alt text

The Secure Pipeline Verification Standard (SPVS) is a comprehensive, security-focused framework designed to assess, enhance, and standardize the security maturity of software delivery pipelines across the full lifecycle: Plan, Develop, Integrate, Release, and Operate.

SPVS delivers structured, actionable controls to help manage and mitigate risks tied to code, artifacts, and operational environments, embedding security from inception through continuous operations. It promotes a proactive, security-first culture that aligns with compliance requirements, ensures artifact integrity, and reinforces operational resilience within modern DevSecOps ecosystems.

Built on a multi-tiered maturity model, SPVS allows teams to start with baseline security practices and progress toward advanced, secure-by-design pipelines. It is both scalable and adaptable, supporting diverse cloud, hybrid, and on-premises environments and aligning with methodologies like Agile, DevOps, and Engineering.

By embedding security at every phase and continuously validating controls, SPVS transforms traditional software pipelines into secure, resilient, and compliant systems. It provides a standardized, measurable approach for organizations to design, implement, and sustain secure pipelines, serving as a critical enabler of long-term DevSecOps success.

• SPVS Official OWASP Web Page
• Join us on Slack @ #owasp-spvs

Why was the SPVS so calm during an incident? -> It had multi-factor resilience.

Why did the CI job take a coffee break? -> Too many Java exceptions!

• Release 1.5 - AI Security - Community Feedback
• How To Use SPVS
• Check out 1.0 Controls/Requirements
• Check out Legend and Columns Overview
• How to Contribute to the SPVS
• How to Join the SPVS Team

To provide a robust suite of controls and best practices that:

• Reduces the risk of attacks and vulnerabilities across software pipelines.
• Improves artifact integrity, build environment protection, and release assurance.
• Automates security validation and compliance within software pipeline processes.
• Elevates security maturity progressively through the SPVS stages.

Ultimately, SPVS empowers organizations to deliver secure, reliable, and compliant software — efficiently and at scale.

The Secure Pipeline Verification Standard (SPVS) provides a structured, adaptable, and actionable framework that integrates security across all stages of the software pipeline — Plan, Develop, Integrate, Release, and Operate.

SPVS introduces a tiered control structure that aligns with organizational maturity levels.

• Each control maps to specific pipeline stages and corresponding security objectives.
• Enables teams to adopt baseline controls early and progress toward advanced practices as maturity increases.
• Supports alignment with frameworks such as CIS Benchmarks, OWASP ASVS, and cloud provider Well-Architected Frameworks.

Provides a stage-by-stage roadmap for building secure pipelines.

• Guides teams from foundational security principles in Plan and Develop, to advanced controls in Integrate, Release, and Operate.
• Encourages continuous improvement, allowing incremental security adoption without disrupting delivery velocity.
• Embeds feedback loops and threat-informed iteration for sustained enhancement.

Delivers flexible, environment-agnostic controls tailored to diverse software delivery ecosystems.

• Supports multi-cloud, hybrid, and on-premises architectures.
• Adaptable to varied methodologies — Agile, DevOps, DevSecOps, and Platform Engineering.
• Ensures context-aware security integration across tooling (e.g., GitHub Actions, GitLab software pipeline, Jenkins, Azure DevOps).

Covers the end-to-end software lifecycle, embedding security throughout.

• Focus areas include secure code management, artifact integrity, build environment protection, and automated validation within software pipeline.
• Integrates compliance monitoring, change control, incident response, and operational resilience.
• Reinforces visibility and traceability across all SPVS stages to ensure accountability and auditability.

Acts as a living framework designed for continuous evolution and measurable improvement.

• Offers clear, actionable controls that drive tangible security outcomes.
• Promotes automation, real-time assessment, and data-driven decision-making for pipeline hardening.
• Enables organizations of all sizes to evaluate, benchmark, and elevate their software pipeline security posture.

The SPVS serves as a critical enabler for organizations aiming to strengthen their software pipeline security. It transforms traditional DevOps pipelines into secure-by-design, continuously validated systems, providing a scalable, adaptable, and measurable path toward sustained security maturity.

The Secure Pipeline Verification Standard (SPVS) establishes a comprehensive framework for embedding and verifying security across all stages of the software delivery pipeline — from planning and development to integration, release, and operations.

Its scope includes the implementation and validation of multilayered security controls that address risks associated with code, artifacts, and build environments throughout the entire pipeline lifecycle. The framework introduces a tiered control model, enabling organizations to progressively mature their security posture — from foundational safeguards to advanced, automated protections.

