- Summary: The NIST Secure Software Development Framework (SSDF) offers a set of practices to help organizations develop secure software. The framework emphasizes integrating security throughout the software lifecycle, from planning to response. It is structured into four key phases:
  - Prepare the Organization
  - Protect the Software
  - Produce the Software
  - Respond to Security Vulnerabilities
https://csrc.nist.gov/projects/ssdf
- Summary: NIST SP 800-160 provides guidelines for secure system engineering, focusing on risk management, security requirements, and control frameworks. It aims to create systems resilient to attacks by integrating security throughout system design, development, and testing phases.
https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final
- Summary: The NCCoE DevSecOps project focuses on integrating security into DevOps environments. It demonstrates how to automate vulnerability management, maintain security controls, and comply with industry standards in DevSecOps pipelines.
https://www.nccoe.nist.gov/sites/default/files/2022-11/dev-sec-ops-project-description-final.pdf
- Summary: This guidebook provides the DoD with recommendations on how to integrate security into DevOps processes. It offers tools and methodologies to automate security checks, vulnerability management, and code analysis, helping to align security practices with DoD mission goals.
https://dodcio.defense.gov/Portals/0/Documents/Library/DevSecOpsTools-ActivitiesGuidebook.pdf
- Summary: MITRE’s guide outlines best practices for embedding security into DevSecOps workflows, including continuous monitoring, automation, and proactive threat management. It emphasizes integrating security controls in fast-paced development environments.
https://saf.mitre.org/DevSecOps_Best_Practices_Guide.pdf
- Summary: The OWASP DevSecOps Verification Standard aims to create a set of standards for verifying the security of DevSecOps practices. It offers benchmarks for evaluating the security of DevSecOps pipelines and provides tools and techniques for assessing security risks in these environments.
https://github.com/OWASP/www-project-devsecops-verification-standard
- Summary: OWASP SAMM is a model for assessing and improving software security practices. It provides a framework with measurable maturity levels in domains like governance, construction, verification, and deployment, helping organizations improve their security processes over time.
https://owaspsamm.org/about/
- Summary: The OWASP DevSecOps Maturity Model provides a structured approach for evaluating the maturity of security integration in DevOps workflows. It offers five levels of maturity, from ad hoc practices to fully automated and integrated systems, helping organizations improve their DevSecOps processes.
https://owasp.org/www-project-devsecops-maturity-model/
https://dsomm.owasp.org/
- Summary: The OWASP DevSecOps Guidelines provide comprehensive guidance on integrating security into DevSecOps practices. They cover secure coding, automated testing, threat modeling, and continuous monitoring as core elements of a secure development pipeline.
https://owasp.org/www-project-devsecops-guideline/latest/
- Summary: The Microsoft Engineering Playbook provides detailed guidance for incorporating security into Continuous Integration/Continuous Deployment (CI/CD) pipelines through a DevSecOps approach. It emphasizes the importance of integrating security practices early in the software development lifecycle. The playbook covers key topics such as automated security testing, threat modeling, code scanning, and secure deployment processes. By embedding security into the CI/CD pipeline, the playbook helps teams ensure that vulnerabilities are detected and addressed at every stage of development, making security an integral part of the delivery pipeline rather than an afterthought.
https://microsoft.github.io/code-with-engineering-playbook/CI-CD/dev-sec-ops/
- Summary: DevSecOpsGuides is an open-source, expert-driven framework hosted on GitHub and wiki.devsecopsguides.com, designed to integrate security seamlessly into the software development lifecycle through a shift-left methodology. It aligns with established standards such as NIST, OWASP, and CIS by offering practical, tool-agnostic guidance on: secure coding to prevent vulnerabilities such as SQL injection and XSS; threat modeling for risk prioritization; security testing via penetration tests and scans in CI/CD; infrastructure hardening for servers and networks; compliance with regulations such as GDPR and HIPAA; and streamlined incident response playbooks. Aimed at developers, security professionals, and operations teams from novice to expert level, it emphasizes a collaborative culture to foster resilient, audit-ready applications efficiently.