Skip to content

Commit a4f4793

Browse files
authored
docs: restructure guideline and expand content for 2025/2026 (#104)
1 parent 9a499db commit a4f4793

96 files changed

Lines changed: 7301 additions & 700 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.claude/settings.local.json

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
{
2+
"permissions": {
3+
"allow": [
4+
"WebSearch",
5+
"Bash(set -e)",
6+
"Bash(git mv *)",
7+
"Bash(mkdir -p current-version/0-Intro current-version/1-People/1-1-Shape-the-team current-version/1-People/1-2-Training current-version/2-Process/2-1-Design current-version/2-Process/2-2-Develop/2-2-1-Pre-commit current-version/2-Process/2-3-Build/2-3-1-Static-Analysis current-version/2-Process/2-3-Build/2-3-2-Software-Composition-Analysis current-version/2-Process/2-3-Build/2-3-3-Container-Security current-version/2-Process/2-3-Build/2-3-4-Infrastructure-as-Code-Security current-version/2-Process/2-3-Build/2-3-6-Supply-Chain-Security current-version/2-Process/2-4-Test current-version/2-Process/2-5-Release current-version/2-Process/2-6-Deploy current-version/2-Process/2-7-Operate current-version/3-Governance/3-1-Compliance-Auditing current-version/3-Governance/3-3-Reporting)",
8+
"Bash(cp -R \"old-versions/V0.3/assets\" \"current-version/assets\")",
9+
"Bash(python3 doc-utilities/scripts/toc-generator.py)"
10+
]
11+
}
12+
}

README.md

Lines changed: 20 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -25,13 +25,15 @@ At first, we consider implementing the following steps in a basic pipeline:
2525
- SCA (Software Composition Analysis)
2626
- SAST (Static Application Security Test)
2727
- IaC Scanning (Scanning Terraform, HelmChart code to find misconfiguration)
28+
- Software supply-chain security (SBOM, artifact signing and provenance, CI/CD pipeline security)
2829
- IAST (Interactive Application Security Testing)
2930
- API Security
3031
- DAST (Dynamic Application Security Test)
3132
- CNAPP (Cloud Native Application Protection)
3233
- Infrastructure scanning
3334
- Continuous Scanning from other tools
3435
- Compliance check
36+
- AI/LLM security and AI governance (securing AI-assisted development and AI-powered features)
3537

