Code Monkey home page Code Monkey logo

devsecops-maturitymodel's Introduction

Introduction

From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.

The OWASP DevSecOps Maturity Model provides opportunities to harden DevOps strategies and shows how these can be prioritized.

With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities.

Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.

Usage

Go to https://dsomm.timo-pagel.de or clone this repository and run startDocker.bash.

  • matrix shows the dimensions, subdimensions and activities are described.
  • Implementation Levels can be used to measure the current implementation level by clicking on the specific activities which have been performed.
  • Ease and Value of Implementation is used for the maturity model development to see the ease and value of each activity to be able to compare it with activities within the subdimension and activities from other subdimensions.
  • Dependenies shows the dependencies between activities
  • Full Report prints all activities to be able to print it

In this video Timo Pagel describes different strategic approaches for your secure DevOps strategy. The use OWASP DSOMM in combination with OWASP SAMM is explained.

In case you have evidence or review questions to gather evidence, you can add the attribute "evidence" to an activity which will be attached to an activity to provide it to your CISO or your customer's CISO. You can switch on to show open TODO's for evidence by changing IS_SHOW_EVIDENCE_TODO to true 'bib.php' define(IS_SHOW_EVIDENCE_TODO, true);

Community

Join #dsomm in OWASP Slack. Create issues or even better Pull Requests in github.

Slides and talks

Assessment

In case you would like to perform a DevSecOps assessment, the following tools are available:

  • Usage of the applicaton in a container.
  • Development of an export to OWASP Maturity Models (recommended for assessments with a lot of teams)
  • Creation of your excel sheet (not recommended, you want to use DevOps, don't even try!)

Container

  1. Install Docker
  2. Run `docker run --rm -p 8080:80 wurstbrot/dsomm:latest
  3. Browse to http://localhost:8080 (on macOS and Windows browse to http://192.168.99.100:8080 if you are using docker-machine instead of the native docker installation)

In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. In case the application should be visible, but the "Implementation Level" shouldn't be changeable, consider the following code:

#!/bin/bash
set -xe

IMAGE_NAME="<YOUR ORGANIZATION>/dsomm:latest"

rm -Rf DevSecOps-MaturityModel || true
git clone [email protected]:wurstbrot/DevSecOps-MaturityModel.git
cp  data/* DevSecOps-MaturityModel/data
cp -a selectedData.csv DevSecOps-MaturityModel/selectedData.csv

cd DevSecOps-MaturityModel
docker build -t $IMAGE_NAME .
docker push $IMAGE_NAME

This approach also allows teams to perform self assessment with changes tracked in a repository.

Amazon EC2 Instance

  1. In the EC2 sidenav select Instances and click Launch Instance
  2. In Step 1: Choose an Amazon Machine Image (AMI) choose an Amazon Linux AMI or Amazon Linux 2 AMI
  3. In Step 3: Configure Instance Details unfold Advanced Details and copy the script below into User Data
  4. In Step 6: Configure Security Group add a Rule that opens port 80 for HTTP
  5. Launch your instance
  6. Browse to your instance's public DNS
#!/bin/bash
yum update -y
yum install -y docker
service docker start
docker run -d -p 80:80 wurstbrot/dsomm:latest

Credits

  • The dimension Test and Verifiacation is based on Christian Schneiders Security DevOps Maturity Model (SDOMM). Application tests and Infrastructure tests are added by Timo Pagel. Also, the sub-dimension Static depth has been evaluated by security experts at OWASP Stammtisch Hamburg.
  • The sub-dimension Process has been added after a discussion with Francois Raynaud that reactive activities are missing.
  • Enhancement of my basic translation is performed by Claud Camerino.
  • Adding ISO 27001:2017 mapping, Andre Baumeier.
  • Providing a documentation of how to use docker in the Juice Shop for simple copy&paste, Björn Kimminich.

Back link

Your help is needed to perform

  • Adding a manual on how to use DSOMM
  • Integration of Incident Response
  • DevSecOps Toolchain Categorization
  • App Sec Maturity Models Mapping
  • CAMS Categorization
  • Addinng of evidence

Sponsors

Timo Pagel IT-Consulting (Time, Logo, Icons)

Donations

You are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the OWASP Project Wiki Page. Donations might be used for the design of logos/images/design or travels.

License

This program is free software: you can redistribute it and/or modify it under the terms of the GPL 3 license.

The intellectual property (content in the data folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content:

This work is based on the OWASP DevSecOps Maturity Model.

The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2020.

devsecops-maturitymodel's People

Contributors

alwell-kevin avatar andrebaumeier avatar clazba avatar louwersj avatar wurstbrot avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.