OWASP DevSecOps Verification Standard

The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework for cyber security professionals to identify software security gaps within software development practices. The DSOVS helps organisation to highlight opportunities for quality improvements in the aspect of people, process, and tools within software development lifecycle. The DSOVS focuses on maturing capability in embedding security practices rather than merely implementing security tools. Therefore, the DSOVS is technology agnostic and does not bound to a specific software development methodology.

There are seven phases of OWASP DevSecOps Verification Standard that aligns with phases in most of software engineering practices:

  • Organisation
  • Requirement
  • Design
  • Code/Build
  • Test
  • Release/Deploy
  • Operate/Monitor

For each phase, there are streams that the DSOVS assesses:

  • Organisation
    • ORG-001 Risk Assessment
    • ORG-002 Security Training
    • ORG-003 Security Champion
    • ORG-004 Security Reporting
  • Requirement
    • REQ-001 Security Policy and Regulatory Compliance
    • REQ-002 Security Requirements and Standards
    • REQ-003 Security User Stories and Acceptance Criterias
    • REQ-004 Security Issues Tracking
  • Design
    • DES-001 Security Architecture Design Reviews
    • DES-002 Threat Modelling
  • Code/Build
    • CODE-001 Secure Development Environment
    • CODE-002 Hardcoded Secrets Detection
    • CODE-003 Manual Secure Code Review
    • CODE-004 Static Application Security Testing (SAST)
    • CODE-005 Software Composition Analysis (SCA)
    • CODE-006 Software License Compliance
    • CODE-007 Inline IDE Secure Code Analysis
    • CODE-008 Container Security Scanning
    • CODE-009 Secure Dependency Management
  • Test
    • TEST-001 Security Test Management
    • TEST-002 Dynamic Application Security Testing (DAST)
    • TEST-003 Interactive Application Security Testing (IAST)
    • TEST-004 Penetration Testing
    • TEST-005 Security Test Coverage
  • Release/Deploy
    • REL-001 Artifact Signing
    • REL-002 Secure Artifact Management
    • REL-003 Secret Management
    • REL-004 Secure Configuration
    • REL-005 Security Policy Enforcement
    • REL-006 Infrastructure-as-Code (IaC) Secure Deployment
    • REL-007 Compliance Scanning
    • REL-008 Secure Release Management
  • Operate/Monitor
    • OPR-001 Environment Hardening
    • OPR-002 Application Hardening
    • OPR-003 Environment Security Logging
    • OPR-004 Application Security Logging
    • OPR-005 Vulnerability Disclosure
    • OPR-006 Certificate Management

Get Involved

Your contribution will help the DSOVS evolve as processes and technologies are ever changing. Please propose your changes by creating a new pull request in our GitHub Project.


Please use the Github Issues for feedbacks:

  • What do you like?
  • What don’t you like?
  • How can we make DSOVS easier to use?
  • How could DSOVS be improved?