3638
We can customize the steps of our pipeline according to our Software Development Life Cycle (SDLC) or software architecture and add automation progressively if we are starting.
3739
For instance, we can switch from SAST/DAST to a regular test suite with built-in security controls or add an audit script checking for known vulnerable dependencies.
@@ -46,32 +48,41 @@ However, when using CI/CD tools to provide automation, keep in mind that the too
4648
- [0-Intro](current-version/0-Intro)
4749
- [0-1-Intro](current-version/0-Intro/0-1-Intro.md)
4850
- [0-2-Overview](current-version/0-Intro/0-2-Overview.md)
51+
- [0-3-Frameworks-and-Standards](current-version/0-Intro/0-3-Frameworks-and-Standards.md)
4952
- [1-People](current-version/1-People)
5053
- [1-1-Shape-the-team](current-version/1-People/1-1-Shape-the-team)
5154
- [1-1-1-Security-champions](current-version/1-People/1-1-Shape-the-team/1-1-1-Security-champions.md)
55+
- [1-1-2-Roles-and-Responsibilities](current-version/1-People/1-1-Shape-the-team/1-1-2-Roles-and-Responsibilities.md)
5256
- [1-2-Training](current-version/1-People/1-2-Training)
5357
- [1-2-1-Secure-coding](current-version/1-People/1-2-Training/1-2-1-Secure-coding.md)
5458
- [1-2-2-Security-CICD](current-version/1-People/1-2-Training/1-2-2-Security-CICD.md)
59+
- [1-2-3-Security-culture-and-awareness](current-version/1-People/1-2-Training/1-2-3-Security-culture-and-awareness.md)
5560
- [2-Process](current-version/2-Process)
5661
- [2-1-Design](current-version/2-Process/2-1-Design)
5762
- [2-1-1-Threat-modeling](current-version/2-Process/2-1-Design/2-1-1-Threat-modeling.md)
63+
- [2-1-2-Secure-design-and-requirements](current-version/2-Process/2-1-Design/2-1-2-Secure-design-and-requirements.md)
5864
- [2-2-Develop](current-version/2-Process/2-2-Develop)
5965
- [2-2-1-Pre-commit](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit)
6066
- [2-2-1-1-Pre-commit](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-1-Pre-commit.md)
6167
- [2-2-1-2-Secrets-Management](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-2-Secrets-Management.md)
6268
- [2-2-1-3-Linting-code](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-3-Linting-code.md)
6369
- [2-2-1-4-Repository-Hardening](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-4-Repository-Hardening.md)
70+
- [2-2-2-IDE-and-AI-assisted-development](current-version/2-Process/2-2-Develop/2-2-2-IDE-and-AI-assisted-development.md)
6471
- [2-3-Build](current-version/2-Process/2-3-Build)
65-
- [2-3-5-Security-Gates](current-version/2-Process/2-3-Build/2-3-5-Security-Gates.md)
6672
- [2-3-1-Static-Analysis](current-version/2-Process/2-3-Build/2-3-1-Static-Analysis)
6773
- [2-3-1-1-Static-Application-Security-Testing](current-version/2-Process/2-3-Build/2-3-1-Static-Analysis/2-3-1-1-Static-Application-Security-Testing.md)
68-
- [2-3-2-Software Composition Analysis](current-version/2-Process/2-3-Build/2-3-2-Software Composition Analysis)
69-
- [2-3-2-1-Software-Composition-Analysis](current-version/2-Process/2-3-Build/2-3-2-Software Composition Analysis/2-3-2-1-Software-Composition-Analysis.md)
74+
- [2-3-2-Software-Composition-Analysis](current-version/2-Process/2-3-Build/2-3-2-Software-Composition-Analysis)
75+
- [2-3-2-1-Software-Composition-Analysis](current-version/2-Process/2-3-Build/2-3-2-Software-Composition-Analysis/2-3-2-1-Software-Composition-Analysis.md)
7076
- [2-3-3-Container-Security](current-version/2-Process/2-3-Build/2-3-3-Container-Security)
7177
- [2-3-3-1-Container-Scanning](current-version/2-Process/2-3-Build/2-3-3-Container-Security/2-3-3-1-Container-Scanning.md)
7278
- [2-3-3-2-Container-Hardening](current-version/2-Process/2-3-Build/2-3-3-Container-Security/2-3-3-2-Container-Hardening.md)
73-
- [2-3-4-Infrastructure as Code Security](current-version/2-Process/2-3-Build/2-3-4-Infrastructure as Code Security)
74-
- [2-3-1-3-Infastructure-as-Code-Scanning](current-version/2-Process/2-3-Build/2-3-4-Infrastructure as Code Security/2-3-1-3-Infastructure-as-Code-Scanning.md)
79+
- [2-3-4-Infrastructure-as-Code-Security](current-version/2-Process/2-3-Build/2-3-4-Infrastructure-as-Code-Security)
80+
- [2-3-4-1-Infrastructure-as-Code-Scanning](current-version/2-Process/2-3-Build/2-3-4-Infrastructure-as-Code-Security/2-3-4-1-Infrastructure-as-Code-Scanning.md)
81+
- [2-3-5-Security-Gates](current-version/2-Process/2-3-Build/2-3-5-Security-Gates.md)
82+
- [2-3-6-Supply-Chain-Security](current-version/2-Process/2-3-Build/2-3-6-Supply-Chain-Security)
83+
- [2-3-6-1-SBOM](current-version/2-Process/2-3-Build/2-3-6-Supply-Chain-Security/2-3-6-1-SBOM.md)
84+
- [2-3-6-2-Artifact-Signing-and-Provenance](current-version/2-Process/2-3-Build/2-3-6-Supply-Chain-Security/2-3-6-2-Artifact-Signing-and-Provenance.md)
85+
- [2-3-6-3-CICD-Pipeline-Security](current-version/2-Process/2-3-Build/2-3-6-Supply-Chain-Security/2-3-6-3-CICD-Pipeline-Security.md)
7586
- [2-4-Test](current-version/2-Process/2-4-Test)
7687
- [2-4-1-Interactive-Application-Security-Testing](current-version/2-Process/2-4-Test/2-4-1-Interactive-Application-Security-Testing.md)
7788
- [2-4-2-Dynamic-Application-Security-Testing](current-version/2-Process/2-4-Test/2-4-2-Dynamic-Application-Security-Testing.md)
@@ -87,16 +98,19 @@ However, when using CI/CD tools to provide automation, keep in mind that the too
8798
- [2-7-2-Logging-and-Monitoring](current-version/2-Process/2-7-Operate/2-7-2-Logging-and-Monitoring.md)
8899
- [2-7-3-Pentest](current-version/2-Process/2-7-Operate/2-7-3-Pentest.md)
89100
- [2-7-4-Vulnerability-Management](current-version/2-Process/2-7-Operate/2-7-4-Vulnerability-Management.md)
101+
- [2-7-5-VDP-and-Bug-bounty](current-version/2-Process/2-7-Operate/2-7-5-VDP-and-Bug-bounty.md)
90102
- [2-7-6-Breach-and-attack-simulation](current-version/2-Process/2-7-Operate/2-7-6-Breach-and-attack-simulation.md)
91103
- [3-Governance](current-version/3-Governance)
92-
- [3-2-Data-protection](current-version/3-Governance/3-2-Data-protection.md)
93104
- [3-1-Compliance-Auditing](current-version/3-Governance/3-1-Compliance-Auditing)
94105
- [3-1-1-Compliance-Auditing](current-version/3-Governance/3-1-Compliance-Auditing/3-1-1-Compliance-Auditing.md)
95106
- [3-1-2-Policy-as-code](current-version/3-Governance/3-1-Compliance-Auditing/3-1-2-Policy-as-code.md)
96107
- [3-1-3-Security-benchmarking](current-version/3-Governance/3-1-Compliance-Auditing/3-1-3-Security-benchmarking.md)
108+
- [3-2-Data-protection](current-version/3-Governance/3-2-Data-protection.md)
97109
- [3-3-Reporting](current-version/3-Governance/3-3-Reporting)
98110
- [3-3-1-Tracking-maturities](current-version/3-Governance/3-3-Reporting/3-3-1-Tracking-maturities.md)
99111
- [3-3-2-Central-vulnerability-management-dashboard](current-version/3-Governance/3-3-Reporting/3-3-2-Central-vulnerability-management-dashboard.md)
112+
- [3-3-3-ASPM](current-version/3-Governance/3-3-Reporting/3-3-3-ASPM.md)
113+
- [3-4-AI-Governance-and-Risk](current-version/3-Governance/3-4-AI-Governance-and-Risk.md)
100114

