The DevSecOps Playbook

SecureStack is committed to open-source projects, that’s the reason we recently open-sourced the “DevSecOps Playbook”.  This playbook, originally written by our CEO Paul McCarty, was an internal automation document that explained how to secure application environments.  Now, after a bit of a re-work, it’s a comprehensive step-by-step guide to implementing a DevSecOps practice for any organization.  So, we thought, why not share this with the world?!

Check out the GitHub project here:


How to use this free open-source Playbook

The Playbook is 50 individual tasks that you can follow to help make your application environments materially better.  Each task has a Priority, which tells you what you should do first, as well as a Difficulty which tells you how hard that task is.  So your teams can start with all the priority 1 tasks and once they’ve crossed all those off the list, they can start with the priority 2 tasks.  It’s really that simple.

If you like the playbook, feel free to star it on GitHub, or fork it for internal use.  If you see something that needs adjusting or if the Playbook is missing something, please create a PR!  We want the Playbook to be a community document!  You can check out our community stargazers here.

If you have a compliance or audit requirement that you need to address, check out the last column in each controls row.  You will see there any mappings that our community has associated with that particular control.  Most tasks have been mapped to at least two frameworks, such as ISO27001, ISO27002, SOC2, CIS, APRA, NIST 800, Australian ISM/Essential 8, or PCI-DSS.


Accelerate your DevSecOps success with SecureStack

Because the Playbook started out as an internal piece of automation, it’s built right into the heart and soul of our solution.  The SecureStack platform will check your applications for all the controls listed on the DevSecOps Playbook and report back if it finds any missing.  Even better, our platform will help you understand how to address any gaps we find with our visibility and automation platform.   We give you real-time continuous compliance reporting on your applications, so you can meet ISO27001, ISO27002, SOC2, CIS, NIST 800, NIST SSDF, Australian ISM, or APRA requirements.  If you have a security questionnaire you need to fill out or are going through an audit and you’re being asked about how secure your software development processes are, then please reach out to us!


Paul McCarty

Founder of SecureStack

DevSecOps evangelist, entrepreneur, father of 3 and snowboarder

Forbes Top 20 Cyber Startups to Watch in 2021!

 Mentioned in KuppingerCole's Leadership Compass for Software Supply Chain Security!