
OWASP 5D: Hyper-dimension assessment framework

Secure development lifecycle in more dimensions

SDL is complex and always different for every company. Applying the right strategy requires a better idea of the real state of the SDL. Looking at it in more "dimensions" or aspects can unleash real effectiveness in SDL implementation. Of course, looking at the same thing from many points of view may lead to some overlap or redundancy (see Picture 4), but it definitely helps to build a more complete picture and understanding, and finally to drive action plans in the correct direction.
Imagine looking only at one lateral projection of the following object:

Picture 1: Projections are aspects or dimensions of the real object.

Obviously, looking at more dimensions of the same reality helps to comprehend it better, despite occasional redundancies. Also, the more complex the object is, the more dimensions are needed to understand it well.
Fortunately, many frameworks address SDL: SAMM, Microsoft SDL definitions, countless tools, etc. Orchestrating them in a coherent way is key to accomplishing a better SDL.

One to rule them all!

After almost two decades of experience in secure software creation with the biggest players, MindedSecurity created and shared, once again as an open source project (after the OWASP Testing Guide, the Top-10 Project, ...), their experience expressed as a framework: the SwSec 5D OWASP project.
If having a framework to manage aspects coming from other security frameworks may seem overkill or a lack of modesty, not having one may cause a strategic mismatch. According to MindedSecurity's experience, the driver behind the 5D framework is the fact that traditional SDLC frameworks lack:
  • Level of awareness
  • Security team
  • Security standards
  • Security testing tools
Here are the dimensions the OWASP 5D framework is based on:
  • SwSec TEAM

How a software company becomes more secure?

Or: how does the software in a company become more secure? Given that nowadays most companies are software companies, whether they sell software or not.
Let's not inspect the case in which the company wants to manage security with just a final check (penetration testing? A one-time external test at the end of the development of your software income machine; good luck with stopping that) or by applying a tool (an even more expensive Static Code Analysis with a TON of false positives and unrelated findings? No luck will save you here!).
So let's inspect the case in which a small to medium company, with at most a few teams, follows a "common sense approach", something like:
  1. Basic training
  2. Generic secure coding guidelines
  3. Buy a tool
  4. Test at the end
Yes, this may put that company above average in its field. But is that enough? Is that enough to protect your money or to safely pilot your plane?

Applying OWASP SAMM maturity measurements after those 4 efforts are successfully applied would lead to this level of maturity:

Picture 2: SAMM maturity after basic “common sense approach”

This is likely not an optimal result, even for a medium-sized company.
OWASP SAMM will show you the maturity of the "practices" (and help to develop a roadmap/SDL programme).
In the 5D frameworld (<- I like this word, just invented) this looks like:

Picture 3: 5D maturity after basic “common sense approach”

The next table shows, based on experience, what a HIGH (3) maturity in common frameworks implies in the 5D framework:

Picture 4: Frameworks to 5D maturity

With the 5D framework, you'll see the maturity not only of processes and testing tools but also of awareness, team composition, and the security standards adopted.