GitHub provides the security capabilities to achieve Level 1 of the OWASP DevSecOps Maturity Model. In this post, we explore the principles of DSOMM Level 1 and how you can implement secret scanning, SCA, SAST and DAST using native tooling on GitHub.
GitHub has been rapidly evolving into a complete development platform over the past year and a half, with the addition of native CI/CD capabilities using GitHub Actions. But did you know that you can implement DevSecOps natively in GitHub Enterprise, using GitHub Advanced Security? In this post, we will explore the OWASP DevSecOps Maturity Model (DSOMM) and demonstrate how you can achieve Level 1 maturity by implementing software composition analysis (SCA), static application security testing (SAST), dynamic application security testing (DAST), and secret scanning using GitHub-native capabilities within the developer workflow.
Before we dig into the how, let’s align on a definition of DSOMM.
OWASP created the DSOMM framework in order to show application security measures which can be applied when using DevOps strategies and how these can be prioritized. DSOMM strives to incrementally increase the effectiveness of a security program from Level 1 (least mature), to Level 4—a fully implemented DevSecOps program built into your DevOps practices.
There are four main evaluation criteria in DSOMM:
DSOMM has four maturity levels that define various aspects of your overall DevSecOps program. In a typical Level 1 program your practices could mirror the following: Level 1 calls for the execution of static analysis tools including secret scanning, SCA, and SAST without any changes to the tools or settings. DAST tooling is often run with its baseline settings. A well-planned program will increase the intensity linearly over time. The scans are run on your default branch once a week or month and reporting may be disjointed initially, but don’t worry—we will begin to consolidate at Level 2.
Beyond tool implementation, a few key requirements for DSOMM Level 1 are to:
Ensure that your tooling provides immediate feedback to developers so they can fix their issues as early in the SDLC as possible. This saves time and brain cycles for developers who often manage tool and task context switching throughout their sprint cycle.
Now that we’re aligned on a few of the cultural best practices and maturity evaluation criteria of DSOMM, let’s implement our tooling with Advanced Security. On GitHub, you can easily use native capabilities to achieve DSOMM Level 1. You can enable native SCA, SAST and secret scanning capabilities, without any changes to existing tools or configurations; and also run DAST tooling with its default settings.
To learn how to do it yourself, check out the in-depth demo in the video above. To follow this session along in your own environment, you’ll need Advanced Security enabled on your organization. I’ll walk through implementing:
Once your development team is practicing DSOMM and has achieved Level 1, you can try to tackle maturing to Level 2 in six to 12 months. Let’s do this! Please join our GitHub Demo Day livestream and stay tuned for future blog posts on DevSecOps.
Questions? Contact your account management team or the GitHub Sales Team to see how GitHub can help your engineering team build better, more secure software together.
Start your free trial for 30 days and increase your team’s collaboration. $21 per user/month after trial expires.
Curious about other plans?
In March, we experienced two incidents that resulted in degraded performance across GitHub services.
In February, we experienced two incidents that resulted in degraded performance across GitHub services.
With this version, customers can choose how to best scale their security strategy, gain more control over deployments, and so much more.
Kevin Alwell 