101115
---
102116

Lines changed: 81 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,25 +1,90 @@
1-
# Introduction to the OWASP DevSecOps Guideline
1+
# Introduction
22

3-
The OWASP DevSecOps Guideline explains how we can transition from a traditional approach to achieving security that starts with requirements and ends with security testing to an approach that brings together Development, Security, and Operations throughout the software lifecycle -- a "DevSecOps" approach.
3+
The OWASP DevSecOps Guideline explains how to build and operate a secure software delivery pipeline using best practices and a curated, vendor-neutral set of tools. The aim is to help organizations of any size that run a DevOps pipeline introduce security controls without slowing delivery, and to promote a **shift-left** (and increasingly **shift-everywhere**) security culture across the whole development lifecycle.
44

5-
This project's goal is to help companies of any size to add security to their DevOps pipeline and culture. There is no one **right** way to do DevSecOps, so it's important to stay focused.
5+
The ideal goal of this guideline is simple:
66

7-
DevSecOps strives to **"produce demonstrably secure code"** by:
7+
> **Detect security issues — whether design flaws or application vulnerabilities — as early and as cheaply as possible, and keep detecting them continuously.**
88
9-
- leveraging automation to create short feedback loops to developers
10-
- breaking down the silos between development, security, and operations
11-
- breaking down security work into small pieces to create flow
12-
- making decisions based on threat intelligence from operations
13-
- establishing a culture of security experimentation and learning
9+
DevSecOps is about embedding security *into* DevOps. To keep up with the pace of CI/CD, security cannot be a gate at the end; it has to be injected early into how software is designed, written, built, tested, and operated, and then continuously validated in production.
1410

