add devsecops project

Author: jgadsden

.wordlist.txt

@@ -476,4 +476,5 @@ CISO
 iteratively
 ai
 Serverless
-proscriptive
+proscriptive
+devsecops

_data/draft.yaml

@@ -295,17 +295,20 @@ docs:
 - title: '8.5 Mobile Application Security'
   url: culture_building_and_process_maturing/mobile_application_security
 
-- title: '9. Operation'
+- title: '9. Operations'
   url: operation
 
-- title: '9.1 ModSecurity Core Rule Set'
-  url: operation/modsecurity_core_rule_set
+- title: '9.1 DevSecOps Guideline'
+  url: operations/devsecops_guideline
 
 - title: '9.2 Coraza Web Application Firewall'
-  url: operation/coraza_waf
+  url: operations/coraza_waf
 
 - title: '9.3 ModSecurity Web Application Firewall'
-  url: operation/modsecurity_waf/
+  url: operations/modsecurity_waf/
+
+- title: '9.4 ModSecurity Core Rule Set'
+  url: operations/modsecurity_core_rule_set
 
 - title: '10. Metrics'
   url: metrics

_data/release.yaml

@@ -295,17 +295,20 @@ docs:
 - title: '8.5 Mobile Application Security'
   url: culture_building_and_process_maturing/mobile_application_security
 
-- title: '9. Operation'
+- title: '9. Operations'
   url: operation
 
-- title: '9.1 ModSecurity Core Rule Set'
-  url: operation/modsecurity_core_rule_set
+- title: '9.1 DevSecOps Guideline'
+  url: operations/devsecops_guideline
 
 - title: '9.2 Coraza Web Application Firewall'
-  url: operation/coraza_waf
+  url: operations/coraza_waf
 
 - title: '9.3 ModSecurity Web Application Firewall'
-  url: operation/modsecurity_waf/
+  url: operations/modsecurity_waf/
+
+- title: '9.4 ModSecurity Core Rule Set'
+  url: operations/modsecurity_core_rule_set
 
 - title: '10. Metrics'
   url: metrics

contributing.md

@@ -105,12 +105,31 @@ Follow instructions to install the command line [lychee][lychee-install] and [pa
 To install `markdownlint-cli2` use npm: `npm install markdownlint-cli2 --global`,
 and to install `pyspelling` use pip: `pip install pyspelling`
 
+## Release process
+
+The release process is automatic, and triggers when the repo is tagged with a version number.
+To trigger the release this process from within a cloned repo:
+
+1. tag the release, for example: `git tag 4.1.0`
+2. push to the repo, for example: `git push origin 4.1.0`
+
+The github release workflow then creates the pull request
+with modifications to the release area promoted from the draft area.
+Review the changes and, if all are correct, merge the pull request.
+This will also automatically update the public web document and PDF/e-book versions.
+
+It is good practice to bundle the PDF and ePub files into the [release area][release],
+using the wording from the previous releases as a guide to the release notes.
+
+----
+
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/
 [conduct]: code_of_conduct.md
 [dashboard]: https://github.com/orgs/OWASP/projects/14/views/1
 [issues]: https://github.com/OWASP/www-project-developer-guide/issues/new/choose
 [lychee-install]: https://lychee.cli.rs/
 [pandoc-install]: https://pandoc.org/installing.html
+[release]: https://github.com/OWASP/www-project-developer-guide/releases
 [request]: https://github.com/OWASP/www-project-developer-guide/pulls
 [wiki]: https://github.com/OWASP/www-project-developer-guide/wiki
 [wstg]: https://owasp.org/www-project-web-security-testing-guide/

draft/02-toc.md

@@ -120,10 +120,11 @@ permalink:
 8.4 [Application Security Verification Standard](#application-security-verification-standard)  
 8.5 [Mobile Application Security](#mobile-application-security)  
 
-9 **[Operation](#operation)**  
-9.1 [ModSecurity Core Rule Set](#modSecurity-core-rule-set)  
+9 **[Operations](#operations)**  
+9.1 [DevSecOps Guideline](#devsecops-guideline)  
 9.2 [Coraza Web Application Firewall](#coraza-web-application-firewall)  
 9.3 [ModSecurity Web Application Firewall](#modsecurity-web-application-firewall)  
+9.4 [ModSecurity Core Rule Set](#modSecurity-core-rule-set)  
 
 10 **[Metrics](#metrics)**  
 

draft/04-foundations/02-secure-development.md

@@ -97,10 +97,10 @@ There are many OWASP tools and resources to help build security into the SDLC.
    within the development teams - ideally every team should have a security champion that has
    a special interest in security and has received further training, enabling the team to build security in.
 
