
Source Composition Analysis

Open derweiser opened this issue 4 years ago • 3 comments

Hey, great work by the way. My issue is around testing 3rd party libraries and relates to SAMM v2 practice I-SB-1/2/3-B (Software Dependencies). DSOMM calls out this area here "Static depth for applications: Static analysis for all components/libraries" however, this is a level 4 maturity. With supply chain attacks should SCA testing have its own Test and Verification sub-dimension for SCA? Specifically tools like Dependency Check/Snyk etc. at a low maturity level up to capturing full SBOMs, using CycloneDX/Dependency Track, at a higher maturity?

Thanks for your consideration, Nathan

derweiser avatar Oct 01 '21 09:10 derweiser

Hi @derweiser, I agree that SCA might be a subdimension of Test and Verification. In a maturity model, a subdimension should try to have an activity on each level. In DSOMM, I try to be tool-neutral. So far I see something like "Simple SCA" and "Advanced SCA". That would be just two activities for a subdimension. Do you have an idea how to split it to get one for every level?

What do you see as an enhancement in using SBOMs compared to tools using pattern matching (e.g. Dependency Check)? Less False Positives?

Would "Advanced SCA" be something we could put in an activity in "Test-Intensity" and elaborate that an SBOM has advantages over pattern matching? I agree that it wouldn't be as obvious as having everything in one subdimension.

wurstbrot avatar Oct 09 '21 07:10 wurstbrot

@wurstbrot I see something along the lines of

  1. Software bill of materials is produced and maintained.

  2. Software is checked for vulnerabilities in software components and packages. Software components are checked for license violations.

  3. Automated patching/PRs and updates of software components, for example Dependabot.

james-ahearn avatar Jan 21 '22 04:01 james-ahearn
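The first two activities proposed above (maintain an SBOM, then check its components for known vulnerabilities and license violations), as an added example that is not part of this thread or of DSOMM: a constructed CycloneDX JSON SBOM is matched by exact package URL (purl) against a constructed advisory list and a license allow-list. The packages, advisory ids and allow-list are placeholders chosen for the example.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (not a real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.15",
     "purl": "pkg:npm/lodash@4.17.15", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"id": "WTFPL"}}]},
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2", "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed advisory feed keyed by the exact purl of the affected release
# (placeholder ids, not real CVEs). The exact purl is what an SBOM gives you
# over filename/pattern matching: name and version are declared, not guessed.
ADVISORIES = {"pkg:npm/lodash@4.17.15": "ADVISORY-PLACEHOLDER-1"}

# License policy: allowed SPDX ids; anything else is reported as a violation.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def load_components(sbom_text):
    """Parse a CycloneDX JSON document and return its component list."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return bom.get("components", [])

def component_licenses(component):
    """SPDX ids (or free-text names) declared for one component."""
    return {e.get("license", {}).get("id") or e.get("license", {}).get("name") or "UNKNOWN"
            for e in component.get("licenses", [])}

def check_sbom(sbom_text, advisories=ADVISORIES, allowed=ALLOWED_LICENSES):
    """Level-2 checks: known-vulnerable components and license violations."""
    findings = {"vulnerable": [], "license_violations": []}
    for comp in load_components(sbom_text):
        purl = comp.get("purl")
        if purl in advisories:
            findings["vulnerable"].append((purl, advisories[purl]))
        bad = component_licenses(comp) - allowed
        if bad:
            findings["license_violations"].append((purl, sorted(bad)))
    return findings

if __name__ == "__main__":
    print(json.dumps(check_sbom(SBOM_JSON), indent=2))
```

In a pipeline the SBOM would come from the build (e.g. a CycloneDX generator) and the advisory map from a vulnerability database, with the check gating the build on non-empty findings.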

  1. Great, would you like to create a PR?
  2. Compliance is so far not very present in this model; feel free to create a PR with license tests.
  3. Is there already (https://github.com/wurstbrot/DevSecOps-MaturityModel/blob/2298a0c5e4ee15e99cbab2f2e05ed6c345e0ff2f/data/dimensions-subdimensions-activities/BuildAndDeployment/PatchManagement.yaml#L36).

wurstbrot avatar Feb 18 '22 13:02 wurstbrot