15-
There are tools to support security processes across the software development lifecycle. Every company should have processes in place to ensure:
11+
## Why DevSecOps — the cost of waiting
1612

17-
- **Custom Code Security** - your custom code has the right defenses and is free from vulnerabilities, including applications, APIs, serverless, mobile, infrastructure as code, etc...
18-
- **Supply Chain Security** - your platform, framework, libraries, containers, and other components
19-
- **Runtime Protection** - you detect attacks on your software and prevent them from being exploited
13+
The earlier a vulnerability is found, the cheaper it is to fix. IBM's Systems Science Institute research consistently shows that a defect found in the design phase costs roughly 6× less to fix than one found in implementation, and 100× less than one found in production. These ratios are not exact — they depend on the defect type and system — but the directional truth holds across the industry: late discovery is expensive.
2014

21-
If you do these three processes well, you will be in relatively good shape in terms of application security. In this document, we will explore a variety of automated solutions that can help you implement these three processes.
15+
But there is a second, harder cost that the numbers do not fully capture: a vulnerability in production that is *exploited* does not just carry a remediation cost — it carries breach costs, regulatory penalties, reputational damage, customer harm, and executive accountability. The 2020 SolarWinds supply-chain attack, the 2021 Log4Shell disclosure affecting millions of systems, and the 2019 Capital One breach (via a misconfigured WAF/SSRF) all share a common thread: the exploit path existed because security was not a continuous concern throughout delivery.
2216

23-
The goal is not to use all of the tools in your pipeline. The goal is to ensure secure code emerges from your pipeline. You need to pick and choose the tools that are effective with your organization's people, process, technology, and culture. You will very likely want to use each tool for what it is best at, rather than repeating all tests with all tools. Of course, every software development organization is different and you are free to select tools and the exact location where you want to implement the tools.
17+
Traditional security — a penetration test weeks before release, a security team that reviews code on request — cannot keep up with teams that ship multiple times a day. DevSecOps resolves this by automating what can be automated, making security feedback immediate, and building shared ownership so risk decisions happen at the right level.
2418

