|
| 1 | +# OWASP DSOMM Enhancement Proposal |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +This proposal outlines key enhancements to the OWASP DevSecOps Maturity Model (DSOMM) to improve its functionality, usability, and integration with other security frameworks. The total estimated effort for all proposed features is 268 hours (33.5 days). |
| 6 | + |
| 7 | +## Proposed Enhancements |
| 8 | + |
| 9 | +### 1. Vulnerability Management and Patch Management Expansion |
| 10 | + |
| 11 | +**Problem:** Current vulnerability management coverage is incomplete, particularly lacking metrics. |
| 12 | +**Solution:** Integrate concepts from the Vulnerability Management Maturity Model and "Effective Vulnerability Management" book to add: |
| 13 | +- New activities mapped to SAMM, ISO, and OpenCRE |
| 14 | +- Risk and measure descriptions |
| 15 | +- Implementation guidance |
| 16 | +- Level justifications based on effort and security value |
| 17 | + |
| 18 | +**Estimated Effort:** 32 hours |
| 19 | + |
| 20 | +### 2. Compliance Date Integration |
| 21 | + |
| 22 | +**Problem:** Activity implementation status doesn't account for time-based assessment/compliance requirements. |
| 23 | + |
| 24 | +**Solution:** |
| 25 | +As a security architect, I want teams to perform threat modeling quaterly. |
| 26 | +As a project team, I perform a threat modeling and the status is DSOMM for that team is changed to "implemented". As there is no automatic removal of the status, it stays "implemented". |
| 27 | + |
| 28 | +Tasks: |
| 29 | +- Add `threshold` attribute to activities for time-based assessment/compliance |
| 30 | +- Enhance `teamsImplemented` attribute to track implementation dates |
| 31 | +- Update UI to display assessment/compliance status based on dates and thresholds |
| 32 | + |
| 33 | +Sample `threshold`: |
| 34 | +``` |
| 35 | + threshold: |
| 36 | + targets: |
| 37 | + - type: "count" |
| 38 | + minValue: 1 |
| 39 | + period: |
| 40 | + periodType: sliding |
| 41 | + timeframe: "2Y" |
| 42 | +``` |
| 43 | +The `teamsImplemented` attribute, to be filled out by teams: |
| 44 | +``` |
| 45 | + teamsImplemented: |
| 46 | + - teamA: |
| 47 | + conductionDate: 2024-08-08 00:00:00 |
| 48 | + - teamB: |
| 49 | + conductionDate: 2024-08-08 00:00:00 |
| 50 | + - teamB: |
| 51 | + implemented: true |
| 52 | +``` |
| 53 | + |
| 54 | +**Estimated Effort:** 80 hours |
| 55 | + |
| 56 | +### 3. Score Calculation |
| 57 | + |
| 58 | +**Problem:** Current visualization can be difficult to interpret quickly. |
| 59 | + |
| 60 | +**Solution:** Implement an overall score calculation for each sub-dimension, showing implemented vs. maximum possible activities for teams. |
| 61 | + |
| 62 | +**Estimated Effort:** 8 hours |
| 63 | + |
| 64 | +### 4. Customization Capabilities |
| 65 | + |
| 66 | +**Problem:** Organizations need to adapt DSOMM for their specific security programs, which is currently challenging. |
| 67 | + |
| 68 | +**Solution:** Make the DSOMM application customizable: |
| 69 | +- Auto-adjust levels in visualizations when changed |
| 70 | +- Allow hiding/adding attributes for activity descriptions |
| 71 | +- Ensure consistent updates across linked elements (e.g., overview tables, detailed descriptions) |
| 72 | + |
| 73 | +**Estimated Effort:** 80 hours |
| 74 | + |
| 75 | +### 5. OpenCRE Integration Enhancement |
| 76 | + |
| 77 | +**Problem:** Current OpenCRE chatbot lacks comprehensive DSOMM content integration. |
| 78 | + |
| 79 | +**Solution:** |
| 80 | +- Customize OpenCRE content with DSOMM-specific information |
| 81 | +- Provide sample pre-questions for improved DSOMM coverage |
| 82 | +- Create a guide for enhancing OpenCRE content for other projects |
| 83 | + |
| 84 | +The solution needs to be implemented together with openCRE team. |
| 85 | + |
| 86 | +**Estimated Effort:** 60 hours |
| 87 | + |
| 88 | +### 6. Status `notApplicable` |
| 89 | +**Problem:** An application security program defines activities to be implemented by product teams. Sometimes, the activities are not applicable to a product/application. |
| 90 | + |
| 91 | +**Solution:** Add the status `notApplicable` for teams |
| 92 | + |
| 93 | +**Estimated Effort:** 8 hours |
| 94 | + |
| 95 | +## Total Estimated Effort |
| 96 | + |
| 97 | +268 hours (33.5 days) |
| 98 | + |
| 99 | +## Benefits |
| 100 | + |
| 101 | +- Improved vulnerability management guidance |
| 102 | +- Better compliance tracking and reporting |
| 103 | +- Enhanced data visualization and interpretation |
| 104 | +- Increased flexibility for organizational adoption |
| 105 | +- Tighter integration with broader security ecosystems |
| 106 | + |
| 107 | +## Conclusion |
| 108 | + |
| 109 | +These enhancements will significantly improve the usability, adaptability, and value of OWASP DSOMM for organizations implementing DevSecOps practices. The proposed changes will make DSOMM a more comprehensive and user-friendly tool for assessing and improving security maturity. |
0 commit comments