OWASP DevSecOps Verification Standard

OWASP DevSecOps Verification Standard

</a>

The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:

  • 🧐 Gap Analysis
    • DSOVS can be used to identify gaps that exist within a single or multiple software projects by providing internal or external analysts’ with a clearly defined standard that cover all areas of the secure software development lifecycle.
  • πŸ—ΊοΈ Maturity Roadmap
    • DSOVS can be used by developers, architects, security people and anyone else to identify existing DevSecOps maturity levels whilst mapping a clear path to work towards heightened maturity.
  • ⚠️ During Third-party Risk Asessments
    • DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third-parties which is important as it ensures that their software development processes are resilient and helps identify any potential vulnerabilities that exist due to people, processes or software.

πŸ’¬ Connect with Us

  • #project-devsecops-verification-standard
  • @realjvo (Jamieson Vincenti O'Reilly, Project Lead)
  • @yudhiy (Yudhi Yudhistira, Project Lead)
  • πŸŽ‰ Get Involved

    Your contribution will help the DSOVS evolve as processes and technologies are ever changing.

    We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.

    Join our community today and be part of the journey

    For each phase, there are streams that the DSOVS assesses:## πŸ“– Table-of-Contents

    Organisation Phase

    🚧 ORG-001 Risk Assessment

    🚧 ORG-002 Security Training

    🚧 ORG-003 Security Champion

    🚧 ORG-004 Security Reporting

    Requirements Phase

    🚧 REQ-001 Security Policy and Regulatory Compliance

    🚧 REQ-002 Security Requirements and Standards

    🚧 REQ-003 Security User Stories and Acceptance Criterias

    🚧 REQ-004 Security Issues Tracking Design

    🚧 DES-001 Security Architecture Design Reviews

    🚧 DES-002 Threat Modelling

    Code/Build Phase

    🚧 CODE-001 Secure Development Environment

    βœ… CODE-002 Hardcoded Secrets Detection

    🚧 CODE-003 Manual Secure Code Review

    🚧 CODE-004 Static Application Security Testing (SAST)

    🚧 CODE-005 Software Composition Analysis (SCA)

    🚧 CODE-006 Software License Compliance

    🚧 CODE-007 Inline IDE Secure Code Analysis

    🚧CODE-008 Container Security Scanning

    🚧 CODE-009 Secure Dependency Management

    Test Phase

    🚧 TEST-001 Security Test Management

    βœ… TEST-002 Dynamic Application Security Testing (DAST)

    🚧 TEST-003 Interactive Application Security Testing (IAST)

    🚧 TEST-004 Penetration Testing

    🚧 TEST-005 Security Test Coverage

    Release/Deploy Phase

    🚧 REL-001 Artifact Signing

    🚧 REL-002 Secure Artifact Management

    🚧 REL-003 Secret Management

    🚧 REL-004 Secure Configuration

    🚧 REL-005 Security Policy Enforcement

    🚧 REL-006 Infrastructure-as-Code (IaC) Secure Deployment

    🚧 REL-007 Compliance Scanning

    🚧 REL-008 Secure Release Management

    Operate/Monitor Phase

    🚧 OPR-001 Environment Hardening

    🚧 OPR-002 Application Hardening

    🚧 OPR-003 Environment Security Logging

    🚧 OPR-004 Application Security Logging

    βœ… OPR-005 Vulnerability Disclosure

    🚧 OPR-006 Certificate Management

    🚧 OPR-007 Attack Surface Management


    Get Involved

    Your contribution will help the DSOVS evolve as processes and technologies are ever changing. Please propose your changes by creating a new pull request in our GitHub Project.

    Feedback

    Please use the Github Issues for feedbacks:

    • What do you like?
    • What don’t you like?
    • How can we make DSOVS easier to use?
    • How could DSOVS be improved?