readme upgrade

README.md

@@ -26,37 +26,111 @@ Leveraging the power of Github Actions and scripting, we'll cover a range of fun
 ## 🛠 Security Measures 🛠
 
 ### <a name="sast"></a>1️⃣ SAST (Static Application Security Testing)
-Automate the detection of vulnerabilities in your codebase before deployment to ensure a solid foundation for your web app's security.
+
+**Objective**:  
+To identify vulnerabilities in the source code prior to deployment, thereby reducing the potential attack surface.
+
+**Description**:  
+Static Application Security Testing (SAST) is a white-box testing methodology that analyzes source code for security vulnerabilities. It can identify issues such as SQL injection, cross-site scripting (XSS), and insecure data storage practices. Automation of SAST can be integrated into the CI/CD pipeline, allowing for early detection and remediation of vulnerabilities.
+
+**Tools**:  
+- Checkmarx
+- Fortify
+- Veracode
+
+---
 
 ### <a name="secret"></a>2️⃣ SECRET (Secret Scanning)
-Secrets are often the Achilles' heel of web applications. Automate the scanning of your codebase to protect sensitive information.
+
+**Objective**:  
+To detect and protect sensitive information like API keys, passwords, and tokens that may be inadvertently committed to the codebase.
+
+**Description**:  
+Secret scanning is an automated process that scans the codebase for hard-coded secrets. It is crucial for preventing accidental exposure of sensitive information. Automated secret scanning can be configured to trigger alerts or even block commits that contain sensitive information.
+
+**Tools**:  
+- GitGuardian
+- Gitleaks
+- TruffleHog
+
+---
 
 ### <a name="iac"></a>3️⃣ IAC (Infrastructure as Code)
-Automate security checks within your Infrastructure as Code (IAC) scripts to prevent misconfigurations and vulnerabilities.
+
+**Objective**:  
+To ensure that infrastructure provisioning scripts are free from misconfigurations and vulnerabilities.
+
+**Description**:  
+Infrastructure as Code (IaC) allows for the automated setup, configuration, and management of servers and other infrastructure components. Automated security checks on IaC scripts can identify insecure configurations, such as overly permissive security groups or unencrypted data storage, thereby preventing potential security incidents.
+
+**Tools**:  
+- KICS (Keeping Infrastructure as Code Secure)
+- Terraform
+- Ansible
+
+---
 
 ### <a name="sca"></a>4️⃣ SCA (Software Composition Analysis)
-Automate the identification and patching of vulnerable third-party libraries and dependencies.
+
+**Objective**:  
+To identify and remediate vulnerabilities in third-party libraries and dependencies.
+
+**Description**:  
+Software Composition Analysis (SCA) is essential for identifying vulnerabilities in open-source libraries and components that your application relies on. Automated SCA can flag out-of-date libraries and suggest updates or patches, thereby reducing the risk associated with third-party code.
+
+**Tools**:  
+- Snyk
+- WhiteSource
+- Black Duck
+
+---
 
 ### <a name="containers"></a>5️⃣ CONTAINERS (Container Security)
-Automate container security checks to ensure your app is safe from within.
+
+**Objective**:  
+To ensure that containerized applications are secure from both the operating system and application perspectives.
+
+**Description**:  
+Container security involves securing the container images, the runtime environment, and the orchestration layer. Automated container scanning can identify vulnerabilities in the images, misconfigurations, and non-compliance with best practices.
+
+**Tools**:  
+- Trivy
+- Aqua Trivy
+- Sysdig
+
+---
 
 ### <a name="dast"></a>6️⃣ DAST (Dynamic Application Security Testing)
-Automate DAST to catch issues in real-time while your app is running.
 
-### <a name="mfa"></a>7️⃣ MFA (Multi-Factor Authentication)
-Automate MFA configurations to bolster user account security.
+**Objective**:  
+To identify vulnerabilities in a running application, simulating how an attacker could exploit them.
+
+**Description**:  
+Dynamic Application Security Testing (DAST) is a black-box testing methodology that identifies vulnerabilities by interacting with a running application. Automated DAST can be configured to run periodically or based on triggers, providing real-time vulnerability assessment.
+
+**Tools**:  
+- OWASP ZAP
+- Burp Suite
+- AppSpider
 
 ---
 
-## 🌟 Additional Functionalities 🌟
-- **Code Quality Checks**: Integrate SonarQube for code quality assessments.
-- **License Compliance**: Utilize FOSSA or Black Duck for license compliance checks.
-- **Performance Testing**: Implement Apache JMeter for API performance testing.
-- **Backup Artifacts**: Configure a job to backup all generated artifacts to external storage for auditing.
+### <a name="mfa"></a>7️⃣ MFA (Multi-Factor Authentication)
+
+**Objective**:  
+To add an additional layer of security that requires multiple forms of verification before granting access.
+
+**Description**:  
+Multi-Factor Authentication (MFA) is a critical security control that requires users to provide two or more verification factors to gain access to a resource. Automating MFA configurations ensures consistent application of security policies across the user base.
+
+**Tools**:  
+- Authy
+- Google Authenticator
+- Duo Security
 
 ---
 
-## 🐍 Python App Considerations 🐍
+## <a name="python-app"></a>🐍 Python App Considerations 🐍
 ### 8 Things to Keep in Mind with Python Web Apps
 1. **Your Code**: Ensure code quality and security.
 2. **Your Infra**: Maintain a secure and scalable infrastructure.
@@ -67,4 +141,12 @@ Automate MFA configurations to bolster user account security.
 7. **Your People**: Train your team on security best practices.
 8. **Your Operations**: Implement secure operational procedures.
 
----
+---
+
+### <a name="additional-functionalities"></a> Pending Additional Functionalities
+- **Code Quality Checks**: Integrate SonarQube for code quality assessments.
+- **License Compliance**: Utilize FOSSA or Black Duck for license compliance checks.
+- **Performance Testing**: Implement Apache JMeter for API performance testing.
+- **Backup Artifacts**: Configure a job to backup all generated artifacts to external storage for auditing.
+---
+