OWASP Developer Guide

DevSecOps Guideline

9.1 DevSecOps Guideline

The OWASP DevSecOps Guideline project explains how to best implement a secure pipeline, using best practices and introducing automation tools to help ‘shift-left’ security issues.

The DevSecOps Guideline is in active development as an OWASP Production documentation project and can be accessed from the web document or downloaded as a PDF.

What is the DevSecOps Guideline?

DevOps (combining software Development and release Operations) pipelines use automation to integrate various established activities within the development and release processes into pipeline steps. This enables the use of Continuous Integration and Continuous Delivery or Deployment (CI/CD) within an organization. DevSecOps (combining security with DevOps) seeks to add steps to the existing CI/CD pipelines so that security is built into the development and release process rather than checked only at the end.
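To make the idea of "security steps in the pipeline" concrete, here is an added Python illustration; it is not code from the OWASP Developer Guide or the DevSecOps Guideline. It models a pipeline as an ordered set of stages and runs two security stages (a secret scan and a dependency check) over a repository snapshot before any build or deploy stage would run. The repository contents, the advisory list and the advisory identifier are constructed sample data, not a real vulnerability database.

```python
"""Minimal DevSecOps pipeline gate (added example, not OWASP code).

Models a CI/CD pipeline as an ordered list of security stages that run
before build/deploy and fail the pipeline if any stage reports findings.
All inputs below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample repository snapshot: path -> file contents.
SAMPLE_REPO = {
    "app/config.py": 'DB_PASSWORD = "hunter2"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "app/main.py": "def main():\n    return 0\n",
    "requirements.txt": "requests==2.19.0\nflask==2.3.2\n",
}

# Constructed advisory list (placeholder ids, not a real database):
# package -> (first fixed version, advisory id).
SAMPLE_ADVISORIES = {
    "requests": ("2.20.0", "ADVISORY-PLACEHOLDER-1"),
}

# Patterns for common credential shapes. AWS access key ids start with "AKIA";
# the second pattern catches a quoted value assigned to a secret-like name.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-credential",
     re.compile(r"(?i)\w*(password|secret|token)\w*\s*=\s*['\"][^'\"]+['\"]")),
]


@dataclass
class Finding:
    stage: str
    location: str
    message: str


def secret_scan(repo):
    """Stage: flag hard-coded secrets before they reach the build artefact."""
    findings = []
    for path, text in repo.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding("secret-scan", f"{path}:{lineno}", name))
    return findings


def _version_tuple(version):
    # Sufficient for the dotted numeric versions used in the sample data.
    return tuple(int(part) for part in version.split("."))


def dependency_check(repo, advisories):
    """Stage: compare pinned dependencies against the advisory list."""
    findings = []
    for line in repo.get("requirements.txt", "").splitlines():
        if "==" not in line:
            continue
        pkg, ver = line.strip().split("==", 1)
        if pkg in advisories:
            fixed_in, advisory = advisories[pkg]
            if _version_tuple(ver) < _version_tuple(fixed_in):
                findings.append(Finding("dependency-check",
                                        f"requirements.txt:{pkg}=={ver}",
                                        f"{advisory}: fixed in {fixed_in}"))
    return findings


def run_pipeline(repo, advisories):
    """Run every security stage, aggregate findings, and report pass/fail.

    All stages run so developers see every problem in one pass; the pipeline
    fails (no build/deploy) if any stage reported a finding.
    """
    stages = [
        lambda: secret_scan(repo),
        lambda: dependency_check(repo, advisories),
    ]
    findings = []
    for stage in stages:
        findings.extend(stage())
    return {"passed": not findings, "findings": findings}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_REPO, SAMPLE_ADVISORIES)
    print("pipeline passed" if result["passed"] else "pipeline FAILED")
    for f in result["findings"]:
        print(f"  [{f.stage}] {f.location}: {f.message}")
```

In a real pipeline each stage would invoke a dedicated scanner and the advisory data would come from a maintained vulnerability feed; the structure (ordered stages, aggregated findings, a hard gate before build and deploy) is the part that carries over.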

The DevSecOps Guideline is a collection of advice and theory that explains how to embed security into DevOps. It covers various foundational topics such as Threat Modeling pipelines, Secrets Management and Linting Code. It then explains and illustrates the vulnerability scanning steps commonly used in CI/CD pipelines.

The DevSecOps Guideline is a concise guide that provides the foundational knowledge to implement DevSecOps.

How to use the DevSecOps Guideline

The DevSecOps Guideline can be accessed from the web document or downloaded as a PDF. It is concise enough that all the sections can be read within a short time, and it provides enough knowledge to understand the concept behind DevSecOps and what activities are involved.

It provides an excellent overview of DevSecOps which shows how the steps of a typical CI/CD pipeline fit together and what sort of tools can be applied in each step to secure the pipeline. Many of the pages in the DevSecOps Guideline contain lists of tools that can be applied to the pipeline step.

The DevSecOps Guideline document is being expanded and updated, building on the existing 2023 version.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.