The DSOMM application is frontend only. Data is only stored in server side YAML files, and in the localStorage im the user's browser.
The application can be deployed in many ways. using a number of Docker, Amazon AWS and a standalone Angular service.
The DSOMM activities are maintained in a separate GitHub repository. For the latest version, get it from:
- Install Docker
- Download and run DSOMM:
docker pull wurstbrot/dsomm:latest
docker run --rm -p 8080:8080 wurstbrot/dsomm:latest - Open DSOMM on http://localhost:8080
- If you are using docker-machine instead of the native docker installation on Windows or macOs: open http://192.168.99.100:8080 instead
If you want to override the default
generated.yamlyou can mount this file when starting the docker command.
- If you are using docker-machine instead of the native docker installation on Windows or macOs: open http://192.168.99.100:8080 instead
If you want to override the default
docker run --rm --volume $PWD/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
NB! Note that the docker command requires an absolute path to the local file. (Hence, the use of the $PWD variable. On Windows, substitute $PWD with %CD%.)
- In the EC2 sidenav select Instances and click Launch Instance
- In Step 1: Choose an Amazon Machine Image (AMI) choose an Amazon Linux AMI or Amazon Linux 2 AMI
- In Step 3: Configure Instance Details unfold Advanced Details and copy the script below into User Data
- In Step 6: Configure Security Group add a Rule that opens port 80 for HTTP
- Launch your instance
- Browse to your instance's public DNS
#!/bin/bash
service docker start
docker run -d -p 80:8080 wurstbrot/dsomm:latestSince DSOMM is a frontend only application, any web server can host DSOMM.
-
Clone the DSOMM repo
-
NB! The DSOMM activities are maintained separately. Download the
generated.yamland put it in the required folder
git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git
cd DevSecOps-MaturityModel
npm install
curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml -o src/assets/YAML/generated/generated.yaml
ng build
The files that were created in the subfolder dist
If your DSOMM application is having a subfolder in the URL (e.g. https://server.local/our-dsomm), you need to build the Angular application to prepare for this. In that case build the application by using ng build --base-href /our-dsomm/.
To customize these teams, you can create your own meta.yaml file with your unique team definitions.
Assessments within the framework can be based on either a team or a specific application, which can be referred to as the context. Depending on how you define the context or teams, you may want to group them together.
Here are a couple of examples to illustrate this, in breakers the DSOMM word:
- Multiple applications (teams) can belong to a single overarching team (application).
- Multiple teams (teams) can belong to a larger department (group).
Feel free to create your own meta.yaml file to tailor the framework to your specific needs and mount it in your environment (e.g. kubernetes or docker). Here is an example to start docker with customized meta.yaml:
# Customized meta.yaml
cp src/assets/YAML/meta.yaml .
docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -p 8080:8080 wurstbrot/dsomm
# Customized meta.yaml and generated.yaml
cp src/assets/YAML/meta.yaml .
cp $(pwd)/src/assets/YAML/generated/generated.yaml .
docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -v $(pwd)/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
In the corresponding dimension YAMLs, use:
[...]
teamsImplemented:
Default: false
B: true
C: true
teamsEvidence:
B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11.
C: |
The pentest report from 2025 has been split into Jira tasks under
[TODO-123](https://jira.example.com/issues/TODO-123).
_2025-04-01:_ All fixes of **critical** findings are deployed to production.
The | is yaml syntax to indicate that the evidence spans multiple lines. Markdown
syntax can be used. The evidence is currently visible on the activity from the Matrix page.
- Adding a manual on how to use DSOMM
- Integration of Incident Response
- DevSecOps Toolchain Categorization
- App Sec Maturity Models Mapping
- CAMS Categorization
- Adding assessment questions
Multi-language support is not currently planned.
If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the OWASP Project Wiki Page. Donations might be used for the design of logos/images/design or travels.
This program is free software: you can redistribute it and/or modify it under the terms of the GPL 3 license.
The intellectual property (content in the data folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content:
This work is based on the OWASP DevSecOps Maturity Model.
The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2025.
For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom.
You can download your current state from the circular heatmap and mount it again via
wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right)
docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest