| MLSecOps | Stage 10 | Nexus Repository | Sonatype Nexus Repository. |
| DevSecOps | Stage 1 | Pre-Commit Hook Scans | A framework for managing and maintaining multi-language pre-commit hooks. |
| DevSecOps | Stage 1 | Trivy Vulnerability Scanner | Comprehensive vulnerability scanner for containers and other artifacts. |
| DevSecOps | Stage 1 | Trunk Check | Automated Code Quality for Teams: universal formatting, linting, static analysis, and security. |
| DevSecOps | Stage 2 | AWS S3 bucket | A bucket is a container for objects stored in Amazon S3. |
| DevSecOps | Stage 2 | Nexus Repository | Sonatype Nexus Repository. |
| DevSecOps | Stage 3 | Gitleaks | Secret scanner for git repositories, files, and directories. |
| DevSecOps | Stage 3 | SonarQube | Open-source platform for continuous inspection of code quality. |
| DevSecOps | Stage 3 | Trivy | Comprehensive vulnerability scanner for containers and other artifacts. |
| DevSecOps | Stage 3 | Horusec | Tool to perform static code analysis to identify security flaws. |
| DevSecOps | Stage 3 | OWASP Dependency-Check | Tool that identifies project dependencies and checks for known vulnerabilities. |
| DevSecOps | Stage 3 | Checkov | Checkov scans cloud infrastructure configurations to find misconfigurations. |
| DevSecOps | Stage 3 | TFLint | A pluggable Terraform linter. |
| DevSecOps | Stage 3 | terraform-compliance | terraform-compliance is a lightweight, security- and compliance-focused test framework for Terraform that enables negative testing of your infrastructure-as-code. |
| DevSecOps | Stage 3 | tfsec | tfsec uses static analysis of your Terraform code to spot potential misconfigurations. |
| DevSecOps | Stage 3 | OpenPubKey | OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. |
| DevSecOps | Stage 4 | Quality Gate | Define a rule/policy for test results. |
| DevSecOps | Stage 5 | Build image | Docker buildx build. |
| DevSecOps | Stage 6 | Snyk | Snyk Container helps you find and fix vulnerabilities in container images, based on container registry scans. |
| DevSecOps | Stage 6 | Docker Scout | Scan Docker images. |
| DevSecOps | Stage 6 | Burp Suite | The class-leading vulnerability scanning, penetration testing, and web app security platform. |
| DevSecOps | Stage 6 | Acunetix | Acunetix is an end-to-end web security scanner. |
| DevSecOps | Stage 6 | OWASP ZAP | ZAP is a free and open source web application scanner that can help you find vulnerabilities and test your web applications. |
| DevSecOps | Stage 7 | Quality Gate | Define a rule/policy for test results. |
| DevSecOps | Stage 8 | OpenPubKey | OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. |
| DevSecOps | Stage 8 | Docker content trust key | Trust for an image tag is managed through the use of signing keys. |
| DevSecOps | Stage 9 | AWS S3 bucket | A bucket is a container for objects stored in Amazon S3. |
| DevSecOps | Stage 9 | Nexus Repository | Sonatype Nexus Repository. |
| DevSecOps | Stage 10 | Nessus | Nessus Vulnerability Scanner. |
| DevSecOps | Stage 10 | Nmap | Security scanner, port scanner, and network exploration tool. |
| DevSecOps | Stage 10 | OpenPubKey | OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. |
| DevSecOps | Stage 10 | Docker content trust key | Trust for an image tag is managed through the use of signing keys. |
| DevSecOps | Stage 10 | Compliance check | PCI DSS, ISO/IEC 27001, NIST 800-53B, ... |
| DevSecOps | Stage 10 | OpenSCAP | OpenSCAP is an open source project that provides tools and policies for managing system security and standards compliance. |
| DevSecOps | Stage 11 | Quality Gate | N/A |
| DevSecOps | Stage 12 | gemini-self-protector | Gemini - Runtime Application Self Protection Solution (G-SP). |
| Monitoring | All stages | Slack webhook | Sending messages using incoming webhooks. |
| Monitoring | All stages | Telegram Bot | Telegram Bot API. |
| Monitoring | All stages | DefectDojo | Application vulnerability management tool. |
| Monitoring | All stages | ELK stack | Elasticsearch, Logstash and Kibana. |
| Monitoring | All stages | PagerDuty | Automate, manage, and improve your operations with over 700 integrations and generative AI. |
| Monitoring | All stages | Prometheus | Power your metrics and alerting with the leading open-source monitoring solution. |
| Monitoring | All stages | Grafana | Grafana is the open source analytics & monitoring solution for every database. |
| Key Management | All stages that use a key or credential | HashiCorp Vault | Manage access to secrets and stop credentials from falling into the wrong hands with identity-based security. |
| Key Management | All stages that use a key or credential | AWS Key Management Service | Create and control keys used to encrypt or digitally sign your data. |
| Key Management | All stages that use a key or credential | AWS Secrets Manager | Centrally manage the lifecycle of secrets. |
## Best Practices
- [OWASP LLMSVS](https://owasp.org/www-project-llm-verification-standard/)
- [OWASP Top 10 for Large Language Model Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
- [OWASP Machine Learning Security Top Ten](https://owasp.org/www-project-machine-learning-security-top-10/)
- [MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems)](https://atlas.mitre.org/)
- [OWASP DevSecOps](https://devsecops.owasp.org/)
- [OWASP Devsecops Maturity Model](https://owasp.org/www-project-devsecops-maturity-model/)
- [OWASP DevSecOps Guideline](https://owasp.org/www-project-devsecops-guideline/)
- [DevSecOps-Playbook-Securestack](https://github.com/6mile/DevSecOps-Playbook)
- [DevSecOps-Department of Defense (DoD)](https://public.cyber.mil/devsecops/)
## Case Studies
- [Automating Application Security to Protect Corporate Data Assets at the Speed of Business](https://www.contrastsecurity.com/customer-success/asg-technologies)
- [Enhancing the GuardRails solution](https://maddevs.io/case-studies/guardrails/)
- [DevOps in Action: Real-world Case Studies](https://medium.com/@vinodvamanbhat/devops-in-action-real-world-case-studies-db7907149814)
- [Large scale transformation with DevSecOps](https://www.capacitas.co.uk/ukhsa-case-study)
## Community
- [MLSecOps Community](https://community.mlsecops.com/)
- [DevSecOps](https://dev.to/t/devsecops)
- [DevSecCon](https://www.devseccon.com/)
## Contribution
We welcome contributions from the community to help us expand and improve this repository. If you have suggestions, tools, or resources that you believe should be included, please feel free to submit a pull request or open an issue.
Thank you for visiting our repository. We hope you find it a valuable resource in your journey towards secure and effective machine learning operations.