```
├── .gitignore
├── 404.html
├── Gemfile
├── README.md
├── _config.yml
├── assets
│   └── images
│       └── README.md
├── document
│   ├── CODE-001-Secure-Development-Environment.md
│   ├── CODE-002-Hardcoded-Secrets-Detection.md
│   ├── CODE-003-Manual-Secure-Code-Review.md
│   ├── CODE-004-Static-Application-Security-Testing-SAST.md
│   ├── CODE-005-Software-Composition-Analysis-SCA.md
│   ├── CODE-006-Software-License-Compliance.md
│   ├── CODE-007-Inline-IDE-Secure-Code-Analysis.md
│   ├── CODE-008-Container-Security-Scanning.md
│   ├── CODE-009-Secure-Dependency-Management.md
│   ├── DES-001-Secure-Architecture-Design-Reviews.md
│   ├── DES-002-Threat-Modelling.md
│   ├── OPR-001-Environment-Hardening.md
│   ├── OPR-002-Application-Hardening.md
│   ├── OPR-003-Environment-Security-Logging.md
│   ├── OPR-004-Application-Security-Logging.md
│   ├── OPR-005-Responsible-Disclosure.md
│   ├── OPR-006-Certificate-Management.md
│   ├── OPR-007-Attack-Surface-Management.md
│   ├── ORG-001-Risk-Assessment.md
│   ├── ORG-002-Security-Training.md
│   ├── ORG-003-Security-Champion.md
│   ├── ORG-004-Security-Reporting.md
│   ├── REL-001-Artifact-Signing.md
│   ├── REL-002-Secure-Artifact-Management.md
│   ├── REL-003-Secret-Management.md
│   ├── REL-004-Secure-Configuration.md
│   ├── REL-005-Security-Policy-Enforcement.md
│   ├── REL-006-Infrastructure-as-Code-Secure-Deployment.md
│   ├── REL-007-Compliance-Scanning.md
│   ├── REL-008-Secure-Release-Management.md
│   ├── REQ-001-Security-Policy-and-Regulatory-Compliance.md
│   ├── REQ-002-Security-Requirements-and-Standards.md
│   ├── REQ-003-Security-User-Stories-and-Acceptance-Criteria.md
│   ├── REQ-004-Security-Issues-Tracking.md
│   ├── TEST-001-Security-Test-Management.md
│   ├── TEST-002-Dynamic-Application-Security-Testing-DAST.md
│   ├── TEST-003-Interactive-Application-Security-Testing-IAST.md
│   ├── TEST-004-Penetration-Testing.md
│   ├── TEST-005-Security-Test-Coverage.md
│   └── images
│       ├── azure.svg
│       ├── github.svg
│       ├── gitlab.svg
│       ├── linkedin.svg
│       ├── logo.svg
│       └── slack_logo.png
├── index.md
├── info.md
├── leaders.md
├── tab_contributing.md
├── v1.1
│   └── DevSecOps-VerificationStandard-v1.1.xlsx
└── v1
    └── DevSecOps-VerificationStandard-v1.xlsx
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------

```
/Gemfile
/Gemfile.lock
/favicon.ico
_site/
```

--------------------------------------------------------------------------------
/404.html:
--------------------------------------------------------------------------------

---

title: 404 - Not Found
layout: col-generic

---

WHOA THAT PAGE CANNOT BE FOUND

Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.

If all else fails you can search our historical site.

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------

```
source 'https://rubygems.org'
group :jekyll_plugins do
  gem "github-pages"
end
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# OWASP DevSecOps Verification Standard

The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:

- 🧐 **Gap Analysis**

  - DSOVS can be used to identify gaps that exist within a single software project or across multiple projects, by providing internal or external analysts with a clearly defined standard that covers all areas of the secure software development lifecycle.

- 🗺️ **Maturity Roadmap**

  - DSOVS can be used by developers, architects, security people and anyone else to identify existing DevSecOps maturity levels whilst mapping a clear path to work towards heightened maturity.

- ⚠️ **During Third-party Risk Assessments**

  - DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third parties. This is important as it ensures that their software development processes are resilient and helps identify any potential vulnerabilities that exist due to people, processes or software.

## 💬 Connect with Us

- #project-devsecops-verification-standard
- @realjvo (Jamieson Vincenti O'Reilly, Project Lead)
- @yudhiy (Yudhi Yudhistira, Project Lead)

## 🎉 Get Involved

Your contribution will help the DSOVS evolve as processes and technologies are ever changing.

We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.

Join our community today and be part of the journey

- 🐞 [Report errors (typos, grammar)](https://github.com/OWASP/www-project-devsecops-verification-standard/issues)
- 🛠️ [Fix errors or propose changes using a Pull Request](https://github.com/OWASP/www-project-devsecops-verification-standard/pulls)
- 🙋 [Ask Questions](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/q-a)
- 💡 [New Ideas](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

For each phase, there are streams that the DSOVS assesses:

## 📖 Table-of-Contents

### Organisation Phase

🚧 [ORG-001 Risk Assessment](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-001-Risk-Assessment.md)

🚧 [ORG-002 Security Training](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-002-Security-Training.md)

🚧 [ORG-003 Security Champion](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-003-Security-Champion.md)

🚧 [ORG-004 Security Reporting](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-004-Security-Reporting.md)

### Requirements Phase

🚧 [REQ-001 Security Policy and Regulatory Compliance](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-001-Security-Policy-and-Regulatory-Compliance.md)

🚧 [REQ-002 Security Requirements and
Standards](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-002-Security-Requirements-and-Standards.md)

🚧 [REQ-003 Security User Stories and Acceptance Criteria](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-003-Security-User-Stories-and-Acceptance-Criteria.md)

🚧 [REQ-004 Security Issues Tracking Design](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-004-Security-Issues-Tracking.md)

🚧 [DES-001 Security Architecture Design Reviews](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/DES-001-Secure-Architecture-Design-Reviews.md)

🚧 [DES-002 Threat Modelling](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/DES-002-Threat-Modelling.md)

### Code/Build Phase

🚧 [CODE-001 Secure Development Environment](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-001-Secure-Development-Environment.md)

✅ [CODE-002 Hardcoded Secrets Detection](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-002-Hardcoded-Secrets-Detection.md)

🚧 [CODE-003 Manual Secure Code Review](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-003-Manual-Secure-Code-Review.md)

🚧 [CODE-004 Static Application Security Testing (SAST)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-004-Static-Application-Security-Testing-SAST.md)

🚧 [CODE-005 Software Composition Analysis (SCA)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-005-Software-Composition-Analysis-SCA.md)

🚧 [CODE-006 Software License Compliance](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-006-Software-License-Compliance.md)

🚧 [CODE-007 Inline IDE Secure Code Analysis](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-007-Inline-IDE-Secure-Code-Analysis.md)

🚧 [CODE-008 Container Security Scanning](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-008-Container-Security-Scanning.md)

🚧 [CODE-009 Secure Dependency Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-009-Secure-Dependency-Management.md)

### Test Phase

🚧 [TEST-001 Security Test Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-001-Security-Test-Management.md)

✅ [TEST-002 Dynamic Application Security Testing (DAST)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-002-Dynamic-Application-Security-Testing-DAST.md)

🚧 [TEST-003 Interactive Application Security Testing (IAST)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-003-Interactive-Application-Security-Testing-IAST.md)

🚧 [TEST-004 Penetration Testing](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-004-Penetration-Testing.md)

🚧 [TEST-005 Security Test Coverage](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-005-Security-Test-Coverage.md)

### Release/Deploy Phase

🚧 [REL-001 Artifact Signing](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-001-Artifact-Signing.md)

🚧 [REL-002 Secure Artifact Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-002-Secure-Artifact-Management.md)

🚧 [REL-003 Secret Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-003-Secret-Management.md)

🚧 [REL-004 Secure Configuration](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-004-Secure-Configuration.md)

🚧 [REL-005 Security Policy Enforcement](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-005-Security-Policy-Enforcement.md)

🚧 [REL-006 Infrastructure-as-Code (IaC) Secure Deployment](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-006-Infrastructure-as-Code-Secure-Deployment.md)

🚧 [REL-007 Compliance Scanning](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-007-Compliance-Scanning.md)

🚧 [REL-008 Secure Release Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-008-Secure-Release-Management.md)

### Operate/Monitor Phase

🚧 [OPR-001 Environment Hardening](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-001-Environment-Hardening.md)

🚧 [OPR-002 Application Hardening](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-002-Application-Hardening.md)

🚧 [OPR-003 Environment Security Logging](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-003-Environment-Security-Logging.md)

🚧 [OPR-004 Application Security Logging](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-004-Application-Security-Logging.md)

✅ [OPR-005 Vulnerability Disclosure](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-005-Responsible-Disclosure.md)

🚧 [OPR-006 Certificate Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-006-Certificate-Management.md)

🚧 [OPR-007 Attack Surface Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-007-Attack-Surface-Management.md)

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------

```
remote_theme: "owasp/www--site-theme@main"
plugins:
  - jekyll-include-cache-0.2.0
```

--------------------------------------------------------------------------------
/assets/images/README.md:
--------------------------------------------------------------------------------

# placeholder

Put images you wish to link to in this folder

link would be in form /assets/images/

--------------------------------------------------------------------------------
/document/CODE-001-Secure-Development-Environment.md:
--------------------------------------------------------------------------------

# Secure Development Environment

| ID |
| -------------- |
| DSOVS-CODE-001 |

## Summary

It is important for developers to use a secure development environment in order to ensure the integrity of their code and avoid the risk of source-code theft.

By using an environment that is secure and isolated from other networks, developers can be sure that their code remains safe and secure.

Additionally, as development environments can be monitored and audited, it can help identify any potential vulnerabilities or malicious activity.
This provides an extra level of security, as developers can be sure that no one is accessing their code without permission.

Using a secure development environment also helps to reduce the risk of source-code theft, as the code is stored in a secure location and is not accessible to anyone outside of the development team.

## Level 0 - No security hardening standards for development environments

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify hardening standards or a security checklist for the development environment

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of a hardened template for the development environment

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that security policies are enforced in line with the development environment hardening standards

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/CODE-002-Hardcoded-Secrets-Detection.md:
--------------------------------------------------------------------------------

# Hardcoded Secrets Detection

| ID |
| -------------- |
| DSOVS-CODE-002 |

## Summary

Hardcoded secrets scanning is a security process used in DevSecOps that involves scanning code for hardcoded passwords, tokens, and other credentials.

The goal of hardcoded secrets scanning is to identify and replace any insecurely stored credentials or secrets, as these can be exploited by malicious actors.

The process typically involves scanning source code, configuration files, and other related artifacts for secrets, which are then checked against appropriate levels of access control.

Any secrets that are deemed insecure are then reported to the relevant parties and can be replaced with more secure alternatives.

## Level 0 - No tool to perform hardcoded secret scanning

At this level of security maturity, there are no tools available to perform secret scanning.
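The process the Summary describes (scan source and configuration files for hardcoded credentials, report what is found, fail the build, and hand the findings to a tracker) can be shown end to end in a small script. The following is an added example written for this page; it is not DSOVS project code and not the code of any tool the page lists. The detection rules, the `secrets-scan:allow` inline marker, the placeholder filter and both sample files are constructed for the illustration (the AWS access key id is the example value from AWS's own documentation), and a real scanner would walk the repository and its git history rather than a dictionary.

```python
"""Added example: a minimal hardcoded-secrets scanner with a build gate and
issue-tracker records. Not DSOVS project code; rules and samples are constructed."""
import hashlib
import json
import math
import re
from collections import Counter
from dataclasses import asdict, dataclass

# Detection rules (constructed for this example). Group 1 is the candidate secret.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic-password-assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}
# Quoted values that reference a secret store or template variable, not a secret itself.
PLACEHOLDER = re.compile(r"^\$\{.*\}$|^\$[A-Z_]+$|^<[^>]*>$")
ALLOW_MARKER = "secrets-scan:allow"  # assumed inline allow-list marker (hypothetical)


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    redacted: str       # first four characters only; the raw value is never stored
    secret_sha256: str  # lets a tracker recognise the same value again without holding it
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character; a rough signal that a string is machine-generated."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> list:
    """Run every rule over every line of one file and return the findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewed and accepted, e.g. a documented dummy value
            continue
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                candidate = match.group(1)
                if PLACEHOLDER.match(candidate):
                    continue
                findings.append(Finding(
                    path, lineno, rule, redact(candidate),
                    hashlib.sha256(candidate.encode()).hexdigest(),
                    round(shannon_entropy(candidate), 2),
                ))
    return findings


def scan_files(files: dict) -> list:
    """files maps a relative path to its content; a real scanner walks the repository."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def ci_exit_code(findings: list) -> int:
    """Level 2 behaviour: a non-zero exit fails the build when any secret is found."""
    return 1 if findings else 0


def issue_records(findings: list) -> list:
    """Level 3 behaviour: records for a centralised tracker. The fingerprint ignores
    the line number, so a moved line does not open a duplicate issue on the next run."""
    records = []
    for f in findings:
        rec = asdict(f)
        key = f"{f.path}|{f.rule}|{f.secret_sha256}".encode()
        rec["fingerprint"] = hashlib.sha256(key).hexdigest()[:16]
        records.append(rec)
    return records


# Constructed sample inputs. The AWS key id is the example value from AWS's documentation.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "${DB_PASSWORD}"\n'               # placeholder: not reported
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # reported
        'api_key = "s3cr3t-live-key-2024-xyz"\n'         # reported
        'TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # secrets-scan:allow documented dummy\n'
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  TOKEN: ghp_0123456789abcdef0123456789abcdef0123\n"  # reported
        "  PASSWORD: ${{ secrets.DEPLOY_PASSWORD }}\n"      # secret-store reference
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    print(json.dumps(issue_records(found), indent=2))
    raise SystemExit(ci_exit_code(found))
```

Run stand-alone, the script prints three tracker records (two from `config/settings.py`, one from the workflow file) and exits with status 1, which is exactly what a Level 2 pipeline step should do. The records carry only a redacted prefix and a hash of the value, so the tracker itself never becomes a second place where the secret is stored.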
## Level 1 - Verify use of a tool to perform on-demand scans to identify hardcoded secrets in the source code

At this stage, a secrets detection tool is present but the scanning is performed on a case-by-case basis. It is not automated and the results may not be reported or recorded.

## Level 2 - Verify the implementation of the hardcoded secrets scanning tool into the build pipeline to perform automated scans and report status to the build

Here, secrets scanning is implemented into the software build pipeline. This means that whenever a build is executed, an automated secrets scan will be triggered and the results will be reported.

## Level 3 - Verify that findings are automatically recorded in a centralised issue tracker and that the tool's effectiveness is periodically reviewed

Level 3 of secrets scanning is the same as level 2, with the addition of all identified security vulnerabilities being recorded in a centralised issue tracking system and periodically reviewed to evaluate the effectiveness of the secrets detection tool. This means that the same type of automated scans are being performed, but the results are being collected, tracked and analysed for future use and improvement.

# Notable Tools

⚠️ **Disclaimer**

Apart from official OWASP Projects, the tools in this section have been chosen on the basis of their proven capabilities alone and there is no other relationship between the DSOVS project leaders and the creators or vendors who maintain them.

If you have a suggestion for a notable tool please [💡 Suggest a Tool](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

## [Gitleaks](https://github.com/gitleaks/gitleaks)

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.

GitHub Actions

```
name: gitleaks
on:
  pull_request:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *" # run once a day at 4 AM
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only requir
```

GitLab CI

```
stages:
  - secrets-detection

gitleaks:
  stage: secrets-detection
  image:
    name: "zricethezav/gitleaks"
    entrypoint: [""]
  script: gitleaks -v --pretty --repo-path . --commit-from=$CI_COMMIT_SHA --commit-to=$CI_COMMIT_BEFORE_SHA --branch=$CI_COMMIT_BRANCH
```

The image above is unpinned; pin the tag to the Gitleaks version whose command-line flags the `script` line uses, otherwise a new image release can change the CLI and silently break the job.

Azure DevOps

The pipeline below builds and publishes the Gitleaks extension for Azure DevOps (the `foxholenl` marketplace publisher); it is not a pipeline that runs Gitleaks against an application repository.

```
name: '2.0$(rev:.r)'

trigger:
  - main
  - feature/*
  - features/*
  - bugfix/*

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: 'Build'
    displayName: 'Build'
    jobs:
      - job:
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '16.x'
            displayName: 'Install Node.js'

          - template: build-and-test.yml
            parameters:
              path: task/v2
              name: Gitleaks V2

          - task: TfxInstaller@3
            displayName: 'Use Node CLI for Azure DevOps'
            inputs:
              version: '0.9.x'
              checkLatest: true

          - task: PackageAzureDevOpsExtension@3
            displayName: 'Package Extension: $(Build.SourcesDirectory)'
            name: 'packageStep'
            inputs:
              rootFolder: '$(Build.SourcesDirectory)'
              outputPath: '$(Build.ArtifactStagingDirectory)/foxholenl-gitleaks.vsix'
              publisherId: 'foxholenl'
              extensionId: 'Gitleaks'
              extensionName: 'Gitleaks'
              extensionTag: '-build'
              extensionVersion: '$(Build.BuildNumber)'
              extensionVisibility: private

          - task: PublishPipelineArtifact@1
            displayName: 'Publish vsix'
            inputs:
              publishLocation: pipeline
              targetPath: '$(packageStep.Extension.OutputPath)'
              artifact: 'vsix'
            condition: succeededOrFailed()

  - stage: Test
    displayName: 'Publish to Marketplace (private)'
    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
    dependsOn: 'Build'
    jobs:
      - deployment:
        environment: Test
        strategy:
          runOnce:
            deploy:
              steps:
                - task: TfxInstaller@3
                  displayName: 'Use Node CLI for Azure DevOps'
                  inputs:
                    version: '0.9.x'
                    checkLatest: true

                - task: PublishAzureDevOpsExtension@3
                  name: 'PublishTest'
                  inputs:
                    connectTo: 'VsTeam'
                    connectedServiceName: 'Marketplace'
                    fileType: 'vsix'
                    vsixFile: '$(Pipeline.Workspace)/vsix/foxholenl-gitleaks.vsix'
                    publisherId: 'foxholenl'
                    extensionId: 'Gitleaks'
                    extensionTag: '-dev'
                    updateTasksVersion: false
                    extensionVisibility: 'privatepreview'
                    shareWith: 'foxholenl'
                    noWaitValidation: true

  - stage: Production
    displayName: 'Publish to Marketplace (Public)'
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    dependsOn: 'Test'
    jobs:
      - deployment:
        environment: Production
        strategy:
          runOnce:
            deploy:
              steps:
                - task: TfxInstaller@3
                  displayName: 'Use Node CLI for Azure DevOps'
                  inputs:
                    version: '0.9.x'
                    checkLatest: true

                - task: PublishAzureDevOpsExtension@3
                  name: 'PublishProd'
                  inputs:
                    connectTo: 'VsTeam'
                    connectedServiceName: 'Marketplace'
                    fileType: 'vsix'
                    vsixFile: '$(Pipeline.Workspace)/vsix/foxholenl-gitleaks.vsix'
                    publisherId: 'foxholenl'
                    extensionId: 'Gitleaks'
                    updateTasksVersion: false
                    extensionVisibility: 'public'
                    noWaitValidation: true
```

## 🙏 Credits

We could not do this without the amazing contributions made to the community, so we would like to take the time to show our appreciation for any external inspiration used.

* [Joost Voskuil](https://github.com/JoostVoskuil)
* [Chandrapal Badshah](https://www.linkedin.com/in/bnchandrapal/?originalSubdomain=in)

--------------------------------------------------------------------------------
/document/CODE-003-Manual-Secure-Code-Review.md:
--------------------------------------------------------------------------------

# Manual Secure Code Review

| ID |
| -------------- |
| DSOVS-CODE-003 |

## Summary

In addition to automated source-code review, manual source-code review is an important part of a secure software development lifecycle.

By manually reviewing the code, developers can identify any potential security vulnerabilities that may have been overlooked.

This helps to ensure that any weaknesses are addressed and that the code is secure.

Additionally, manual source code review helps to ensure that there are no hidden backdoors or malicious code present in the source code.

This further helps to protect users from any potential attacks, and also helps maintain user trust in the software.

Manual source-code reviews also help to detect any irregularities or errors in the code, which can then be addressed quickly and effectively to ensure that the software remains secure.

## Level 0 - No security coding standards

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that a security checklist is part of the coding standards

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that the security coding standards are being used for peer review

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a periodic review schedule is defined to review the security coding standard

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/CODE-004-Static-Application-Security-Testing-SAST.md:
--------------------------------------------------------------------------------

# Static Application Security Testing (SAST)

| ID |
| -------------- |
| DSOVS-CODE-004 |

## Summary

Static application security testing (SAST), also known as static code analysis, is a form of automated security testing that looks for security vulnerabilities in the source code of an application.

It is an important part of DevSecOps because it can detect potential security issues early in the development process.

By uncovering any vulnerabilities in the source code, developers can be sure that the application is secure before it is deployed.

Additionally, SAST can help identify any coding errors or irregularities that may have been overlooked during development, helping to ensure that the application works as expected.

This can help reduce the time and effort needed to manually check the code and ensure that any security issues are addressed before the application goes live.

## Level 0 - No tool to perform static code security analysis

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of a tool to perform on-demand scans to identify insecure code

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify the implementation of the static code security analysis tool into the build pipeline to perform automated scans and report status to the build

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that findings are automatically recorded in a centralised issue tracker and that the tool's effectiveness is periodically reviewed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/CODE-005-Software-Composition-Analysis-SCA.md:
--------------------------------------------------------------------------------

# Software Composition Analysis (SCA)

| ID |
| -------------- |
| DSOVS-CODE-005 |

## Summary

Software composition analysis (SCA) is a security technology which scans source code and identifies libraries, dependencies, and other third-party components being used in an application.

It is an important part of DevSecOps because it helps to ensure that all components of the application are secure and up-to-date.

By detecting any known vulnerabilities or outdated versions of code, SCA can help ensure that applications remain secure, even when third-party components are used.

Additionally, SCA can help alert developers to new versions of code, so that they can update their applications accordingly.

This helps to ensure that the latest security patches and updates are applied, helping to further increase the security of the application.

## Level 0 - No tool to perform third-party dependency analysis

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of tool to perform on-demand scan for out-of-date or insecure third-party components used by the application

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify the implementation of the third-party component vulnerability scanning tool into the build pipeline to perform automated scans and report status to the build

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that the findings are automatically recorded to a centralised issue tracker system and periodically review the tool's effectiveness

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/CODE-006-Software-License-Compliance.md:
--------------------------------------------------------------------------------

# Software License Compliance

| ID             |
| -------------- |
| DSOVS-CODE-006 |

## Summary

Software license compliance is the process of ensuring that software applications are used in accordance with the terms of their license agreements.

It is an important part of DevSecOps because it helps ensure that developers use software in a legal and ethical manner, while also preventing potential copyright or trademark infringements.

By monitoring software license compliance, developers can be sure that they are not putting their application at risk of legal action, while also making sure that any third-party components are legally obtained and properly credited.

Additionally, software license compliance can help identify security vulnerabilities that may be associated with certain components, helping to ensure that applications remain secure.

## Level 0 - No tool to perform open-source software license compliance analysis

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of tool to perform on-demand scan for license violations when using third-party components in the application

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify the implementation of the third-party software licence scanning tool into the build pipeline to perform automated scans and report status to the build

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that the findings are automatically recorded to a centralised issue tracker system and periodically review the tool's effectiveness

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/CODE-007-Inline-IDE-Secure-Code-Analysis.md:
--------------------------------------------------------------------------------

# Inline IDE Secure Code Analysis

| ID             |
| -------------- |
| DSOVS-CODE-007 |

## Summary

IDE-powered code scanning is the process of automatically scanning source code for potential security vulnerabilities, using an integrated development environment (IDE) as the platform.

It is an important part of DevSecOps because it helps developers identify potential security issues before the application is deployed.

By scanning code for vulnerabilities in the IDE, developers can be sure that applications remain secure and help protect users from potential threats.

Additionally, many IDEs come with built-in security scanning tools, which can speed up the process of identifying and addressing potential vulnerabilities.

This helps to ensure that applications are secure and that any security issues are addressed quickly and effectively.

## Level 0 - No tool to assist developer with inline code analysis

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify the use of an integrated development environment (IDE) plugin to perform inline secure code or hardcoded secrets analysis with locally defined rules

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of centrally managed rules for the integrated development environment (IDE) plugin

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify a mechanism to prevent insecure changes from being stored in the source code repository

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/CODE-008-Container-Security-Scanning.md:
--------------------------------------------------------------------------------

# Container Security Scanning

| ID             |
| -------------- |
| DSOVS-CODE-008 |

## Summary

Container security scanning is the process of analysing the contents of containers to detect vulnerable components, configuration issues, and malicious code.

This process is important in DevSecOps because it allows developers to quickly identify security risks in their container environment and take steps to fix them before they become an issue.

By scanning containers on a regular basis, organisations can keep their environments secure and compliant with industry best practices while still taking advantage of the agility and cost advantages offered by containers.

## Level 0 - No tool to perform container vulnerability analysis

At this level, there is no scanning tool in place, and vulnerabilities may go undetected until it is too late. Organizations operating at this level are more susceptible to cyber attacks and may struggle to achieve compliance with industry standards.

## Level 1 - Verify tool is used to perform on-demand scan for container vulnerability analysis

Using a tool for on-demand scanning provides some level of security, but it requires manual intervention and may delay the detection of vulnerabilities. This level can help organizations quickly identify and address security issues, but it may not be sufficient to provide continuous protection.
## Level 2 - Verify the implementation of a container vulnerability analysis tool into the build pipeline to perform automated scans and report status to the build

By integrating a container scanning tool into the build pipeline, security checks become automated and vulnerabilities can be detected earlier in the development process. This level enables organizations to scale their DevSecOps practices and ensures that security is incorporated into the software development life cycle.

## Level 3 - Verify that the findings are automatically recorded to a centralised issue tracker system and periodically review the tool's effectiveness

At this level, the container scanning process is not only automated but also integrated with a central issue tracker system, allowing for greater visibility and easier tracking of security issues. Periodic reviews of the effectiveness of the scanning tool help organizations continuously improve their security posture and stay ahead of emerging threats.

# Notable Tools

⚠️ **Disclaimer**

Apart from official OWASP Projects, the tools in this section have been chosen on the basis of their proven capabilities alone, and there is no other relationship between the DSOVS project leaders and the creators or vendors who maintain them.

If you have a suggestion for a notable tool, please [💡 Suggest a Tool](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

## [Trivy](https://github.com/aquasecurity/trivy)

Trivy is a container scanning tool that finds vulnerabilities, misconfigurations and secrets, and generates an SBOM, for containers, Kubernetes, code repositories, clouds and more.
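The Level 2 gate (fail the build on CRITICAL/HIGH findings that have a fix, as the CI configurations below express with `severity`, `exit-code` and `ignore-unfixed`) and the Level 3 step (record each finding once in a centralised tracker) applied to Trivy's JSON report. This is an added example, not code from the DSOVS project or from Trivy; it assumes Trivy's JSON layout (`Results[].Vulnerabilities[]`), and the embedded report is constructed with placeholder package names and CVE identifiers.

```python
"""Severity gate and issue-tracker records over a Trivy JSON report.

Added example for DSOVS-CODE-008 Levels 2 and 3; not code from the DSOVS project
or from Trivy. Assumes Trivy's JSON layout (Results[].Vulnerabilities[]).
SAMPLE_REPORT is constructed: package names and CVE identifiers are placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


def _vuln(cve, pkg, installed, fixed, severity):
    # One Trivy vulnerability entry, with the field names Trivy uses.
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity, "Title": "placeholder"}


SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/my-app:abc123",
    "Results": [
        {"Target": "registry.example/my-app:abc123 (alpine 3.11.13)", "Type": "alpine",
         "Vulnerabilities": [
             _vuln("CVE-0000-00001", "libfoo", "1.0.0-r0", "1.0.1-r0", "HIGH"),
             _vuln("CVE-0000-00002", "libbar", "2.3.0-r1", "", "CRITICAL"),  # no fix yet
             _vuln("CVE-0000-00003", "libbaz", "0.9.0-r0", "0.9.1-r0", "MEDIUM"),
         ]},
        # The same library vulnerability reported from two lockfiles: must become one issue.
        {"Target": "app/requirements.txt", "Type": "pip",
         "Vulnerabilities": [_vuln("CVE-0000-00004", "examplelib", "1.4.0", "1.4.2", "HIGH")]},
        {"Target": "app/vendor/requirements.txt", "Type": "pip",
         "Vulnerabilities": [_vuln("CVE-0000-00004", "examplelib", "1.4.0", "1.4.2", "HIGH")]},
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "app/Dockerfile", "Type": "dockerfile"},
    ],
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    pkg: str
    installed: str
    fixed: str      # empty when no fixed version is known
    severity: str
    target: str

    @property
    def fingerprint(self) -> str:
        # Stable key so a re-run of the scan maps onto the same tracker issue.
        return f"{self.vuln_id}:{self.pkg}:{self.installed}"


def load_findings(report_json: str) -> list[Finding]:
    """Flatten every Results[].Vulnerabilities[] entry of a Trivy report."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:   # missing/null on clean targets
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                pkg=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion") or "",
                severity=v.get("Severity", "UNKNOWN").upper(),
                target=result.get("Target", ""),
            ))
    return findings


def blocking_findings(findings, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """The gate the GitHub Actions example sets via severity and ignore-unfixed."""
    return [f for f in findings
            if f.severity in severities and not (ignore_unfixed and not f.fixed)]


def gate_exit_code(findings, **gate_options) -> int:
    """1 fails the build (exit-code: '1' in the CI examples), 0 lets it pass."""
    return 1 if blocking_findings(findings, **gate_options) else 0


def to_tracker_issues(findings) -> list[dict]:
    """One issue per fingerprint, listing every target the finding was seen in."""
    issues: dict[str, dict] = {}
    for f in findings:
        issue = issues.setdefault(f.fingerprint, {
            "key": f.fingerprint,
            "title": f"{f.vuln_id} in {f.pkg} {f.installed} (fixed in: {f.fixed or 'none'})",
            "severity": f.severity,
            "targets": [],
        })
        if f.target not in issue["targets"]:
            issue["targets"].append(f.target)
    return list(issues.values())


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    for issue in to_tracker_issues(blocking_findings(found)):
        print(issue["severity"], issue["title"], issue["targets"])
    raise SystemExit(gate_exit_code(found))
```

Run against a real report by feeding it the file produced by `trivy image -f json --output ...`; the fingerprint is what a tracker integration should use to update an existing ticket instead of opening a duplicate on every pipeline run.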
GitHub Actions

```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
```

Note that `aquasecurity/trivy-action@master` is a floating reference, so every run pulls whatever the branch currently contains; pinning the action to a release tag or a full commit SHA keeps the scanner itself from changing underneath the pipeline.

GitLab CI

```yaml
Trivy_container_scanning:
  stage: test
  image:
    name: alpine:3.11
  variables:
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    - apk add --no-cache curl docker-cli
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
    - curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
  script:
    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
  cache:
    paths:
      - .trivycache/
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: []
  only:
    refs:
      - branches
```

Azure DevOps

```yaml
trigger:
- master

pool:
  vmImage: ubuntu-latest

parameters:
- name: imageName
  displayName: Docker Image Name

steps:
- script: |
    # -y added so apt-get does not stop at the confirmation prompt on a non-interactive agent
    sudo apt-get install -y wget apt-transport-https gnupg lsb-release
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install -y trivy
    trivy image -f json --output '$(Build.ArtifactStagingDirectory)/trivy-result.json' ${{ parameters.imageName }}
  displayName: "Run Trivy"
```

## 🙏 Credits

We could not do this without the amazing contributions made to the community, so we'd like to take the time to show our appreciation for any external inspiration used.

* [Simar Singh](https://github.com/simar7)
* [Teppei Fukuda](https://github.com/knqyf263)
* [Yudhi Yudhistira](https://github.com/devsecurityops)

--------------------------------------------------------------------------------
/document/CODE-009-Secure-Dependency-Management.md:
--------------------------------------------------------------------------------

# Secure Dependency Management

| ID             |
| -------------- |
| DSOVS-CODE-009 |

## Summary

Secure Dependency Management is the process of identifying, managing, and tracking all software dependencies when building, deploying, and managing applications.

It is an important part of DevSecOps because it helps to ensure that all applications built using open source and commercial dependencies are secure and up-to-date.
By properly managing dependencies, organizations can mitigate risk from known vulnerabilities in their application stack and keep critical applications updated with the latest security patches.

## Level 0 - Direct use of public repositories for third-party dependencies and libraries

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify implementation of a private repository to manage third-party dependencies and libraries

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that only verified third-party dependencies and libraries can be used by the application

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation of monitoring of the application's use of third-party dependencies and libraries, with a process to retire unused or vulnerable dependencies

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/DES-001-Secure-Architecture-Design-Reviews.md:
--------------------------------------------------------------------------------

# Security Architecture Design Reviews

| ID            |
| ------------- |
| DSOVS-DES-001 |

## Summary

Secure Architecture Design Reviews are a type of security review that focuses on the development of secure architectures.

They involve analyzing the architecture and design of a software system to ensure that it meets the security goals and objectives of the organization.

These reviews are important in DevSecOps because they help to identify weaknesses or potential vulnerabilities in the system, allowing the team to take corrective measures to improve the security posture of the system.

Secure Architecture Design Reviews can also help to ensure that the system adheres to best practices and industry standards for security.

## Level 0 - No security architecture design review performed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that an ad-hoc security architecture design review is performed and action items are created in the development team's backlog

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that a security architecture design review is performed before development activity is finalised and action items are created in the development team's backlog

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that all security features have been addressed in the design

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/DES-002-Threat-Modelling.md:
--------------------------------------------------------------------------------

# Threat Modelling

| ID            |
| ------------- |
| DSOVS-DES-002 |

## Summary

Threat Modelling is the process of analyzing threats that could impact the security of an application before it is deployed.

It helps to identify potential risks, the security controls needed to protect the application, and possible mitigation strategies.

Threat Modelling is an important part of DevSecOps because it ensures that security considerations are taken into account throughout the entire development process, enabling organizations to build applications securely from the start and minimize the risk of exploitation.

## Level 0 - No threat modelling exercise performed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that ad-hoc threat modelling is performed by a security analyst

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that threat modelling is performed by the development team on features

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a periodic review schedule is defined to keep the threat model artifacts current

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/OPR-001-Environment-Hardening.md:
--------------------------------------------------------------------------------

# Environment Hardening

| ID            |
| ------------- |
| DSOVS-OPR-001 |

## Summary

Environment hardening is the process of securing a system or environment by reducing its attack surface.

This is done by removing unnecessary components, services, ports and protocols, as well as applying security patches to existing components.
It is an important part of DevSecOps because it helps to mitigate potential vulnerabilities in the production environment and improve system security.

Hardening the environment helps protect against data breaches and reduces the risk of malicious attacks.

## Level 0 - No environment vulnerability scanning tool

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of tool to perform on-demand scan to identify environment vulnerabilities in the production environment

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that the vulnerability scanning tool is scheduled to perform automated scans and report status to the system owner through a centralised issue tracking system

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation to apply automatic remediation at the time a vulnerability is identified

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/OPR-002-Application-Hardening.md:
--------------------------------------------------------------------------------

# Application Hardening

| ID            |
| ------------- |
| DSOVS-OPR-002 |

## Summary

Application hardening is the process of enhancing the security of an application by reducing its attack surface.

This typically involves making changes to the source code, modifying system configurations, or implementing new controls such as encryption or authentication.

Application hardening is an important part of DevSecOps because it ensures applications are protected from potential vulnerabilities and threats, helping to maintain a secure environment for developers and users alike.

By taking proactive security measures, organizations can ensure that their applications meet industry best practices and stay secure against the ever-evolving world of cyber threats.

## Level 0 - No application vulnerability scanning tool

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of tool to perform on-demand scan to identify application vulnerabilities in the production environment

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that the vulnerability scanning tool is scheduled to perform automated scans and report status to the system owner through a centralised issue tracking system

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation to apply automatic remediation at the time a vulnerability is identified

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/OPR-003-Environment-Security-Logging.md:
--------------------------------------------------------------------------------

# Environment Security Logging

| ID            |
| ------------- |
| DSOVS-OPR-003 |

## Summary

Environment Security Logging is a method of tracking and logging any changes made to an environment's security configuration.

This includes anything from changing firewall rules to user accounts being created or deleted.

It is an important part of DevSecOps because it helps identify security vulnerabilities and potential threats in an environment before they can be exploited by malicious actors.

By having a comprehensive log of system changes, DevSecOps teams can quickly respond to any suspicious activity or anomalies. Additionally, environment security logging helps with compliance requirements, ensuring that all necessary security measures are being taken.

## Level 0 - No centralised logging for security events

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 20 | 21 | ## Level 1 - Verify that environment security events are logged and monitored in a centralised location 22 | 23 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 24 | 25 | ## Level 2 - Verify implementation of alert and notification to development team for abuse and anomalies 26 | 27 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 28 | 29 | ## Level 3 - Verify that development team have ability to monitor and analyse environment security events 30 | 31 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 32 | 33 | ## References -------------------------------------------------------------------------------- /document/OPR-004-Application-Security-Logging.md: -------------------------------------------------------------------------------- 1 | # Application Security Logging 2 | 3 | | ID | 4 | | ------------- | 5 | | DSOVS-OPR-004 | 6 | 7 | ## Summary 8 | 9 | Application Security Logging is a process of collecting, analyzing and managing log data related to application security events. 10 | 11 | It helps to detect security breaches, identify unauthorized access attempts, or monitor the performance and effectiveness of application security controls. 12 | 13 | It is an important element of DevSecOps because it provides visibility into the security posture of applications. 14 | 15 | This makes it easier to spot potential threats and respond swiftly in order to minimize damage. 16 | 17 | Additionally, application security logging can also be used to detect and investigate suspicious behavior and quickly take corrective action to mitigate risk. 18 | 19 | ## Level 0 - No centralised logging for security events 20 | 21 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 22 | 23 | ## Level 1 - Verify that application security events are logged and monitored in a centralised location 24 | 25 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. 
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 26 | 27 | ## Level 2 - Verify implementation of alert and notification to development team for abuse and anomalies 28 | 29 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 30 | 31 | ## Level 3 - Verify that development team have ability to monitor and analyse application security events 32 | 33 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 34 | 35 | ## References -------------------------------------------------------------------------------- /document/OPR-005-Responsible-Disclosure.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Disclosure 2 | 3 | | ID | 4 | | ------------- | 5 | | DSOVS-OPR-005 | 6 | 7 | ## Summary 8 | 9 | Responsible disclosure is a practice of reporting security vulnerabilities to software vendors in order to give them a chance to address the issue before it is made public. 
10 | 11 | This can help ensure that vulnerabilities are addressed quickly and efficiently, preventing potential malicious exploitation of them. 12 | 13 | Responsible disclosure is important for secure software development because it allows developers to be proactive in addressing any security weaknesses before they are exploited. 14 | 15 | It also ensures that users are protected from potential attacks by ensuring that applications remain secure. 16 | 17 | ## Level 0 - No vulnerability disclosure policy 18 | 19 | At this level of security maturity, there are no defined ways to receive security vulnerabilities. 20 | 21 | ## Level 1 - Vulnerability disclosure policy exists 22 | 23 | At level one, the product has a defined responsible disclosure policy with clear instructions on how to send vulnerability reports, as well as a clear definition of scope. 24 | 25 | Typically this will be security e-mail such as (security@company.com) and will processed manually by internal teams. 26 | 27 | ## Level 2 - Vulnerability disclosures are managed and tracked using software 28 | 29 | Responsible vulnerabity disclosure enables external security researchers to report vulnerabilities that they have discovered in software. 30 | 31 | It is important for these vulnerabilities to be stored and tracked the same way as internally found vulnerabilities, in order to ensure that they do not slip through the gaps. 32 | 33 | This helps ensure that all issues are managed accordingly and that the vulnerabilities reported from external sources make their way into the secure software development lifecycle. 34 | 35 | By properly tracking and managing these issues with issue tracking software, developers can ensure that any potential security threats are addressed quickly and effectively. 36 | 37 | This helps ensure that applications remain secure and that users can trust the software they are using. 
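
Level 1 above requires published instructions on how to send vulnerability reports, and the Notable Tools section below names security.txt as the machine-readable way to publish them. The following is an added example, not part of the standard and not code from the security.txt project: a small Go checker that parses a security.txt file and reports the problems a reviewer would flag against RFC 9116 (missing Contact or Expires, a Contact that is not a mailto:, https: or tel: URI, an Expires timestamp that has already passed or is more than a year away, a duplicated Preferred-Languages field). The function names, the two sample files and the example.com addresses are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Finding is one problem found in a security.txt file.
type Finding string

// ParseSecurityTxt splits "Field: value" lines into a map keyed by the
// lower-cased field name (RFC 9116 field names are case-insensitive).
// Blank lines and "#" comments are skipped; a line without a colon is
// reported as malformed. A PGP-signed file should be verified and
// unwrapped before it is handed to this parser.
func ParseSecurityTxt(body string) (map[string][]string, []Finding) {
	fields := map[string][]string{}
	var findings []Finding
	for i, raw := range strings.Split(body, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			findings = append(findings, Finding(fmt.Sprintf("line %d: not a 'Field: value' line", i+1)))
			continue
		}
		key := strings.ToLower(strings.TrimSpace(name))
		fields[key] = append(fields[key], strings.TrimSpace(value))
	}
	return fields, findings
}

// ValidateSecurityTxt applies the checks a reviewer makes against RFC 9116
// and returns an empty slice for a clean file. "now" is passed in so the
// expiry check is reproducible.
func ValidateSecurityTxt(body string, now time.Time) []Finding {
	fields, findings := ParseSecurityTxt(body)

	// Contact is mandatory and must be a URI researchers can act on.
	contacts := fields["contact"]
	if len(contacts) == 0 {
		findings = append(findings, "missing required Contact field")
	}
	for _, c := range contacts {
		u, err := url.Parse(c)
		if err != nil || (u.Scheme != "mailto" && u.Scheme != "https" && u.Scheme != "tel") {
			findings = append(findings, Finding("Contact must be a mailto:, https: or tel: URI: "+c))
		}
	}

	// Expires is mandatory, must appear exactly once, and bounds how long
	// the published contact details may be trusted.
	switch exp := fields["expires"]; len(exp) {
	case 0:
		findings = append(findings, "missing required Expires field")
	case 1:
		t, err := time.Parse(time.RFC3339, exp[0])
		switch {
		case err != nil:
			findings = append(findings, Finding("Expires is not an RFC 3339 timestamp: "+exp[0]))
		case !t.After(now):
			findings = append(findings, "file has expired: researchers should treat it as stale")
		case t.After(now.AddDate(1, 0, 0)):
			findings = append(findings, "Expires is more than a year away; RFC 9116 recommends less")
		}
	default:
		findings = append(findings, "Expires must appear exactly once")
	}

	if len(fields["preferred-languages"]) > 1 {
		findings = append(findings, "Preferred-Languages must appear at most once")
	}
	return findings
}

// Constructed sample files; example.com is a placeholder, not a real policy.
const goodSecurityTxt = `# well-formed security.txt (constructed)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
`

const badSecurityTxt = `Contact: security@example.com
Expires: 2020-01-01T00:00:00.000Z
Preferred-Languages: en
Preferred-Languages: fr
`

func main() {
	now := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for reproducible output
	for _, sample := range []struct{ name, body string }{{"good", goodSecurityTxt}, {"bad", badSecurityTxt}} {
		findings := ValidateSecurityTxt(sample.body, now)
		fmt.Printf("%s: %d finding(s)\n", sample.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The expiry check is the one most often missed in practice: a file that was correct when published silently stops meeting Level 1 once its Expires date passes, so it belongs in a scheduled check rather than a one-off review.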

## Level 3 - A Coordinated Vulnerability Disclosure program exists

A coordinated vulnerability disclosure program is critical for the maturity of a secure software development lifecycle.

This program helps ensure that any vulnerabilities discovered in software are addressed quickly and effectively, while also helping to build trust between software users and developers.

By providing an organized and standardized framework for vulnerability disclosure, firms can demonstrate their commitment to security and provide transparency around the process.

Additionally, by coordinating with other organizations, firms can benefit from the expertise and knowledge of others. This helps ensure that all vulnerabilities are managed accordingly and that secure software development is the priority.

# Notable Tools

⚠️ **Disclaimer**

Apart from official OWASP Projects, the tools in this section have been chosen on the basis of their proven capabilities alone and there is no other relationship between the DSOVS project leaders and the creators or vendors who maintain them.

If you have a suggestion for a notable tool please [💡 Suggest a Tool](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

## [SECURITY.TXT](https://github.com/securitytxt/security-txt)

security.txt provides a way for websites to define security policies. The security.txt file sets clear guidelines for security researchers on how to report security issues. security.txt is the equivalent of robots.txt, but for security issues.

## 🙏 Credits

We could not do this without the amazing contributions made to the community so we'd like to take the time to show our appreciation to any external inspiration used.

* [EdOverflow](https://github.com/EdOverflow)
* [Katie Moussouris](https://twitter.com/k8em0)
--------------------------------------------------------------------------------
/document/OPR-006-Certificate-Management.md:
--------------------------------------------------------------------------------
# Certificate Management

| ID |
| ------------- |
| DSOVS-OPR-006 |

## Summary

Certificate Management is the process of creating, storing, and managing certificates and private keys used in websites, applications, and other systems.

These digital certificates are what enable secure communication between browsers and websites, with the certificates containing critical information such as public and private keys and digital signatures.

Certificate Management is an important part of DevSecOps because it ensures secure communication between applications and servers, and prevents malicious activity by verifying the identity of the entity communicating.

In addition, it provides a secure way to authenticate customers, which helps ensure that only authorized users can access sensitive data.

## Level 0 - A nominated role or team outside the development team performs certificate life-cycle management tasks

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that the full-cycle management of PKI certificates is performed by the development team

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of automated PKI life-cycle management

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation of end-to-end secure communication

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/OPR-007-Attack-Surface-Management.md:
--------------------------------------------------------------------------------
# Attack Surface Management

| ID |
| ------------- |
| DSOVS-OPR-007 |

## Summary

Attack surface management (ASM) solutions and tools are used to identify, track, and manage the vulnerabilities present in an organization's digital infrastructure, including software, hardware, and networks.

The goal of ASM is to reduce the organization's overall attack surface, which is the sum of all the points in its digital infrastructure that could potentially be exploited by cybercriminals. By reducing the attack surface, organizations can better protect themselves from cyber attacks and reduce their risk of a successful breach.

ASM solutions and tools typically provide a comprehensive view of an organization's digital assets, including those that are hidden or forgotten. They also identify vulnerabilities and misconfigurations in software, systems, and networks, which can be used by attackers to gain unauthorized access or cause damage.

Some of the benefits of ASM solutions and tools for cybersecurity in organizations include:

1. Improved visibility: ASM solutions provide a comprehensive view of an organization's digital assets, which allows for better visibility and understanding of the security risks and vulnerabilities present in the system.

2. Proactive approach: ASM solutions enable organizations to take a proactive approach to security by identifying and addressing vulnerabilities before they are exploited by cybercriminals.

3. Enhanced threat intelligence: ASM tools can provide valuable threat intelligence by tracking the latest threats and vulnerabilities, allowing organizations to prioritize and address the most critical risks.

4. Compliance: ASM solutions can help organizations comply with various regulatory requirements and standards, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).

5. Cost savings: ASM solutions can help organizations reduce the costs associated with data breaches and cyber attacks by addressing vulnerabilities and reducing the likelihood of a successful attack.

Overall, ASM solutions and tools are essential for maintaining a strong cybersecurity posture in organizations, providing better visibility, a proactive approach, enhanced threat intelligence, compliance, and cost savings.

## Level 0 - No tool to perform real-time discovery, classification, assessment and monitoring of the security of the organisation's IT assets

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of a tool to perform continuous discovery, classification, assessment and monitoring of the security of the organisation's IT assets

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that the organisation's discovered IT assets are properly classified and any identified possible attack vectors are automatically prioritised

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that findings are automatically recorded in a centralised issue tracking system and that the tool's effectiveness is periodically reviewed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/ORG-001-Risk-Assessment.md:
--------------------------------------------------------------------------------
# Risk Assessment

| ID |
| ------------- |
| DSOVS-ORG-001 |

## Summary

Risk assessment is a process of analyzing the risks associated with an organization, project, system or business process that could have an impact on its success.
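
The OWASP Risk Rating Methodology listed under Further reading in this section gives a concrete way to score a risk: likelihood and impact are each the average of eight factors rated 0 to 9, each average is banded as LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 to 9), and the two bands are combined through a matrix into an overall severity from Note to Critical. The following Go program carries that calculation out; it is an added example, not text from the standard and not the OWASP project's own code. The type and function names are the example's own, and the factor values in main are a constructed scenario rather than a real assessment.

```go
package main

import "fmt"

// Likelihood holds the eight likelihood factors, each scored 0-9:
// four describing the threat agent and four describing the vulnerability.
type Likelihood struct {
	SkillLevel, Motive, Opportunity, Size                int // threat agent factors
	EaseOfDiscovery, EaseOfExploit, Awareness, Detection int // vulnerability factors
}

// Impact holds the eight impact factors, each scored 0-9:
// four technical and four business.
type Impact struct {
	Confidentiality, Integrity, Availability, Accountability int // technical impact
	Financial, Reputation, NonCompliance, Privacy            int // business impact
}

// Level is the band a 0-9 average falls into.
type Level string

const (
	Low    Level = "LOW"
	Medium Level = "MEDIUM"
	High   Level = "HIGH"
)

func average(factors ...int) float64 {
	sum := 0
	for _, f := range factors {
		sum += f
	}
	return float64(sum) / float64(len(factors))
}

// Classify maps an average score to the methodology's bands:
// 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH.
func Classify(avg float64) Level {
	switch {
	case avg < 3:
		return Low
	case avg < 6:
		return Medium
	default:
		return High
	}
}

// LikelihoodScore averages all eight likelihood factors.
func LikelihoodScore(l Likelihood) float64 {
	return average(l.SkillLevel, l.Motive, l.Opportunity, l.Size,
		l.EaseOfDiscovery, l.EaseOfExploit, l.Awareness, l.Detection)
}

// ImpactScore uses the business-impact factors when they are known, as the
// methodology prefers, and falls back to the technical-impact factors otherwise.
func ImpactScore(i Impact, businessKnown bool) float64 {
	if businessKnown {
		return average(i.Financial, i.Reputation, i.NonCompliance, i.Privacy)
	}
	return average(i.Confidentiality, i.Integrity, i.Availability, i.Accountability)
}

// OverallSeverity applies the methodology's likelihood x impact matrix.
func OverallSeverity(likelihood, impact Level) string {
	matrix := map[Level]map[Level]string{
		Low:    {Low: "Note", Medium: "Low", High: "Medium"},
		Medium: {Low: "Low", Medium: "Medium", High: "High"},
		High:   {Low: "Medium", Medium: "High", High: "Critical"},
	}
	return matrix[likelihood][impact]
}

// RateRisk returns the likelihood score, the impact score and the overall severity.
func RateRisk(l Likelihood, i Impact, businessKnown bool) (float64, float64, string) {
	ls, is := LikelihoodScore(l), ImpactScore(i, businessKnown)
	return ls, is, OverallSeverity(Classify(ls), Classify(is))
}

func main() {
	// Constructed scenario: an administrative endpoint reachable without the
	// intended network restriction, assessed during a feature review.
	l := Likelihood{SkillLevel: 5, Motive: 2, Opportunity: 7, Size: 1,
		EaseOfDiscovery: 3, EaseOfExploit: 6, Awareness: 9, Detection: 2}
	i := Impact{Confidentiality: 9, Integrity: 7, Availability: 5, Accountability: 8}
	ls, is, sev := RateRisk(l, i, false)
	fmt.Printf("likelihood %.3f (%s), impact %.2f (%s) -> overall %s\n",
		ls, Classify(ls), is, Classify(is), sev)
}
```

Recording the eight-plus-eight factor values alongside the result, rather than only the final word, is what makes a Level 3 periodic review possible: the next reviewer can see which factor changed and why the severity moved.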

It is an important part of DevSecOps because it helps identify any potential vulnerabilities or threats that may affect the security and performance of the system or process.

Risk assessment enables organizations to develop better security practices, prioritize remediation efforts, and proactively address potential risks before they become problems.

## Level 0 - No risk assessment activities performed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that a risk assessment exercise is performed on request

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that a security subject matter expert within the software development team performs a risk assessment on each feature

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a periodic review schedule is defined for the development team to review the risk profile

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Further reading

### Risk assessment tools
- https://evaluator.tidyrisk.org/

### Risk assessment resources
- **NIST - Secure Software Development Framework (SSDF)**
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as [BSA](https://www.bsa.org/), [OWASP](https://owasp.org/), and [SAFECode](https://safecode.org/). Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
- https://csrc.nist.gov/Projects/ssdf

- **Synopsys**
lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum
- https://www.synopsys.com/blogs/software-security/software-risk-analysis/

- **OWASP Risk Rating Methodology**
lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum
- https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
--------------------------------------------------------------------------------
/document/ORG-002-Security-Training.md:
--------------------------------------------------------------------------------
# Security Training

| ID |
| ------------- |
| DSOVS-ORG-002 |

## Summary

The security training capability is focused on establishing a plan that can be measured and scaled as the software project teams grow. The main objective is to foster a continuous learning culture in which the organisation invests personnel time in attending the training. The effectiveness of the training must be measurable, and the training must be tailored to the specific role of each person involved in the software lifecycle.

## Level 0 - No security training plan

There is no evidence of a formal application security training plan in the organisation. The organisation does not invest sufficiently in either personnel's time or training materials, whether through instructor-led sessions or computer-based modules.

## Level 1 - Verify that ad-hoc security training is conducted for all roles associated with development team members, operational support and end-users

Some irregular application security training is run within the organisation for the software project team. Although the training may be delivered as instructor-led sessions or computer-based modules, there is no evidence that the training modules are tailored to personnel's roles or measured as an individual KPI.

## Level 2 - Verify that scheduled, repeatable, role-specific security training is conducted for development team members, operational support, and end-users

There is a planned schedule for personnel training that is tailored to each person's specific role. Although the training runs on a regular, set schedule, there is no evidence that the application security training is measured against a KPI or individual training goals.

## Level 3 - Verify that security training is scheduled and measured as part of an individual training plan or KPI

The application security training is tailored to each person's role and measured against individual KPIs within the organisation. The effectiveness of the training is continuously measured and improved by the organisation to align with the organisation's risk appetite, application vulnerabilities and personnel career goals.

## Further reading
- https://owaspsamm.org/model/governance/education-and-guidance/
--------------------------------------------------------------------------------
/document/ORG-003-Security-Champion.md:
--------------------------------------------------------------------------------
# Security Champion

| ID |
| ------------- |
| DSOVS-ORG-003 |

## Summary

A security champion is a person or team whose role within an organization is to promote and implement security practices.

They are responsible for ensuring that security is considered throughout the development and deployment process of products, services and applications.

Security champions play an important role in DevSecOps as they work to ensure that security is integrated into DevOps processes and tools, helping organizations achieve their security goals.

They also serve as a bridge between security and DevOps teams, communicating the importance of security and advocating for its inclusion.

Security champions help ensure that an organization's DevSecOps initiatives are effective, driving real results.

## Level 0 - No application security capability in the organisation

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that a centralised application security function or capability exists to provide subject matter expertise

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that a dedicated security champion is appointed to work within each development team

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that multiple security subject matter experts can act as champions within the development team

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Further reading
--------------------------------------------------------------------------------
/document/ORG-004-Security-Reporting.md:
--------------------------------------------------------------------------------
# Security Reporting

| ID |
| ------------- |
| DSOVS-ORG-004 |

## Summary

Security reporting is the ongoing process of collecting and analyzing data regarding security-related activities within an organization.

It is an important part of DevSecOps because it provides organizations with key insights into their security posture, enables decision makers to more accurately identify and assess existing and potential threats, and helps organizations respond to cybersecurity incidents quickly and appropriately.

Security reporting also helps organizations develop better security policies, practices and procedures, as well as ensure compliance with data protection and other legal and regulatory requirements.

## Level 0 - Security findings are segregated across many systems and tools

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that security findings from multiple sources are manually collated into a single report

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that security findings from multiple sources are periodically populated to a centralised dashboard

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that the centralised dashboard captures and represents data in real time

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-001-Artifact-Signing.md:
--------------------------------------------------------------------------------
# Artifact Signing

| ID |
| ------------- |
| DSOVS-REL-001 |

## Summary

Artifact signing is a security process that ensures the integrity of an artifact/binary that is released by a developer.

This is done by using cryptographic and digital signing techniques to ensure that the artifact has not been tampered with and no malicious code has been inserted into it.

Artifact signing is important for DevSecOps because it allows organizations to quickly and easily verify the authenticity of their software or applications before allowing them to be deployed into production environments. More recently, code signing has gained in popularity due to supply chain security attacks, and is used as one method of applying security to build pipelines.

It also provides a measure of assurance that their applications are secure and trustworthy, helping to build customer trust and loyalty.
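
The summary above describes signing as the way to prove an artifact has not been altered since release. The following Go program is an added example, not text from the standard and not cosign's or any other tool's code: it signs the SHA-256 digest of an artifact with an Ed25519 release key and then runs the deploy-time verification, showing that a single flipped bit, a rewritten digest, or a signature from a key the verifier does not trust each cause rejection. The Envelope format, the function names, the key handling (an in-memory key pair here, where a real pipeline would keep the private half in an HSM or KMS, or use short-lived keys) and the artifact bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what a release pipeline publishes next to the artifact:
// the artifact's SHA-256 digest and a signature over that digest.
type Envelope struct {
	Digest    string // hex SHA-256 of the artifact bytes
	Signature []byte // Ed25519 signature over the digest string
}

// NewReleaseKey generates a signing key pair. In a real pipeline the private
// half lives in an HSM/KMS (Level 2) or is short-lived and never stored (Level 3).
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest returns the hex SHA-256 of the artifact bytes. Pipelines sign and pin
// this immutable digest rather than a mutable tag, which is why the CI snippet
// later in this section resolves the image digest before calling cosign sign.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// SignArtifact signs the digest of the artifact with the release key.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Envelope {
	d := Digest(artifact)
	return Envelope{Digest: d, Signature: ed25519.Sign(priv, []byte(d))}
}

// VerifyArtifact is the deploy-time check: recompute the digest of the bytes
// actually received, require it to match the signed digest, then require the
// signature to verify under the trusted public key. A digest mismatch means the
// artifact changed after signing; a bad signature means the envelope was not
// produced by the key we trust (or was itself altered).
func VerifyArtifact(pub ed25519.PublicKey, artifact []byte, env Envelope) error {
	if Digest(artifact) != env.Digest {
		return errors.New("digest mismatch: artifact differs from what was signed")
	}
	if !ed25519.Verify(pub, []byte(env.Digest), env.Signature) {
		return errors.New("signature invalid: not produced by the trusted release key")
	}
	return nil
}

func main() {
	pub, priv, err := NewReleaseKey()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed release bundle v1.2.3") // stands in for an image or zip
	env := SignArtifact(priv, artifact)

	fmt.Println("untouched artifact:", VerifyArtifact(pub, artifact, env))

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // a single flipped bit
	fmt.Println("tampered artifact: ", VerifyArtifact(pub, tampered, env))

	forged := env // an attacker who can also rewrite the published digest
	forged.Digest = Digest(tampered)
	fmt.Println("forged envelope:   ", VerifyArtifact(pub, tampered, forged))

	otherPub, _, _ := NewReleaseKey() // a key the deployment does not trust
	fmt.Println("untrusted key:     ", VerifyArtifact(otherPub, artifact, env))
}
```

The second failure case is the one that separates signing from a bare checksum: a digest alone can be rewritten together with the artifact, while the signature binds the digest to a key that only the release process holds.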
## Level 0 - No package/code signing process defined

At this level, software deliverables are not digitally signed, leaving them exposed to unauthorized modification. There is no auditability or integrity assurance behind the software. Organizations operating at this level face significant security risks and lack the means to verify the authenticity of their code.

## Level 1 - Basic code signing with self managed keys

In this stage, software deliverables are signed, but the tools and processes are fragmented. Developers may handle their own private keys without centralized control, which can lead to key misuse or compromise. While some level of security is introduced, it falls short of ensuring comprehensive code integrity, authenticity and non-falsifiability, and does not make the deliverables tamper proof.

## Level 2 - Centralized code signing with enhanced key security

Level 2 involves the use of a centralized platform for code signing policy, workflow, and auditability. It also emphasizes the protection of sensitive signing keys in a secure Hardware Security Module (HSM). However, at this stage, code signing is not yet fully integrated with CI/CD processes or workflows, and not all use cases are covered. While this level offers improved security, it still lacks the full automation and integration required for DevSecOps. Typically at this level, organisations leverage key management solutions such as AWS KMS, HashiCorp Vault, etc.

## Level 3 - Fully CI/CD integrated code signing and governance

At the highest level of this code signing maturity model, organizations have achieved full integration of code signing into their CI/CD processes. This means that all containers, artifacts, and software deliverables are signed. The implementation is seamlessly integrated with native signing tools and workflows, ensuring full auditability and governance over all signing processes. This level provides the highest level of security, code integrity, and authenticity, meeting the demands of modern DevSecOps practices. Typically at this level, organisations adopt keyless signing (a newer signing technique in which no long-lived signing keys are handled).

# Notable Tools

⚠️ **Disclaimer**

Apart from official OWASP Projects, the tools in this section have been chosen on the basis of their proven capabilities alone and there is no other relationship between the DSOVS project leaders and the creators or vendors who maintain them.

If you have a suggestion for a notable tool please [💡 Suggest a Tool](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

## [cosign](https://github.com/sigstore/cosign)

cosign is an open source CLI utility for signing software artifacts, such as container images or blob files (e.g. bundled AWS Lambda code in a .zip file, or any other type of software artifact).

GitLab CI

```yaml
container_scan:
  stage: devsecops
  script:
    - trivy image --scanners vuln $IMAGE_NAME --format cyclonedx > trivy-output-$DATE-cyclonedx.json
  artifacts:
    when: always
    paths:
      - trivy-output-$DATE-cyclonedx.json

generate_sbom:
  stage: devsecops
  script:
    - syft $IMAGE_NAME -o cyclonedx-json > sbom-$DATE.syft.json
  artifacts:
    when: always
    paths:
      - sbom-$DATE.syft.json

signing_and_attestation:
  stage: publish
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  variables:
    RUNNER_GENERATE_ARTIFACTS_METADATA: "true"
  script:
    # Grab the immutable image digest rather than the mutable image tag
    - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)
    - cosign sign --key $COSIGN_KEY_NAME $IMAGE_DIGEST # Sign the container image
    - cosign attest --key $COSIGN_KEY_NAME --type vuln --predicate trivy-output-$DATE-cyclonedx.json $IMAGE_DIGEST # Sign and create an attestation for our Trivy scan
    - cosign attest --key $COSIGN_KEY_NAME --type cyclonedx --predicate sbom-$DATE.syft.json $IMAGE_DIGEST # Sign and create an attestation for our SBOM
  needs: # needs references jobs, not stages: wait for both scan jobs so their artifacts are available
    - container_scan
    - generate_sbom
  artifacts:
    when: always
    paths:
      - "artifacts*.json"
```

GitHub Actions

```yaml
jobs:
  build-image:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token

    name: build-image
    steps:
      - uses: actions/checkout@v3.5.2
        with:
          fetch-depth: 1

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.1.1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2.5.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: docker_meta
        uses: docker/metadata-action@v4.4.0
        with:
          images: ghcr.io/sigstore/sample-honk
          tags: type=sha,format=long

      - name: Build and Push container images
        uses: docker/build-push-action@v4.0.0
        id: build-and-push
        with:
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}

      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
      - name: Sign image with a key
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}"
        env:
          TAGS: ${{ steps.docker_meta.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: cosign sign --yes "${TAGS}@${DIGEST}"
```

## References

- GHA from: https://github.com/marketplace/actions/cosign-installer
--------------------------------------------------------------------------------
/document/REL-002-Secure-Artifact-Management.md:
--------------------------------------------------------------------------------
# Secure Artifact Management

| ID |
| ------------- |
| DSOVS-REL-002 |

## Summary

Secure Artifact Management is the process of securing the artifacts generated during the software development lifecycle.

It is important for organizations to have secure artifact management in place in order to ensure that the software being released is secure, reliable, and up to date with the latest security standards.

With Secure Artifact Management, organizations can detect, control, and protect their software from malicious activity. This helps ensure that software releases are as secure as possible and prevents unauthorized changes to code that could lead to security vulnerabilities.

Secure Artifact Management also ensures that organizations are compliant with industry regulations and standards.

## Level 0 - No package management tool used for releases

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify implementation of a centralised single storage location for release artifacts

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of an artifact integrity check before release to any environment

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation of an archiving process for artifacts

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-003-Secret-Management.md:
--------------------------------------------------------------------------------
# Secret Management

| ID |
| ------------- |
| DSOVS-REL-003 |

## Summary

Secret Management is a process used to securely store and centrally manage sensitive data such as passwords, credentials, and encryption keys.

It is an important part of DevSecOps (DevOps Security) since it enables the secure storing, tracking, and retrieval of sensitive information that could be vulnerable to malicious actors if not properly managed.

Additionally, Secret Management allows for secure sharing of credentials across teams and reduces manual processes around password resetting, enabling faster and more secure development and deployment cycles.

## Level 0 - No secret store or vault used

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify implementation of centralised secure storage for credentials and secrets

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify periodic review and rotation schedule of secrets

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation of dynamic secrets or a secretless process so that secrets are not stored within the application

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-004-Secure-Configuration.md:
--------------------------------------------------------------------------------
# Secure Configuration

| ID |
| ------------- |
| DSOVS-REL-004 |

## Summary

Secure configuration is a set of best practices for configuring systems and applications in order to maintain security and data integrity.

It is important in DevSecOps as it helps ensure that all environments, including development, test, and production, are configured in a secure manner.
This is especially important in a DevSecOps environment, since changes are quickly implemented and deployed, making it more likely that mistakes in configuration can result in security breaches.

Secure configuration can help reduce the risk of such errors by providing a standard approach to configuring devices and applications.

## Level 0 - No security hardening standards, secure configuration standards or baseline

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that the hardening standards for the environment and the secure configuration baseline exist and are up to date

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that a periodic review schedule for the secure configuration baseline is in place and that the environment is rebuilt on every application release using the latest configuration

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify implementation to detect outdated configuration and prevent any configuration drift

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-005-Security-Policy-Enforcement.md:
--------------------------------------------------------------------------------
# Security Policy Enforcement

| ID |
| ------------- |
| DSOVS-REL-005 |

## Summary

Security Policy Enforcement (SPE) is a process that enables organizations to ensure that their security policies are adhered to.

It involves monitoring activities, systems, and users within the organization to ensure that they comply with the organization's established security policies.

SPE is an important part of DevSecOps because it helps organizations to detect and respond to security threats in a timely manner, protect sensitive data and resources, and ensure compliance with relevant laws and regulations.

Additionally, by enforcing security policies, organizations can reduce their risk profile and guard against legal consequences.

## Level 0 - No security policy defined

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify the security policies defined for guardrails and security gates

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of guardrails and gates to enforce security policies

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a chain of authorisation is implemented as part of the infrastructure change deployment process

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-006-Infrastructure-as-Code-Secure-Deployment.md:
--------------------------------------------------------------------------------
# Infrastructure-as-Code (IaC) Secure Deployment

| ID |
| ------------- |
| DSOVS-REL-006 |

## Summary

Infrastructure-as-Code (IaC) scanning is a process by which security scans are conducted on source code written for cloud infrastructure.

It is used to detect any potential vulnerabilities or weaknesses in the code that could be exploited by malicious actors. The scans are conducted using automated tools that look for common issues such as unsecured credentials, insecure configurations and other security misconfigurations.

This is an important part of DevSecOps because it helps to ensure that the code is secure before it is deployed, allowing organizations to minimize the risks associated with their cloud infrastructures.

## Level 0 - Manual infrastructure provisioning or without version control

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that the infrastructure configuration files are version controlled and a release automation process is in place

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that the least privilege principle is implemented for deployment of infrastructure changes

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a chain of authorisation is implemented as part of the infrastructure change deployment process

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-007-Compliance-Scanning.md:
--------------------------------------------------------------------------------
# Compliance Scanning

| ID |
| ------------- |
| DSOVS-REL-007 |

## Summary

Compliance Scanning is a process of scanning system software and applications to ensure that they are compliant with specific standards or regulations. It is an important part of DevSecOps as it enables developers to quickly identify any potential compliance issues in their code and address them before they become a problem.

Through compliance scanning, developers can also examine their code for potential security vulnerabilities that could be exploited by attackers.

Compliance Scanning ultimately helps increase the overall security and reliability of applications and systems during the development, testing and production stages.

## Level 0 - No tool to perform compliance checks

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify use of a tool to perform on-demand security compliance checks

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that the compliance scanning tool is scheduled to perform automated scans and report status to the system owner through a centralised issue tracking system

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a mechanism exists to apply remediation automatically when a vulnerability is identified

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REL-008-Secure-Release-Management.md:
--------------------------------------------------------------------------------
# Secure Release Management

| ID |
| ------------- |
| DSOVS-REL-008 |

## Summary

Secure Release Management is the process of controlling and managing system and application releases in a secure manner. This includes ensuring that the release meets the organization's security standards and is free of any known vulnerabilities.

It also ensures that the released code is properly tested, validated, and approved before deployment.

Secure Release Management enables organizations to maintain high levels of trust in their systems and applications, as it helps ensure that all software changes are properly implemented and tracked.

## Level 0 - No security checklist used in release management

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that the security checklist is enforced in all release management with an exception process in place

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of the security checklist in non-production stage releases

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that a periodic review schedule is defined to review the security checklist

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/REQ-001-Security-Policy-and-Regulatory-Compliance.md:
--------------------------------------------------------------------------------
# Security Policy and Regulatory Compliance

| ID |
| ------------- |
| DSOVS-REQ-001 |

## Summary

Security Policy and Regulatory Compliance is a set of technical, operational, and organizational measures that establish a baseline for security best practices within an organization.

It is important to ensure compliance with relevant regulations and protect against any potential security threats.

DevSecOps is an approach to software development which incorporates security into the design and development process, while also enabling automation and efficient maintenance.

This makes security policy and regulatory compliance an integral part of DevSecOps, as it helps organizations ensure they are meeting industry regulations while taking proactive steps to protect their own systems.

## Level 0 - No periodic compliance verification activities performed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that a periodic compliance audit is performed and documented

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of real-time compliance verification and that findings are automatically recorded in a centralised issue tracker system

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that compliance status is enforced and a periodic review schedule is defined

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

- https://owaspsamm.org/model/governance/policy-and-compliance/
--------------------------------------------------------------------------------
/document/REQ-002-Security-Requirements-and-Standards.md:
--------------------------------------------------------------------------------
# Security Requirements and Standards

| ID |
| ------------- |
| DSOVS-REQ-002 |

## Summary

Application Security Requirements and Standards is a set of protocols and processes for ensuring the security of an application or system.

It involves the implementation of secure software development principles and best practices, as well as the deployment of access control measures to ensure user authentication, application security, data encryption, and other security controls.

Application Security Requirements and Standards ensures that applications are secure and resilient against attack, and also helps ensure compliance with legal and regulatory requirements.

In a DevSecOps environment, application security requirements and standards play an important role by helping to ensure that applications are developed securely, deployed safely and remain secure over time.

## Level 0 - No periodic audit to ensure alignment to industry security standards and technology best-practices

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 1 - Verify that a periodic audit to ensure alignment to industry security standards and technology best-practices is performed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify that real-time verification against industry security standards and technology best-practices is performed

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that applicable standards and best practices are enforced and a periodic review schedule is defined

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/REQ-003-Security-User-Stories-and-Acceptance-Criteria.md:
--------------------------------------------------------------------------------

# Security User Stories and Acceptance Criteria

| ID |
| ------------- |
| DSOVS-REQ-003 |

## Summary

Security user stories and acceptance criteria are a way of making sure that security is built into the software development process.

Security user stories help developers to understand what security measures need to be included in their applications, while acceptance criteria provide testers with a basis for testing the security of the application.

By using security user stories and acceptance criteria, developers can be sure that their application meets minimum security standards and that any security flaws are identified and fixed before the application is released to the public.

This is an important part of DevSecOps as it ensures that applications are secure and meet regulatory compliance requirements.

## Level 0 - No security user stories or abuse stories template defined

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 20 | 21 | ## Level 1 - Verify that security user stories and abuse stories template are defined and used 22 | 23 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 24 | 25 | ## Level 2 - Verify that security use or misuse cases are defined as feature's acceptance criteria 26 | 27 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 28 | 29 | ## Level 3 - Verify that periodic review schedule is defined for the development team to review the security user stories template and scope of the acceptance criteria 30 | 31 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 32 | 33 | ## References -------------------------------------------------------------------------------- /document/REQ-004-Security-Issues-Tracking.md: -------------------------------------------------------------------------------- 1 | # Security Issues Tracking 2 | 3 | | ID | 4 | | ------------- | 5 | | DSOVS-REQ-004 | 6 | 7 | ## Summary 8 | 9 | Security issues tracking capability is focused on lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 10 | 11 | ## Level 0 - Security issues are reported separately from functional backlog 12 | 13 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 14 | 15 | ## Level 1 - Verify that security issues are tracked in a centralised location and prioritised in the planning session 16 | 17 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 18 | 19 | ## Level 2 - Verify that the pre-allocated time is dedicated to development team work on security remediation or improvements 20 | 21 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 22 | 23 | ## Level 3 - Verify that the security remediation or improvement efforts and speed are continuously monitored and measured 24 | 25 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 26 | 27 | ## References -------------------------------------------------------------------------------- /document/TEST-001-Security-Test-Management.md: -------------------------------------------------------------------------------- 1 | # Security Test Management 2 | 3 | | ID | 4 | | -------------- | 5 | | DSOVS-TEST-001 | 6 | 7 | ## Summary 8 | 9 | Security test management capability is focused on lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. 
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 10 | 11 | ## Level 0 - Test environment is different from prod and test data is not prepared 12 | 13 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 14 | 15 | ## Level 1 - Verify that the environment used for testing is different from production environment and test data is prepared 16 | 17 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 18 | 19 | ## Level 2 - Verify that the test environment is maintained and configured to align with changes to production environment and test data is prepared 20 | 21 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that the test environment is identical to production and test data is created on demand

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References

--------------------------------------------------------------------------------
/document/TEST-002-Dynamic-Application-Security-Testing-DAST.md:
--------------------------------------------------------------------------------

# Dynamic Application Security Testing (DAST)

| ID |
| -------------- |
| DSOVS-TEST-002 |

## Summary

Dynamic Application Security Testing (DAST) involves analyzing an application's security while it is running in order to detect vulnerabilities.

It exercises the deployed application from the outside, sending requests and examining the application's responses and behaviour to identify potential issues, without requiring access to or a deep understanding of the source code.

This type of testing is operational and behavioral, as testers look for problems that occur in use and trace them back to their origins in the software design. DAST is useful for basic security on evolving projects and for meeting industry-standard compliance.

## Level 0 - No tool to perform dynamic application security testing

At this level of security maturity, there are no tools available to perform Dynamic Application Security Testing (DAST) scanning.
## Level 1 - Verify use of tool to perform on-demand scan to identify application vulnerabilities in its running state

At this stage, a DAST tool is present but scanning is performed on a case-by-case basis. It is not automated and the results may not be reported or recorded.

```mermaid
graph LR;
Start-- DAST Scan -->Target-Application;
```

## Level 2 - Verify the implementation of the dynamic application security testing tool into the build pipeline to perform automated scans and report status to the build

Here, DAST scanning is implemented in the software build pipeline. This means that whenever a build is executed, an automated DAST scan is triggered and the results are reported. Reporting status to the build means the scan outcome is visible on the pipeline run itself, typically by failing the job when findings at or above an agreed severity threshold are present, rather than leaving the report as an artifact nobody reads.

```mermaid
graph LR;
Start-- code push -->CICD-Pipeline-- DAST Scan -->Target-Application--DAST Results -->CICD-Pipeline; Target-Application-- Code Deployment -->Finish
```

## Level 3 - Verify that the findings are automatically recorded to a centralised issue tracker system and periodically review tool's effectiveness

Level 3 of Dynamic Application Security Testing (DAST) is the same as Level 2, with the addition that all identified security vulnerabilities are recorded in a centralised issue tracking system and periodically reviewed to evaluate the effectiveness of the DAST tool. The same automated scans are performed, but the results are collected, tracked and analysed for future use and improvement.

Additionally, more mature organisations with DAST implementations often provide teams with simplified configuration guidance, such as example CI/CD templates and common organisation-specific configuration options (for example proxy configuration or fetching an OpenAPI Specification (OAS) file), making adoption of DAST amongst teams easier.
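The script below is an added example for this page and is not ZAP's, GitLab's or the DSOVS project's own code. It shows one way to implement the two behaviours described for Level 2 and Level 3 on top of a ZAP report: `gate()` turns the report into a pass/fail exit status for the build, and `sync_issues()` turns each distinct finding into a de-duplicated tracker issue keyed by a stable fingerprint, so re-running the scan updates existing tickets instead of opening duplicates. It assumes the JSON layout written by `zap-baseline.py -J` (`site[]` containing `alerts[]` with `pluginid`, `name`, `riskcode` and `instances[]`); the sample report is constructed for the example and the tracker is an in-memory dict standing in for a real issue-tracker API.

```python
"""Gate a pipeline on a ZAP JSON report and record findings as de-duplicated
tracker issues.

Added example for the DSOVS DAST page; not ZAP's or the project's own code.
Assumes the JSON report layout produced by `zap-baseline.py -J`
(site[] -> alerts[] with pluginid, name, riskcode, instances[]).
The tracker is an in-memory dict standing in for a real issue tracker API.
"""
import hashlib
import json
import sys

# ZAP riskcode values as they appear in the report (strings "0".."3").
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report, trimmed to the fields this script reads.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "cweid": "79",
             "instances": [{"uri": "https://app.example.test/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten the report into one record per alert, tagged with its site."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site["@name"],
                "pluginid": str(alert["pluginid"]),
                "name": alert["name"],
                "risk": int(alert["riskcode"]),
                "cwe": str(alert.get("cweid", "")),
                "uris": sorted({i.get("uri", "") for i in alert.get("instances", [])}),
            })
    return alerts


def gate(alerts, fail_at=3):
    """Level 2: report status to the build. Returns the exit code the CI job
    should end with: 1 if any alert is at or above `fail_at` (default High)."""
    worst = max((a["risk"] for a in alerts), default=0)
    return 1 if worst >= fail_at else 0


def fingerprint(alert):
    """Stable identity for a finding: the same ZAP rule on the same site.
    URIs are deliberately excluded so a re-scan that finds one more affected
    page updates the existing issue instead of opening a duplicate."""
    return hashlib.sha256(f"{alert['site']}|{alert['pluginid']}".encode()).hexdigest()[:16]


def build_issue(alert):
    """Tracker-neutral payload; map the field names onto your tracker's API."""
    return {
        "fingerprint": fingerprint(alert),
        "title": f"[DAST][{RISK_NAMES[alert['risk']]}] {alert['name']} on {alert['site']}",
        "labels": ["dast", f"zap-{alert['pluginid']}", f"cwe-{alert['cwe']}"],
        "body": "Affected URLs:\n" + "\n".join(f"- {u}" for u in alert["uris"]),
        "seen_in_runs": 0,
    }


def sync_issues(alerts, tracker, min_risk=1):
    """Level 3: upsert one issue per distinct finding at or above `min_risk`.
    `tracker` maps fingerprint -> issue and is updated in place; it stands in
    for a search-then-create-or-update call against a real tracker."""
    summary = {"created": 0, "updated": 0}
    for alert in alerts:
        if alert["risk"] < min_risk:
            continue
        issue = build_issue(alert)
        key = issue["fingerprint"]
        if key in tracker:
            tracker[key]["body"] = issue["body"]  # refresh the affected-URL list
            tracker[key]["seen_in_runs"] += 1
            summary["updated"] += 1
        else:
            issue["seen_in_runs"] = 1
            tracker[key] = issue
            summary["created"] += 1
    return summary


if __name__ == "__main__":
    # Usage: python zap_gate.py [report.json]; with no argument the sample is used.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_alerts(source)
    tickets = {}
    print(sync_issues(found, tickets, min_risk=2))
    for ticket in tickets.values():
        print(ticket["title"])
    sys.exit(gate(found))
```

Run it as the last step of the scan job, after `zap-baseline.py -J report.json`, and the job's exit status becomes the build signal; the threshold for failing (`fail_at`) and for ticketing (`min_risk`) are kept separate on purpose, since teams usually want Medium findings tracked without blocking every build on them.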
```mermaid
graph LR;
Start-- code push -->CICD-Pipeline-- DAST Scan -->Target-Application--DAST Results -->Centralised-Issue-Tracker; Target-Application-- Code Deployment -->Finish
```

# Notable Tools

⚠️ **Disclaimer**

Apart from official OWASP Projects, the tools in this section have been chosen on the basis of their proven capabilities alone and there is no other relationship between the DSOVS project leaders and the creators or vendors who maintain them.

If you have a suggestion for a notable tool please [💡 Suggest a Tool](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

## [OWASP ZAP](https://github.com/zaproxy/zaproxy)

The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

GitHub Actions

```yaml
on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'https://www.zaproxy.org'
          # plugin-id -> IGNORE / WARN / FAIL mapping; this is what turns the
          # baseline scan into a pass/fail signal for the build
          rules_file_name: '.zap/rules.tsv'
          # -a: also run the alpha passive scan rules
          cmd_options: '-a'
```

Two things to check before copying this: `owasp/zap2docker-stable` is the legacy Docker Hub image name, and current ZAP images are published as `ghcr.io/zaproxy/zaproxy:stable`; and the `.zap/rules.tsv` file is the place where individual rules are set to IGNORE, WARN or FAIL, so a baseline scan without a tuned rules file will either block every build or none.

GitLab CI

```yaml
dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
```

Note the `|| true`: it keeps the job green regardless of what the scan finds, which is acceptable while the scan is being tuned but means the pipeline never reports status to the build. Remove it, or evaluate the JSON report against a severity threshold, once the scan is stable enough for Level 2 gating.

Azure DevOps

```yaml
resources:
  repositories:
    - repository:
      type: git
      name: /
      ref: refs/heads/master

trigger: none

stages:
  - stage: 'buildstage'
    jobs:
      - job: 'buildjob'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - checkout: self
          - checkout:

          - bash: docker run -d -p :
            displayName: 'App Container'

          - bash: |
              chmod -R 777 ./
              docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t http://$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1): -x xml_report.xml
              true
            displayName: 'Owasp Container Scan'

          - powershell: |
              $XslPath = "/xml_to_nunit.xslt"
              $XmlInputPath = "xml_report.xml"
              $XmlOutputPath = "converted_report.xml"
              $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
              $XslTransform.Load($XslPath)
              $XslTransform.Transform($XmlInputPath, $XmlOutputPath)
            displayName: 'PowerShell Script'
          - task: PublishTestResults@2
            displayName: 'Publish Test Results'
            inputs:
              testResultsFormat: 'NUnit'
              testResultsFiles: 'converted_report.xml'
```

Several values in this pipeline are placeholders that must be filled in for your environment: the second repository's name and checkout alias, the application image and its `-p` port mapping, the port appended to the docker0 address in the scan target, and the path to the `xml_to_nunit.xslt` stylesheet. The `chmod -R 777 ./` step exists only so the unprivileged `zap` user inside the container can write the report into the mounted workspace; restrict it to a dedicated output directory rather than the whole checkout. The trailing `true` plays the same role as `|| true` in the GitLab example above and should go once the scan is used to gate the build.

## [Nuclei](https://github.com/projectdiscovery/nuclei)

Nuclei sends requests to targets based on templates, a design that keeps false positives low and allows fast scanning across a large number of hosts. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless etc. With powerful and flexible templating, Nuclei can be used to model all kinds of security checks.
GitHub Actions

```yaml
name: Nuclei - Vulnerability Scan

on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:

jobs:
  nuclei-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Nuclei - Vulnerability Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com

      - name: GitHub Workflow artifacts
        uses: actions/upload-artifact@v2
        with:
          name: nuclei.log
          path: nuclei.log

      - name: GitHub Security Dashboard Alerts update
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: nuclei.sarif
```

Before adopting this workflow, pin `projectdiscovery/nuclei-action` to a released tag or a commit SHA rather than `@main`, since a branch reference lets any future change to the action run with the workflow's token. The `upload-sarif` step also needs `security-events: write` in the workflow's `permissions` block when the repository restricts the default token permissions.

## 🙏 Credits

We could not do this without the amazing contributions made to the community so we'd like to take the time to show our appreciation to any external inspiration used.

* [Manas Peçenek](https://www.linkedin.com/in/manas-pecenek-1812pr/)

--------------------------------------------------------------------------------
/document/TEST-003-Interactive-Application-Security-Testing-IAST.md:
--------------------------------------------------------------------------------

# Interactive Application Security Testing (IAST)

| ID |
| -------------- |
| DSOVS-TEST-003 |

## Summary

IAST (Interactive Application Security Testing) is an important part of DevSecOps because it instruments the running application, typically through an agent in the application runtime, and analyses requests, data flows and sensitive sinks in real time while the application is being exercised.

By integrating IAST into the development process, developers and security teams can identify and address application security vulnerabilities quickly and efficiently.

It helps to identify vulnerabilities earlier in the development cycle and, because it observes both the request and the code path it reaches, it reports findings with the code location that triggered them, combining the external view of DAST with the code-level visibility of SAST across the parts of the stack the agent can instrument.
14 | 15 | IAST also helps to prioritize and resolve application security issues by providing detailed vulnerability reports. 16 | 17 | ## Level 0 - No tool to perform interactive application security testing 18 | 19 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 20 | 21 | ## Level 1 - Verify use of tool to perform on-demand scan to identify insecure code when the running application is being functionally tested 22 | 23 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 24 | 25 | ## Level 2 - Verify the implementation of the interactive application security testing tool into the build pipeline to perform automated scans and report status to the build 26 | 27 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 28 | 29 | ## Level 3 - Verify that the findings are automatically recorded to a centralised issue tracker system and periodically review tool's effectiveness 30 | 31 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 32 | 33 | ## References -------------------------------------------------------------------------------- /document/TEST-004-Penetration-Testing.md: -------------------------------------------------------------------------------- 1 | # Penetration Testing 2 | 3 | | ID | 4 | | -------------- | 5 | | DSOVS-TEST-004 | 6 | 7 | ## Summary 8 | 9 | Penetration testing is an important part of DevSecOps because it helps identify vulnerabilities in systems and applications before they can be exploited. 10 | 11 | It is a vital step in ensuring that the software and systems are as secure as possible from malicious attackers. 12 | 13 | Penetration testing provides insight into the security posture of a system, which can help organizations make informed decisions about the best way to protect their systems and data. 14 | 15 | Additionally, it provides visibility into potential risks and allows organizations to create and implement strategies to prevent security incidents. 16 | 17 | ## Level 0 - Penetration testing activity is ad-hoc and not scheduled 18 | 19 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. 
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 20 | 21 | ## Level 1 - Verify that annual penetration testing activity is performed 22 | 23 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 24 | 25 | ## Level 2 - Verify that penetration testing is performed per release or per feature 26 | 27 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 28 | 29 | ## Level 3 - Verify that penetration testing is performed per feature regardless of release cycle and findings are recorded to a centralised issue tracker system 30 | 31 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 32 | 33 | ## References -------------------------------------------------------------------------------- /document/TEST-005-Security-Test-Coverage.md: -------------------------------------------------------------------------------- 1 | # Security Test Coverage 2 | 3 | | ID | 4 | | -------------- | 5 | | DSOVS-TEST-005 | 6 | 7 | ## Summary 8 | 9 | Security test coverage capability is focused on lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 10 | 11 | ## Level 0 - No security testing scope 12 | 13 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum 14 | 15 | ## Level 1 - Verify that the security testing scope and out-of-scope are defined 16 | 17 | lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 2 - Verify implementation of security regression testing

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## Level 3 - Verify that security test coverage is continuously monitored and increased

lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

## References
--------------------------------------------------------------------------------
/document/images/azure.svg:
--------------------------------------------------------------------------------
(SVG image file; markup not reproduced)
--------------------------------------------------------------------------------
/document/images/github.svg:
--------------------------------------------------------------------------------
(SVG image file; markup not reproduced)
--------------------------------------------------------------------------------
/document/images/gitlab.svg:
--------------------------------------------------------------------------------
(SVG image file; markup not reproduced)
--------------------------------------------------------------------------------
/document/images/linkedin.svg:
--------------------------------------------------------------------------------
(SVG image file; markup not reproduced)
--------------------------------------------------------------------------------
/document/images/logo.svg:
--------------------------------------------------------------------------------
(SVG image file; markup not reproduced)
--------------------------------------------------------------------------------
/document/images/slack_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-devsecops-verification-standard/210330e05a53b628c9cc25a059448c38a275f03c/document/images/slack_logo.png
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
---
layout: col-sidebar
title: OWASP DevSecOps Verification Standard
tags: DSOVS
level: 2
type: documentation
pitch: The DSOVS is a framework to identify gaps in implementing security within software development lifecycle
---

# OWASP DevSecOps Verification Standard

The OWASP DevSecOps Verification Standard (DSOVS) is an open source framework that defines baseline requirements for any software project or organisation. You can use the DSOVS for:

- 🧐 **Gap Analysis**

  - DSOVS can be used to identify gaps that exist within a single or multiple software projects by providing internal or external analysts with a clearly defined standard that covers all areas of the secure software development lifecycle.

- 🗺️ **Maturity Roadmap**

  - DSOVS can be used by developers, architects, security people and anyone else to identify existing DevSecOps maturity levels whilst mapping a clear path to work towards heightened maturity.

- ⚠️ **During Third-party Risk Assessments**

  - DSOVS can be used to audit the software development lifecycle (SDLC) maturity of third parties, which is important as it ensures that their software development processes are resilient and helps identify any potential vulnerabilities that exist due to people, processes or software.

## 💬 Connect with Us

- #project-devsecops-verification-standard
- @realjvo (Jamieson Vincenti O'Reilly, Project Lead)
- @yudhiy (Yudhi Yudhistira, Project Lead)

## 🎉 Get Involved

Your contribution will help the DSOVS evolve as processes and technologies are ever changing.

We welcome any kind of contribution and feedback to help make the DSOVS an even better open source project.

Join our community today and be part of the journey.

- 🐞 [Report errors (typos, grammar)](https://github.com/OWASP/www-project-devsecops-verification-standard/issues)
- 🛠️ [Fix errors or propose changes using a Pull Request](https://github.com/OWASP/www-project-devsecops-verification-standard/pulls)
- 🙋 [Ask Questions](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/q-a)
- 💡 [New Ideas](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

## 📖 Table-of-Contents

For each phase, there are streams that the DSOVS assesses:

### Organisation Phase

🚧 [ORG-001 Risk Assessment](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-001-Risk-Assessment.md)

🚧 [ORG-002 Security Training](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-002-Security-Training.md)

🚧 [ORG-003 Security Champion](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-003-Security-Champion.md)

🚧 [ORG-004 Security Reporting](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/ORG-004-Security-Reporting.md)

### Requirements Phase

🚧 [REQ-001 Security Policy and Regulatory Compliance](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-001-Security-Policy-and-Regulatory-Compliance.md)

🚧 [REQ-002 Security Requirements and Standards](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-002-Security-Requirements-and-Standards.md)

🚧 [REQ-003 Security User Stories and Acceptance Criteria](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-003-Security-User-Stories-and-Acceptance-Criteria.md)

🚧 [REQ-004 Security Issues Tracking Design](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REQ-004-Security-Issues-Tracking.md)

🚧 [DES-001 Security Architecture Design Reviews](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/DES-001-Secure-Architecture-Design-Reviews.md)

🚧 [DES-002 Threat Modelling](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/DES-002-Threat-Modelling.md)

### Code/Build Phase

🚧 [CODE-001 Secure Development Environment](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-001-Secure-Development-Environment.md)

✅ [CODE-002 Hardcoded Secrets Detection](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-002-Hardcoded-Secrets-Detection.md)

🚧 [CODE-003 Manual Secure Code Review](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-003-Manual-Secure-Code-Review.md)

🚧 [CODE-004 Static Application Security Testing (SAST)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-004-Static-Application-Security-Testing-SAST.md)

🚧 [CODE-005 Software Composition Analysis (SCA)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-005-Software-Composition-Analysis-SCA.md)

🚧 [CODE-006 Software License Compliance](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-006-Software-License-Compliance.md)

🚧 [CODE-007 Inline IDE Secure Code Analysis](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-007-Inline-IDE-Secure-Code-Analysis.md)

🚧 [CODE-008 Container Security Scanning](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-008-Container-Security-Scanning.md)

🚧 [CODE-009 Secure Dependency Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/CODE-009-Secure-Dependency-Management.md)

### Test Phase

🚧 [TEST-001 Security Test Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-001-Security-Test-Management.md)

✅ [TEST-002 Dynamic Application Security Testing (DAST)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-002-Dynamic-Application-Security-Testing-DAST.md)

🚧 [TEST-003 Interactive Application Security Testing (IAST)](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-003-Interactive-Application-Security-Testing-IAST.md)

🚧 [TEST-004 Penetration Testing](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-004-Penetration-Testing.md)

🚧 [TEST-005 Security Test Coverage](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/TEST-005-Security-Test-Coverage.md)

### Release/Deploy Phase

🚧 [REL-001 Artifact Signing](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-001-Artifact-Signing.md)

🚧 [REL-002 Secure Artifact Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-002-Secure-Artifact-Management.md)

🚧 [REL-003 Secret Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-003-Secret-Management.md)

🚧 [REL-004 Secure Configuration](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-004-Secure-Configuration.md)

🚧 [REL-005 Security Policy Enforcement](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-005-Security-Policy-Enforcement.md)

🚧 [REL-006 Infrastructure-as-Code (IaC) Secure Deployment](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-006-Infrastructure-as-Code-Secure-Deployment.md)

🚧 [REL-007 Compliance Scanning](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-007-Compliance-Scanning.md)

🚧 [REL-008 Secure Release Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/REL-008-Secure-Release-Management.md)

### Operate/Monitor Phase

🚧 [OPR-001 Environment Hardening](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-001-Environment-Hardening.md)

🚧 [OPR-002 Application Hardening](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-002-Application-Hardening.md)

🚧 [OPR-003 Environment Security Logging](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-003-Environment-Security-Logging.md)

🚧 [OPR-004 Application Security Logging](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-004-Application-Security-Logging.md)

✅ [OPR-005 Vulnerability Disclosure](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-005-Responsible-Disclosure.md)

🚧 [OPR-006 Certificate Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-006-Certificate-Management.md)

🚧 [OPR-007 Attack Surface Management](https://github.com/OWASP/www-project-devsecops-verification-standard/blob/main/document/OPR-007-Attack-Surface-Management.md)
--------------------------------------------------------------------------------
/info.md:
--------------------------------------------------------------------------------
### DevSecOps Verification Standard Information
* [Documentation](#)
* [Current Version 1.1.0](https://github.com/OWASP/www-project-devsecops-verification-standard/raw/main/v1.1/DevSecOps-VerificationStandard-v1.1.xlsx)
* [Builder](#)
* [Defender](#)

### Code Repository
* [repo](https://github.com/OWASP/www-project-devsecops-verification-standard)

### Change Log
* [changes](https://github.com/OWASP/www-project-devsecops-verification-standard/releases)
--------------------------------------------------------------------------------
/leaders.md:
--------------------------------------------------------------------------------
### Leaders
* [Jamieson O'Reilly](mailto:jamieson.oreilly@owasp.org)
* [Yudhi Yudhistira](mailto:yudhi.yudhistira@owasp.org)
--------------------------------------------------------------------------------
/tab_contributing.md:
--------------------------------------------------------------------------------
---
title: Contributing
layout: null
tab: true
order: 1
tags: DSOVS
---

## Get Involved

Your contribution will help the DSOVS evolve as processes and technologies are ever changing.
Please propose your changes by creating a new pull request in our [GitHub Project](https://github.com/OWASP/www-project-devsecops-verification-standard/pulls).

## Feedback

Please use the [GitHub Issues](https://github.com/OWASP/www-project-devsecops-verification-standard/issues) for feedback:

* What do you like?
* What don't you like?
* How can we make DSOVS easier to use?
* How could DSOVS be improved?
--------------------------------------------------------------------------------
/v1.1/DevSecOps-VerificationStandard-v1.1.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-devsecops-verification-standard/210330e05a53b628c9cc25a059448c38a275f03c/v1.1/DevSecOps-VerificationStandard-v1.1.xlsx
--------------------------------------------------------------------------------
/v1/DevSecOps-VerificationStandard-v1.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-devsecops-verification-standard/210330e05a53b628c9cc25a059448c38a275f03c/v1/DevSecOps-VerificationStandard-v1.xlsx
--------------------------------------------------------------------------------