From 7ffd5b883764dc13e53ac4ac1157b387145979b5 Mon Sep 17 00:00:00 2001 From: Timo Pagel Date: Sat, 18 Jan 2025 09:44:10 +0100 Subject: [PATCH 01/26] chore: fix heroku install --- .github/workflows/depoy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/depoy.yml b/.github/workflows/depoy.yml index e4f328dae..7f65e8945 100644 --- a/.github/workflows/depoy.yml +++ b/.github/workflows/depoy.yml @@ -19,6 +19,9 @@ jobs: echo "HEROKU_BRANCH=master" >> $GITHUB_ENV fi echo "HEROKU_BRANCH=master" >> $GITHUB_ENV + - name: Install Heroku CLI + run: | + curl https://cli-assets.heroku.com/install.sh | sh - name: "Deploy ${{ github.ref }} to Heroku" uses: akhileshns/heroku-deploy@v3.13.15 with: From 57c3ea533e512301c22cbb3a0d7fad61a3bc88ab Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 19 Jan 2025 13:00:28 +0100 Subject: [PATCH 02/26] Add warning before deleting browser progress --- src/app/app.module.ts | 15 +++- .../circular-heatmap.component.html | 2 +- .../circular-heatmap.component.ts | 37 +++++++- .../modal-message/modal-message.component.css | 14 +++ .../modal-message.component.html | 14 +++ .../modal-message.component.spec.ts | 24 +++++ .../modal-message/modal-message.component.ts | 87 +++++++++++++++++++ 7 files changed, 187 insertions(+), 6 deletions(-) create mode 100644 src/app/component/modal-message/modal-message.component.css create mode 100644 src/app/component/modal-message/modal-message.component.html create mode 100644 src/app/component/modal-message/modal-message.component.spec.ts create mode 100644 src/app/component/modal-message/modal-message.component.ts diff --git a/src/app/app.module.ts b/src/app/app.module.ts index c4911cc82..ecc93f8b4 100644 --- a/src/app/app.module.ts +++ b/src/app/app.module.ts 
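Review bot: The new `Install Heroku CLI` step runs `curl https://cli-assets.heroku.com/install.sh | sh`, which executes an unverified remote script with the job's privileges and, because `curl` has no `-f` and the shell has no `pipefail`, feeds an HTTP error body to `sh` and reports only `sh`'s exit status. Download to a file first, `curl -fsSL https://cli-assets.heroku.com/install.sh -o install.sh`, compare it against a pinned `sha256sum`, and only then `sh install.sh`. The deploy action on the following context line is referenced by the mutable tag `v3.13.15`; pinning it to a commit SHA would close the same class of supply-chain exposure for the step that presumably receives the Heroku API key. The `jobs` step list continues beyond the hunk.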
@@ -22,6 +22,12 @@ import { AboutUsComponent } from './component/about-us/about-us.component'; import { DependencyGraphComponent } from './component/dependency-graph/dependency-graph.component'; import { TeamsComponent } from './component/teams/teams.component'; import { ToStringValuePipe } from './pipe/to-string-value.pipe'; +import { ModalMessageComponent } from './component/modal-message/modal-message.component'; +import { + MatDialogModule, + MAT_DIALOG_DATA, + MatDialogRef, +} from '@angular/material/dialog'; @NgModule({ declarations: [ @@ -40,16 +46,23 @@ import { ToStringValuePipe } from './pipe/to-string-value.pipe'; TeamsComponent, ToStringValuePipe, UserdayComponent, + ModalMessageComponent, ], imports: [ BrowserModule, AppRoutingModule, BrowserAnimationsModule, MaterialModule, + MatDialogModule, ReactiveFormsModule, HttpClientModule, ], - providers: [ymlService], + providers: [ + ymlService, + ModalMessageComponent, + { provide: MAT_DIALOG_DATA, useValue: {} }, + { provide: MatDialogRef, useValue: { close: (dialogResult: any) => {} } }, + ], bootstrap: [AppComponent], }) export class AppModule {} diff --git a/src/app/component/circular-heatmap/circular-heatmap.component.html b/src/app/component/circular-heatmap/circular-heatmap.component.html index 6e6347d93..91d98572f 100644 --- a/src/app/component/circular-heatmap/circular-heatmap.component.html +++ b/src/app/component/circular-heatmap/circular-heatmap.component.html @@ -284,7 +284,7 @@
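Review bot: The `providers` array now registers `ModalMessageComponent` itself as an injectable and supplies app-wide stubs for `MAT_DIALOG_DATA` (`{}`) and `MatDialogRef` (`{ close: (dialogResult: any) => {} }`), so any component that forgets a dialog dependency gets a silent stub instead of a `NullInjectorError`, and the root `ModalMessageComponent` instance sees `data` as an empty object rather than a `DialogInfo`. The usual shape is to inject `MatDialog` (or a small `@Injectable()` wrapper service) where a dialog is opened and let `MatDialog.open` provide the real `MAT_DIALOG_DATA`/`MatDialogRef` to the instance it creates. If the stubs must stay, drop the `any` and say why they exist, e.g. `{ provide: MatDialogRef, useValue: { close: () => {} } }, // root-level stub; MatDialog.open supplies the real ref per dialog`.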

Nothing to show

class="normal-button" mat-raised-button class="resetButtonClass" - (click)="ResetIsImplemented()"> + (click)="deleteLocalTeamsProgress()"> Reset Implemented diff --git a/src/app/component/circular-heatmap/circular-heatmap.component.ts b/src/app/component/circular-heatmap/circular-heatmap.component.ts index 9a747b519..fa5e33da0 100644 --- a/src/app/component/circular-heatmap/circular-heatmap.component.ts +++ b/src/app/component/circular-heatmap/circular-heatmap.component.ts @@ -11,6 +11,10 @@ import * as yaml from 'js-yaml'; import { Router } from '@angular/router'; import { MatChip } from '@angular/material/chips'; import * as md from 'markdown-it'; +import { + ModalMessageComponent, + DialogInfo, +} from '../modal-message/modal-message.component'; export interface activitySchema { uuid: string; @@ -62,7 +66,7 @@ export class CircularHeatmapComponent implements OnInit { constructor( private yaml: ymlService, private router: Router, - private changeDetector: ChangeDetectorRef + public modal: ModalMessageComponent ) { this.showOverlay = false; } @@ -83,6 +87,14 @@ export class CircularHeatmapComponent implements OnInit { @ViewChildren(MatChip) chips!: QueryList; matChipsArray: MatChip[] = []; + displayMessage(dialogInfo: DialogInfo) { + // Remove focus from the button that becomes aria unavailable (avoids ugly console error message) + const buttonElement = document.activeElement as HTMLElement; + buttonElement.blur(); + + this.modal.openDialog(dialogInfo); + } + private LoadMaturityDataFromGeneratedYaml() { return new Promise((resolve, reject) => { console.log(`${this.perfNow()}s: LoadMaturityData Fetch`); 
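Review bot: The constructor now injects `ModalMessageComponent` (a component, made injectable only by the root-provider entry added to `app.module.ts` in this patch) as `public modal` in place of `ChangeDetectorRef`; injecting one component into another couples the heatmap to the dialog's constructor signature and makes `modal` part of the template-visible API, where a `private dialogs: MatDialog` (or a small dialog service) would do. If `this.changeDetector` is still referenced in the parts of the class outside this hunk, removing the parameter will not compile — worth confirming. The class continues outside the hunk.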
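Review bot: `displayMessage` casts `document.activeElement` to `HTMLElement`, but the property is typed `Element | null`, so when nothing is focused `buttonElement.blur()` throws before `openDialog` runs; use `(document.activeElement as HTMLElement | null)?.blur();` instead of the unconditional call. The method also returns nothing, so callers cannot subscribe to the dialog's `afterClosed()`; `return this.modal.openDialog(dialogInfo);` costs nothing and matches how `deleteLocalTeamsProgress` later in this file uses the ref. `LoadMaturityDataFromGeneratedYaml` continues outside the hunk.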
@@ -843,9 +855,26 @@ export class CircularHeatmapComponent implements OnInit { this.noActivitytoGrey(); } - ResetIsImplemented() { - localStorage.removeItem('dataset'); - this.loadDataset(); + deleteLocalTeamsProgress() { + // Remove focus from the button that becomes aria unavailable (avoids ugly console error message) + const buttonElement = document.activeElement as HTMLElement; + buttonElement.blur(); + + let title: string = 'Delete local browser data'; + let message: string = + 'Do you want to delete all progress for each team?' + + '\n\nThis deletes all progress stored in your local browser, but does ' + + 'not change any progress stored in the yaml file on the server.'; + let buttons: string[] = ['Cancel', 'Delete']; + this.modal + .openDialog({ title, message, buttons, template: '' }) + .afterClosed() + .subscribe(data => { + if (data === 'Delete') { + localStorage.removeItem('dataset'); + location.reload(); // Make sure all load routines are initialized + } + }); } saveDataset() { diff --git a/src/app/component/modal-message/modal-message.component.css b/src/app/component/modal-message/modal-message.component.css new file mode 100644 index 000000000..375caf548 --- /dev/null +++ b/src/app/component/modal-message/modal-message.component.css @@ -0,0 +1,14 @@ +.dialog { + margin: 0.5em; + padding: 1em; +} + +.dialog-buttons { + display: flex; + justify-content: flex-end; +} + +button { + min-width: 5rem; + margin: 0 1rem; +} \ No newline at end of file diff --git a/src/app/component/modal-message/modal-message.component.html b/src/app/component/modal-message/modal-message.component.html new file mode 100644 index 000000000..f1ff005f7 --- /dev/null +++ b/src/app/component/modal-message/modal-message.component.html @@ -0,0 +1,14 @@ +
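Review bot: `deleteLocalTeamsProgress` repeats the two focus-clearing lines from `displayMessage` with the same unchecked `as HTMLElement` cast of a value typed `Element | null`; move them into one `private blurActiveElement()` using `(document.activeElement as HTMLElement | null)?.blur();` and call it from both places. `title`, `message` and `buttons` are never reassigned and should be `const`. The confirm branch replaces the old `this.loadDataset()` with `location.reload()`; a full reload also drops any unsaved in-page state, so if `loadDataset()` re-runs the routines the comment worries about, prefer it, and otherwise record in the comment which routine forced the reload. The result is matched by button label (`data === 'Delete'`), so renaming the button text later silently turns the delete into a no-op — a named constant shared with the `buttons` array would tie the two together.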
+

{{ data.title }}

+

+
+
+ +
diff --git a/src/app/component/modal-message/modal-message.component.spec.ts b/src/app/component/modal-message/modal-message.component.spec.ts new file mode 100644 index 000000000..73c248e91 --- /dev/null +++ b/src/app/component/modal-message/modal-message.component.spec.ts @@ -0,0 +1,24 @@ +import { ComponentFixture, TestBed } from '@angular/core/testing'; + +import { ModalMessageComponent } from './modal-message.component'; + +describe('ModalMessageComponent', () => { + let component: ModalMessageComponent; + let fixture: ComponentFixture; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + declarations: [ModalMessageComponent], + }).compileComponents(); + }); + + beforeEach(() => { + fixture = TestBed.createComponent(ModalMessageComponent); + component = fixture.componentInstance; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); +}); diff --git a/src/app/component/modal-message/modal-message.component.ts b/src/app/component/modal-message/modal-message.component.ts new file mode 100644 index 000000000..2dbb00469 --- /dev/null +++ b/src/app/component/modal-message/modal-message.component.ts 
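Review bot: The `TestBed` configuration only declares `ModalMessageComponent`, while its constructor injects `MatDialog`, `MatDialogRef` and `MAT_DIALOG_DATA`, so `TestBed.createComponent` will fail with a `NullInjectorError` and the `should create` case cannot pass. Import `MatDialogModule` and provide a `DialogInfo` plus a `MatDialogRef` stub in the testing module (adding the corresponding `@angular/material/dialog` and `DialogInfo` imports at the top of the spec). With real data injected, the test can also check `component.data.title` instead of only `toBeTruthy()`.
```typescript
    await TestBed.configureTestingModule({
      declarations: [ModalMessageComponent],
      imports: [MatDialogModule],
      providers: [
        { provide: MAT_DIALOG_DATA, useValue: new DialogInfo('hello', 'title') },
        { provide: MatDialogRef, useValue: { close: () => {} } },
      ],
    }).compileComponents();
```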
@@ -0,0 +1,87 @@ +import { Inject, Component, OnInit } from '@angular/core'; +import { + MAT_DIALOG_DATA, + MatDialogRef, + MatDialog, + MatDialogConfig, +} from '@angular/material/dialog'; +import * as md from 'markdown-it'; + +@Component({ + selector: 'app-modal-message', + templateUrl: './modal-message.component.html', + styleUrls: ['./modal-message.component.css'], +}) +export class ModalMessageComponent implements OnInit { + data: DialogInfo; + markdown: md = md(); + + DSOMM_host: string = 'https://github.com/devsecopsmaturitymodel'; + DSOMM_url: string = `${this.DSOMM_host}/DevSecOps-MaturityModel-data`; + meassageTemplates: Record = { + generated_yaml: new DialogInfo( + `{message}\n\n` + + `Please download the activity template \`generated.yaml\` ` + + `from [DSOMM-data](${this.DSOMM_url}) on GitHub.\n\n` + + 'The DSOMM activities are maintained and distributed ' + + 'separately from the software.', + 'DSOMM startup problems' + ), + }; + + constructor( + public dialog: MatDialog, + public dialogRef: MatDialogRef, + @Inject(MAT_DIALOG_DATA) data: DialogInfo + ) { + this.data = data; + } + + // eslint-disable-next-line @angular-eslint/no-empty-lifecycle-method + ngOnInit(): void {} + + openDialog( + dialogInfo: DialogInfo | string + ): MatDialogRef { + if (typeof dialogInfo === 'string') { + dialogInfo = new DialogInfo(dialogInfo); + } + if ( + dialogInfo.template && + this.meassageTemplates.hasOwnProperty(dialogInfo.template) + ) { + let template: DialogInfo = this.meassageTemplates[dialogInfo.template]; + dialogInfo.title = dialogInfo.title || template?.title; + dialogInfo.message = template?.message?.replace( + '{message}', + dialogInfo.message + ); + } + + dialogInfo.message = this.markdown.render(dialogInfo.message); + + const dialogConfig = new MatDialogConfig(); + dialogConfig.id = 'modal-message'; + dialogConfig.disableClose = true; + dialogConfig.data = dialogInfo; + dialogConfig.autoFocus = false; + this.dialogRef = 
this.dialog.open(ModalMessageComponent, dialogConfig); + return this.dialogRef; + } + + closeDialog(buttonName: string) { + this.dialogRef?.close(buttonName); + } +} + +export class DialogInfo { + title: string = ''; + template: string | null = ''; + message: string = ''; + buttons: string[] = ['OK']; + + constructor(msg: string = '', title: string = '') { + this.message = msg; + this.title = title; + } +} From 39cb156b73d410e52844800d4b8361713ec39b05 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 19 Jan 2025 13:06:06 +0100 Subject: [PATCH 03/26] Renamed button text --- .../component/circular-heatmap/circular-heatmap.component.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app/component/circular-heatmap/circular-heatmap.component.html b/src/app/component/circular-heatmap/circular-heatmap.component.html index 91d98572f..43ba21b35 100644 --- a/src/app/component/circular-heatmap/circular-heatmap.component.html +++ b/src/app/component/circular-heatmap/circular-heatmap.component.html @@ -285,7 +285,7 @@
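Review bot: `template?.message?.replace('{message}', dialogInfo.message)` in `openDialog` passes the caller's text as a string replacement, so any `$` sequence in it (`$&`, `` $` ``, `$'`, `$$`) is expanded against the template rather than inserted literally — which matters because the `generated_yaml` template exists to wrap arbitrary error text; use a replacer function, `.replace('{message}', () => dialogInfo.message)`. `openDialog` also mutates its argument in place (`dialogInfo.title` and `dialogInfo.message` are overwritten, the latter with rendered HTML), so a caller that reuses a `DialogInfo` gets double-rendered output; build `dialogConfig.data` from a copy instead. Everything passed here is rendered by markdown-it and, presumably, bound as HTML in the template; markdown-it's default `html: false` escapes raw tags, so keep that default and note it on the field: `markdown: md = md(); // default html:false — messages may carry server error text, keep raw HTML disabled`. `let template` is never reassigned and should be `const`, and `meassageTemplates` is misspelled.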

Nothing to show

mat-raised-button class="resetButtonClass" (click)="deleteLocalTeamsProgress()"> - Reset Implemented + Delete team progress From 8ecd68e50358b773891cd1e9a138beef859ae0ae Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Thu, 23 Jan 2025 22:07:20 +0100 Subject: [PATCH 04/26] Include base install instruction --- Development.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Development.md b/Development.md index 0527c5aae..3e02cf243 100644 --- a/Development.md +++ b/Development.md @@ -2,6 +2,11 @@ ## Development server +The DSOMM is based on [NodeJS](https://nodejs.org/) and [Angular](https://angular.dev/). +- If you have not yet installed NodeJS or Angular command line tools, install them now. First NodeJS: https://nodejs.org/en/download, then Angualr: +``` +npm install -g @angular/cli +``` - Clone the repo ``` git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git From 32b28b694390356f773cf81fc0e327f8472cd2a2 Mon Sep 17 00:00:00 2001 From: vbakke Date: Sun, 26 Jan 2025 16:06:34 +0100 Subject: [PATCH 05/26] Update Development.md Better wording from @wurstbrot --- Development.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/Development.md b/Development.md index 3e02cf243..41ce4bf64 100644 --- a/Development.md +++ b/Development.md 
@@ -1,13 +1,12 @@ # DSOMM ## Development server - -The DSOMM is based on [NodeJS](https://nodejs.org/) and [Angular](https://angular.dev/). -- If you have not yet installed NodeJS or Angular command line tools, install them now. First NodeJS: https://nodejs.org/en/download, then Angualr: +The DSOMM is based [Angular](https://angular.dev/) and uses npm for package management. +- If you have not yet installed npm or the Angular command line tools, install them now. First [NodeJS](https://nodejs.org/en/download) (which provides npm), then Angular: ``` npm install -g @angular/cli ``` -- Clone the repo +- Clone the DSOMM repo ``` git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git ``` @@ -19,7 +18,7 @@ cd DevSecOps-MaturityModel ``` npm install ``` -- Downloads the generated.yaml and put it in the required folder +- **NB!** The DSOMM activities are maintained separately. Download the `generated.yaml` and put it in the required folder ``` curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml -o src/assets/YAML/generated/generated.yaml ``` From 78a13731ba50d247a7c6cbe8c3772a4bfa462a6d Mon Sep 17 00:00:00 2001 From: Timo Pagel Date: Sun, 26 Jan 2025 18:20:32 +0100 Subject: [PATCH 06/26] chore: fix deploy --- .github/workflows/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 229f5ac5a..349887f40 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -73,11 +73,14 @@ jobs: echo "HEROKU_BRANCH=master" >> $GITHUB_ENV fi echo "HEROKU_BRANCH=master" >> $GITHUB_ENV + - name: Install Heroku CLI + run: | + curl https://cli-assets.heroku.com/install.sh | sh - name: "Deploy ${{ github.ref }} to Heroku" - uses: akhileshns/heroku-deploy@9fd0f9faae4aa93a38d6f5e25b9128589f1371b0 #v3.12.14 + uses: akhileshns/heroku-deploy@v3.13.15 with: heroku_api_key: ${{ secrets.HEROKU_API_KEY }} heroku_app_name: "dsomm" heroku_email: timo.pagel@owasp.org branch: ${{ env.HEROKU_BRANCH }} - usedocker: true \ No newline at end of file + usedocker: true From a9d0ac55cbeeef56b74c6042b4e8f0c3f49be8cf Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 26 Jan 2025 17:26:28 +0100 Subject: [PATCH 07/26] Copy root README.md to assets' markdown files --- src/assets/Markdown Files/README.md | 92 ++++++++++++++++------------- 1 file changed, 51 insertions(+), 41 deletions(-) diff --git a/src/assets/Markdown Files/README.md b/src/assets/Markdown Files/README.md index 678e5c2ef..d474e6ea8 100644 --- a/src/assets/Markdown Files/README.md +++ b/src/assets/Markdown Files/README.md 
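Review bot: The `uses:` line for the deploy step regresses from a commit-SHA pin (`9fd0f9fa…` with a `#v3.12.14` comment) to the mutable tag `akhileshns/heroku-deploy@v3.13.15`, so the step that receives `secrets.HEROKU_API_KEY` now runs whatever that tag resolves to at run time; keep the SHA form and note the version in a comment, `uses: akhileshns/heroku-deploy@<commit-sha> # v3.13.15`. The new `Install Heroku CLI` step pipes `curl https://cli-assets.heroku.com/install.sh` straight into `sh` with neither `-f`/`pipefail` nor a checksum, so a failed download or tampered response is executed and only `sh`'s exit status is reported; fetch to a file with `curl -fsSL … -o install.sh`, verify a pinned hash, then run it. The `jobs` block continues outside the hunk.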
@@ -10,24 +10,26 @@ Attackers are intelligent and creative, equipped with new technologies and purpo # Usage -Go to https://dsomm.timo-pagel.de or clone [this repository](https://github.com/wurstbrot/DevSecOps-MaturityModel/) and run `startDocker.bash`. +Go to https://dsomm.owasp.org. * _matrix_ shows the dimensions, subdimensions and activities are described. -* _Implementation Levels_ can be used to measure the current implementation level by clicking on the specific activities which have been performed. -* _Ease and Value of Implementation_ is used for the maturity model development to see the ease and value of each activity to be able to compare it with activities within the subdimension and activities from other subdimensions. -* _Dependenies_ shows the dependencies between activities -* _Useage_ describes the dimensions -* _Full Report_ prints all activities to be able to print it +* _Implementation Levels_ can be used to show the current implementation level by clicking on the specific activities which have been performed (it is recommended to use a gitops-like flow) +* _Mappings_ Shows mappings to other standards and provides the ability to download an excel sheet +* _Usage_ describes how to use DSOMM In this [video](https://www.youtube.com/watch?v=tX9RHZ_O5NU) Timo Pagel describes different strategic approaches for your secure DevOps strategy. The use OWASP DSOMM in combination with [OWASP SAMM](https//owaspsamm.org) is explained. In case you have evidence or review questions to gather evidence, you can add the attribute "evidence" to an activity which will be attached to an activity to provide it to your CISO or your customer's CISO. You can switch on to show open TODO's for evidence by changing IS_SHOW_EVIDENCE_TODO to true 'bib.php' `define(IS_SHOW_EVIDENCE_TODO, true);` -# Community +This page uses the Browser's localStorage to store the state of the circular headmap. 
+ +# Changes +Changes to the application are displayed at the release page of [DevSecOps-MaturityModel](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/releases). -Code Freeze: Currently, with the Google Summer student Aryan Prasad we develop a new Angular frontend version, therefore, we do not accept any code changes right now. +Changes to the maturity model content are displayed at the release page of [DevSecOps-MaturityModel-data](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/releases). +# Community Join #dsomm in [OWASP Slack](https://owasp.slack.com/join/shared_invite/zt-g398htpy-AZ40HOM1WUOZguJKbblqkw#/). Create issues or even better Pull Requests in [github](https://github.com/wurstbrot/DevSecOps-MaturityModel/). 
@@ -57,31 +59,22 @@ In case you would like to perform a DevSecOps assessment, the following tools ar ## Container 1. Install [Docker](https://www.docker.com) -2. Run `docker run --rm -p 8080:8080 wurstbrot/dsomm:latest` +2. Run `docker pull wurstbrot/dsomm:latest && docker run --rm -p 8080:8080 wurstbrot/dsomm:latest` 3. Browse to (on macOS and Windows browse to if you are using docker-machine instead of the native docker installation) -In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. -In case the application should be visible, but the "Implementation Level" shouldn't be changeable, consider the following code: +For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. -```bash -#!/bin/bash -set -xe +You can download your current state from the circular headmap and mount it again via -IMAGE_NAME="/dsomm:latest" - -rm -Rf DevSecOps-MaturityModel || true -git clone git@github.com:wurstbrot/DevSecOps-MaturityModel.git -cp data/* DevSecOps-MaturityModel/data -cp -a selectedData.csv DevSecOps-MaturityModel/selectedData.csv - -cd DevSecOps-MaturityModel -docker build -t $IMAGE_NAME . -docker push $IMAGE_NAME +```bash +wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right) +docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest ``` -This approach also allows teams to perform self assessment with changes tracked in a repository. +. +This approach also allows teams to perform self assessment with changes tracked in a repository. ## Amazon EC2 Instance 
@@ -97,29 +90,44 @@ This approach also allows teams to perform self assessment with changes tracked ```bash #!/bin/bash -yum update -y -yum install -y docker service docker start -docker run -d -p 80:80 wurstbrot/dsomm:latest +docker run -d -p 80:8080 wurstbrot/dsomm:latest ``` -## Tests +## Activity Definitions +The definition of the activities are in the [data-repository](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data). -To run basic tests just +## Teams and Groups +To customize these teams, you can create your own [meta.yaml](src/assets/meta.yaml) file with your unique team definitions. -```bash -docker-compose -f docker-compose.dev.yaml up test-php -``` +Assessments within the framework can be based on either a team or a specific application, which can be referred to as the context. Depending on how you define the context or teams, you may want to group them together. -# Credits +Here are a couple of examples to illustrate this, in breakers the DSOMM word: +- Multiple applications (teams) can belong to a single overarching team (application). +- Multiple teams (teams) can belong to a larger department (group). -* The dimension _Test and Verification_ is based on Christian Schneiders [Security DevOps Maturity Model (SDOMM)](https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html). _Application tests_ and _Infrastructure tests_ are added by Timo Pagel. Also, the sub-dimension _Static depth_ has been evaluated by security experts at [OWASP Stammtisch Hamburg](https://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative/Hamburg). -* The sub-dimension Process has been added after a discussion with [Francois Raynaud](https://www.linkedin.com/in/francoisraynaud/) that reactive activities are missing. -* Enhancement of my basic translation is performed by [Claud Camerino](https://github.com/clazba). -* Adding ISO 27001:2017 mapping, [Andre Baumeier](https://github.com/AndreBaumeier). 
-* Providing a documentation of how to use `docker` in the Juice Shop for simple copy&paste, [Björn Kimminich](https://github.com/bkimminich/). -* [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md) for providing documentation on different DevSecOps practices which are copied&pasted/ (and adopted) (https://github.com/northdpole, https://github.com/ThunderSon) -* The requirements from [level 0](https://github.com/AppSecure-nrw/security-belts/blob/master/white/) are based on/copied from [AppSecure NRW](https://appsecure.nrw/) +Feel free to create your own [meta.yaml](src/assets/meta.yaml) file to tailor the framework to your specific needs and mount it in your environment (e.g. kubernetes or docker). +Here is an example to start docker with customized meta.yaml: +``` +# Customized meta.yaml +cp src/assets/YAML/meta.yaml . +docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -p 8080:8080 wurstbrot/dsomm + +# Customized meta.yaml and generated.yaml +cp src/assets/YAML/meta.yaml . +cp $(pwd)/src/assets/YAML/generated/generated.yaml . +docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -v $(pwd)/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm +``` + +In the corresponding [dimension YAMLs](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/tree/main/src/assets/YAML/default), use: +``` +[...] + teamsImplemented: + Default: false + C: true + evidence: + B: Showed Jenkinsfile +``` # Back link 
@@ -145,6 +153,8 @@ Multilanguage support is not given currently and not planned. [![Apprio Inc](https://github.com/wurstbrot/DevSecOps-MaturityModel/raw/master-old/assets/images/Apiiro_black_logo.png)](https://apiiro.com/) +[![Heroku (hosting)](https://github.com/wurstbrot/DevSecOps-MaturityModel/raw/master/src/assets/images/sponsors/heroku.png)](https://www.heroku.com/open-source-credit-program) + # Donations If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the [OWASP Project Wiki Page](https://owasp.org/donate/?reponame=www-project-devsecops-maturity-model&title=OWASP+Devsecops+Maturity+Model). Donations might be used for the design of logos/images/design or travels. From 83f2416c354e79cacf88164a7ed624216ad9fb94 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 26 Jan 2025 20:31:14 +0100 Subject: [PATCH 08/26] Renamed USAGE.md to maturity-level-0.md --- src/assets/Markdown Files/{USAGE.md => maturity-level-0.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/assets/Markdown Files/{USAGE.md => maturity-level-0.md} (100%) diff --git a/src/assets/Markdown Files/USAGE.md b/src/assets/Markdown Files/maturity-level-0.md similarity index 100% rename from src/assets/Markdown Files/USAGE.md rename to src/assets/Markdown Files/maturity-level-0.md From 64be7f517d78ca403aa7cc73a2be40d6d22c0de1 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 26 Jan 2025 20:33:32 +0100 Subject: [PATCH 09/26] Adjust maturity-level-0.md --- src/assets/Markdown Files/maturity-level-0.md | 344 +++--------------- 1 file changed, 50 insertions(+), 294 deletions(-) diff --git a/src/assets/Markdown Files/maturity-level-0.md b/src/assets/Markdown Files/maturity-level-0.md index ff850f9df..f23519aab 100644 --- a/src/assets/Markdown Files/maturity-level-0.md +++ b/src/assets/Markdown Files/maturity-level-0.md 
@@ -1,24 +1,25 @@ ---- -This article explains the usage of DSOMM, the dimensions and - corresponding sub-dimensions. - # Pre-Requirements -Before you start, there is kind of maturity level 0. +Before you start using DSOMM in your organization, there are a few activities that might help you to implement a better security regime. -The pre-requirements are highly based (mostly copied) on - [AppSecure NRW](https://github.com/AppSecure-nrw/security-belts/tree/master/white). -## Risk management +These pre-requirements are highly based on (mostly copied) + from AppSecure NRW's first level of [security-belts](https://github.com/AppSecure-nrw/security-belts/tree/master/white). -[NIST defines `risk`](https://csrc.nist.gov/glossary/term/risk) as +## Risk management +Understand what the term _risk_ means in this context. +
Definition of risk +NIST defines risk as: -> a measure of the extent to which an entity is threatened by a potential -circumstance or event, and typically is a function of: +> a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: > 1. the adverse impact, or magnitude of harm, that would arise > if the circumstance or event occurs; and > 2. the likelihood of occurrence. +_Source: https://csrc.nist.gov/glossary/term/risk_ +
+ +
Definition of risk in a information security context In information security, risks arise from the loss of: - confidentiality, @@ -40,17 +41,44 @@ A risk then tied to a **threat**, its **probability** and its **impacts**. If you are interested in Risk Management frameworks and strategies, you can start from [FISMA](https://csrc.nist.gov/Projects/risk-management/). +
+ +
Definition of risk appetite +Risk appetite is defined as: + +> The types and amount of risk, on a broad level, [an organization] is willing to accept in its pursuit of value + +_Source: https://csrc.nist.gov/glossary/term/risk_appetite_ + +Organizations have different risk appetite. It is important to understand what risks your organization is willing to accept, and which are not acceptable. Understanding this will + - help you translate application security risks for your management + - help you focus on risks that matters the most for your organization +
+ +
Definition of risk tolerance +Risk tolerance is highly connected to risk appetite. NIST's definition is almost identical to its own definition for risk appetit. + +[ISACA](https://en.wikipedia.org/wiki/ISACA), however, defines risk tolerance as: + +> the acceptable deviation from the level set by the risk appetite and business objectives. + +Explaining that: + +> Risk appetite and risk tolerance can be viewed as the “two sides of the same coin” as they relate to organizational performance over time. Risk appetite is about “taking risk” and risk tolerance is about “controlling risk.” For risk appetite to be adopted successfully in decision making, it must be integrated with control environment of the organization through risk tolerance -## Onboard Product Owner and other Managers +_Source: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2022/risk-appetite-vs-risk-tolerance-what-is-the-difference_ +
+ +## Onboard Product Owner and other managers To adopt a DSOMM in a product or a project, it is important to identify the person or the team which is responsible to ensure that risk-related considerations reflects the organizational -risk tolerance +risk appetite and tolerance (see [Risk Executive](https://csrc.nist.gov/glossary/term/risk_executive) for a more complete view). -Depending on the project, this "Risk Manager" - which in layman terms +Depending on the project, this "Risk Manager" - which in layman's terms is responsible for judging "risks vs. costs" of the product - can be the `Project Manager`, the `Product Owner` or else: it is important that he has the proper risk management @@ -63,18 +91,20 @@ to minimize risk and build better products. The first steps for deploying DSOMM are then the following: 1. identify the persons in charge for risk decisions -1. make them aware of information security risks, showing the impacts of - threats and their probability. -1. convince them that security requires continuous efforts +1. ask them about their _risk appetite_ +1. make them aware of information security risks + - show the impacts of threats and their probability +1. convince them that security requires _continuous_ efforts ### Benefits - The "Risk Manager" is aware that all software have security vulnerabilities, - and that the related risks should be minimized. + and that the related risks should be minimized +- Knowing the risk appetite XXXXXX - Resources must be allocated to improve security and - to avoid, detect and fix vulnerabilities. + to avoid, detect and fix vulnerabilities - Management can perform well informed risk decisions -- The "Risk Manager" has transparent knowledge on how secure the product is. +- The "Risk Manager" has transparent knowledge on how secure the product is ## Get to Know Security Policies 
@@ -141,277 +171,3 @@ from the Security Champion Guild to get you started. - Starting to implement security belt activities with guidance is easier. - The team is improving its software security while avoiding previously made mistakes. - -# Dimensions - -This section describes the various dimensions -and the corresponding sub dimension. - -The descriptions are highly based (mostly copied) -on the [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md). - -## Implementation - -This dimension covers topic of "traditional" -hardening of software and infrastructure components. - -There is an abundance of libraries and frameworks implementing -secure defaults. -For frontend development, [ReactJS](https://reactjs.org/) seems to be -the latest favourite in the Javascript world. - -On the database side, there are [ORM](https://sequelize.org/) libraries -and [Query Builders](https://github.com/kayak/pypika) for most languages. - -If you write in Java, -the [ESAPI project](https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/index.html) -offers several methods to securely implement features, -ranging from Cryptography to input escaping and output encoding. - -**Example low maturity scenario:** - -The API was queryable by anyone and GraphQL introspection was enabled since -all components were left in debug configuration. - -Sensitive API paths were not whitelisted. -The team found that the application was attacked when the server showed very -high CPU load. -The response was to bring the system down, very little information about -the attack was found apart from the fact that someone -was mining cryptocurrencies on the server. 
-
-**Example Low Maturity Scenario:**
-
-The team attempted to build the requested features using vanilla NodeJS,
-connectivity to backend systems is validated by firing an internal request
-to `/healthcheck?remoteHost=` which attempts to run a ping
-command against the IP specified.
-All secrets are hard coded.
-The team uses off the shelf GraphQL libraries but versions
-are not checked using [NPM Audit](https://docs.npmjs.com/cli/audit).
-Development is performed by pushing to master which triggers a webhook that
-uses FTP to copy latest master to the development server which will become production once development is finished.
-
-**Example High Maturity Scenario:**
-
-Team members have access to comprehensive documentation
-and a library of code snippets they can use to accelerate development.
-
-Linters are bundled with pre-commit hooks
-and no code reaches master without peer review.
-
-Pre-merge tests are executed before merging code into master.
-Tests run a comprehensive suite of tests covering unit tests,
-service acceptance tests,
-unit tests as well as regression tests.
-
-Once a day a pipeline of specially configured
-static code analysis tools runs against
-the features merged that day, the results are
-triaged by a trained security team and fed to engineering.
-
-There is a cronjob executing Dynamic Analysis tools against Staging
-with a similar process.
-
-Pentests are conducted against features released on every release
-and also periodically against the whole software stack.
-
-# Culture and Organization
-
-This section covers topics related to culture and organization like
-processes, education and the design phase.
-
-Once requirements are gathered and analysis is performed,
-implementation specifics need to be defined.
-The outcome of this stage is usually a diagram outlining data flows
-and a general system architecture.
-This presents an opportunity for both threat modeling
-and attaching security considerations
-to every ticket and epic that is the outcome of this stage.
-
-### Design
-
-There is some great advice on threat modeling out there
-*e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/)
-article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
-
-A bite sized primer by Adam Shostack himself can be found
-[here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/).
-
-OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling)
-on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html).
-Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
-
-There's a few projects that can help with creating Threat Models
-at this stage, [PyTM](https://github.com/izar/pytm) is one,
-[ThreatSpec](https://github.com/threatspec/threatspec) is another.
-
-> Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations.
-An example can be found below._
-
-![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model")
-
-Last, if the organisation maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function.
-
-![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF")
-
-This practice has the side effect that it trains non-security specialists to think like attackers.
-
-The outcomes of this stage should help lay the foundation of secure design and considerations.
-
-**Example Low Maturity Scenario:**
-
-Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
-
-Remote data store access secrets are hardcoded in the configuration files.
-All communication between backend systems is plaintext.
-
-Frontend serves data over GraphQL as a thin layer between caching system and end user.
-
-GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries.
-Access to data is protected with basic auth set to _1234:1234_ for development purposes.
-
-**Example High Maturity Scenario:**
-
-Based on a detailed threat model defined and updated through code, the team decides the following:
-
-* Local encrypted caches need to expire and auto-purged.
-* Communication channels encrypted and authenticated.
-* All secrets persisted in shared secrets store.
-* Frontend designed with permissions model integration.
-* Permissions matrix defined.
-* Input is escaped output is encoded appropriately using well established libraries.
-
-### Education and Guidence
-
-Metrics won't necessarily improve without training engineering teams and somehow building a security-minded culture.
-Security training is a long and complicated discussion.
-There is a variety of approaches out there, on the testing-only end of the spectrum there is fully black box virtual machines such as [DVWA](http://www.dvwa.co.uk/), [Metasploitable series](https://metasploit.help.rapid7.com/docs/metasploitable-2) and the [VulnHub](https://www.vulnhub.com/) project.
-
-The code & remediation end of the spectrum isn't as well-developed,
-mainly due to the complexity involved in building and distributing such material.
-However, there are some respectable solutions, [Remediate The Flag](https://www.remediatetheflag.com/)
-can be used to setup a code based challenge.
-
-![Remediate the Flag](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/rtf.png "Remediate the Flag")
-
-However, if questionnaires are the preferred medium, or if the organisation
- is looking for self-service testing, [Secure Coding Dojo](https://github.com/trendmicro/SecureCodingDojo) is an interesting solution.
-
-More on the self-service side, the Security Knowledge Framework has released
-several [Labs](https://owasp-skf.gitbook.io/asvs-write-ups/) that each
-showcase one vulnerability and provides information on how to exploit it.
-
-However, to our knowledge, the most flexible project out there is probably
-the [Juice Shop](https://github.com/bkimminich/juice-shop), deployed
-on Heroku with one click, it offers both CTF functionality and a self-service
- standalone application that comes with solution detection
- and a comprehensive progress-board.
-
-![Juice Shop](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/juiceshop.png "Juice Shop")
-
-### Process
-
-**Example High Maturity Scenario:**
-
-Business continuity and Security teams run incident management drills
- periodically to refresh incident playbook knowledge.
-
-# Test and Verification
-
-At any maturity level, linters can be introduced to ensure that consistent
- code is being added.
-For most linters, there are IDE integrations providing software engineers
- with the ability to validate code correctness during development time.
-Several linters also include security specific rules.
-This allows for basic security checks before the code is even committed.
-For example, if you write in Typescript, you can use
-[tslint](https://github.com/palantir/tslint) along
-with [tslint-config-security](https://www.npmjs.com/package/tslint-config-security)
-to easily and quickly perform basic checks.
-
-However, linters cannot detect vulnerabilities in third party libraries,
-and as software supply chain attacks spread, this consideration becomes more important.
-To track third party library usage and audit their security you can use [Dependency Check/Track](https://dependencytrack.org/).
-
-![SKF Code](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_code.png "SKF Code")
-
-This stage can be used to validate software correctness and it's results as a
- metric for the security related decisions of the previous stages.
-At this stage both automated and manual testing can be performed.
-SAMM again offers 3 maturity levels across Architecture Reviews, Requirements testing, and Security Testing.
-Instructions can be found [here](https://owaspsamm.org/model/verification/) and a screenshot is listed below.
-
-![SAMM Testing](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_testing.png "SAMM Testing")
-
-Testing can be performed several ways and it highly depends on the nature
-of the software, the organisation's cadence, and the regulatory requirements among other things.
-
-If available, automation is a good idea as it allows detection of easy to find vulnerabilities without much human interaction.
-
-If the application communicates using a web-based protocol, the [ZAP](https://github.com/zaproxy/zaproxy) project can be used to automate a great number of web related attacks and detection.
-ZAP can be orchestrated using its REST API and it can even automate multi-stage attacks by leveraging its Zest scripting support.
-
-Vulnerabilities from ZAP and a wide variety of other tools can be imported and managed using a dedicated defect management platform such as [Defect Dojo](https://github.com/DefectDojo/django-DefectDojo)(screenshot below).
-
-![Defect Dojo](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/defectdojo.png "Defect Dojo")
-
-For manual testing the [Web](https://github.com/OWASP/wstg) and [Mobile](https://github.com/OWASP/owasp-mstg) Security Testing Guides can be used to achieve a base level of quality for human driven testing.
-
-**Example Low Maturity Scenario:**
-
-The business deployed the system to production without testing.
-Soon after, the client's routine pentests uncovered deep flaws with access to backend data and services.
-The remediation effort was significant.
-
-**Example High Maturity Scenario:**
-
-The application features received Dynamic Automated testing when each reached staging, a trained QA team validated business requirements that involved security checks.
-A security team performed an adequate pentest and gave a sign-off.
-
-# Build and Deployment
-
-Secure configuration standards can be enforced during the deployment using the [Open Policy Agent](https://www.openpolicyagent.org/).
-
-![SAMM Release](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_release.png "SAMM Release")
-
-**Example Low Maturity scenario:**
-
-_please create a PR_
-
-**Example High Maturity scenario:**
-
-The CI/CD system, when migrating successful QA environments to production, applies appropriate configuration to all components.
-Configuration is tested periodically for drift.
-
-Secrets live in-memory only and are persisted in a dedicated Secrets Storage solution such as Hashicorp Vault.
-
-## Information Gathering
-
-Concerning metrics, the community has been quite vocal on what to measure
-and how important it is.
-The OWASP CISO guide offers 3 broad categories of SDLC metrics[1] which can
- be used to measure effectiveness of security practices.
-Moreover, there is a number of presentations on what could be leveraged
-to improve a security programme, starting from Marcus' Ranum's [keynote](https://www.youtube.com/watch?v=yW7kSVwucSk)
-at Appsec California[1],
-Caroline Wong's similar [presentation](https://www.youtube.com/watch?v=dY8IuQ8rUd4)
-and [this presentation](https://www.youtube.com/watch?v=-XI2DL2Uulo) by J. Rose and R. Sulatycki.
-These among several writeups by private companies all offering their own version of what could be measured.
-
-Projects such as the [ELK stack](https://www.elastic.co/elastic-stack), [Grafana](https://grafana.com/)
-and [Prometheus](https://prometheus.io/docs/introduction/overview/) can be used to aggregate
- logging and provide observability.
-
-However, no matter the WAFs, Logging, and secure configuration enforced
-at this stage, incidents will occur eventually.
-Incident management is a complicated and high stress process.
-To prepare organisations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately.
-
-**Example High Maturity scenario:**
-
-Logging from all components gets aggregated in dashboards and alerts
-are raised based on several Thresholds and events.
-There are canary values and events fired against monitoring
-from time to time to validate it works.
-
From 0ab672ed61372efbcfb3ce1094133e1c4e09705d Mon Sep 17 00:00:00 2001
From: Vegard Bakke
Date: Sun, 26 Jan 2025 20:35:15 +0100
Subject: [PATCH 10/26] Add dimensions.md
---
 src/assets/Markdown Files/dimensions.md | 272 ++++++++++++++++++++++++
 1 file changed, 272 insertions(+)
 create mode 100644 src/assets/Markdown Files/dimensions.md
diff --git a/src/assets/Markdown Files/dimensions.md b/src/assets/Markdown Files/dimensions.md
new file mode 100644
index 000000000..cbc16dd2f
--- /dev/null
+++ b/src/assets/Markdown Files/dimensions.md
@@ -0,0 +1,272 @@
+# Dimensions
+
+This section describes the various dimensions
+and the corresponding sub dimension.
+
+The descriptions are highly based (mostly copied)
+on the [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md).
+
+## Implementation
+
+This dimension covers topic of "traditional"
+hardening of software and infrastructure components.
+
+There is an abundance of libraries and frameworks implementing
+secure defaults.
+For frontend development, [ReactJS](https://reactjs.org/) seems to be
+the latest favourite in the Javascript world.
+
+On the database side, there are [ORM](https://sequelize.org/) libraries
+and [Query Builders](https://github.com/kayak/pypika) for most languages.
+
+If you write in Java,
+the [ESAPI project](https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/index.html)
+offers several methods to securely implement features,
+ranging from Cryptography to input escaping and output encoding.
+
+**Example low maturity scenario:**
+
+The API was queryable by anyone and GraphQL introspection was enabled since
+all components were left in debug configuration.
+
+Sensitive API paths were not whitelisted.
+The team found that the application was attacked when the server showed very
+high CPU load.
+The response was to bring the system down, very little information about
+the attack was found apart from the fact that someone
+was mining cryptocurrencies on the server.
+
+**Example Low Maturity Scenario:**
+
+The team attempted to build the requested features using vanilla NodeJS,
+connectivity to backend systems is validated by firing an internal request
+to `/healthcheck?remoteHost=` which attempts to run a ping
+command against the IP specified.
+All secrets are hard coded.
+The team uses off the shelf GraphQL libraries but versions
+are not checked using [NPM Audit](https://docs.npmjs.com/cli/audit).
+Development is performed by pushing to master which triggers a webhook that
+uses FTP to copy latest master to the development server which will become production once development is finished.
+
+**Example High Maturity Scenario:**
+
+Team members have access to comprehensive documentation
+and a library of code snippets they can use to accelerate development.
+
+Linters are bundled with pre-commit hooks
+and no code reaches master without peer review.
+
+Pre-merge tests are executed before merging code into master.
+Tests run a comprehensive suite of tests covering unit tests,
+service acceptance tests,
+unit tests as well as regression tests.
+
+Once a day a pipeline of specially configured
+static code analysis tools runs against
+the features merged that day, the results are
+triaged by a trained security team and fed to engineering.
+
+There is a cronjob executing Dynamic Analysis tools against Staging
+with a similar process.
+
+Pentests are conducted against features released on every release
+and also periodically against the whole software stack.
+
+# Culture and Organization
+
+This section covers topics related to culture and organization like
+processes, education and the design phase.
+
+Once requirements are gathered and analysis is performed,
+implementation specifics need to be defined.
+The outcome of this stage is usually a diagram outlining data flows
+and a general system architecture.
+This presents an opportunity for both threat modeling
+and attaching security considerations
+to every ticket and epic that is the outcome of this stage.
+
+### Design
+
+There is some great advice on threat modeling out there
+*e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/)
+article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
+
+A bite sized primer by Adam Shostack himself can be found
+[here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/).
+
+OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling)
+on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html).
+Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
+
+There's a few projects that can help with creating Threat Models
+at this stage, [PyTM](https://github.com/izar/pytm) is one,
+[ThreatSpec](https://github.com/threatspec/threatspec) is another.
+
+> Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations.
+An example can be found below._
+
+![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model")
+
+Last, if the organisation maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function.
+
+![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF")
+
+This practice has the side effect that it trains non-security specialists to think like attackers.
+
+The outcomes of this stage should help lay the foundation of secure design and considerations.
+
+**Example Low Maturity Scenario:**
+
+Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
+
+Remote data store access secrets are hardcoded in the configuration files.
+All communication between backend systems is plaintext.
+
+Frontend serves data over GraphQL as a thin layer between caching system and end user.
+
+GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries.
+Access to data is protected with basic auth set to _1234:1234_ for development purposes.
+
+**Example High Maturity Scenario:**
+
+Based on a detailed threat model defined and updated through code, the team decides the following:
+
+* Local encrypted caches need to expire and auto-purged.
+* Communication channels encrypted and authenticated.
+* All secrets persisted in shared secrets store.
+* Frontend designed with permissions model integration.
+* Permissions matrix defined.
+* Input is escaped output is encoded appropriately using well established libraries.
+
+### Education and Guidence
+
+Metrics won't necessarily improve without training engineering teams and somehow building a security-minded culture.
+Security training is a long and complicated discussion.
+There is a variety of approaches out there, on the testing-only end of the spectrum there is fully black box virtual machines such as [DVWA](http://www.dvwa.co.uk/), [Metasploitable series](https://metasploit.help.rapid7.com/docs/metasploitable-2) and the [VulnHub](https://www.vulnhub.com/) project.
+
+The code & remediation end of the spectrum isn't as well-developed,
+mainly due to the complexity involved in building and distributing such material.
+However, there are some respectable solutions, [Remediate The Flag](https://www.remediatetheflag.com/)
+can be used to setup a code based challenge.
+
+![Remediate the Flag](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/rtf.png "Remediate the Flag")
+
+However, if questionnaires are the preferred medium, or if the organisation
+ is looking for self-service testing, [Secure Coding Dojo](https://github.com/trendmicro/SecureCodingDojo) is an interesting solution.
+
+More on the self-service side, the Security Knowledge Framework has released
+several [Labs](https://owasp-skf.gitbook.io/asvs-write-ups/) that each
+showcase one vulnerability and provides information on how to exploit it.
+
+However, to our knowledge, the most flexible project out there is probably
+the [Juice Shop](https://github.com/bkimminich/juice-shop), deployed
+on Heroku with one click, it offers both CTF functionality and a self-service
+ standalone application that comes with solution detection
+ and a comprehensive progress-board.
+
+![Juice Shop](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/juiceshop.png "Juice Shop")
+
+### Process
+
+**Example High Maturity Scenario:**
+
+Business continuity and Security teams run incident management drills
+ periodically to refresh incident playbook knowledge.
+
+# Test and Verification
+
+At any maturity level, linters can be introduced to ensure that consistent
+ code is being added.
+For most linters, there are IDE integrations providing software engineers
+ with the ability to validate code correctness during development time.
+Several linters also include security specific rules.
+This allows for basic security checks before the code is even committed.
+For example, if you write in Typescript, you can use
+[tslint](https://github.com/palantir/tslint) along
+with [tslint-config-security](https://www.npmjs.com/package/tslint-config-security)
+to easily and quickly perform basic checks.
+
+However, linters cannot detect vulnerabilities in third party libraries,
+and as software supply chain attacks spread, this consideration becomes more important.
+To track third party library usage and audit their security you can use [Dependency Check/Track](https://dependencytrack.org/).
+
+![SKF Code](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_code.png "SKF Code")
+
+This stage can be used to validate software correctness and it's results as a
+ metric for the security related decisions of the previous stages.
+At this stage both automated and manual testing can be performed.
+SAMM again offers 3 maturity levels across Architecture Reviews, Requirements testing, and Security Testing.
+Instructions can be found [here](https://owaspsamm.org/model/verification/) and a screenshot is listed below.
+
+![SAMM Testing](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_testing.png "SAMM Testing")
+
+Testing can be performed several ways and it highly depends on the nature
+of the software, the organisation's cadence, and the regulatory requirements among other things.
+
+If available, automation is a good idea as it allows detection of easy to find vulnerabilities without much human interaction.
+
+If the application communicates using a web-based protocol, the [ZAP](https://github.com/zaproxy/zaproxy) project can be used to automate a great number of web related attacks and detection.
+ZAP can be orchestrated using its REST API and it can even automate multi-stage attacks by leveraging its Zest scripting support.
+
+Vulnerabilities from ZAP and a wide variety of other tools can be imported and managed using a dedicated defect management platform such as [Defect Dojo](https://github.com/DefectDojo/django-DefectDojo)(screenshot below).
+
+![Defect Dojo](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/defectdojo.png "Defect Dojo")
+
+For manual testing the [Web](https://github.com/OWASP/wstg) and [Mobile](https://github.com/OWASP/owasp-mstg) Security Testing Guides can be used to achieve a base level of quality for human driven testing.
+
+**Example Low Maturity Scenario:**
+
+The business deployed the system to production without testing.
+Soon after, the client's routine pentests uncovered deep flaws with access to backend data and services.
+The remediation effort was significant.
+
+**Example High Maturity Scenario:**
+
+The application features received Dynamic Automated testing when each reached staging, a trained QA team validated business requirements that involved security checks.
+A security team performed an adequate pentest and gave a sign-off.
+
+# Build and Deployment
+
+Secure configuration standards can be enforced during the deployment using the [Open Policy Agent](https://www.openpolicyagent.org/).
+
+![SAMM Release](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_release.png "SAMM Release")
+
+**Example Low Maturity scenario:**
+
+_please create a PR_
+
+**Example High Maturity scenario:**
+
+The CI/CD system, when migrating successful QA environments to production, applies appropriate configuration to all components.
+Configuration is tested periodically for drift.
+
+Secrets live in-memory only and are persisted in a dedicated Secrets Storage solution such as Hashicorp Vault.
+
+## Information Gathering
+
+Concerning metrics, the community has been quite vocal on what to measure
+and how important it is.
+The OWASP CISO guide offers 3 broad categories of SDLC metrics[1] which can
+ be used to measure effectiveness of security practices.
+Moreover, there is a number of presentations on what could be leveraged
+to improve a security programme, starting from Marcus' Ranum's [keynote](https://www.youtube.com/watch?v=yW7kSVwucSk)
+at Appsec California[1],
+Caroline Wong's similar [presentation](https://www.youtube.com/watch?v=dY8IuQ8rUd4)
+and [this presentation](https://www.youtube.com/watch?v=-XI2DL2Uulo) by J. Rose and R. Sulatycki.
+These among several writeups by private companies all offering their own version of what could be measured.
+
+Projects such as the [ELK stack](https://www.elastic.co/elastic-stack), [Grafana](https://grafana.com/)
+and [Prometheus](https://prometheus.io/docs/introduction/overview/) can be used to aggregate
+ logging and provide observability.
+
+However, no matter the WAFs, Logging, and secure configuration enforced
+at this stage, incidents will occur eventually.
+Incident management is a complicated and high stress process.
+To prepare organisations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately.
+
+**Example High Maturity scenario:**
+
+Logging from all components gets aggregated in dashboards and alerts
+are raised based on several Thresholds and events.
+There are canary values and events fired against monitoring
+from time to time to validate it works.
From 5f9cb10d06822a91b7f1705573ab1c271232e45e Mon Sep 17 00:00:00 2001
From: Vegard Bakke
Date: Sun, 26 Jan 2025 20:44:00 +0100
Subject: [PATCH 11/26] Add new USAGE.md
---
 src/assets/Markdown Files/USAGE.md | 43 ++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 src/assets/Markdown Files/USAGE.md
diff --git a/src/assets/Markdown Files/USAGE.md b/src/assets/Markdown Files/USAGE.md
new file mode 100644
index 000000000..5e3192526
--- /dev/null
+++ b/src/assets/Markdown Files/USAGE.md
@@ -0,0 +1,43 @@
+# DSOMM - DevSecOps Maturity Model
+
+## What is DSOMM?
+DSOMM is a framework that helps organizations to assess, improve and prioritize security activities in their software development cycle.
+
+DSOMM is a project in the OWASP family.
+
+## DSOMM vs OWASP SAMM
+[DSOMM](https://dsomm.owasp.org/) and [OWASP SAMM](https://owaspsamm.org/) are both frameworks that share a common goal of improving security.
+
+**OWASP SAMM** is more focused on the overall maturity of an organization's software assurance and security practices, with a broader scope that includes governance, compliance, risk management, and secure software development.
+
+**DSOMM** focuses on activities that integrate security directly into the DevOps workflows. DSOMM takes a more technical approach, going lower in the technology stack it provides a roadmap on how to systematically improve the security in the software development.
+
+DSOMM has currently has a OWASP Lab status, while SAMM has a Flagship status.
+
+# How to use this DSOMM site
+The DSOMM application is a frontend only application, storing all progress in your local storage in your browser. If you delete your local storage, your progress will be gone, and you cannot share your saved progress with anyone else.
+
+To do that, you need to install your own local DSOMM application.
+
+You can export the progress of the different activities as a `generated.yaml` file, which you may import into your own site.
+
+
+## How to setup your own DSOMM
+The DSOMM application can be run as a Docker image, an Amazon EC2 instance, or as a standalone Angular application using NodeJS. Please see [INSTALL.md](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/INSTALL.md) for further instructions.
+
+The DSOMM application is currently still a lightweight frontend only application, without a backend to store changes of progress. Any changes are stored in the browser. However, as above, you can export the `generated.yaml` and update your own site with this.
+
+
+# The DSOMM framework
+The DSOMM framework has a number of _activities_ grouped by _dimensions_ and _maturity levels_. E.g. the _Centralized system logging_ is a maturity level 1 activity in the _Logging_ dimension, while _Correlation of security events_ is considered level 5.
+
+
+
+## Before you start
+To prepare you for there are some activities that we recommend you do before you start using DSOMM. Getting the stakeholders onboard will ease your path.
+
+See [Maturity level 0](./usage/maturity-level-0) to learn about the important first steps.
+
+
+## Evidence
+If your CISO requires you to document evidence that an activity is completed, you can edit your `generated.yaml` file as documented in the [README.md](./usage/README) _Teams and Groups_. It is currently not possible to provide evidence directly in the browser.
From 7ab2a18131b46f6d085205d42ba7011d53d02ac0 Mon Sep 17 00:00:00 2001
From: Vegard Bakke
Date: Sun, 26 Jan 2025 22:35:06 +0100
Subject: [PATCH 12/26] Reorder sections in dimensions.md to follow the same order as elsewhere in DSOMM
---
 src/assets/Markdown Files/USAGE.md | 16 ++
 src/assets/Markdown Files/dimensions.md | 211 ++++++++++++------------
 2 files changed, 124 insertions(+), 103 deletions(-)
diff --git a/src/assets/Markdown Files/USAGE.md b/src/assets/Markdown Files/USAGE.md
index 5e3192526..8523122c2 100644
--- a/src/assets/Markdown Files/USAGE.md
+++ b/src/assets/Markdown Files/USAGE.md
@@ -39,5 +39,21 @@ To prepare you for there are some activities that we recommend you do before you See [Maturity level 0](./usage/maturity-level-0) to learn about the important first steps. +## Dimensions +The DSOMM framework categorizes its activities into dimensions, each representing a key area of the software development lifecycle where security can be integrated and matured. + +Dimensions Overview: + - **Build and Deployment**: Focuses on security practices in the CI/CD pipeline and deployment processes + - **Culture and Organization**: Addresses organizational culture, education, and processes that support security initiatives. + - **Implementation**: Covers secure coding and infrastructure hardening practices. +- **Information Gathering**: Involves gathering data for threat analysis, risk assessment, and metrics collection. +- **Test and Verification**: Focuses on testing practices to validate security measures and ensure continuous improvement. + +For detailed information on each dimension, refer to [Dimensions](./usage/dimensions). + + + + + ## Evidence If your CISO requires you to document evidence that an activity is completed, you can edit your `generated.yaml` file as documented in the [README.md](./usage/README) _Teams and Groups_. It is currently not possible to provide evidence directly in the browser. diff --git a/src/assets/Markdown Files/dimensions.md b/src/assets/Markdown Files/dimensions.md index cbc16dd2f..6971cc569 100644 --- a/src/assets/Markdown Files/dimensions.md +++ b/src/assets/Markdown Files/dimensions.md 
@@ -6,71 +6,22 @@ and the corresponding sub dimension. The descriptions are highly based (mostly copied) on the [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md). -## Implementation - -This dimension covers topic of "traditional" -hardening of software and infrastructure components. - -There is an abundance of libraries and frameworks implementing -secure defaults. -For frontend development, [ReactJS](https://reactjs.org/) seems to be -the latest favourite in the Javascript world. - -On the database side, there are [ORM](https://sequelize.org/) libraries -and [Query Builders](https://github.com/kayak/pypika) for most languages. - -If you write in Java, -the [ESAPI project](https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/index.html) -offers several methods to securely implement features, -ranging from Cryptography to input escaping and output encoding. - -**Example low maturity scenario:** - -The API was queryable by anyone and GraphQL introspection was enabled since -all components were left in debug configuration. - -Sensitive API paths were not whitelisted. -The team found that the application was attacked when the server showed very -high CPU load. -The response was to bring the system down, very little information about -the attack was found apart from the fact that someone -was mining cryptocurrencies on the server. - -**Example Low Maturity Scenario:** - -The team attempted to build the requested features using vanilla NodeJS, -connectivity to backend systems is validated by firing an internal request -to `/healthcheck?remoteHost=` which attempts to run a ping -command against the IP specified. -All secrets are hard coded. -The team uses off the shelf GraphQL libraries but versions -are not checked using [NPM Audit](https://docs.npmjs.com/cli/audit). 
-Development is performed by pushing to master which triggers a webhook that -uses FTP to copy latest master to the development server which will become production once development is finished. +# Build and Deployment -**Example High Maturity Scenario:** +Secure configuration standards can be enforced during the deployment using the [Open Policy Agent](https://www.openpolicyagent.org/). -Team members have access to comprehensive documentation -and a library of code snippets they can use to accelerate development. +![SAMM Release](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_release.png "SAMM Release") -Linters are bundled with pre-commit hooks -and no code reaches master without peer review. +**Example Low Maturity scenario:** -Pre-merge tests are executed before merging code into master. -Tests run a comprehensive suite of tests covering unit tests, -service acceptance tests, -unit tests as well as regression tests. +_please create a PR_ -Once a day a pipeline of specially configured -static code analysis tools runs against -the features merged that day, the results are -triaged by a trained security team and fed to engineering. +**Example High Maturity scenario:** -There is a cronjob executing Dynamic Analysis tools against Staging -with a similar process. +The CI/CD system, when migrating successful QA environments to production, applies appropriate configuration to all components. +Configuration is tested periodically for drift. -Pentests are conducted against features released on every release -and also periodically against the whole software stack. +Secrets live in-memory only and are persisted in a dedicated Secrets Storage solution such as Hashicorp Vault. # Culture and Organization 
@@ -173,6 +124,105 @@ on Heroku with one click, it offers both CTF functionality and a self-service Business continuity and Security teams run incident management drills periodically to refresh incident playbook knowledge. + + +# Implementation + +This dimension covers topic of "traditional" +hardening of software and infrastructure components. + +There is an abundance of libraries and frameworks implementing +secure defaults. +For frontend development, [ReactJS](https://reactjs.org/) seems to be +the latest favourite in the Javascript world. + +On the database side, there are [ORM](https://sequelize.org/) libraries +and [Query Builders](https://github.com/kayak/pypika) for most languages. + +If you write in Java, +the [ESAPI project](https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/index.html) +offers several methods to securely implement features, +ranging from Cryptography to input escaping and output encoding. + +**Example low maturity scenario:** + +The API was queryable by anyone and GraphQL introspection was enabled since +all components were left in debug configuration. + +Sensitive API paths were not whitelisted. +The team found that the application was attacked when the server showed very +high CPU load. +The response was to bring the system down, very little information about +the attack was found apart from the fact that someone +was mining cryptocurrencies on the server. + +**Example Low Maturity Scenario:** + +The team attempted to build the requested features using vanilla NodeJS, +connectivity to backend systems is validated by firing an internal request +to `/healthcheck?remoteHost=` which attempts to run a ping +command against the IP specified. +All secrets are hard coded. +The team uses off the shelf GraphQL libraries but versions +are not checked using [NPM Audit](https://docs.npmjs.com/cli/audit). 
+Development is performed by pushing to master which triggers a webhook that +uses FTP to copy latest master to the development server which will become production once development is finished. + +**Example High Maturity Scenario:** + +Team members have access to comprehensive documentation +and a library of code snippets they can use to accelerate development. + +Linters are bundled with pre-commit hooks +and no code reaches master without peer review. + +Pre-merge tests are executed before merging code into master. +Tests run a comprehensive suite of tests covering unit tests, +service acceptance tests, +unit tests as well as regression tests. + +Once a day a pipeline of specially configured +static code analysis tools runs against +the features merged that day, the results are +triaged by a trained security team and fed to engineering. + +There is a cronjob executing Dynamic Analysis tools against Staging +with a similar process. + +Pentests are conducted against features released on every release +and also periodically against the whole software stack. + + +# Information Gathering + +Concerning metrics, the community has been quite vocal on what to measure +and how important it is. +The OWASP CISO guide offers 3 broad categories of SDLC metrics[1] which can + be used to measure effectiveness of security practices. +Moreover, there is a number of presentations on what could be leveraged +to improve a security programme, starting from Marcus' Ranum's [keynote](https://www.youtube.com/watch?v=yW7kSVwucSk) +at Appsec California[1], +Caroline Wong's similar [presentation](https://www.youtube.com/watch?v=dY8IuQ8rUd4) +and [this presentation](https://www.youtube.com/watch?v=-XI2DL2Uulo) by J. Rose and R. Sulatycki. +These among several writeups by private companies all offering their own version of what could be measured. 
+ +Projects such as the [ELK stack](https://www.elastic.co/elastic-stack), [Grafana](https://grafana.com/) +and [Prometheus](https://prometheus.io/docs/introduction/overview/) can be used to aggregate + logging and provide observability. + +However, no matter the WAFs, Logging, and secure configuration enforced +at this stage, incidents will occur eventually. +Incident management is a complicated and high stress process. +To prepare organisations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately. + +**Example High Maturity scenario:** + +Logging from all components gets aggregated in dashboards and alerts +are raised based on several Thresholds and events. +There are canary values and events fired against monitoring +from time to time to validate it works. + + # Test and Verification At any maturity level, linters can be introduced to ensure that consistent 
@@ -225,48 +275,3 @@ The remediation effort was significant. The application features received Dynamic Automated testing when each reached staging, a trained QA team validated business requirements that involved security checks. A security team performed an adequate pentest and gave a sign-off. -# Build and Deployment - -Secure configuration standards can be enforced during the deployment using the [Open Policy Agent](https://www.openpolicyagent.org/). - -![SAMM Release](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_release.png "SAMM Release") - -**Example Low Maturity scenario:** - -_please create a PR_ - -**Example High Maturity scenario:** - -The CI/CD system, when migrating successful QA environments to production, applies appropriate configuration to all components. -Configuration is tested periodically for drift. - -Secrets live in-memory only and are persisted in a dedicated Secrets Storage solution such as Hashicorp Vault. - -## Information Gathering - -Concerning metrics, the community has been quite vocal on what to measure -and how important it is. -The OWASP CISO guide offers 3 broad categories of SDLC metrics[1] which can - be used to measure effectiveness of security practices. -Moreover, there is a number of presentations on what could be leveraged -to improve a security programme, starting from Marcus' Ranum's [keynote](https://www.youtube.com/watch?v=yW7kSVwucSk) -at Appsec California[1], -Caroline Wong's similar [presentation](https://www.youtube.com/watch?v=dY8IuQ8rUd4) -and [this presentation](https://www.youtube.com/watch?v=-XI2DL2Uulo) by J. Rose and R. Sulatycki. -These among several writeups by private companies all offering their own version of what could be measured. 
- -Projects such as the [ELK stack](https://www.elastic.co/elastic-stack), [Grafana](https://grafana.com/) -and [Prometheus](https://prometheus.io/docs/introduction/overview/) can be used to aggregate - logging and provide observability. - -However, no matter the WAFs, Logging, and secure configuration enforced -at this stage, incidents will occur eventually. -Incident management is a complicated and high stress process. -To prepare organisations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately. - -**Example High Maturity scenario:** - -Logging from all components gets aggregated in dashboards and alerts -are raised based on several Thresholds and events. -There are canary values and events fired against monitoring -from time to time to validate it works. From 2cacee57f1366bdd9e093f84e23bc947910d7939 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 26 Jan 2025 22:52:47 +0100 Subject: [PATCH 13/26] Suggested Example Low Maturity scenario for the Build and Deployment section --- src/assets/Markdown Files/dimensions.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/assets/Markdown Files/dimensions.md b/src/assets/Markdown Files/dimensions.md index 6971cc569..fe6b5fee6 100644 --- a/src/assets/Markdown Files/dimensions.md +++ b/src/assets/Markdown Files/dimensions.md @@ -14,7 +14,8 @@ Secure configuration standards can be enforced during the deployment using the [ **Example Low Maturity scenario:** -_please create a PR_ +The team manually deploys software to production without standardized or automated processes. Secrets, such as passwords and API keys, may have been hardcoded or left in configuration files that are committed to version control, leading to potential exposure and security risks. + **Example High Maturity scenario:** 
From b9e24afbd92a999a2079478d09d7143bf6b9a04b Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 26 Jan 2025 23:07:25 +0100 Subject: [PATCH 14/26] Smaller improvements --- README.md | 2 +- src/assets/Markdown Files/dimensions.md | 16 ++++++++-------- src/assets/Markdown Files/maturity-level-0.md | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 86d424e77..d474e6ea8 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ From a startup to a multinational corporation the software development industry The OWASP DevSecOps Maturity Model provides opportunities to harden DevOps strategies and shows how these can be prioritized. -With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. +With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks. diff --git a/src/assets/Markdown Files/dimensions.md b/src/assets/Markdown Files/dimensions.md index fe6b5fee6..98d350d67 100644 --- a/src/assets/Markdown Files/dimensions.md +++ b/src/assets/Markdown Files/dimensions.md @@ -37,7 +37,7 @@ This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage. -### Design +## Design There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) 
@@ -59,7 +59,7 @@ An example can be found below._ ![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model") -Last, if the organisation maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. +Last, if the organization maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. ![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF") @@ -90,7 +90,7 @@ Based on a detailed threat model defined and updated through code, the team deci * Permissions matrix defined. * Input is escaped output is encoded appropriately using well established libraries. -### Education and Guidence +## Education and Guidence Metrics won't necessarily improve without training engineering teams and somehow building a security-minded culture. Security training is a long and complicated discussion. @@ -103,7 +103,7 @@ can be used to setup a code based challenge. ![Remediate the Flag](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/rtf.png "Remediate the Flag") -However, if questionnaires are the preferred medium, or if the organisation +However, if questionnaires are the preferred medium, or if the organization is looking for self-service testing, [Secure Coding Dojo](https://github.com/trendmicro/SecureCodingDojo) is an interesting solution. More on the self-service side, the Security Knowledge Framework has released @@ -118,7 +118,7 @@ on Heroku with one click, it offers both CTF functionality and a self-service ![Juice Shop](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/juiceshop.png "Juice Shop") -### Process +## Process **Example High Maturity Scenario:** 
@@ -135,7 +135,7 @@ hardening of software and infrastructure components. There is an abundance of libraries and frameworks implementing secure defaults. For frontend development, [ReactJS](https://reactjs.org/) seems to be -the latest favourite in the Javascript world. +the latest favorite in the Javascript world. On the database side, there are [ORM](https://sequelize.org/) libraries and [Query Builders](https://github.com/kayak/pypika) for most languages. @@ -214,7 +214,7 @@ and [Prometheus](https://prometheus.io/docs/introduction/overview/) can be used However, no matter the WAFs, Logging, and secure configuration enforced at this stage, incidents will occur eventually. Incident management is a complicated and high stress process. -To prepare organisations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately. +To prepare organizations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately. **Example High Maturity scenario:** @@ -252,7 +252,7 @@ Instructions can be found [here](https://owaspsamm.org/model/verification/) and ![SAMM Testing](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_testing.png "SAMM Testing") Testing can be performed several ways and it highly depends on the nature -of the software, the organisation's cadence, and the regulatory requirements among other things. +of the software, the organization's cadence, and the regulatory requirements among other things. If available, automation is a good idea as it allows detection of easy to find vulnerabilities without much human interaction. 
diff --git a/src/assets/Markdown Files/maturity-level-0.md b/src/assets/Markdown Files/maturity-level-0.md index f23519aab..a6473d24e 100644 --- a/src/assets/Markdown Files/maturity-level-0.md +++ b/src/assets/Markdown Files/maturity-level-0.md @@ -100,7 +100,7 @@ The first steps for deploying DSOMM are then the following: - The "Risk Manager" is aware that all software have security vulnerabilities, and that the related risks should be minimized -- Knowing the risk appetite XXXXXX +- Knowing the risk appetite helps the organization align its security efforts with its overall strategic goals - Resources must be allocated to improve security and to avoid, detect and fix vulnerabilities - Management can perform well informed risk decisions From 8890fee84465bf7a5d3f33f086a8519b1e4f46e3 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 26 Jan 2025 23:09:43 +0100 Subject: [PATCH 15/26] Usage: Dynamically load other markdown files --- src/app/app-routing.module.ts | 3 ++- .../readme-to-html/readme-to-html.component.css | 4 ++-- .../readme-to-html.component.html | 2 +- src/app/component/teams/teams.component.ts | 1 + src/app/component/usage/usage.component.html | 2 +- src/app/component/usage/usage.component.ts | 17 ++++++++++++++--- src/styles.css | 4 ++++ 7 files changed, 25 insertions(+), 8 deletions(-) diff --git a/src/app/app-routing.module.ts b/src/app/app-routing.module.ts index 81df5a00e..2ec9ff596 100644 --- a/src/app/app-routing.module.ts +++ b/src/app/app-routing.module.ts 
@@ -14,7 +14,8 @@ const routes: Routes = [ { path: 'circular-heatmap', component: CircularHeatmapComponent }, { path: 'activity-description', component: ActivityDescriptionComponent }, { path: 'mapping', component: MappingComponent }, - { path: 'usage', component: UsageComponent }, + { path: 'usage', redirectTo: 'usage/' }, + { path: 'usage/:page', component: UsageComponent }, { path: 'teams', component: TeamsComponent }, { path: 'about', component: AboutUsComponent }, { path: 'userday', component: UserdayComponent }, diff --git a/src/app/component/readme-to-html/readme-to-html.component.css b/src/app/component/readme-to-html/readme-to-html.component.css index b3185c84a..b4f87ccb2 100644 --- a/src/app/component/readme-to-html/readme-to-html.component.css +++ b/src/app/component/readme-to-html/readme-to-html.component.css @@ -2,5 +2,5 @@ /*background-color: aqua;*/ padding: 30px; padding-top: 0px; - -} \ No newline at end of file + max-width: 40rem; +} diff --git a/src/app/component/readme-to-html/readme-to-html.component.html b/src/app/component/readme-to-html/readme-to-html.component.html index eba984c36..2aaa1992d 100644 --- a/src/app/component/readme-to-html/readme-to-html.component.html +++ b/src/app/component/readme-to-html/readme-to-html.component.html @@ -1,3 +1,3 @@
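Review bot: The new `{ path: 'usage', redirectTo: 'usage/' }` entry has no `pathMatch`, so it is a prefix match and is consulted for `usage/<page>` URLs before the `usage/:page` route that follows it. A redirect route is normally written `{ path: 'usage', redirectTo: 'usage/USAGE', pathMatch: 'full' },` so that only the bare `usage` URL is redirected and the target always carries a `page` value; whether the trailing-slash target `usage/` actually produces a `page` parameter for `usage/:page` is not visible here, and redirecting to an explicit page name avoids depending on it. The `routes` array starts and ends outside the hunk.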
-
+
diff --git a/src/app/component/teams/teams.component.ts b/src/app/component/teams/teams.component.ts index af4123843..24840893f 100644 --- a/src/app/component/teams/teams.component.ts +++ b/src/app/component/teams/teams.component.ts @@ -13,6 +13,7 @@ export class TeamsComponent implements OnInit { teamGroups: Map = new Map(); constructor(private yaml: ymlService) {} + ngOnInit(): void { this.yaml.setURI('./assets/YAML/meta.yaml'); // Function sets column header diff --git a/src/app/component/usage/usage.component.html b/src/app/component/usage/usage.component.html index 2e8ea8473..5997bd80a 100644 --- a/src/app/component/usage/usage.component.html +++ b/src/app/component/usage/usage.component.html @@ -1,3 +1,3 @@ - + diff --git a/src/app/component/usage/usage.component.ts b/src/app/component/usage/usage.component.ts index 82db1e0ba..613b83810 100644 --- a/src/app/component/usage/usage.component.ts +++ b/src/app/component/usage/usage.component.ts @@ -1,10 +1,21 @@ -import { Component } from '@angular/core'; +import { Component, OnInit } from '@angular/core'; +import { ActivatedRoute } from '@angular/router'; @Component({ selector: 'app-usage', templateUrl: './usage.component.html', styleUrls: ['./usage.component.css'], }) -export class UsageComponent { - constructor() {} +export class UsageComponent implements OnInit { + page: string = 'USAGE'; + constructor(private route: ActivatedRoute) {} + + ngOnInit() { + this.route.params.subscribe(params => { + let page = params['page']; + if (page.match(/^[\w.-]+$/)) { + this.page = page; + } + }); + } } diff --git a/src/styles.css b/src/styles.css index 079b7c645..3f9148dbb 100644 --- a/src/styles.css +++ b/src/styles.css @@ -16,4 +16,8 @@ body { margin: 0; font-family: Roboto, "Helvetica Neue", sans-serif; } max-height: 100px; float: left; margin-right: 10px; +} + +.usage-dimensions img { + max-width: 40rem; } \ No newline at end of file From d9e455d9a3f7fe2308917eb7da502510c70e4034 Mon Sep 17 00:00:00 2001 
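Review bot: `page.match(/^[\w.-]+$/)` in `ngOnInit` throws a TypeError when the route has no `page` parameter, because `params['page']` is then `undefined`, and the `usage` → `usage/` redirect added in the same commit is a plausible way to reach the component without one. Guard the value before testing it: `const page = params['page']; if (typeof page === 'string' && /^[\w.-]+$/.test(page)) { this.page = page; }`. The allowlist itself is the right shape because `page` is interpolated into the markdown asset path in the template, and a one-line comment saying so would help the next reader, e.g. `// Allowlist: page is interpolated into an asset path, so only one filename-safe segment is accepted.` The `page: string = 'USAGE'` annotation is redundant under inference.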
From: Vegard Bakke Date: Mon, 27 Jan 2025 23:33:16 +0100 Subject: [PATCH 16/26] Linting --- src/app/component/teams/teams.component.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app/component/teams/teams.component.ts b/src/app/component/teams/teams.component.ts index 24840893f..1112f5788 100644 --- a/src/app/component/teams/teams.component.ts +++ b/src/app/component/teams/teams.component.ts @@ -13,7 +13,7 @@ export class TeamsComponent implements OnInit { teamGroups: Map = new Map(); constructor(private yaml: ymlService) {} - + ngOnInit(): void { this.yaml.setURI('./assets/YAML/meta.yaml'); // Function sets column header From 05f815b6e3a2f714cee93729b7a808e988a06859 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Mon, 27 Jan 2025 23:36:12 +0100 Subject: [PATCH 17/26] Linting --- src/app/component/usage/usage.component.html | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/app/component/usage/usage.component.html b/src/app/component/usage/usage.component.html index 5997bd80a..45ccd58a8 100644 --- a/src/app/component/usage/usage.component.html +++ b/src/app/component/usage/usage.component.html @@ -1,3 +1,5 @@ - + From 388fec1785bc007eef8bf5096afb40acb57e879f Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Wed, 29 Jan 2025 23:29:37 +0100 Subject: [PATCH 18/26] What is DSOMM: part of OWASP Foundation --- README.md | 10 ++++++++-- src/assets/Markdown Files/README.md | 10 ++++++++-- src/assets/Markdown Files/USAGE.md | 2 +- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d474e6ea8..006d57739 100644 --- a/README.md +++ b/README.md 
@@ -124,10 +124,16 @@ In the corresponding [dimension YAMLs](https://github.com/devsecopsmaturitymodel [...] teamsImplemented: Default: false + B: true C: true - evidence: - B: Showed Jenkinsfile + teamsEvidence: + B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11. + C: | + The pentest report from 2025 has been split into Jira tasks. + _2025-04-01:_ All fixes of **critical** findings are deployed to production. ``` +The `|` is yaml syntax to indicate that the evidence spans multiple lines. Markdown +syntax can be used. The evidence is currently visible on the activity from the Matrix page. # Back link diff --git a/src/assets/Markdown Files/README.md b/src/assets/Markdown Files/README.md index d474e6ea8..006d57739 100644 --- a/src/assets/Markdown Files/README.md +++ b/src/assets/Markdown Files/README.md @@ -124,10 +124,16 @@ In the corresponding [dimension YAMLs](https://github.com/devsecopsmaturitymodel [...] teamsImplemented: Default: false + B: true C: true - evidence: - B: Showed Jenkinsfile + teamsEvidence: + B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11. + C: | + The pentest report from 2025 has been split into Jira tasks. + _2025-04-01:_ All fixes of **critical** findings are deployed to production. ``` +The `|` is yaml syntax to indicate that the evidence spans multiple lines. Markdown +syntax can be used. The evidence is currently visible on the activity from the Matrix page. # Back link diff --git a/src/assets/Markdown Files/USAGE.md b/src/assets/Markdown Files/USAGE.md index 8523122c2..ad8470f1d 100644 --- a/src/assets/Markdown Files/USAGE.md +++ b/src/assets/Markdown Files/USAGE.md 
@@ -3,7 +3,7 @@ ## What is DSOMM? DSOMM is a framework that helps organizations to assess, improve and prioritize security activities in their software development cycle. -DSOMM is a project in the OWASP family. +DSOMM is a project of the OWASP Foundation. ## DSOMM vs OWASP SAMM [DSOMM](https://dsomm.owasp.org/) and [OWASP SAMM](https://owaspsamm.org/) are both frameworks that share a common goal of improving security. From 1db756e4527c3d71d1c830a6a5b209589327c907 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Fri, 31 Jan 2025 00:33:25 +0100 Subject: [PATCH 19/26] Updated test files for modal and heatmap --- .../circular-heatmap.component.spec.ts | 19 ++++++----- .../modal-message.component.spec.ts | 32 +++++++++++++++++-- 2 files changed, 39 insertions(+), 12 deletions(-) diff --git a/src/app/component/circular-heatmap/circular-heatmap.component.spec.ts b/src/app/component/circular-heatmap/circular-heatmap.component.spec.ts index a1d1515d0..cb10751cb 100644 --- a/src/app/component/circular-heatmap/circular-heatmap.component.spec.ts +++ b/src/app/component/circular-heatmap/circular-heatmap.component.spec.ts @@ -4,6 +4,7 @@ import { ymlService } from 'src/app/service/yaml-parser/yaml-parser.service'; import { CircularHeatmapComponent } from './circular-heatmap.component'; import { RouterTestingModule } from '@angular/router/testing'; import { MatChip } from '@angular/material/chips'; +import { ModalMessageComponent } from '../modal-message/modal-message.component'; describe('CircularHeatmapComponent', () => { let component: CircularHeatmapComponent; 
@@ -11,19 +12,17 @@ describe('CircularHeatmapComponent', () => { beforeEach(async () => { await TestBed.configureTestingModule({ - providers: [ymlService, HttpClient, HttpHandler], + declarations: [CircularHeatmapComponent, MatChip], imports: [RouterTestingModule], - declarations: [CircularHeatmapComponent], + providers: [ + ymlService, + HttpClient, + HttpHandler, + { provide: ModalMessageComponent, useValue: {} }, + ], }).compileComponents(); - }); - beforeEach(async () => { - TestBed.configureTestingModule({ - declarations: [MatChip], - }).compileComponents(); - }); - beforeEach(() => { - fixture = TestBed.createComponent(CircularHeatmapComponent); + fixture = TestBed.createComponent(CircularHeatmapComponent); // Create fixture and component here component = fixture.componentInstance; fixture.detectChanges(); }); diff --git a/src/app/component/modal-message/modal-message.component.spec.ts b/src/app/component/modal-message/modal-message.component.spec.ts index 73c248e91..213ea3cb9 100644 --- a/src/app/component/modal-message/modal-message.component.spec.ts +++ b/src/app/component/modal-message/modal-message.component.spec.ts @@ -1,6 +1,8 @@ import { ComponentFixture, TestBed } from '@angular/core/testing'; - -import { ModalMessageComponent } from './modal-message.component'; +import { DialogInfo, ModalMessageComponent } from './modal-message.component'; +import { MatDialogRef, MAT_DIALOG_DATA } from '@angular/material/dialog'; +import { NoopAnimationsModule } from '@angular/platform-browser/animations'; +import { MatDialogModule } from '@angular/material/dialog'; describe('ModalMessageComponent', () => { let component: ModalMessageComponent; 
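Review bot: `{ provide: ModalMessageComponent, useValue: {} }` replaces the injected component with an empty object, so any path in `CircularHeatmapComponent` that calls a method on it will fail with "is not a function" instead of being exercised by these specs. A stub carrying the method the component uses, e.g. `{ provide: ModalMessageComponent, useValue: { openDialog: () => undefined } }`, keeps those paths testable; which methods the heatmap calls on the modal component is not visible in this hunk, only that `openDialog` exists on `ModalMessageComponent`. The trailing `// Create fixture and component here` comment restates the line it sits on and can be dropped.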
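Review bot: The two imports from `'@angular/material/dialog'` on adjacent lines can be merged into one statement: `import { MatDialogModule, MatDialogRef, MAT_DIALOG_DATA } from '@angular/material/dialog';`. This is style only; it keeps one import per module, which is how the surrounding imports are written.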
@@ -8,7 +10,12 @@ describe('ModalMessageComponent', () => {
 beforeEach(async () => {
 await TestBed.configureTestingModule({
+ imports: [NoopAnimationsModule, MatDialogModule],
 declarations: [ModalMessageComponent],
+ providers: [
+ { provide: MatDialogRef, useValue: {} },
+ { provide: MAT_DIALOG_DATA, useValue: {} },
+ ],
 }).compileComponents();
 });
@@ -21,4 +28,25 @@ describe('ModalMessageComponent', () => {
 it('should create', () => {
 expect(component).toBeTruthy();
 });
+
+ it('should render markdown correctly in the dialog', () => {
+ const dialogInfo: DialogInfo = new DialogInfo('A **test** markdown.');
+ const dialogRef: MatDialogRef =
+ component.openDialog(dialogInfo);
+
+ expect(dialogRef.componentInstance.data.message).toContain(
+ 'test'
+ );
+ });
+
+ it('should render markdown correctly in the dialog', () => {
+ const dialogInfo: DialogInfo = new DialogInfo('A **test** markdown.');
+ const dialogRef: MatDialogRef =
+ component.openDialog(dialogInfo);
+
+ // Check if markdown rendering is applied
+ expect(dialogRef.componentInstance.data.message).toContain(
+ 'test'
+ );
+ });
 });
From 617fb29ad1a5dbee92b8f067cf2e2d99972fc412 Mon Sep 17 00:00:00 2001
From: Vegard Bakke
Date: Sun, 2 Feb 2025 11:56:36 +0100
Subject: [PATCH 20/26] Fixes unit test for UsageComponent
---
 src/app/component/usage/usage.component.html | 4 ++--
 .../component/usage/usage.component.spec.ts | 23 ++++++++++++++++---
 src/app/component/usage/usage.component.ts | 15 +++++++-----
 3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/src/app/component/usage/usage.component.html b/src/app/component/usage/usage.component.html
index 45ccd58a8..f7b894534 100644
--- a/src/app/component/usage/usage.component.html
+++ b/src/app/component/usage/usage.component.html
@@ -1,5 +1,5 @@
+ class="usage-{{ page }}"
+ MDFile="./assets/Markdown Files/{{ page }}.md">
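Review bot: The two `it('should render markdown correctly in the dialog', ...)` blocks are the same test registered twice under the same name (the second differs only by a comment), and neither checks rendering: `toContain('test')` is satisfied by the raw input `'A **test** markdown.'` whether or not markdown is processed. Keep one test and assert on something that distinguishes rendered output from input — the dialog's DOM via `fixture.nativeElement.querySelector(...)` or the transformed message, depending on what `openDialog` does, which is not visible here; if the intent is only that the message is passed through, name the test for that, e.g. `it('should pass the message to the dialog data', ...)`. `MatDialogRef` also appears without its component type parameter (it may have been lost in extraction); `MatDialogRef<ModalMessageComponent>` keeps `componentInstance` typed.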
diff --git a/src/app/component/usage/usage.component.spec.ts b/src/app/component/usage/usage.component.spec.ts
index f67a0f13c..3fe84c5bb 100644
--- a/src/app/component/usage/usage.component.spec.ts
+++ b/src/app/component/usage/usage.component.spec.ts
@@ -1,6 +1,8 @@
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { UsageComponent } from './usage.component';
+import { ActivatedRoute } from '@angular/router';
+import { of } from 'rxjs';
 describe('UsageComponent', () => {
 let component: UsageComponent;
@@ -12,13 +14,28 @@ describe('UsageComponent', () => {
 }).compileComponents();
 });
- beforeEach(() => {
+ it('should create', () => {
+ TestBed.overrideProvider(ActivatedRoute, {
+ useValue: { params: of({}) },
+ });
+
 fixture = TestBed.createComponent(UsageComponent);
 component = fixture.componentInstance;
 fixture.detectChanges();
- });
- it('should create', () => {
 expect(component).toBeTruthy();
+ expect(component.page).toBe('USAGE');
+ });
+
+ it('should load page', () => {
+ TestBed.overrideProvider(ActivatedRoute, {
+ useValue: { params: of({ page: 'test-page' }) },
+ });
+
+ fixture = TestBed.createComponent(UsageComponent);
+ component = fixture.componentInstance;
+ fixture.detectChanges();
+
+ expect(component.page).toBe('test-page');
 });
 });
diff --git a/src/app/component/usage/usage.component.ts b/src/app/component/usage/usage.component.ts
index 613b83810..661f80812 100644
--- a/src/app/component/usage/usage.component.ts
+++ b/src/app/component/usage/usage.component.ts
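Review bot: The new cases cover only the accepting branch of the `page` allowlist in UsageComponent (a value matching `/^[\w.-]+$/`); the rejecting branch — the one that keeps a route-supplied value out of the `MDFile` asset path built in usage.component.html — has no test, so a change that relaxes the regex would go unnoticed. Add a third case next to `'should load page'` that overrides `ActivatedRoute` with `useValue: { params: of({ page: 'not/allowed' }) }` and ends with `expect(component.page).toBe('USAGE');`. Both tests now build their own fixture, so the describe-level `fixture`/`component` bindings (declared outside the hunk) only act as shared mutable state; local `const` bindings would make each test self-contained.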
@@ -11,11 +11,14 @@ export class UsageComponent implements OnInit { constructor(private route: ActivatedRoute) {} ngOnInit() { - this.route.params.subscribe(params => { - let page = params['page']; - if (page.match(/^[\w.-]+$/)) { - this.page = page; - } - }); + if (this.route && this.route.params) { + this.route.params.subscribe(params => { + let page = params['page']; + // CWE-79 - sanitize input + if (page.match(/^[\w.-]+$/)) { + this.page = page; + } + }); + } } } From b8d58b6cabd9ceeca4219fdb627346b5ac45edd1 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 2 Feb 2025 12:49:17 +0100 Subject: [PATCH 21/26] Incorporated comments from PR --- README.md | 8 +++++--- src/assets/Markdown Files/README.md | 8 +++++--- src/assets/Markdown Files/USAGE.md | 4 ++++ src/assets/Markdown Files/dimensions.md | 2 -- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 006d57739..ef62b74d9 100644 --- a/README.md +++ b/README.md @@ -63,9 +63,9 @@ In case you would like to perform a DevSecOps assessment, the following tools ar 3. Browse to (on macOS and Windows browse to if you are using docker-machine instead of the native docker installation) -For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. +For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. -You can download your current state from the circular headmap and mount it again via +You can download your current state from the circular heatmap and mount it again via ```bash wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right) 
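Review bot: The new guard checks `this.route.params` but not the value read from it — when the route carries no `page` parameter (the `of({})` case in the spec of this same patch) `page` is undefined and `page.match(...)` throws inside the subscribe callback, which RxJS reports as an unhandled error rather than failing the expectation, so the `'USAGE'` test can pass while the component logs an error. Replace the check with `if (typeof page === 'string' && /^[\w.-]+$/.test(page)) {`. The `// CWE-79 - sanitize input` comment also misdescribes the control: nothing is sanitized, the regex is an allowlist deciding whether the route value is used at all, and what it protects is the `MDFile="./assets/Markdown Files/{{ page }}.md"` attribute in usage.component.html (same patch) — `// Allowlist: page is interpolated into the MDFile asset path in the template; anything outside [\w.-] is ignored and the default is kept` says what a maintainer needs. The `this.route && this.route.params` condition looks like a test accommodation; if so, providing a stub ActivatedRoute in the spec would be preferable to having production silently skip the subscription when injection fails. The `page` default is initialised outside the hunk.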
@@ -129,7 +129,9 @@ In the corresponding [dimension YAMLs](https://github.com/devsecopsmaturitymodel teamsEvidence: B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11. C: | - The pentest report from 2025 has been split into Jira tasks. + The pentest report from 2025 has been split into Jira tasks under + [TODO-123](https://jira.example.com/issues/TODO-123). + _2025-04-01:_ All fixes of **critical** findings are deployed to production. ``` The `|` is yaml syntax to indicate that the evidence spans multiple lines. Markdown diff --git a/src/assets/Markdown Files/README.md b/src/assets/Markdown Files/README.md index 006d57739..cc59e6cb6 100644 --- a/src/assets/Markdown Files/README.md +++ b/src/assets/Markdown Files/README.md @@ -63,9 +63,9 @@ In case you would like to perform a DevSecOps assessment, the following tools ar 3. Browse to (on macOS and Windows browse to if you are using docker-machine instead of the native docker installation) -For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. +For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. -You can download your current state from the circular headmap and mount it again via +You can download your current state from the circular heatmap and mount it again via ```bash wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right) 
@@ -129,7 +129,9 @@ In the corresponding [dimension YAMLs](https://github.com/devsecopsmaturitymodel teamsEvidence: B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11. C: | - The pentest report from 2025 has been split into Jira tasks. + The pentest report from 2025 has been split into Jira tasks under + [TODO-123](https://jira.example.com/issues/TODO-123). + _2025-04-01:_ All fixes of **critical** findings are deployed to production. ``` The `|` is yaml syntax to indicate that the evidence spans multiple lines. Markdown diff --git a/src/assets/Markdown Files/USAGE.md b/src/assets/Markdown Files/USAGE.md index ad8470f1d..fb72e4ea1 100644 --- a/src/assets/Markdown Files/USAGE.md +++ b/src/assets/Markdown Files/USAGE.md @@ -10,8 +10,12 @@ DSOMM is a project of the OWASP Foundation. **OWASP SAMM** is more focused on the overall maturity of an organization's software assurance and security practices, with a broader scope that includes governance, compliance, risk management, and secure software development. +SAMM is written by security specialists for security specialists, focusing on security processes across the whole organizations. + **DSOMM** focuses on activities that integrate security directly into the DevOps workflows. DSOMM takes a more technical approach, going lower in the technology stack it provides a roadmap on how to systematically improve the security in the software development. +DSOMM is written for technical teams focused on implementing secure software. + DSOMM has currently has a OWASP Lab status, while SAMM has a Flagship status. # How to use this DSOMM site diff --git a/src/assets/Markdown Files/dimensions.md b/src/assets/Markdown Files/dimensions.md index 98d350d67..a02112a7a 100644 --- a/src/assets/Markdown Files/dimensions.md +++ b/src/assets/Markdown Files/dimensions.md 
@@ -10,8 +10,6 @@ on the [OWASP Project Integration Project Writeup](https://github.com/OWASP/www- Secure configuration standards can be enforced during the deployment using the [Open Policy Agent](https://www.openpolicyagent.org/). -![SAMM Release](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_release.png "SAMM Release") - **Example Low Maturity scenario:** The team manually deploys software to production without standardized or automated processes. Secrets, such as passwords and API keys, may have been hardcoded or left in configuration files that are committed to version control, leading to potential exposure and security risks. From c7a5ce0add9d94ff287f32dd3f9cd3c84c5e0bdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 12 Feb 2025 15:26:05 +0000 Subject: [PATCH 22/26] chore(deps-dev): bump serialize-javascript from 6.0.1 to 6.0.2 Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](https://github.com/yahoo/serialize-javascript/compare/v6.0.1...v6.0.2) --- updated-dependencies: - dependency-name: serialize-javascript dependency-type: indirect ... Signed-off-by: dependabot[bot] --- package-lock.json | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index 411f497b8..d2244a0e6 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -14346,10 +14346,11 @@ } }, "node_modules/serialize-javascript": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.1.tgz", - "integrity": "sha512-owoXEFjWRllis8/M1Q+Cw5k8ZH40e3zhp/ovX+Xr/vi1qj6QesbyXXViFbpNvWvPNAD62SutwEXavefrLJWj7w==", + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", + "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", "dev": true, + "license": "BSD-3-Clause", "dependencies": { "randombytes": "^2.1.0" } @@ -26687,9 +26688,9 @@ } }, "serialize-javascript": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.1.tgz", - "integrity": "sha512-owoXEFjWRllis8/M1Q+Cw5k8ZH40e3zhp/ovX+Xr/vi1qj6QesbyXXViFbpNvWvPNAD62SutwEXavefrLJWj7w==", + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", + "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", "dev": true, "requires": { "randombytes": "^2.1.0" From 4715237b9cc9c4767b8409f528bdd7eafd8080f2 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sun, 16 Feb 2025 14:43:37 +0100 Subject: [PATCH 23/26] Fix Error: Username and password required --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 349887f40..ee6ef35bf 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -14,6 +14,7 @@ permissions: jobs: build: + if: github.repository == 'devsecopsmaturitymodel/DevSecOps-MaturityModel' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From b4523a58e72031a8118e8eece0321ab9e833488f Mon Sep 17 00:00:00 2001 
From: Caffeine-rohit Date: Sun, 23 Feb 2025 15:07:31 +0530 Subject: [PATCH 24/26] Closes #363 Added descriptions to some sheets and updated to ensure markdown. --- Development.md | 48 ++++++++++++++++++++--------- src/assets/YAML/generated/README.md | 27 +++++++++++++++- 2 files changed, 59 insertions(+), 16 deletions(-) diff --git a/Development.md b/Development.md index 41ce4bf64..835c89c5e 100644 --- a/Development.md +++ b/Development.md 
@@ -1,46 +1,64 @@ -# DSOMM +# DevSecOps Maturity Model (DSOMM) + +## Introduction + +The DevSecOps Maturity Model (DSOMM) is an open-source framework designed to help organizations evaluate and improve their **DevSecOps** practices. +It provides structured **security maturity levels**, recommendations, and automation insights to enable teams to build **secure, efficient, and scalable software**. + +This guide walks you through **setting up the project locally**, making contributions, and submitting a pull request. + +## **Project Setup** + +### Development Server :- -## Development server The DSOMM is based [Angular](https://angular.dev/) and uses npm for package management. + - If you have not yet installed npm or the Angular command line tools, install them now. First [NodeJS](https://nodejs.org/en/download) (which provides npm), then Angular: -``` + +```bash npm install -g @angular/cli -``` -- Clone the DSOMM repo ``` + +- Clone the DSOMM repo + +```bash git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git ``` + - Change directory to DSOMM -``` + +```bash cd DevSecOps-MaturityModel ``` + - Install Dependencies -``` + +```bash npm install ``` + - **NB!** The DSOMM activities are maintained separately. Download the `generated.yaml` and put it in the required folder -``` + +```bash curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml -o src/assets/YAML/generated/generated.yaml ``` - Run `ng serve` for a dev server. Navigate to `http://localhost:4200/`. The application will automatically reload if you change any of the source files. - -## Code scaffolding +### Code scaffolding :- Run `ng generate component component-name` to generate a new component. You can also use `ng generate directive|pipe|service|class|guard|interface|enum|module`. -## Build +### Build :- Run `ng build` to build the project. The build artifacts will be stored in the `dist/` directory. 
-## Running unit tests +### Running unit tests :- Run `ng test` to execute the unit tests via [Karma](https://karma-runner.github.io). -## Coding Style Conventions +### Coding Style Conventions :- -- We follow the coding style defined by [ESLint](https://eslint.org/). +- We follow the coding style defined by [ESLint](https://eslint.org/). - We also use [Prettier](https://prettier.io/docs/en/index.html) as our opinionated code formatter. - To validate the schemas of the DSOMM yaml files in the IDE, it is recommended to use the VS Code extension [redhat.vscode-yaml](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml). The schemas are stored in /src/assets/YAML/schemas - diff --git a/src/assets/YAML/generated/README.md b/src/assets/YAML/generated/README.md index d8e2c1d4f..026785549 100644 --- a/src/assets/YAML/generated/README.md +++ b/src/assets/YAML/generated/README.md @@ -1 +1,26 @@ -In this folder, the generated.yaml will be placed +# Generated YAML Files + +This folder contains the `generated.yaml` file, which is dynamically created during the build process. +It stores configuration settings and other automatically generated data used by the DevSecOps Maturity Model (DSOMM). + +## **What is `generated.yaml`?** + +- It is a machine-generated file that is **not meant to be manually edited**. +- It helps in **storing configuration settings**, which are loaded at runtime. +- Used by the application to dynamically configure settings. + +## **How is it Generated?** + +The `generated.yaml` file is created as part of the DevSecOps Maturity Model’s **build process**. If you don’t see this file after setup, make sure to run: + +```sh +npm run build +``` + +or + +```sh +yarn build +``` + +This will generate the required **YAML** file. From 129ee9959a612016526edfa3325a984575763368 Mon Sep 17 00:00:00 2001 
From: Caffeine-rohit Date: Thu, 27 Feb 2025 01:00:57 +0530 Subject: [PATCH 25/26] Improved Documentation . Addressing issue #363 - Added details about the `generated.yaml` file in `Development.md`, specifying that it is built via the DevSecOps-MaturityModel-data repository. - Moved the procedure for generating `generated.yaml` to the root `README.md`, ensuring clear setup instructions. - Included npm/yarn commands for building the file. - Suggested potential reorganization of `README.md` or the creation of an `INSTALL.md` for better documentation clarity. This update enhances onboarding clarity and ensures contributors can generate necessary YAML files seamlessly. --- Development.md | 20 ++++++++++++++------ README.md | 23 +++++++++++++++++++++++ src/assets/YAML/generated/README.md | 17 +---------------- 3 files changed, 38 insertions(+), 22 deletions(-) diff --git a/Development.md b/Development.md index 835c89c5e..232bdf22c 100644 --- a/Development.md +++ b/Development.md @@ -9,7 +9,7 @@ This guide walks you through **setting up the project locally**, making contribu ## **Project Setup** -### Development Server :- +### Development Server The DSOMM is based [Angular](https://angular.dev/) and uses npm for package management. 
@@ -45,20 +45,28 @@ curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-Maturity - Run `ng serve` for a dev server. Navigate to `http://localhost:4200/`. The application will automatically reload if you change any of the source files. -### Code scaffolding :- +## Code Scaffolding Run `ng generate component component-name` to generate a new component. You can also use `ng generate directive|pipe|service|class|guard|interface|enum|module`. -### Build :- +## Build Run `ng build` to build the project. The build artifacts will be stored in the `dist/` directory. -### Running unit tests :- +## Running Unit Tests Run `ng test` to execute the unit tests via [Karma](https://karma-runner.github.io). -### Coding Style Conventions :- +## Coding Style Conventions - We follow the coding style defined by [ESLint](https://eslint.org/). - We also use [Prettier](https://prettier.io/docs/en/index.html) as our opinionated code formatter. -- To validate the schemas of the DSOMM yaml files in the IDE, it is recommended to use the VS Code extension [redhat.vscode-yaml](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml). The schemas are stored in /src/assets/YAML/schemas +- To validate the schemas of the DSOMM yaml files in the IDE, it is recommended to use the VS Code extension [redhat.vscode-yaml](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml). The schemas are stored in `/src/assets/YAML/schemas` + +### Running Linter + +Run `ng lint` to run the linter from the command line. +If you want to lint only a specific component, use: + +```bash +ng lint --lint-file-patterns .\src\app\component\xxxxxx\ diff --git a/README.md b/README.md index ef62b74d9..e8ffe2352 100644 --- a/README.md +++ b/README.md 
@@ -94,6 +94,29 @@ service docker start docker run -d -p 80:8080 wurstbrot/dsomm:latest ``` +## Generating the `generated.yaml` File + +The `generated.yaml` file is dynamically created during the build process. If you don’t see this file after setup, follow these steps to generate it: + +**1. Clone the Required Repository:** +The `generated.yaml` file is built via the DevSecOps-MaturityModel-data repository. Make sure you have cloned and set it up correctly. + +**2. Run the Build Command:** +Navigate to the project directory and run the following command: +- *Using npm:* + +```sh +npm run build +```` + +- *Using yarn:* + +```sh +yarn build +``` + +*If the file is missing, ensure all dependencies are installed and that you have the correct access to the `DevSecOps-MaturityModel-data` repository.* + ## Activity Definitions The definition of the activities are in the [data-repository](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data). diff --git a/src/assets/YAML/generated/README.md b/src/assets/YAML/generated/README.md index 026785549..3aa1ea5ea 100644 --- a/src/assets/YAML/generated/README.md +++ b/src/assets/YAML/generated/README.md @@ -8,19 +8,4 @@ It stores configuration settings and other automatically generated data used by - It is a machine-generated file that is **not meant to be manually edited**. - It helps in **storing configuration settings**, which are loaded at runtime. - Used by the application to dynamically configure settings. - -## **How is it Generated?** - -The `generated.yaml` file is created as part of the DevSecOps Maturity Model’s **build process**. If you don’t see this file after setup, make sure to run: - -```sh -npm run build -``` - -or - -```sh -yarn build -``` - -This will generate the required **YAML** file. +- This file is generated via the [DevSecOps-MaturityModel-data](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data) repository. 
From e64b652861f4b328b49122a3ec12eab0fb4338ce Mon Sep 17 00:00:00 2001
From: 0x41head
Date: Sat, 1 Mar 2025 22:10:14 +0530
Subject: [PATCH 26/26] Test fix
---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 04e4ea272..9d09dd6f9 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -13,6 +13,6 @@ jobs:
 with:
 node-version: 16.0
 - name: Install dependencies
- run: npm install
+ run: npm install --legacy-peer-deps
 - name: Test
 run: npm test -- --watch=false --browsers=ChromeHeadless
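Review bot: `npm install --legacy-peer-deps` in CI does not enforce package-lock.json — `npm install` may re-resolve and rewrite it, so the tests can run against a dependency tree that differs from the committed lock; `run: npm ci --legacy-peer-deps` installs exactly the lock and fails on drift. The flag also silences every peer-dependency conflict, not just the one this is working around; a short comment above the step naming it (`# --legacy-peer-deps: <dependency> peer range conflict, see <issue-or-PR>`) would let the flag be removed once the conflict is resolved. Which conflict prompted the change is not visible here.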