🚧 DevGuard & this page is under active development. Visit the DevGuard Repo →
ConceptsDevSecOpsUnderstanding OWASP DevSecOps Pipeline

Understanding the OWASP DevSecOps Pipeline

DevGuard aims to accompany developers in implementing the OWASP-DevSecOps pipeline in the best way possible, without requiring extensive cybersecurity knowledge. We plan provide a wrapper CLI with a curated list of scanners for different stages and seamless integration with the management backend (SARIF-Reports), ensuring that security is integrated smoothly into the development workflow.

The OWASP DevSecOps pipeline integrates security practices into the DevOps process, ensuring that security is an integral part of the software development lifecycle. The pipeline includes the following key stages and practices:

Secret Scanning

  • Detects and manages sensitive information such as API keys and passwords that may be accidentally committed to the codebase.
  • Helps prevent security breaches by identifying secrets early in the development process.

Software Composition Analysis (SCA)

  • Utilizes Software Bill of Materials (SBOMs) to conduct thorough software composition analysis.
  • Helps in identifying and managing dependencies and their associated vulnerabilities.
  • Prioritizes CVEs using various threat intelligence sources such as EPSS and ExploitDB.
  • Focuses on the real risk posed by vulnerabilities, converting “—fail-on-critical” to “—fail-on-real-risk-critical”.
  • Syncs with the National Vulnerability Database (NVD) to ensure up-to-date information on vulnerabilities.

Crowdsourced Vulnerability Management

  • Supports a crowdsourced approach to vulnerability management.
  • If a dependency (A) has another dependency (B) with a CVE, users can consult A to determine the relevance of B’s CVE to their project.
  • Allows marking vulnerabilities as false positives, sharing this information across the user community for the same A -> B relationship.

Static Application Security Testing (SAST)

  • Analyzes source code to identify security vulnerabilities early in the development process.
  • Provides developers with actionable insights to fix vulnerabilities before they become critical issues.

Infrastructure as Code (IaC) Scanning

  • Ensures that infrastructure definitions and configurations adhere to security best practices.
  • Detects misconfigurations and vulnerabilities in IaC templates early in the development cycle.

Container Scanning

  • Scans container images for vulnerabilities, ensuring that the containerized applications are secure.
  • Helps maintain the security of containerized environments by identifying and mitigating risks in container images.

Dynamic Application Security Testing (DAST)

  • Tests running applications to identify vulnerabilities that may not be visible in the source code.
  • Simulates real-world attacks to uncover potential security weaknesses in live environments.
OverviewSecret Scanning