# DevSecOps Index

## Purpose

This index is the root entry point for the DevSecOps branch of the cybersecurity vault. Use it to:

- connect secure development, CI/CD, dependency risk, secrets handling, and container delivery
- reason about software risk before runtime
- map security controls into the developer workflow instead of bolting them on later
- turn secure-by-design ideas into engineering practices

Use Reference Registry — DevSecOps as the source of truth for references in this branch.

Return to Cybersecurity Index for root navigation across branches.

Before this branch:

- Foundations (Phase 0).
- Web Security and Cryptography — build-pipeline threats inherit both.

## Recommended learning order

### Phase 1 — Secure development foundations

- nist-ssdf
- secure-by-design
- asvs-as-dev-process-input

### Phase 2 — Supply chain and dependencies

- supply-chain-security
- dependency-risk
- artifact-integrity

### Phase 3 — Pipeline and release controls

- ci-cd-hardening
- branch-protection-and-release-controls
- secrets-management

### Phase 4 — Container and build delivery

- container-security
- image-scanning
- sbom-and-provenance

## Core DevSecOps cluster

### Foundations

- nist-ssdf
- secure-by-design
- asvs-as-dev-process-input

### Supply chain

- supply-chain-security
- dependency-risk
- artifact-integrity
- sbom-and-provenance

### Pipelines and releases

- ci-cd-hardening
- branch-protection-and-release-controls
- secrets-management

### Containers and delivery

- container-security
- image-scanning

## Cross-links to other branches

### API security

- api-inventory-management
- broken-authentication
- jwt-attacks

### Web security

- file-upload-abuse
- broken-access-control
- request-smuggling

### Attack surface mapping

- exposed-storage
- third-party-exposure
- deprecated-api-versions

### Cloud security

- Cloud Security Basics
- Cloud Secrets Management
- Cloud IAM Boundaries
- Cloud Lab Infrastructure

### Security playbooks

- inspect-file-upload-surface
- reverse-proxy-misconfig-checklist

## Suggested future notes

- iac-security
- policy-as-code
- build-isolation
- signed-releases
- dependency-confusion
- secret-scanning
- runtime-vs-build-time-controls

## Possible future playbooks

- leak-secrets-from-ci
- inspect-ci-secrets-exposure
- review-container-hardening
- inspect-release-provenance
- test-dependency-risk-hotspots

## Branch maintenance notes

Keep CI/CD, dependency, build, release, and software-delivery controls in this branch.

Keep cloud provider identity, network, storage, metadata, logging, and lab-infrastructure controls in Cloud Security.

## References

- Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final
- Foundational: CISA Secure by Design — https://www.cisa.gov/resources-tools/resources/secure-by-design
- Foundational: OWASP ASVS — https://owasp.org/www-project-application-security-verification-standard/