Outcomes

DevSecOps Maturity Model (DSOMM)

Outcomes/Deliverables

  • Define and describe the fundamentals of a DevSecOps Maturity Model (DSOMM)

Synopsis and Takeaways

What are the Motivations for a DevSecOps Maturity Model?

A group discussion agreed on the following:

  • Measurement
  • A widely adopted standard
  • Accessibility
  • Programmatically obtain the data
  • Reliable Information
  • Scoring/Metrics
  • The ability to see progress
  • Transparent Implementation
  • Ensuring Traceability
  • Tone from the top
  • Automation
  • Actionability
  • Bidirectional Collaboration
  • Control Prioritisation
  • Selection based on an assessment of the business's current drivers for adopting DevOps

Which level of detail does a DevSecOps Maturity Model provide?

Participants were asked to pick the level of detail appropriate for the DSOMM on a scale whose high-level end was a SAMM-style practice ('Utilize automated security testing tools') and whose low-level end was a concrete, tool-specific action ('Run OWASP Dependency-Check every night').

Consensus was reached that the DSOMM should have a level of detail below that of SAMM.

Which dimensions do you see in a DevSecOps Maturity Model?

After a lively discussion, the following foundational dimensions were decided on:

  • Technology
  • Processes
  • Culture
  • Tools
  • Automation
  • Information flow

Other options for foundational dimensions were given as:

  • Culture and Organisation
  • Infrastructure
  • Build and Deployment
  • Test and Verification
  • Information Gathering

Which attributes does an implementation point/action have?

  • Frequency
  • Descriptiveness/Level of Documentation
  • Motivations/Risks
  • Intensity
  • Automation
  • Repeatability/Reproducibility
    • if you run the same tool against the same inputs, you get the same output
  • Predictability (different from above)
  • Auditability
    • can confirm that action was done and how
  • Scope/Depth
    • what level is the action taken to? (e.g. how many static checks performed?)

How do we measure maturity?

In relation to the range that should apply to a maturity scoring, the following points were put forward for consideration:

  • Range either from 0-4 or 0-6
    • Odd range sizes should not be used, because of the tendency for people to overuse the middle score
  • It was suggested that ranges might be different per attribute
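The attribute list above and the scoring discussion (per-attribute ranges of 0-4 or 0-6, possibly different per attribute, with progress visible between assessments) can be expressed as a small scoring model. The following is an added example written for this page, not code from the DSOMM project; the attribute names follow the list above, but the specific ranges assigned to each attribute, the averaging rules and the sample assessment data are assumptions made for the illustration.

```python
"""Added example: a minimal scoring model for DSOMM-style maturity assessments.

Illustrative code for this page, not part of the DSOMM project. Assumptions
(not from the session notes): each implementation action is scored per
attribute, each attribute has its own integer range, an action's maturity is
the mean of its normalised attribute scores, and a dimension's maturity is the
mean of its actions' scores.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    """An attribute of an implementation action, scored on 0..max_score."""
    name: str
    max_score: int

    def __post_init__(self) -> None:
        # The session argued against odd range sizes because assessors gravitate
        # to the middle score, so a range such as 0-5 is rejected here.
        if self.max_score <= 0 or self.max_score % 2 != 0:
            raise ValueError(
                f"{self.name}: range size must be a positive even number, got {self.max_score}"
            )


# Ranges per attribute are assumptions for the example (the notes only say
# that 0-4 or 0-6 were proposed and that ranges may differ per attribute).
ATTRIBUTES = {
    "frequency": Attribute("frequency", 4),
    "documentation": Attribute("documentation", 4),
    "automation": Attribute("automation", 6),
    "repeatability": Attribute("repeatability", 4),
    "auditability": Attribute("auditability", 4),
    "scope": Attribute("scope", 6),
}


def score_activity(scores: dict[str, int]) -> float:
    """Normalise each attribute score to [0, 1] against its own range and average them.

    Unknown attributes and out-of-range values raise, so bad assessment data
    (a 5 on a 0-4 scale, a typo in an attribute name) is rejected rather than
    silently skewing the result.
    """
    if not scores:
        raise ValueError("activity has no attribute scores")
    total = 0.0
    for name, value in scores.items():
        attr = ATTRIBUTES.get(name)
        if attr is None:
            raise ValueError(f"unknown attribute {name!r}")
        if not 0 <= value <= attr.max_score:
            raise ValueError(f"{name}={value} is outside 0..{attr.max_score}")
        total += value / attr.max_score
    return total / len(scores)


def score_dimensions(assessment: dict[str, dict[str, dict[str, int]]]) -> dict[str, float]:
    """Map dimension -> activity -> attribute -> score to dimension -> mean maturity in [0, 1]."""
    result: dict[str, float] = {}
    for dimension, activities in assessment.items():
        if not activities:
            raise ValueError(f"dimension {dimension!r} has no activities")
        result[dimension] = sum(score_activity(a) for a in activities.values()) / len(activities)
    return result


def progress(before: dict[str, float], after: dict[str, float]) -> dict[str, float]:
    """Per-dimension change between two assessments, i.e. 'the ability to see progress'."""
    return {
        d: round(after.get(d, 0.0) - before.get(d, 0.0), 3)
        for d in sorted(set(before) | set(after))
    }


# Constructed sample data: two snapshots of one team, using two of the
# alternative dimension names proposed in the session.
Q1 = {
    "Build and Deployment": {
        "dependency check nightly": {"frequency": 3, "automation": 6, "repeatability": 4, "auditability": 2},
        "signed artifacts": {"frequency": 0, "automation": 0, "repeatability": 0, "auditability": 0},
    },
    "Test and Verification": {
        "static analysis in CI": {"frequency": 4, "automation": 6, "scope": 3, "documentation": 2},
    },
}
Q2 = {
    "Build and Deployment": {
        "dependency check nightly": Q1["Build and Deployment"]["dependency check nightly"],
        "signed artifacts": {"frequency": 4, "automation": 6, "repeatability": 4, "auditability": 4},
    },
    "Test and Verification": Q1["Test and Verification"],
}

if __name__ == "__main__":
    before, after = score_dimensions(Q1), score_dimensions(Q2)
    for dimension, delta in progress(before, after).items():
        print(f"{dimension}: {before[dimension]:.3f} -> {after[dimension]:.3f} ({delta:+.3f})")
```

Normalising against each attribute's own range is what lets attributes with different scales (0-4 and 0-6 here) be combined; the validation in `Attribute` and `score_activity` is where the "reliable information" motivation is enforced, since an assessment that violates the model's own rules is refused at load time instead of producing a plausible-looking number.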

Comparisons with other Maturity Models and the integration of security in the DevOps operating model

  • OpenSAMM is built around “functions of software development with security practices tied to each”. It is not people-centric the way DevOps is.
  • DevSecOps = people and collaboration over tools and processes
  • OpenSAMM is not really embedded into software development in the way it is expected to be with DevSecOps. OpenSAMM doesn’t embed the value of DevOps into the model (e.g. automation, cross-functional teams).

The following questions and points were also raised:

  • Why should security be scored separately, in a vacuum?
  • Why not make it a product team that is embedded in the process and scored along with everyone else?
  • Shouldn’t we be scored on the overall success of the product, not our own values?
    • If the product/business fails to deliver value to customers, ultimately, security fails.

Session organiser(s)

Francois Raynaud, Puneet Thapliyal, Imran Mohammed A, Paul Dubourg, Timo Pagel

Participants

Mario Platt, Abhinav Sejpal, Claudio Camerino, David Cervigni, Dominik de Smit, Felipe Zipitria, Gabor Pek, Imran Chaudhari, John DiLeo, Manuel Jeckelmann, Matt Pendlebury, Naushad S, Orid Ahmed, Paul Davies, Russ Miles, Sotiraki Sima, Sven Schleier, Vladimir Voskresenskiy, Abhi Raj, Andrew Martin, Cao Wei, Ernesto Bethencourt, Harmeet Singh, Mark-David McLaughlin, Mustaqiim Muhar, Sergio Issi, Sophie Tonnoir, Sugumaran Uppili, Vinod Anandan