# DevSecOps Lifecycle

![DevSecOps Lifecycle](/files/LYp3jMXbPlw4wKkVgO85)

## DevSecOps Lifecycle

> **Section focus:** DevSecOps Lifecycle.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page | Why open it first |
| --- | --- |
| [🛠️ Develop Phase — Practical DevSecOps Controls](/devsecops-cicd-and-supply-chain/index/develop.md) | Fast developer feedback and pre-commit hygiene: the controls that run before code reaches CI. |
| [🧪 Test Phase — Fast Gates, Deep Tests, and What Still Belongs Out of Band](/devsecops-cicd-and-supply-chain/index/test.md) | Places DAST, IAST, fuzzing, and pen testing into the right lane: fast gate, deep test, or out of band. |
| [🗺️ DevSecOps Toolchain — Practical Map, Legacy vs Current](/devsecops-cicd-and-supply-chain/index/devsecops-toolchain-practical-map-legacy-vs-current.md) | Decodes older courses, books, and vendor screenshots that name products since renamed, retired, or replaced. |
| [🧭 DevOpsSec Foundations — Shift Left, Small Batches, and Compliance as Code](/devsecops-cicd-and-supply-chain/index/devopssec-foundations-shift-left-and-compliance-as-code.md) | The principles behind the pipeline controls: shift left, small batches, and compliance as code. |
| [🧭 DevSecOps Stage Map and Modern Pipeline Patterns](/devsecops-cicd-and-supply-chain/index/devsecops-stage-map-and-modern-pipeline-patterns.md) | Best next step when you want stage-based theory translated into 2026-ready pipeline controls for GitHub Actions, GitLab, and release evidence. |
| [🗺️ DevSecOps Playbook Domains, Priority, Difficulty, and Adoption Roadmap](/devsecops-cicd-and-supply-chain/index/devsecops-playbook-domains-priority-difficulty-and-adoption-roadmap.md) | Turns the theory into an implementation backlog, with priority and difficulty per domain. |
| [🧭 DevSecOps Assessment Framework (DAF) and DSOMM — Practical Positioning](/metrics-audit-risk-evidence-and-compliance/index-3/devsecops-assessment-framework-daf-and-dsomm-practical-positioning.md) | Best next step when you need a maturity workshop or assessment overlay. |

### Related sections

* [Governance, Roles, Metrics, and OKR](/metrics-audit-risk-evidence-and-compliance/index.md)
* [Threat Modeling](/application-security-and-secure-sdlc/index.md)
* [Compliance and Assurance](/metrics-audit-risk-evidence-and-compliance/index-1.md)
* [Security Maturity Models](/metrics-audit-risk-evidence-and-compliance/index-3.md)

***

> **Intro:** This section connects the **prepare → develop → build → test → deploy → operate** model to practical Product Security work. It is intentionally tool-aware and workflow-aware: what belongs in fast developer feedback, what belongs in CI, what still belongs out of band, and how older DevSecOps patterns map to current 2026 practice.
>
> **What this page includes**
>
> * practical controls for the **develop** phase;
> * a modern **stage map** that translates older public DevSecOps guidance into current CI/CD, OIDC, artifact-trust, and evidence patterns;
> * realistic security testing lanes for the **test** phase;
> * a **legacy vs current toolchain map** so older books and trainings remain useful without freezing the knowledge base in 2018;
> * cross-links into API, CI/CD, cloud, container, and detection sections.
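
As an added example (not code from the original page or from any project it describes), the following GitHub Actions workflow shows what the "CI lane" of the build and test stages looks like when the OIDC, artifact-trust, and evidence patterns listed above are wired together: least-privilege job permissions, a fast secret-scan gate, an image built and referenced by digest, an SBOM and build provenance attached as attestations, and keyless signing with the job's OIDC identity rather than a long-lived key. The image name `ghcr.io/<owner>/<repo>/app` is a placeholder, and the action versions are shown as major tags for readability; in a real pipeline, pin each `uses:` to a full commit SHA.

```yaml
name: build-sign-attest
on:
  push:
    branches: [main]

# Least privilege at the workflow level; each job raises only what it needs.
permissions:
  contents: read

jobs:
  fast-gates:
    # Fast CI gate: cheap, deterministic checks that block before anything is built.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so every commit in the push is scanned
      - name: Secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build-sign-attest:
    needs: fast-gates
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write           # push the image to GHCR
      id-token: write           # mint the OIDC token cosign uses for keyless signing
      attestations: write       # store the build-provenance attestation
    env:
      IMAGE: ghcr.io/${{ github.repository }}/app   # placeholder image name (assumption)
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
        # The step exposes the pushed manifest digest as steps.build.outputs.digest;
        # every later step refers to the image by that digest, never by a mutable tag.

      - name: Generate SBOM for the pushed image
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json

      - uses: sigstore/cosign-installer@v3

      - name: Keyless sign (identity = this workflow's OIDC token, not a stored key)
        run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"

      - name: Attach the SBOM as a signed attestation
        run: >
          cosign attest --yes --type spdxjson
          --predicate sbom.spdx.json
          "${IMAGE}@${{ steps.build.outputs.digest }}"

      - name: Record build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
```

The evidence this produces only matters if something consumes it: the deploy stage (or a cluster admission policy) should verify the signature with `cosign verify`, constraining `--certificate-oidc-issuer` to `https://token.actions.githubusercontent.com` and `--certificate-identity-regexp` to this repository's workflow path, so that an image signed by a different workflow or a developer laptop is rejected. Deep DAST, fuzzing, and pen testing do not belong in this job; they run out of band against the digest this job published, which is the "what still belongs out of band" lane the Test Phase page covers.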

### How to use this section

1. start with **Develop Phase** if you need better fast feedback and pre-commit hygiene;
2. read **Test Phase** if you need to place DAST, IAST, fuzzing, and pen testing into the right lanes;
3. use **Toolchain Practical Map** when old courses, old books, or vendor screenshots mention products that have been renamed, retired, or replaced;
4. use **DevSecOps Stage Map and Modern Pipeline Patterns** when you need a clean stage-by-stage control model for GitHub Actions, GitLab, and modern release evidence;
5. use **DevSecOps Playbook Domains** when you need to turn theory into an implementation backlog;
6. use **DAF / DSOMM** when you need to assess where the pipeline and platform currently sit on a maturity curve.

### Best cross-links

* [API Design and Contract Security](/architecture-api-crypto-and-identity/index/api-design-and-contract-security.md)
* [CI/CD and Software Supply Chain Security](/devsecops-cicd-and-supply-chain/index-1.md)
* [Cloud Auditing by API and Configuration State](/cloud-kubernetes-and-infrastructure-security/index/cloud-auditing-by-api-and-configuration-state.md)
* [Falco Runtime Detection Practical Guide](/attack-paths-testing-detection-and-hardening/index/falco-runtime-detection-practical-guide.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

### Workflow visualization

* [🧰 Mature Product Security Workflows, Stage Gates, and Operating Loops](/metrics-audit-risk-evidence-and-compliance/index/mature-product-security-workflows-stage-gates-and-operating-loops.md)