25-
![Secure Pipeline](/current-version/assets/images/Pipeline-view.png)
19+
## How this guideline is organized
20+
21+
This version is structured around the three core pillars of DevSecOps:
22+
23+
- **People** — the teams, roles, culture, and training that make secure delivery possible.
24+
- **Process** — the security activities woven into every stage of the software development lifecycle.
25+
- **Governance** — the oversight, compliance, measurement, and reporting that keep the program accountable and improving.
26+
27+
Under **Process**, the product development lifecycle is divided into seven stages, with security controls mapped to each:
28+
29+
- **Design** — threat modeling, secure-by-design, security requirements.
30+
- **Develop** — pre-commit hooks, secrets management, linting, repository hardening, securing the AI-assisted inner loop.
31+
- **Build** — SAST, SCA, container security, IaC scanning, security gates, and software supply-chain security (SBOM, signing/provenance, pipeline security).
32+
- **Test** — IAST, DAST, mobile app testing, API security, misconfiguration checks.
33+
- **Release** — final sign-off, signed and attested artifacts.
34+
- **Deploy** — admission control, GitOps, progressive delivery.
35+
- **Operate** — cloud-native runtime security, logging and monitoring, pentesting, vulnerability management, disclosure programs, and breach-and-attack simulation.
36+
37+
You can customize these stages to match your own SDLC and architecture, and add automation progressively as your maturity grows.
38+
39+
## What DevSecOps is NOT
40+
41+
Understanding the common misconceptions is as important as knowing the definition:
42+
43+
- **DevSecOps is not "security team in the pipeline"** — adding security engineers to approve every PR does not scale. The goal is to give developers the tools, training, and context to make security decisions themselves, with the security team acting as an enabler and escalation path, not a gatekeeper.
44+
- **DevSecOps is not tool procurement** — buying a SAST, SCA, and DAST tool without a triage process, clear ownership, and remediation SLAs creates alert fatigue and false confidence. Tools are enablers; process and culture are the program.
45+
- **DevSecOps is not a one-time project** — there is no "done." The threat landscape, your architecture, your dependencies, and your regulatory obligations all change continuously. DevSecOps is a continuous practice, not a migration.
46+
- **DevSecOps is not compliance** — passing an audit is a floor, not a ceiling. Compliance frameworks describe minimum bars against known risks; a real-world adversary does not follow the framework. Design for adversaries, not just auditors.
47+
- **DevSecOps is not just CI/CD** — the pipeline is important, but threat modeling happens at design, culture happens in teams, runtime security happens in production, and vulnerability disclosure happens at the boundary with the outside world. The pipeline is one layer of a much broader system.
48+
49+
## A note on the pipeline itself
50+
51+
CI/CD is a powerful entry point for security automation, but the build and automation tooling is also part of your attack surface. Compromised pipelines, leaked tokens, and poisoned dependencies are now among the most damaging attack vectors — the SolarWinds, Codecov, and XZ Utils incidents all illustrate how the build and supply chain can be abused to reach production at scale. This guideline therefore treats **securing the pipeline** as a first-class concern alongside securing the application.
52+
53+
## How to use this guideline
54+
55+
Different audiences will find different entry points most useful:
56+
57+
**If you are a developer or engineer:**
58+
Start with the [Develop](../2-Process/2-2-Develop) stage, specifically pre-commit hooks and secrets management — the controls you can implement in your own workflow today. Then read the [Build](../2-Process/2-3-Build) stage for what your CI pipeline should enforce. Use the [Threat Modeling](../2-Process/2-1-Design/2-1-1-Threat-modeling.md) page when you are designing a new feature or service.
59+
60+
**If you are a security engineer or AppSec lead:**
61+
Start with the [Overview](0-2-Overview.md) for a full pipeline view, then use the [Frameworks and Standards](0-3-Frameworks-and-Standards.md) page to map this guideline to your regulatory or maturity framework requirements. Use the [Governance](../3-Governance) section to build a reporting and measurement program.
62+
63+
**If you are an engineering manager or CISO:**
64+
Start with the [Maturity levels](#maturity-levels--where-to-start) table below and the [Tracking Maturities](../3-Governance/3-3-Reporting/3-3-1-Tracking-maturities.md) page. The [People](../1-People) section covers the organizational structures (security champions, roles) that make the program sustainable.
65+
66+
## Common anti-patterns to avoid
67+
68+
- **Security as a gate at the end** — running a pentest or DAST scan as the sole security activity before release does not scale, finds issues too late, and creates a bottleneck. Gates are necessary but not sufficient.
69+
- **Tool sprawl without process** — buying or deploying many scanners without a clear triage, ownership, and remediation process generates noise and alert fatigue that causes teams to ignore findings entirely.
70+
- **Centralized security ownership** — a small security team that "owns" security and must review everything becomes a bottleneck and a single point of failure. Shared ownership, supported by tooling and champions, is the goal.
71+
- **Treating compliance as security** — passing an audit is not the same as being secure. Compliance is a floor, not a ceiling; design for real-world adversaries, not just checkbox controls.
72+
- **Ignoring developer experience** — security tooling that is slow, noisy, or hard to use gets disabled or routed around. Developer experience is a security concern.
73+
74+
## Maturity levels — where to start
75+
76+
| Stage | What to focus on |
77+
|---|---|
78+
| Starting out | Secrets scanning in CI, SCA for known CVEs, basic branch protection, OWASP Top 10 awareness training |
79+
| Developing | SAST in pull requests, IaC scanning, security gates on high/critical findings, security champions program |
80+
| Maturing | Container hardening, SBOM generation, threat modeling, DAST, vulnerability management SLAs |
81+
| Advanced | Supply-chain signing and provenance (SLSA), ASPM, BAS, runtime detection-as-code, AI/ML security |
82+
83+
## Where to start
84+
85+
- [OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) lists the top security controls every developer should implement while coding.
86+
- [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/model/) helps you decide what to prioritize according to your maturity level.
87+
- The [Frameworks and Standards](0-3-Frameworks-and-Standards.md) page maps how SSDF, SAMM, DSOMM, and SLSA fit together with this guideline.
88+
- The [Overview](0-2-Overview.md) page lists a recommended progression of controls to introduce into a pipeline.
89+
90+
If you need earlier editions, see the [old-versions](../../old-versions/) directory.

0 commit comments

Comments
 (0)