Some context: I’m working with our head of DevOps on securing the global DevOps program. So, I’m focused on creating a custom framework for securing the “production line” of software developed in-house. I’m looking at OWASP’s DevSecOps maturity framework plus Gartner’s content (I have a sub). Both aren’t exactly what I’m looking for.
My question: I’m interested to know which frameworks and controls companies are considering for securing repositories for source code, artifacts and containers, commits and CI/CD pipelines. We’re standardising on GitHub, including GH Advanced Security, and are looking at tools like Cycode and Legit Security.
As the OWASP guy I’m glad to see you are looking at the OWASP DSOMM project; it’s a good place to start. I assume you want something more specific than OWASP SAMM as well? A good starting point would be the OWASP Top 10 CI/CD, but I strongly suspect you’ve looked at that given the tooling you are looking at.
Your tool choices look pretty good. I can speak for GitHub (+ GH AS) from personal experience, and if you haven’t looked at SLSA yet, you definitely should! It’s an OpenSSF project from our friends in the Linux Foundation. I suspect that Cycode and Legit Security are going to help you implement many of the standards and controls they recommend.