SPVS is adaptable to diverse development environments and methodologies, including Agile, DevOps, DevSecOps, and Platform Engineering, and applies equally across multi-cloud, hybrid, and on-premises infrastructures. It provides comprehensive coverage of:

• Secure code management and artifact integrity
• Automated security checks and validation within software pipeline pipelines
• Compliance monitoring and governance
• Incident response and operational resilience

By standardizing how organizations integrate and verify security across the Plan, Develop, Integrate, Release, and Operate stages, SPVS serves as an essential resource for improving pipeline security maturity and defending against evolving threats in the software supply chain.

The SPVS is designed for all professionals and leaders responsible for building, managing, and securing software pipelines, including:

• Software Engineers and Developers implementing secure coding practices.
• DevOps and DevSecOps Engineers automating secure build and deployment processes.
• Release and Program Managers overseeing release governance and compliance.
• Security and Compliance Teams conducting continuous validation and monitoring.
• IT Managers, Architects, and Decision-Makers establishing secure-by-design frameworks and risk management strategies.

By providing a structured set of controls, principles, and maturity pathways, SPVS empowers teams to collaborate effectively across disciplines, standardize security practices, and continuously enhance the integrity and resilience of their software delivery pipelines.

1. Security Integration Embed security into every stage of the software lifecycle — from planning to operations — ensuring it is a core design element, not an afterthought.

2. Continuous Improvement Maintain a feedback-driven, iterative approach to enhance security practices, aligning with emerging threats, evolving technologies, and lessons learned.

3. Shared Responsibility and Ownership Foster collaborative accountability across all roles — developers, operators, and security professionals — emphasizing that security is everyone’s job.

4. Transparency and Collaboration Promote open communication and visibility across teams, ensuring that risks, vulnerabilities, and incidents are shared, tracked, and resolved collectively.

5. Proactive Defense Prioritize preventative controls, early detection, and automated mitigation over reactive responses, strengthening defenses before issues escalate.

6. Scalability and Flexibility Design modular and adaptable controls that scale across organizational sizes, maturity levels, and infrastructure types — from startups to enterprises.

7. Education and Awareness Continuously train and upskill all stakeholders to recognize threats, adopt secure practices, and sustain a security-aware culture.

8. Standards Alignment and Compliance Align SPVS practices with recognized standards such as NIST SSDF, OWASP ASVS, CIS Benchmarks, and Cloud Well-Architected Frameworks to ensure compliance and interoperability.

9. Preserve DevOps Agility Ensure that security enhances agility rather than hinders it, integrating seamlessly into Agile and DevOps workflows without impeding delivery velocity.

10. Risk-Based Approach Apply risk prioritization to focus on the most critical threats, optimizing security efforts to protect key assets and business objectives effectively.

The Secure Pipeline Verification Standard (SPVS) serves as a strategic and tactical framework for achieving secure-by-design software delivery. By embedding security within every pipeline stage and promoting collaboration across teams, SPVS empowers organizations to reduce risk, increase compliance, and continuously improve their software supply chain security maturity.

The Secure Pipeline Verification Standard (SPVS) enhances traditional DevSecOps and DevOps practices by embedding security principles into every phase of the software delivery lifecycle.

Define scope, objectives, and security requirements for each iteration.

• Assess risks, establish baselines, and align with business and compliance goals.
• Incorporate feedback loops, postmortems, threat modeling, and lessons learned.
• Ensure continuous improvement in product quality and security posture.

Build security into the code from the start.

• Follow secure coding standards and perform continuous code reviews.
• Integrate automated vulnerability detection tools during development.
• Address issues early to reduce remediation costs and risk.

Securely integrate new code into the main codebase.

• Enforce security checkpoints before deployment.
• Perform automated validation, artifact integrity checks, and environment hardening.
• Use structured, repeatable security tests and compliance-aligned scans to detect vulnerabilities early.

Ensure production-ready, secure, and compliant deployments.

• Conduct final security validations, compliance checks, and approvals.
• Use automated, auditable pipelines for minimal-risk releases.
• Emphasize artifact integrity, change control, and secure rollout strategies.

Maintain and protect production environments.

• Implement continuous monitoring, incident response, and patch management.
• Enforce access control and operational resilience.
• Leverage real-time visibility and anomaly detection to ensure ongoing compliance and reliability.

Why did the SPVS framework start a band? -> It already had great stages!

We ask that all contributors to OWASP projects abide by our Code of Conduct. This code outlines our expectations for behavior within the project community and helps us maintain a welcoming and inclusive environment for all contributors.

Thank you for your interest in contributing to an OWASP project. We appreciate your efforts to help us improve and grow our projects.