From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.
The OWASP DevSecOps Maturity Model provides opportunities to harden DevOps strategies and shows how these can be prioritized.
With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities.
Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.
Go to https://dsomm.owasp.org.
In this video Timo Pagel describes different strategic approaches for your secure DevOps strategy. The use OWASP DSOMM in combination with OWASP SAMM is explained.
In case you have evidence or review questions to gather evidence, you can add the attribute "evidence" to an activity which will be attached to an activity to provide it to your CISO or your customer's CISO.
You can switch on to show open TODO's for evidence by changing IS_SHOW_EVIDENCE_TODO to true 'bib.php' define(IS_SHOW_EVIDENCE_TODO, true);
This page uses the Browser's localStorage to store the state of the circular headmap.
Join #dsomm in OWASP Slack. Create issues or even better Pull Requests in github.
In case you would like to perform a DevSecOps assessment, the following tools are available:
container
.docker pull wurstbrot/dsomm:latest && docker run --rm -p 8080:8080 wurstbrot/dsomm:latest
For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team.
You can download your current state from the circular headmap and mount it again via
wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right)
docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest
.
This approach also allows teams to perform self assessment with changes tracked in a repository.
#!/bin/bash
service docker start
docker run -d -p 80:8080 wurstbrot/dsomm:latest
The definition of the activities are in the data-repository.
To customize these teams, you can create your own meta.yaml file with your unique team definitions.
Assessments within the framework can be based on either a team or a specific application, which can be referred to as the context. Depending on how you define the context or teams, you may want to group them together.
Here are a couple of examples to illustrate this, in breakers the DSOMM word:
Feel free to create your own meta.yaml file to tailor the framework to your specific needs and mount it in your environment (e.g. kubernetes or docker). Here is an example to start docker with customized meta.yaml:
# Customized meta.yaml
cp src/assets/YAML/meta.yaml .
docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -p 8080:8080 wurstbrot/dsomm
# Customized meta.yaml and generated.yaml
cp src/assets/YAML/meta.yaml .
cp $(pwd)/src/assets/YAML/generated/generated.yaml .
docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -v $(pwd)/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
In the corresponding dimension YAMLs, use:
[...]
teamsImplemented:
Default: false
C: true
evidence:
B: Showed Jenkinsfile
docker
in the Juice Shop for simple copy&paste, Björn Kimminich.Multilanguage support is not given currently and not planned.
If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the OWASP Project Wiki Page. Donations might be used for the design of logos/images/design or travels.
This program is free software: you can redistribute it and/or modify it under the terms of the GPL 3 license.
The intellectual property (content in the data folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content:
This work is based on the OWASP DevSecOps Maturity Model.
The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2022.