-* **Operation**: the OWASP [DevSecOps Guideline][devsecops] explains how to best implement a secure pipeline,
-    using best practices and introducing automation tools to help 'shift-left'.
+* **Operations**: the OWASP [DevSecOps Guideline][devsecops] explains how to best implement a secure pipeline,
+    using best practices and automation tools to help 'shift-left' security issues.
     Refer to the DevSecOps Guideline for more information on any of the topics within DevSecOps
-    and in particular sections on Operation.
+    and in particular sections on Operations.
 
 * **Supply chain**: attacks that leverage the supply chain can be devastating
     and there have been several high profile of products being successfully exploited.

draft/10-culture-process/01-security-culture.md

@@ -63,8 +63,9 @@ the [Security Champions Playbook][scplaybook].
 
 [Threat modelling][culturetm] is an activity that in itself is important within an organization,
 and it also has the benefit of helping communication between the security teams and development teams.
-[Security testing][culturetest] (such as SAST, DAST and IAST) is another domain where close collaboration
-is required within the organization: management, security, development and pipeline teams will all be involved.
+[Security testing][culturetest] (such as [SAST][dsosast], [DAST][dsodast] and [IAST][dsoiast])
+is another area where close collaboration is required within the organization:
+management, security, development and pipeline teams will all be involved.
 This has the added benefit, as with threat modeling, of promoting a good security culture / awareness
 within the organization - and can be a good indicator of where the security culture is succeeding.
 
@@ -90,6 +91,9 @@ then [submit an issue][issue1001] or [edit on GitHub][edit1001].
 [culturetest]: https://owasp.org/www-project-security-culture/v10/7-Security_Testing/
 [culturetm]: https://owasp.org/www-project-security-culture/v10/6-Threat_Modelling/
 [culturewhy]: https://owasp.org/www-project-security-culture/v10/2-Why_Add_Security_In_Development_Teams/
+[dsodast]: https://owasp.org/www-project-devsecops-guideline/latest/02b-Dynamic-Application-Security-Testing
+[dsoiast]: https://owasp.org/www-project-devsecops-guideline/latest/02c-Interactive-Application-Security-Testing
+[dsosast]: https://owasp.org/www-project-devsecops-guideline/latest/02a-Static-Application-Security-Testing
 [scplaybook]: https://github.com/c0rdis/security-champions-playbook
 
 \newpage

draft/10-culture-process/02-security-champions/01-security-champions-program.md

@@ -89,8 +89,8 @@ increase the effectiveness of the application security team and improve the secu
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue1021] or [edit on GitHub][edit1021].
 
-[issue1021]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2010-culture-process/02-security-champions/01-security-champions
-[edit1021]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/10-culture-process/02-security-champions/01-security-champions.md
+[edit1021]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/10-culture-process/02-security-champions/01-security-champions-program.md
+[issue1021]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2010-culture-process/02-security-champions/01-security-champions-program
 [sammgegoc]: https://owaspsamm.org/model/governance/education-and-guidance/stream-b/
 [scguide]: https://owasp.org/www-project-security-champions-guidebook/
 [scplaybook]: https://github.com/c0rdis/security-champions-playbook

draft/10-culture-process/02-security-champions/toc.md

@@ -55,7 +55,7 @@ Sections:
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue1020] or [edit on GitHub][edit1020].
 
-[edit1020]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/10-culture-process/01-security-champions/toc.md
+[edit1020]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/10-culture-process/02-security-champions/toc.md
 [issue1020]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2010-culture-process/02-security-champions/00-toc
 [sammg]: https://owaspsamm.org/model/governance/
 [sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/

draft/10-culture-process/toc.md

@@ -28,13 +28,13 @@ The maturity of security processes and culture is wide ranging, with indicators
 Sections:
 
 8.1 [Security Culture](01-security-culture.md)  
-8.2 [Security Champions](01-security-champions/toc.md)  
-8.2.1 [Security champions program](01-security-champions/01-security-champions-program.md)  
-8.2.2 [Security Champions Guide](01-security-champions/02-security-champions-guide.md)  
-8.2.3 [Security Champions Playbook](01-security-champions/03-security-champions-playbook.md)  
+8.2 [Security Champions](02-security-champions/toc.md)  
+8.2.1 [Security champions program](02-security-champions/01-security-champions-program.md)  
+8.2.2 [Security Champions Guide](02-security-champions/02-security-champions-guide.md)  
+8.2.3 [Security Champions Playbook](02-security-champions/03-security-champions-playbook.md)  
 8.3 [Software Assurance Maturity Model](03-samm.md)  
 8.4 [Application Security Verification Standard](04-asvs.md)  
-8.5 [Mobile Application Security](04-mas.md)  
+8.5 [Mobile Application Security](05-mas.md)  
 
 ----