
DEVSECOPS STANDARD

PURPOSE & SCOPE

Purpose. This standard provides direction for addressing cybersecurity requirements as part
of agile software development projects that employ continuous integration and continuous
delivery (CI/CD) processes.
Scope. This standard applies to all VSP CI/CD software development projects. It does not apply
to software development projects that follow waterfall, spiral, extreme programming or other
software development methodologies. It applies to all VSP employees and the contingent
workforce.

STANDARD

1.0 Standard.

This standard uses the DevSecOps lifecycle shown in Figure 1. It recognizes that the success of
a DevSecOps project depends on the extent to which security can be automated and
integrated into the CI/CD pipeline to remove roadblocks and enable the timely movement of
artifacts between lifecycle phases and support secure delivery to our customers.
This standard defines the requirements for the training, tooling, and automation support
needed by DevSecOps teams to act in a trusted, autonomous and secure manner.
Figure 1. DevSecOps Lifecycle.

VSP GLOBAL [CLASSIFICATION] Printed Copies are Uncontrolled Page


The following table identifies the security requirements for VSP DevSecOps
application development projects. It is organized by the DevSecOps lifecycle
phase and activity.

Phase / Domain / Requirement

Pre-Startup
  Security Training
    • OIS must develop and maintain DevSecOps training paths for DevSecOps teams in accordance with the Security Education, Training and Awareness Standard.
    • DevSecOps team must integrate the security training paths into the development plans for DevSecOps personnel.
  Security Champions
    • Each DevSecOps team must identify a security champion who is responsible for driving security throughout each assigned development project. Security champions may support multiple teams and multiple projects, but every development team must have an identified security champion.
  Risk Identification
    • Each DevSecOps application development project must identify its inherent risk rank following the guidance provided in section 3.1.1 of the OIS Risk Management Plan.
  Configuration Identification
    • Each application must be assigned an owner and the details of the application's configuration and dependencies must be entered into the VSP configuration management database in accordance with the Configuration Management Standard.

Plan
  Threat Modeling
    • OIS must provide a simple and accessible tool for performing threat modeling.
    • Threat models must be created and updated in the planning phase of each DevSecOps project.
  Security Architecture and Design
    • Enterprise Architecture must develop solution building blocks (SBBs) for the development of secure application architectures.
    • OIS must develop secure design guidelines for common application services.
    • DevSecOps teams must factor the SBBs and secure design guidelines into their design process based on the identified risk.
  Standard security components
    • OIS must provide a standard Web Application Firewall (WAF) solution for use with external-facing web applications. OIS must also provide guidance on configuring the WAF for application-specific security needs.
    • OIS must provide a standard Runtime Application Self-Protection (RASP) solution for high-risk applications.
  Standards Selection
    • OIS must develop secure coding standards.
    • DevSecOps teams must adapt the secure coding standards for use in their projects.
  Tool Selection
    • OIS must identify security tools to be used throughout the DevSecOps lifecycle and provide training on the use of the security tools in a lab environment.
  Pipeline Automation
    • DevSecOps teams must integrate selected security tools within their CI/CD pipelines.
    • OIS must maintain a repository of security automation solutions for reuse by development teams.

Code
  Linting
    • DevSecOps teams must integrate linting tools into their pipelines to ensure readability and compliance with coding standards.
  Hardcoded Secrets
    • All code must be automatically scanned for hardcoded secrets prior to and after being committed to shared repositories.
  Insecure Patterns
    • Source code must be automatically inspected for insecure design patterns.
  Insecure 3rd Party Libraries
    • 3rd party libraries must be automatically scanned using Software Composition Analysis (SCA) tools for known vulnerabilities.
    • SCA scans must be updated each development cycle to identify newly discovered vulnerabilities.
  SAST
    • Static code analysis tools must automatically check for common vulnerabilities, such as buffer overflows, injection flaws, etc.

Build
  Configuration Errors
    • Automated security configuration checks must be integrated into the build process.
  Security Hardening
    • Container security hardening tools must be integrated into the build process when applications are deployed using containers.

Test
  DAST
    • DAST tools must be used to identify common vulnerabilities, such as XSS and SQL injection.
  Fuzzing
    • Fuzzing tools must be integrated into the CI pipeline to test the software's response to unexpected and malformed data.
  Vulnerability Scanning
    • Vulnerability scanning tools must be run against developed software during operations.

Release
  Compliance Checks
    • Automated compliance checking must take place as part of the release process.
  Integrity Checks
    • Released software must be signed to support integrity checking during deployment.

Deploy
  Secure Transfer
    • Deployed code must be securely moved from the development environment to the production environment and its integrity must be verified.
  Secure Update
    • Operational systems must be updated with new software releases in a manner that preserves the security of operational processes.

Operate & Monitor
  Event Collection & Analysis
    • Security events generated by operational software must be collected and analyzed for potential security threats.
  Automated Response
    • Automated responses to predicted security threats must be implemented.
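The "Hardcoded Secrets" requirement above calls for scanning before and after commit. As an added illustration (not part of the VSP standard or any OIS tool), the following Python script is the shape of a pre-commit hook that meets the "prior to" half: it checks files for known credential formats and for suspicious high-entropy literals assigned to secret-looking names, while ignoring templated values such as "${DB_PASSWORD}" and low-entropy placeholders such as "changeme". The sample lines, the 3.5-bit entropy threshold and the generic assignment pattern are assumptions chosen for this example; the AWS key-ID line uses the example key ID published in AWS documentation, not a real credential.

```python
"""Pre-commit style hardcoded-secret scanner (added example, not from the VSP standard)."""
import math
import re
import sys
from collections import Counter

# Credential formats to detect. The AWS access-key prefix and the PEM header
# are real formats; the "generic_assignment" pattern is an assumption that a
# long quoted literal assigned to a secret-looking name deserves a closer look.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Assumed threshold: random-looking 32-hex-character tokens score close to 4 bits
# per character, while human-chosen placeholders score well under 3.5.
ENTROPY_THRESHOLD = 3.5

# Constructed sample input standing in for a file staged for commit.
SAMPLE_LINES = [
    "import os",
    'db_password = "${DB_PASSWORD}"',                # templated: resolved from the environment
    'password = "changeme"',                          # low-entropy placeholder
    'token = "f3a9c1e7b2d4a6c8e0f1a2b3c4d5e6f7"',    # constructed high-entropy literal
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",       # AWS documentation's example key ID
    "-----BEGIN RSA PRIVATE KEY-----",                # PEM private-key header
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for a single repeated character)."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines) -> list:
    """Return (line_number, finding_kind) pairs for lines that look like hardcoded secrets.

    Generic assignments are only reported when the literal is not a template
    reference and has enough entropy to plausibly be a real credential.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "generic_assignment":
                literal = match.group(2)
                if literal.startswith("${") or shannon_entropy(literal) < ENTROPY_THRESHOLD:
                    continue
            findings.append((lineno, kind))
    return findings


def scan_file(path: str) -> list:
    """Scan one file; decoding errors are replaced so binary junk cannot abort the hook."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)


if __name__ == "__main__":
    # Usage as a hook: pass the staged file paths as arguments; a non-zero exit
    # blocks the commit. With no arguments the constructed sample is scanned.
    paths = sys.argv[1:]
    blocked = False
    if not paths:
        for lineno, kind in scan_lines(SAMPLE_LINES):
            print(f"<sample>:{lineno}: possible {kind}")
            blocked = True
    for path in paths:
        for lineno, kind in scan_file(path):
            print(f"{path}:{lineno}: possible {kind}")
            blocked = True
    sys.exit(1 if blocked else 0)
```

Running the script with no arguments reports lines 4, 5 and 6 of the sample and exits non-zero; lines 2 and 3 are deliberately passed over, which is the trade-off a practitioner has to tune: a lower threshold catches more weak secrets at the cost of more placeholder noise. The "after being committed" half of the requirement is the same logic run server-side or in the CI pipeline over the repository's history rather than over staged files.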

GLOSSARY

Term: Definition

Access Control: A security technique that regulates who or what can view or use resources in a computing environment.
Application Owner: The person responsible for the development and operation of a software application.
Application Programming Interface: A set of software service functions that are made available for application development.
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Business Critical Application: An application that is essential to the operation of a business.
Change Control: The process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner.
Code Signing: The process of using digital signatures to protect the integrity of software.
Contingent Workforce: The non-employee workforce.
Continuous Delivery (CD): A software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time and, when releasing the software, without doing so manually.
Continuous Integration (CI): The practice of merging all developers' working copies to a shared mainline several times a day.
Credential: Information used to authenticate an individual, process or device.
Data at Rest: Data that is being stored.
Data in Transit: Data that is being communicated.
Data Owner: The senior officer in a line of business or global division or service who is responsible for protecting the data within the business area.
Development Environment: An environment that is used for the development of software applications or systems.
DevSecOps: The integration of development, security, and operations functions.
Dynamic Application Security Test (DAST): A security testing approach that is performed against an executing application.
File Integrity Monitoring: An internal control or process that performs the act of validating the integrity of operating system and application files.
Freeware: Software that is distributed without monetary cost or license restriction.
Identification: The process of determining the identity of a user or other entity that is accessing a computer service or resource.
Interactive Application Security Test (IAST): A security testing approach in which the tester interacts with the application being tested.
Master Baseline Code or Master Image: A final set of code that has been approved for production operation.
Open-Source Software: Software with source code that anyone can inspect, modify, and enhance.
Operational Environment: A computer environment that is authorized for the execution of production services.
Penetration Test: The practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit.
Platform as a Service (PaaS): A cloud computing model in which a third-party provider delivers hardware and software tools, usually those needed for application development, to users over the internet.
Privilege Management: The management of user access privileges.
Risk: An estimate of expected damage or loss.
Risk Assessment: The process of evaluating the state of risk of an organization. Risk assessment is often initiated through taking an inventory of all assets, assigning each asset a value, and then considering any potential threats against each asset.
Runtime Application Self-Protection (RASP): A security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
Security Event: An observed condition that has a bearing on the security of an organization or system.
Security Hardening: The process of implementing security best practices to eliminate or reduce the vulnerability of a system, component, or device.
Session Management: The process of securely handling multiple requests to a web-based application or service from a single user or entity.
Software Composition Analysis (SCA): An automated process that identifies the open-source software in a codebase.
Software Development Lifecycle (SDLC): A framework defining tasks performed at each step in the software development process.
Software Solution: A software system or application.
Static Application Security Testing (SAST): A type of security testing that involves the review of code separate from its execution.
System Owner: The person responsible for the development and operation of a system.
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
Threat Modeling: The process of identifying and prioritizing threats with respect to a specific context or application.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability Scan: The automated checking of an information asset for security vulnerabilities.
Web Application Firewall (WAF): An application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

RESPONSIBILITIES

2.0 Responsibilities. The following roles and responsibilities apply to this standard.

Roles / Responsibilities

OIS
  • Provide DevSecOps teams with the training, tools, and automation support needed to ensure their success.
DevSecOps Team Members
  • Learn to integrate security tools and best practices into their development and operations processes.
Security Champions
  • Take and pass OIS DevSecOps security training.
  • Evangelize security for their team.



NONCOMPLIANCE

Violations of this standard may result in verbal counseling, written warning, suspension, and termination in accordance with VSP's HR Progressive Discipline policy. Outside personnel who fail to comply with this standard or its requirements are subject to the immediate termination of their engagement, contract, proposal, or other agreement.

Non-compliance with this standard for any reason may increase the company's information risk exposure. To understand the information risk and impacts, appropriate lines of business personnel are required to request a Risk Assessment. To initiate a formal Risk Assessment, click here.

RELATED DOCUMENTS

Policies. Secure Development Policy and Security Assurance Policy.


Standards. Configuration Management Standard; Security Education, Training, and Awareness Standard; Secure Development Standard; and Secure Coding Standard.
Procedures. OIS-ISMS-006 Risk Management Plan.

DOCUMENT CONTROL

Control Information

Document Name: DevSecOps STANDARD
Form Num.: OIS-Form-019
Intended Audience:
Classification: [CLASSIFICATION]
Documented By: Jamie Jaworski
Document Num.:
Stakeholder Review:
Document Owner: Sean Walls
Effective Date:

Approval

Roin Z. Nance
Vice President & Chief Information Security Officer, VSP Global

Change Control

Date        Version   Modified By       Description
5/11/2021   0.1       Jamie Jaworski    Initial draft
1/18/2022   0.2       Jamie Jaworski    Minor updates.
