The structure folder uses the OWASP DevSecOps Verification Standard (DSOVS) (https://github.com/OWASP/www-project-devsecops-verification-standard) to simplify and standardize the areas for each phase of DevSecOps. I noticed the OWASP DSOMM (https://dsomm.owasp.org/about), but I think OWASP DSOVS is much simpler IMO.
Organisation Phase
🚧 ORG-001 Risk Assessment
🚧 ORG-002 Security Training
🚧 ORG-003 Security Champion
🚧 ORG-004 Security Reporting

Requirements Phase
🚧 REQ-001 Security Policy and Regulatory Compliance
🚧 REQ-002 Security Requirements and Standards
🚧 REQ-003 Security User Stories and Acceptance Criteria
🚧 REQ-004 Security Issues Tracking

Design Phase
🚧 DES-001 Security Architecture Design Reviews
🚧 DES-002 Threat Modelling

Code/Build Phase
🚧 CODE-001 Secure Development Environment
✅ CODE-002 Hardcoded Secrets Detection
🚧 CODE-003 Manual Secure Code Review
🚧 CODE-004 Static Application Security Testing (SAST)
🚧 CODE-005 Software Composition Analysis (SCA)
🚧 CODE-006 Software License Compliance
🚧 CODE-007 Inline IDE Secure Code Analysis
🚧 CODE-008 Container Security Scanning
🚧 CODE-009 Secure Dependency Management

Test Phase
🚧 TEST-001 Security Test Management
✅ TEST-002 Dynamic Application Security Testing (DAST)
🚧 TEST-003 Interactive Application Security Testing (IAST)
🚧 TEST-004 Penetration Testing
🚧 TEST-005 Security Test Coverage

Release/Deploy Phase
🚧 REL-001 Artifact Signing
🚧 REL-002 Secure Artifact Management
🚧 REL-003 Secret Management
🚧 REL-004 Secure Configuration
🚧 REL-005 Security Policy Enforcement
🚧 REL-006 Infrastructure-as-Code (IaC) Secure Deployment
🚧 REL-007 Compliance Scanning
🚧 REL-008 Secure Release Management

Operate/Monitor Phase
🚧 OPR-001 Environment Hardening
🚧 OPR-002 Application Hardening
🚧 OPR-003 Environment Security Logging
🚧 OPR-004 Application Security Logging
✅ OPR-005 Vulnerability Disclosure
🚧 OPR-006 Certificate Management
🚧 OPR-007 Attack Surface Management
https://github.com/6mile/DevSecOps-Playbook
This playbook will help you introduce effective DevSecOps practices in your company, regardless of size. We provide explicit guidance and actionable steps to introduce security controls, measure their effectiveness, and demonstrate value for money to your business leaders. Following this playbook will help teams build materially more secure applications, and that in the end, is the intent.
https://owasp.org/www-project-devsecops-guideline/latest
https://github.com/OWASP/DevSecOpsGuideline/tree/master/current-version
The 'How' of Practical DevSecOps Tools Implementation
https://gitlab.com/whitespots-public/pipelines
Ready-to-use end-to-end gitlab-ci security template, integrated with the DefectDojo vulnerability management tool.
https://github.com/appsecengineer/devsecops-gitlab-ci
https://github.com/orgs/appsecengineer/repositories?q=gh-actions
Various gh-actions-* templates for use as GitHub Actions security pipelines.
https://medium.com/cloud-native-daily/walk-into-devsecops-2da7ead540d2
Comprehensive resource for integrating security into the software development lifecycle.