OWASP DevSecOps Verification Standard
OWASP DevSecOps Verification Standard
The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:
-
π§ Gap Analysis
- DSOVS can be used to identify gaps that exist within a single or multiple software projects by providing internal or external analystsβ with a clearly defined standard that cover all areas of the secure software development lifecycle.
-
πΊοΈ Maturity Roadmap
- DSOVS can be used by developers, architects, security people and anyone else to identify existing DevSecOps maturity levels whilst mapping a clear path to work towards heightened maturity.
-
β οΈ During Third-party Risk Asessments
- DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third-parties which is important as it ensures that their software development processes are resilient and helps identify any potential vulnerabilities that exist due to people, processes or software.
π¬ Connect with Us
#project-devsecops-verification-standard
@realjvo (Jamieson Vincenti O'Reilly, Project Lead) @yudhiy (Yudhi Yudhistira, Project Lead)π Get Involved
Your contribution will help the DSOVS evolve as processes and technologies are ever changing.
We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.
Join our community today and be part of the journey
- π Report errors (typos, grammar)
- π οΈ Fix errors or propose changes using a Pull Request
- π Ask Questions
- π‘ New Ideas
For each phase, there are streams that the DSOVS assesses:## π Table-of-Contents
Organisation Phase
π§ ORG-002 Security Training
π§ ORG-003 Security Champion
π§ ORG-004 Security Reporting
Requirements Phase
π§ REQ-001 Security Policy and Regulatory Compliance
π§ REQ-002 Security Requirements and Standards
π§ REQ-003 Security User Stories and Acceptance Criterias
π§ REQ-004 Security Issues Tracking Design
π§ DES-001 Security Architecture Design Reviews
Code/Build Phase
π§ CODE-001 Secure Development Environment
β CODE-002 Hardcoded Secrets Detection
π§ CODE-003 Manual Secure Code Review
π§ CODE-004 Static Application Security Testing (SAST)
π§ CODE-005 Software Composition Analysis (SCA)
π§ CODE-006 Software License Compliance
π§ CODE-007 Inline IDE Secure Code Analysis
π§CODE-008 Container Security Scanning
π§ CODE-009 Secure Dependency Management
Test Phase
π§ TEST-001 Security Test Management
β TEST-002 Dynamic Application Security Testing (DAST)
π§ TEST-003 Interactive Application Security Testing (IAST)
π§ TEST-004 Penetration Testing
π§ TEST-005 Security Test Coverage
Release/Deploy Phase
π§ REL-002 Secure Artifact Management
π§ REL-003 Secret Management
π§ REL-004 Secure Configuration
π§ REL-005 Security Policy Enforcement
π§ REL-006 Infrastructure-as-Code (IaC) Secure Deployment
π§ REL-007 Compliance Scanning
π§ REL-008 Secure Release Management
Operate/Monitor Phase
π§ OPR-001 Environment Hardening
π§ OPR-002 Application Hardening
π§ OPR-003 Environment Security Logging
π§ OPR-004 Application Security Logging
β OPR-005 Vulnerability Disclosure
Get Involved
Your contribution will help the DSOVS evolve as processes and technologies are ever changing. Please propose your changes by creating a new pull request in our GitHub Project.
Feedback
Please use the Github Issues for feedbacks:
- What do you like?
- What donβt you like?
- How can we make DSOVS easier to use?
- How could DSOVS be improved?