Security Assessment Models

As part of preparation for the ONAP Assessment, we are looking at several available Models.  We want to create an assessment model that results in data oriented results and allows us to identify opportunity for improvements across all aspects of ONAP (governance, design, development, quality assurance etc).  Some of the aspects that we need to evaluate are outside the core development team working on a specific software capability and some aspects focus on assessing core software development team's practices.

Ask for reviewers:  please take a look at the models and suggest what may be relevant to ONAP/OSS project and also indicate what assessing criteria should be ONAP wide vs core dev team of a SW capability.  For OWASP SAMM, a spreadsheet is attached, it provides questionnaire and report generating tools.  

Following Assessment Models were presented to SECOM on Tuesday 4/12/2022:

• OWASP Software Assurance Maturity Model (SAMM)

• https://owaspsamm.org

• OWASP DevSecOps Maturity Model (DSOM)

• https://dsomm.timo-pagel.de

• Building Security In Maturity Model (BSIMM12)

• https://www.bsimm.com

• Security Belts structures activities of the secure software development

• https://github.com/AppSecure-nrw/security-belts

• DevSecOps Platform-Independent Model: Requirements and Capabilities-SEI (FFRDC) Technical report (figure 7)

• https://apps.dtic.mil/sti/pdfs/AD1152747.pdf

• ISACA Cybersecurity Maturity Assessment (self-assessment)

• https://www.isaca.org/enterprise/cmmi-cybermaturity-platform#cmmicp-tabs

OWASP SAMM model was discussed in details.

Slides are attached:

Model Comparison Slides

OWASP SAMM Assessment tool (spreadsheet)