OWASP DevSecOps Verification Standard

The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:

• 🧐 Gap Analysis

  • DSOVS can be used to identify gaps that exist within a single or multiple software projects by providing internal or external analysts’ with a clearly defined standard that cover all areas of the secure software development lifecycle.

• 🗺️ Maturity Roadmap

  • DSOVS can be used by developers, architects, security people and anyone else to identify existing DevSecOps maturity levels whilst mapping a clear path to work towards heightened maturity.

• ⚠️ During Third-party Risk Asessments

  • DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third-parties which is important as it ensures that their software development processes are resilient and helps identify any potential vulnerabilities that exist due to people, processes or software.

🧮 Self-Assessment Tool

Try it live at dsovs.com, or run it from the assessment/ folder. Rate your maturity against every DSOVS control and generate a report; it runs entirely in your browser, so your answers are saved locally on your device and never leave it. You can export your results as JSON or print them to PDF.

Building your own tooling? Every control is also published as machine-readable data: the JSON API is generated from the source-of-truth files under data/controls/.

💬 Connect with Us

#project-devsecops-verification-standard

@theonejvo (Jamieson Vincenti O'Reilly, Project Lead)

@yudhiy (Yudhi Yudhistira, Project Lead)

🎉 Get Involved

Your contribution will help the DSOVS evolve as processes and technologies are ever changing.

We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.

Join our community today and be part of the journey

• 🐞 Report errors (typos, grammar)
• 🛠️ Fix errors or propose changes using a Pull Request
• 🙋 Ask Questions
• 💡 New Ideas

For each phase, there are streams that the DSOVS assesses:## 📖 Table-of-Contents

Organisation Phase

✅ ORG-001 Risk Assessment

✅ ORG-002 Security Training

✅ ORG-003 Security Champion

✅ ORG-004 Security Reporting

Requirements Phase

✅ REQ-001 Security Policy and Regulatory Compliance

✅ REQ-002 Security Requirements and Standards

✅ REQ-003 Security User Stories and Acceptance Criterias

✅ REQ-004 Security Issues Tracking Design

✅ DES-001 Security Architecture Design Reviews

✅ DES-002 Threat Modelling

Code/Build Phase

✅ CODE-001 Secure Development Environment

✅ CODE-002 Hardcoded Secrets Detection

✅ CODE-003 Manual Secure Code Review

✅ CODE-004 Static Application Security Testing (SAST)

✅ CODE-005 Software Composition Analysis (SCA)

✅ CODE-006 Software License Compliance

✅ CODE-007 Inline IDE Secure Code Analysis

✅ CODE-008 Container Security Scanning

✅ CODE-009 Secure Dependency Management

Test Phase

✅ TEST-001 Security Test Management

✅ TEST-002 Dynamic Application Security Testing (DAST)

✅ TEST-003 Interactive Application Security Testing (IAST)

✅ TEST-004 Penetration Testing

✅ TEST-005 Security Test Coverage

Release/Deploy Phase

✅ REL-001 Artifact Signing

✅ REL-002 Secure Artifact Management

✅ REL-003 Secret Management

✅ REL-004 Secure Configuration

✅ REL-005 Security Policy Enforcement

✅ REL-006 Infrastructure-as-Code (IaC) Secure Deployment

✅ REL-007 Compliance Scanning

✅ REL-008 Secure Release Management

Operate/Monitor Phase

✅ OPR-001 Environment Hardening

✅ OPR-002 Application Hardening

✅ OPR-003 Environment Security Logging

✅ OPR-004 Application Security Logging

✅ OPR-005 Vulnerability Disclosure

✅ OPR-006 Certificate Management

✅ OPR-007 Attack Surface Management