devsecopsmaturitymodel/DevSecOps-MaturityModelPublic

NotificationsYou must be signed in to change notification settings
Fork315
Star530

License

GPL-3.0 license

530 stars 315 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 1,221 Commits
.github		.github
src		src
.eslintrc.json		.eslintrc.json
.gitignore		.gitignore
.phptidy-config.php		.phptidy-config.php
.prettierignore		.prettierignore
.prettierrc.json		.prettierrc.json
.releaserc.json		.releaserc.json
CHANGELOG.md		CHANGELOG.md
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
Caddyfile		Caddyfile
Development.md		Development.md
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
angular.json		angular.json
karma.conf.js		karma.conf.js
package-lock.json		package-lock.json
package.json		package.json
tsconfig.app.json		tsconfig.app.json
tsconfig.json		tsconfig.json
tsconfig.spec.json		tsconfig.spec.json

Repository files navigation

Introduction

From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.

The OWASP DevSecOps Maturity Model provides opportunities to harden DevOps strategies and shows how these can be prioritized.

With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities.

Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.

Usage

Go tohttps://dsomm.owasp.org.

matrix shows the dimensions, subdimensions and activities are described.
Implementation Levels can be used to show the current implementation level by clicking on the specific activities which have been performed (it is recommended to use a gitops-like flow)
Mappings Shows mappings to other standards and provides the ability to download an excel sheet
Usage describes how to use DSOMM

In thisvideo Timo Pagel describes different strategic approaches for your secure DevOps strategy. The use OWASP DSOMM in combination withOWASP SAMM is explained.

In case you have evidence or review questions to gather evidence, you can add the attribute "evidence" to an activity which will be attached to an activity to provide it to your CISO or your customer's CISO.You can switch on to show open TODO's for evidence by changing IS_SHOW_EVIDENCE_TODO to true 'bib.php'define(IS_SHOW_EVIDENCE_TODO, true);

This page uses the Browser's localStorage to store the state of the circular headmap.

Changes

Changes to the application are displayed at the release page ofDevSecOps-MaturityModel.

Changes to the maturity model content are displayed at the release page ofDevSecOps-MaturityModel-data.

Community

Join #dsomm inOWASP Slack.Create issues or even better Pull Requests ingithub.

Slides and talks

Video: OWASP (DevSecOps) Projects, 2021-04-28, OWASP Stammtisch Frankfurt
Video: DSOMM Enhancement Workshop at Open Security Summit, 2021-04-16
Video: Strategic Usage of the OWASP Software Assurance Maturity Model and the OWASP DevSecOps Maturity Model, OWASP Jakarta
Slides: DSOMM Overview
Video: GitHub practical DSOMM snippet on twitch
Blog: GitHub on DSOMM 2020
Video: Benutzung vom OWASP DevSecOps Maturity Model (German)
Online: OWASP DevSecOps Maturity Model - Culture (German) 2020-08-25
Video: Usage of the OWASP DevSecOps Maturity Model,OWASP Ottawa Chapter, 2020-08-17
Continuous Application Security Testing for Enterprise, DevOps Meetup Hamburg, 2019-09-26
DevSecOps Maturity Model, Open Security Summit, near London, 2018
Security in DevOps-Strategies, 28.09.2017, Hamburg, Germany
DevSecOps Maturity Model, 2017

Assessment

In case you would like to perform a DevSecOps assessment, the following tools are available:

Usage of the applicaton in acontainer.
Development of an export toOWASP Maturity Models (recommended for assessments with a lot of teams)
Creation of your excel sheet (not recommended, you want to use DevOps, don't even try!)

Container

InstallDocker
Rundocker pull wurstbrot/dsomm:latest && docker run --rm -p 8080:8080 wurstbrot/dsomm:latest
Browse tohttp://localhost:8080 (on macOS and Windows browse tohttp://192.168.99.100:8080 if you are using docker-machine insteadof the native docker installation)

For customized DSOMM, take a look athttps://github.com/wurstbrot/DevSecOps-MaturityModel-custom.

You can download your current state from the circular heatmap and mount it again via

wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml# or go to /circular-heatmap and download edited yaml (bottom right)docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest

This approach also allows teams to perform self assessment with changes tracked in a repository.

Amazon EC2 Instance

In theEC2 sidenav selectInstances and clickLaunch Instance
InStep 1: Choose an Amazon Machine Image (AMI) choose anAmazonLinux AMI orAmazon Linux 2 AMI
InStep 3: Configure Instance Details unfoldAdvanced Details andcopy the script below intoUser Data
InStep 6: Configure Security Group add aRule that opens port 80for HTTP
Launch your instance
Browse to your instance's public DNS

#!/bin/bashservice docker startdocker run -d -p 80:8080 wurstbrot/dsomm:latest

Generating the`generated.yaml` File

Thegenerated.yaml file is dynamically created during the build process. If you don’t see this file after setup, follow these steps to generate it:

1. Clone the Required Repository:Thegenerated.yaml file is built via the DevSecOps-MaturityModel-data repository. Make sure you have cloned and set it up correctly.

2. Run the Build Command:Navigate to the project directory and run the following command:

Using npm:

npm run build

Using yarn:

yarn build

If the file is missing, ensure all dependencies are installed and that you have the correct access to theDevSecOps-MaturityModel-data repository.

Activity Definitions

The definition of the activities are in thedata-repository.

Teams and Groups

To customize these teams, you can create your ownmeta.yaml file with your unique team definitions.

Assessments within the framework can be based on either a team or a specific application, which can be referred to as the context. Depending on how you define the context or teams, you may want to group them together.

Here are a couple of examples to illustrate this, in breakers the DSOMM word:

Multiple applications (teams) can belong to a single overarching team (application).
Multiple teams (teams) can belong to a larger department (group).

Feel free to create your ownmeta.yaml file to tailor the framework to your specific needs and mount it in your environment (e.g. kubernetes or docker).Here is an example to start docker with customized meta.yaml:

# Customized meta.yamlcp src/assets/YAML/meta.yaml .docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -p 8080:8080 wurstbrot/dsomm# Customized meta.yaml and generated.yamlcp src/assets/YAML/meta.yaml .cp $(pwd)/src/assets/YAML/generated/generated.yaml .docker run -v  $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -v $(pwd)/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm

In the correspondingdimension YAMLs, use:

[...]      teamsImplemented:        Default: false        B: true        C: true      teamsEvidence:        B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11.         C: |          The pentest report from 2025 has been split into Jira tasks under          [TODO-123](https://jira.example.com/issues/TODO-123).                    _2025-04-01:_ All fixes of **critical** findings are deployed to production.

The| is yaml syntax to indicate that the evidence spans multiple lines. Markdownsyntax can be used. The evidence is currently visible on the activity from the Matrix page.

Back link

Your help is needed to perform

Adding a manual on how to use DSOMM
Integration of Incident Response
DevSecOps Toolchain Categorization
App Sec Maturity Models Mapping
CAMS Categorization
Adding assessment questions

Multilanguage support

Multilanguage support is not given currently and not planned.

Donations

If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at theOWASP Project Wiki Page. Donations might be used for the design of logos/images/design or travels.