Security Assessment Models

As part of preparation for the ONAP Assessment, we are looking at several available Models. We want to create an assessment model that results in data oriented results and allows us to identify opportunity for improvements across all aspects of ONAP (governance, design, development, quality assurance etc). Some of the aspects that we need to evaluate are outside the core development team working on a specific software capability and some aspects focus on assessing core software development team's practices.

Ask for reviewers: please take a look at the models and suggest what may be relevant to ONAP/OSS project and also indicate what assessing criteria should be ONAP wide vs core dev team of a SW capability. For OWASP SAMM, a spreadsheet is attached, it provides questionnaire and report generating tools.

Following Assessment Models were presented to SECOM on Tuesday 4/12/2022:

OWASP Software Assurance Maturity Model (SAMM)
https://owaspsamm.org
OWASP DevSecOps Maturity Model (DSOM)
https://dsomm.timo-pagel.de
Building Security In Maturity Model (BSIMM12)
https://www.bsimm.com
Security Belts structures activities of the secure software development
https://github.com/AppSecure-nrw/security-belts
DevSecOps Platform-Independent Model: Requirements and Capabilities-SEI (FFRDC) Technical report (figure 7)
https://apps.dtic.mil/sti/pdfs/AD1152747.pdf
ISACA Cybersecurity Maturity Assessment (self-assessment)
https://www.isaca.org/enterprise/cmmi-cybermaturity-platform#cmmicp-tabs

OWASP SAMM model was discussed in details.

Slides are attached:

Model Comparison Slides

OWASP SAMM Assessment tool (spreadsheet)

ONAP Wiki

Security Assessment Models

Analytics

Related content