# OWASP DevSecOps Verification Standard
The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:
- Gap Analysis: DSOVS can be used to identify gaps within a single software project or across multiple projects by giving internal or external analysts a clearly defined standard that covers all areas of the secure software development lifecycle.
- 🗺️ Maturity Roadmap: DSOVS can be used by developers, architects, security practitioners and anyone else to identify existing DevSecOps maturity levels while mapping a clear path towards higher maturity.
- ⚠️ Third-party Risk Assessments: DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third parties. This matters because it checks that their development processes are resilient and helps identify potential vulnerabilities arising from people, processes or software.
## 💬 Connect with Us

## Get Involved

Your contribution will help the DSOVS evolve, as processes and technologies are ever changing.
We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.
Join our community today and be part of the journey:
- Report errors (typos, grammar)
- 🛠️ Fix errors or propose changes using a Pull Request
- Ask questions
- 💡 Share new ideas
For each phase, there are streams that the DSOVS assesses:

## Table of Contents

### Organisation Phase
🚧 ORG-002 Security Training
🚧 ORG-003 Security Champion
🚧 ORG-004 Security Reporting

### Requirements Phase
🚧 REQ-001 Security Policy and Regulatory Compliance
🚧 REQ-002 Security Requirements and Standards
🚧 REQ-003 Security User Stories and Acceptance Criteria
🚧 REQ-004 Security Issues Tracking

### Design Phase
🚧 DES-001 Security Architecture Design Reviews

### Code/Build Phase
🚧 CODE-001 Secure Development Environment
✅ CODE-002 Hardcoded Secrets Detection
🚧 CODE-003 Manual Secure Code Review
🚧 CODE-004 Static Application Security Testing (SAST)
🚧 CODE-005 Software Composition Analysis (SCA)
🚧 CODE-006 Software License Compliance
🚧 CODE-007 Inline IDE Secure Code Analysis
🚧 CODE-008 Container Security Scanning
🚧 CODE-009 Secure Dependency Management

### Test Phase
🚧 TEST-001 Security Test Management
✅ TEST-002 Dynamic Application Security Testing (DAST)
🚧 TEST-003 Interactive Application Security Testing (IAST)
🚧 TEST-004 Penetration Testing
🚧 TEST-005 Security Test Coverage

### Release/Deploy Phase
🚧 REL-002 Secure Artifact Management
🚧 REL-003 Secret Management
🚧 REL-004 Secure Configuration
🚧 REL-005 Security Policy Enforcement
🚧 REL-006 Infrastructure-as-Code (IaC) Secure Deployment
🚧 REL-007 Compliance Scanning
🚧 REL-008 Secure Release Management

### Operate/Monitor Phase
🚧 OPR-001 Environment Hardening
🚧 OPR-002 Application Hardening
🚧 OPR-003 Environment Security Logging
🚧 OPR-004 Application Security Logging
✅ OPR-005 Vulnerability Disclosure
## Get Involved

Your contribution will help the DSOVS evolve, as processes and technologies are ever changing. Please propose your changes by creating a new pull request in our GitHub project.

## Feedback

Please use GitHub Issues for feedback:
- What do you like?
- What don't you like?
- How can we make DSOVS easier to use?
- How could DSOVS be improved?