The DSOMM application is frontend only. Data is only stored in server side YAML files, and in the localStorage im the user's browser.
The application can be deployed in many ways. using a number of Docker, Amazon AWS and a standalone Angular service.
The DSOMM activities as maintained in a separate GitHub repository. For the latest version, check out
- Install Docker
- Download and run DSOMM:
docker pull wurstbrot/dsomm:latest
docker run --rm -p 8080:8080 wurstbrot/dsomm:latest - Open DSOMM on http://localhost:8080
If you want to override the default generated.yaml you can mount this file when starting the docker command.
docker run --rm --volume $PWD/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
NB! Note that the docker command requires an absolute path to the local file. (Hence, the use of the $PWD variable. On Windows, substitute $PWD with %CD%.)
Since this is a frontend application any web server
-
Clone the DSOMM repo
-
NB! The DSOMM activities are maintained separately. Download the
generated.yamland put it in the required folder
git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git
cd DevSecOps-MaturityModel
npm install
curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml -o src/assets/YAML/generated/generated.yaml
ng build
The files that were created in the subfolder dist
In case you would like to perform a DevSecOps assessment, the following tools are available:
- Usage of the applicaton in a
container. - Development of an export to OWASP Maturity Models (recommended for assessments with a lot of teams)
- Creation of your excel sheet (not recommended, you want to use DevOps, don't even try!)
- Install Docker
- Run
docker pull wurstbrot/dsomm:latest && docker run --rm -p 8080:8080 wurstbrot/dsomm:latest - Browse to http://localhost:8080 (on macOS and Windows browse to http://192.168.99.100:8080 if you are using docker-machine instead of the native docker installation)
For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom.
You can download your current state from the circular heatmap and mount it again via
wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right)
docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest.
This approach also allows teams to perform self assessment with changes tracked in a repository.
- In the EC2 sidenav select Instances and click Launch Instance
- In Step 1: Choose an Amazon Machine Image (AMI) choose an Amazon Linux AMI or Amazon Linux 2 AMI
- In Step 3: Configure Instance Details unfold Advanced Details and copy the script below into User Data
- In Step 6: Configure Security Group add a Rule that opens port 80 for HTTP
- Launch your instance
- Browse to your instance's public DNS
#!/bin/bash
service docker start
docker run -d -p 80:8080 wurstbrot/dsomm:latestThe definition of the activities are in the data-repository.
To customize these teams, you can create your own meta.yaml file with your unique team definitions.
Assessments within the framework can be based on either a team or a specific application, which can be referred to as the context. Depending on how you define the context or teams, you may want to group them together.
Here are a couple of examples to illustrate this, in breakers the DSOMM word:
- Multiple applications (teams) can belong to a single overarching team (application).
- Multiple teams (teams) can belong to a larger department (group).
Feel free to create your own meta.yaml file to tailor the framework to your specific needs and mount it in your environment (e.g. kubernetes or docker). Here is an example to start docker with customized meta.yaml:
# Customized meta.yaml
cp src/assets/YAML/meta.yaml .
docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -p 8080:8080 wurstbrot/dsomm
# Customized meta.yaml and generated.yaml
cp src/assets/YAML/meta.yaml .
cp $(pwd)/src/assets/YAML/generated/generated.yaml .
docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -v $(pwd)/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
In the corresponding dimension YAMLs, use:
[...]
teamsImplemented:
Default: false
B: true
C: true
teamsEvidence:
B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11.
C: |
The pentest report from 2025 has been split into Jira tasks under
[TODO-123](https://jira.example.com/issues/TODO-123).
_2025-04-01:_ All fixes of **critical** findings are deployed to production.
The | is yaml syntax to indicate that the evidence spans multiple lines. Markdown
syntax can be used. The evidence is currently visible on the activity from the Matrix page.
- Adding a manual on how to use DSOMM
- Integration of Incident Response
- DevSecOps Toolchain Categorization
- App Sec Maturity Models Mapping
- CAMS Categorization
- Adding assessment questions
Multilanguage support is not given currently and not planned.
If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the OWASP Project Wiki Page. Donations might be used for the design of logos/images/design or travels.
This program is free software: you can redistribute it and/or modify it under the terms of the GPL 3 license.
The intellectual property (content in the data folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content:
This work is based on the OWASP DevSecOps Maturity Model.
The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2022.
For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom.
You can download your current state from the circular heatmap and mount it again via
wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right)
docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest