OWASP DevSecOps Verification Standard

The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:

  • ๐Ÿง Gap Analysis

    • DSOVS can be used to identify gaps that exist within a single or multiple software projects by providing internal or external analystsโ€™ with a clearly defined standard that cover all areas of the secure software development lifecycle.
  • ๐Ÿ—บ๏ธ Maturity Roadmap

    • DSOVS can be used by developers, architects, security people and anyone else to identify existing DevSecOps maturity levels whilst mapping a clear path to work towards heightened maturity.
  • โš ๏ธ During Third-party Risk Asessments

    • DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third-parties which is important as it ensures that their software development processes are resilient and helps identify any potential vulnerabilities that exist due to people, processes or software.

💬 Connect with Us

  • #project-devsecops-verification-standard
  • @realjvo (Jamieson Vincenti O'Reilly, Project Lead)
  • @yudhiy (Yudhi Yudhistira, Project Lead)

🎉 Get Involved

Your contribution will help the DSOVS evolve as processes and technologies are ever changing. Please propose your changes by creating a new pull request in our GitHub Project.

We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.

Join our community today and be part of the journey.

📖 Table of Contents

For each phase, there are streams that the DSOVS assesses:

Organisation Phase

  • 🚧 ORG-001 Risk Assessment
  • 🚧 ORG-002 Security Training
  • 🚧 ORG-003 Security Champion
  • 🚧 ORG-004 Security Reporting

Requirements Phase

  • 🚧 REQ-001 Security Policy and Regulatory Compliance
  • 🚧 REQ-002 Security Requirements and Standards
  • 🚧 REQ-003 Security User Stories and Acceptance Criteria
  • 🚧 REQ-004 Security Issues Tracking

Design Phase

  • 🚧 DES-001 Security Architecture Design Reviews
  • 🚧 DES-002 Threat Modelling

Code/Build Phase

  • 🚧 CODE-001 Secure Development Environment
  • ✅ CODE-002 Hardcoded Secrets Detection
  • 🚧 CODE-003 Manual Secure Code Review
  • 🚧 CODE-004 Static Application Security Testing (SAST)
  • 🚧 CODE-005 Software Composition Analysis (SCA)
  • 🚧 CODE-006 Software License Compliance
  • 🚧 CODE-007 Inline IDE Secure Code Analysis
  • 🚧 CODE-008 Container Security Scanning
  • 🚧 CODE-009 Secure Dependency Management

Test Phase

  • 🚧 TEST-001 Security Test Management
  • ✅ TEST-002 Dynamic Application Security Testing (DAST)
  • 🚧 TEST-003 Interactive Application Security Testing (IAST)
  • 🚧 TEST-004 Penetration Testing
  • 🚧 TEST-005 Security Test Coverage

Release/Deploy Phase

  • 🚧 REL-001 Artifact Signing
  • 🚧 REL-002 Secure Artifact Management
  • 🚧 REL-003 Secret Management
  • 🚧 REL-004 Secure Configuration
  • 🚧 REL-005 Security Policy Enforcement
  • 🚧 REL-006 Infrastructure-as-Code (IaC) Secure Deployment
  • 🚧 REL-007 Compliance Scanning
  • 🚧 REL-008 Secure Release Management

Operate/Monitor Phase

  • 🚧 OPR-001 Environment Hardening
  • 🚧 OPR-002 Application Hardening
  • 🚧 OPR-003 Environment Security Logging
  • 🚧 OPR-004 Application Security Logging
  • ✅ OPR-005 Vulnerability Disclosure
  • 🚧 OPR-006 Certificate Management
  • 🚧 OPR-007 Attack Surface Management

Feedback

Please use GitHub Issues for feedback:

  • What do you like?
  • What don't you like?
  • How can we make DSOVS easier to use?
  • How could DSOVS be improved?