90-Day DevSecOps Plan (Template)

Goals

  • Ship RCs with zero High/Critical.
  • Admission enforces safe defaults + verified images.
  • Evidence ZIPs and KPIs published monthly.

Timeline (edit owners/dates)

Weeks 1–2

  • Enable secrets block (verified); add pre-commit hook (Owner: Dev)
  • Curate Semgrep rules; block High/Critical (Owner: Sec)
  • Run IaC scan; decide fail set (Owner: Sec + Ops)
  • Publish Blocking Policy One-Pager (Owner: Sec)

Weeks 3–4

  • SCA gate: block Critical (+ High when a fixed version is available) (Owner: Sec)
  • Build golden base image; pin digests (Owner: Ops)
  • Add SBOM to RC; set license WARN (Owner: Sec)

Weeks 5–6

  • Apply Kyverno policies: deny bad practices + enforce safe defaults (Owner: Ops)
  • Add verifyImages rule keyed to cosign.pub (Owner: Ops)
  • Roll out default-deny NetworkPolicy with DNS egress allowed (Owner: Ops)
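Added example (not part of the original template): the three Weeks 5–6 items as concrete manifests, so the admission and network posture can be reviewed before rollout. It assumes a hypothetical registry prefix `registry.example.com/*`, an application namespace named `app`, and a placeholder public key where the team's real cosign.pub contents would go; `kube-dns` pod labels and the `kube-system` namespace label are the upstream Kubernetes defaults.

```yaml
# Kyverno ClusterPolicy covering "deny bad practices", "safe defaults", and
# "verifyImages". Enforce mode rejects non-compliant Pods at admission.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-admission
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    # Deny bad practice: privileged containers.
    - name: disallow-privileged
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            containers:
              - =(securityContext):
                  =(privileged): "false"
    # Safe default: every container must run as non-root.
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Containers must set runAsNonRoot: true."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
    # Verified images: only images from the assumed registry prefix that carry a
    # cosign signature matching the key below are admitted. Kyverno also rewrites
    # the tag to its digest by default (mutateDigest), which supports the
    # "pin digests" item from Weeks 3-4.
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # assumption: replace with your registry
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_PASTE_CONTENTS_OF_cosign.pub_HERE
                      -----END PUBLIC KEY-----
---
# Default-deny NetworkPolicy for the application namespace. An empty
# podSelector matches every Pod; listing both policy types with no ingress
# rules and a single egress rule means: no inbound, outbound only to DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-allow-dns
  namespace: app        # assumption: your application namespace
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with `kubectl apply -f` and then confirm the gate works in both directions: a Pod from an unsigned image or with `privileged: true` should be rejected with the policy's message, and a compliant signed image should admit with its tag replaced by a digest. Per-workload allow rules are layered on top of the default-deny policy as each service's real dependencies are mapped.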

Weeks 7–8

  • Turn license gate to ENFORCE (Owner: Sec)
  • Add RBAC least-privilege roles and capture `kubectl auth can-i` output as evidence (Owner: Ops)

Weeks 9–10

  • ZAP baseline in CI (Owner: Sec)
  • Evidence ZIPs archived; KPIs start weekly (Owner: Ops)

Weeks 11–12

  • Exception review & cleanup (Owner: Sec)
  • Retrospective; set Q2 backlog (Owner: Leads)

Sign-off: Security ___ · Ops ___ · Eng ___ · Date ___