This page should be a reference for individuals wishing to build out a team, mature a team, or validate what controls you currently implement within your organization to empower others to build security into the product. Heavily inspired by Minimum Viable Secure Product, this documentation will include not only the topics required for a minimum viable DevSecOps team but also include documentation on approaches you can take to secure your environment.


Minimum Viable DevSecOps

This should be treated as a minimalist checklist for you to create a minimum viable DevSecOps function within your organization and how you can build security into your product.

1.x Business Controls

Business controls are measures that a company puts in place to ensure that operations are conducted in a manner that is consistent with its policies, goals, and regulatory requirements. These business controls are intended to help the organization protect its assets and ensure the integrity, confidentiality, and availability of its systems and data.

CommunicationChannels are established for engineers to reach out for security expertise
AssessmentsAbility for engineers to assess their own work based on security guidance
Design ReviewsAn established process for engineers to ask for guidance on projects
TrainingTraining must be engaging, educational, and beneficial to the organization
ComplianceUnderstanding business obligations and translating them to actionable items
LoggingCentralized location to store security logs
Defense in DepthIsolation of high risk applications, isolated development environment, and use of production data is restricted

2.x Design controls

Design controls help to ensure that the development, operations, and security aspects of an organization’s systems are properly integrated and working together to effectively secure the organization’s assets.

Identity and Access ManagementSingle Sign-On, avoiding static credentials, fido u2f, password policies, secrets, etc.
Best PracticesBest practices are documented and adhered to such as HTTPs only, security headers, benchmarks, documentation, etc.
Dependency and Vulnerability ManagementFrameworks are leveraged, scans are performed, libraries sanitizing inputs, and escaping outputs
PatchingProcesses and procedures for patching are clear and easily reproducible
Supply ChainReduced supply chain risks through mirroring packages/images and using trusted sources
AlertingEstablished mechanism to alert on high impact findings
MetricsAbility to demonstrate the impact of your work through metrics
EncryptionEncryption standards are configured, principal of least privilege, and keys are rotated
Threat ModelingStandardized approach for modeling threats

3.x Implementation controls

Effective implementation controls that demonstrate value add for security in an iterative process.

Asset inventoriesCentralized location to search infrastructure inventory
Data flowsSecure transport of data and defined handling processes
Capability ModelsDocumenting capabilities on the team to identify improvements
Established SLAsTime to fix based on priorities and impact are established
SDLCIncremental and iterative approach for the products functionality
Infrastructure as CodeIterative infrastructure as code processes
GuardrailsProvide engineers the ability to operate with relative freedom without significant risk
Static AnalysisTooling provided to empower engineering to make the right decisions
Dynamic AnalysisPerform dynamic analysis on infrastructure and code on a regular basis

4.x Operational Controls

These are operational controls in place that should be part of the business processes.

Principal of Least PrivilegeProduction and sensitive data is restricted
VendorsEstablished vendor integration requirements and reviews are performed
Backups and Disaster RecoveryProcedures for backups, disaster recovery, and documentation for BCPDR