Case Study No. 001

The New Security Pipeline Standard:
OWASP SPVS 1.0 just released

Author: Karol Lech
Reading time: 6 min read

Securing your codebase is only one part of the security you need in production. If your application code is well protected but the rest of the Software Development Lifecycle (SDLC) is not hardened, an attacker can still get in through the path that delivers your code to production.

Take a guess: how secure is a "100% secure" Angular app if secrets can leak from an unprotected developer workstation, or if someone can inject malicious code during the build?

To protect the whole SDLC, you can implement the controls of the Secure Pipeline Verification Standard (SPVS) 1.0, which was just released by OWASP.

What is SPVS?

The Secure Pipeline Verification Standard (SPVS) is a framework created by OWASP to assess and standardize the security level of software delivery pipelines. Standards like ASVS focus on the application itself; SPVS complements them by focusing on the pipeline around it: build, deployment, and operational automation.

It covers the entire lifecycle, divided into five stages:

  • Plan
  • Develop
  • Integrate
  • Release
  • Operate

Every SPVS control is mapped to related standards such as NIST SP 800-53, CWE, and the OWASP Top 10 CI/CD Security Risks.

The 3 Levels of SPVS

You don't have to harden the whole pipeline like an enterprise if you are, for example, a solo founder who has just started with a simple app. SPVS has three levels, so you can adjust the required controls to your risk profile.

Level 1: Foundational

The baseline for any team (e.g., a startup). It focuses on hygiene and simple controls like:

  • Mandatory MFA for all pipeline access
  • Basic IAM (Identity and Access Management)
  • Source control hardening and secret management

Level 2: Standard

For teams managing regulated workloads. It adds automation and evidence:

  • Automated secret scanning
  • Policy-as-code enforcement
  • Signed builds and mandatory release reviews

Level 3: Advanced

The highest level for high-risk environments (Fintech, Healthcare). It requires continuous verification:

  • Automated gating and third-party attestations
  • Full audit logging
  • Reproducible builds and verified provenance

"The level of your pipeline has to be adjusted to your app. If you have a Level 3 app, you need the Level 3 pipeline."
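To make the Level 2 and Level 3 controls concrete, here is a small policy-as-code gate. It is an added example written for this post, not code from OWASP or from the SPVS document: it runs a regex-based secret scan over the source (Level 2), checks that a build is reproducible by building twice and comparing digests (Level 3), and verifies a constructed in-toto/SLSA-style provenance statement against the artifact and an allowlist of trusted builders (Level 3). The policy keys, the builder URL, the patterns and the sample source lines are all assumptions made up for the example; signature verification of the provenance (which a real gate would do with a tool such as cosign) is deliberately left out so the script runs offline with only the standard library. Level 1 controls such as MFA and IAM are organisational settings and are not modelled here.

```python
import hashlib
import itertools
import json
import re

# Illustrative secret patterns only; a real scanner (gitleaks, trufflehog) ships hundreds.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Hypothetical policy-as-code document (assumption for this example; a real one
# might be Rego for OPA or a CI ruleset).
POLICY = {
    "trusted_builders": {"https://ci.example.invalid/builder/v1"},
    "secret_findings_allowed": 0,
}

# Constructed sample source: one clean file and one with a leaked key (the
# AKIAIOSFODNN7EXAMPLE value is the placeholder key from the AWS documentation).
CLEAN_SOURCE = ["import os", "KEY = os.environ['AWS_ACCESS_KEY_ID']"]
LEAKY_SOURCE = ["import os", "KEY = 'AKIAIOSFODNN7EXAMPLE'"]


def scan_for_secrets(lines):
    """Level 2 control: return (line_number, pattern_name) for every matching line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((n, name))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deterministic_build(source: bytes) -> bytes:
    """Stand-in build step whose output depends only on its input."""
    return b"ARTIFACT\n" + source


_build_counter = itertools.count()


def nondeterministic_build(source: bytes) -> bytes:
    """Stand-in for a build that embeds a build number or timestamp: never reproducible."""
    return b"ARTIFACT build=%d\n" % next(_build_counter) + source


def is_reproducible(builder, source: bytes) -> bool:
    """Level 3 control: two builds of the same source must produce the same digest."""
    return sha256_hex(builder(source)) == sha256_hex(builder(source))


def make_provenance(artifact: bytes, builder_id: str) -> str:
    """Constructed in-toto Statement with a subset of SLSA v1 provenance fields."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }
    return json.dumps(statement)


def check_provenance(artifact: bytes, provenance_json: str, policy=POLICY):
    """Level 3 control: the statement must cover this exact artifact and name a trusted builder."""
    violations = []
    statement = json.loads(provenance_json)
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if sha256_hex(artifact) not in digests:
        violations.append("provenance subject digest does not match artifact")
    builder_id = (statement.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id"))
    if builder_id not in policy["trusted_builders"]:
        violations.append(f"untrusted builder: {builder_id!r}")
    return violations


def gate(level: int, source_lines, builder, provenance_json=None, policy=POLICY):
    """Policy-as-code gate: return the violations for the requested SPVS level (empty = pass)."""
    violations = []
    source = "\n".join(source_lines).encode()
    if level >= 2:
        findings = scan_for_secrets(source_lines)
        if len(findings) > policy["secret_findings_allowed"]:
            violations.append(f"secret scan: {findings}")
    if level >= 3:
        if not is_reproducible(builder, source):
            violations.append("build is not reproducible")
        if provenance_json is None:
            violations.append("no provenance attached to release")
        else:
            violations += check_provenance(builder(source), provenance_json, policy)
    return violations


if __name__ == "__main__":
    src = "\n".join(CLEAN_SOURCE).encode()
    good = make_provenance(deterministic_build(src), "https://ci.example.invalid/builder/v1")
    print("level 3, clean:", gate(3, CLEAN_SOURCE, deterministic_build, good))
    print("level 2, leaked key:", gate(2, LEAKY_SOURCE, deterministic_build))
    print("level 3, timestamped build:", gate(3, CLEAN_SOURCE, nondeterministic_build, good))
```

Run it as a script to see one passing release and two failing ones. Note that the reproducibility check and the provenance check fail together for the timestamped build: a build that is not reproducible cannot be re-verified against its provenance later, which is why SPVS groups "reproducible builds and verified provenance" into the same Level 3 requirement.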

What’s Next?

This was just an introduction to SPVS. You need to understand the baseline of the standard before you can implement its controls. In the next post, I'll walk through all five stages of SPVS and show how to harden a real-life pipeline using its controls.

Links: