owaspsamm / toolbox-spreadsheet Goto Github PK

In the diagram on the roadmap chart tab, the description say Strategy & metrics instead of Strategy & Metrics.

Hello @dkefer

I download latest toolbox excel from, https://github.com/owaspsamm/core/releases/tag/v2.0.4

On the 'Roadmap Chart' tab, I was expecting the score to increase by phase (from As-Is .....To-Be), but found that the scores remains same for all the 4 maturity phases. Due to this the pie radar charts on 'Scorecard' tab look same for all 4 phases. Please see below screenshot, the score is same for all phases, hence the current gap is always 0.00

I downloaded the excel sheet from OWASP SAMM website. Completed the self-assessment, but on Scorecard tab I don't see accurate numbers for phase specific maturity.
Also the Roadmap tab shows zero score for most the items.

This is the url I download the spreadsheet from: https://github.com/owaspsamm/toolbox-spreadsheet/tree/main/resources
Do you have a working version of this excel?

I opened the file and the answer column does not have the specific drop down box. There is a list of answers underneath the question using the VLOOKUP formula. What am I missing?

There is a rounding error in the Current gap column on the Roadmap Chart tab of the toolbox:

Under Eductation & Guidance in the screenshot, the gap is displayed as 0,88 but it should actually be 1,50-0,63=0,87

I assume, that both 0,63 and 0,88 are rounded values leading to this error. I find that confusing. The gap should just be the difference of the values shown in the table and not that of their unrounded base values.

Roman and Arabic numerals are mixed throughout the sheet (for example, "Phase IV" vs. "Phase 4"). It would look nicer to have a consistent style. I'd recommend sticking to the Arabic numerals, since some projects will need more than the four preloaded phases and writing out Arabic numerals should be more universal than using Roman numerals.

raised by @al in Slack - https://owasp.slack.com/archives/C0VF1EJGH/p1648503557375079
"Roadmap still has issues including color coding changes between phases under Implementation."
not sure if there are others besides the color coding changes (not changing to green/red) => can be solved by applying the same formatting to the Implementation rows.

Hello,

I was trying to use the Google Sheets version of your assessment but I am not able to answer the questions because Google Sheets does not allow set use any formula for drop down lists of Data Validation. Source

In Microsoft Excel is working properly and also in older versions (I think is the 2.0).

If you can fix it, it would be amazing.

Thank you!

There are 2 bugs in Roadmap sheet. To reproduce the bugs, please follow the steps below:

1. Go to SAMM spreadsheet -> Roadmap sheet -> Implementation section -> Secure Deployment -> Deployment Process -> Level 1
2. In Current column, select "No" as an answer
3. In Phase I column, select "Yes, for some applications"
4. In Phase III column, select "Yes, for some obligations"

Bugs:

• Bug 1: In step (3), the cell background does not turn green
• Bug 2: In step (4), the answer "Yes, for some obligations" should not be a valid option

OBS: the bugs happen for all the Implementation section on Roadmap sheet.

I noticed some activities in the Roadmap reference the wrong Answer sets. As a result, the same assessment question (e.g. Is the build process fully automated?) have the correct answers for the first maturity levels & phases (e.g. Yes, for most or all of the applications) but the wrong ones for later ones (e.g. Yes, for at least half of the obligations). Among other things this completely breaks the roadmap chart & scores.

I think the following is the full list of broken activities (it was late and I was fixing them as I was working so my record keeping may not have been the most thorough):

• Implementation

  • Secure Build

    • Build Process: Phases 3, 4
    • Software Dependencies: Phases 3, 4

  • Secure Deployment

    • Deployment Process: Phase 3
    • Secret Management: Phase 3

  • Defect Management

    • both streams?: Phases 3, 4

Most (if not all) of these mistakenly use AnsD as the source of data validation instead of AnsF.
Fix by changing the value for those cells in Data Validation -> Settings -> Source

I can submit a PR with a fixed sheet next week. In the meantime, a happy new year to all!

cheers,
nessim

In some situations the calculation of the Rating does not work

The attachment is from a v2.0.7 on a German version of Excel.
Asked to get the settings / configuration (language / regional settings) and Excel version.

We have seen similar issues on Finnish and Brazilian systems, but have not been able to pinpoint the exact root problem yet.

The Google Sheets version of the spreadsheet is broken, the lookups for the answers on the interview sheet do not currently work.

Interview sheet:

Conditional Formatting:

• Unused rule at F15

Roadmap sheet:

Formulas:

• Secure Build has incorrect formulas for Implementation: Phase 1, 2, 3, 4

• This breaks the roadmap feature

• It also breaks the scorecard calculation

Conditional Formatting:

• J22:J23 is in one record causing errors

• J55:J56 is in one record causing errors

• J130:J132 is in one record causing errors

• J153:J154 is in one record causing errors

• N22:N23 is in one record causing errors

• N55:N56 is in one record causing errors

• N130:N132 is in one record causing errors

• N153:N154 is in one record causing errors

• R22:R23 is in one record causing errors

• R55:R56 is in one record causing errors

• R130:R132 is in one record causing errors

• R153:R154 is in one record causing errors

• V22:V23 is in one record causing errors

• V55:V56 is in one record causing errors

• V130:V132 is in one record causing errors

• V153:V154 is in one record causing errors

• Answer values default to '0' maybe should be blank instead

Roadmap Chart sheet:

Formulas:

• Under Practice Charts, Secure Build, Secure Deployment, and Defect Management practice names are hard coded.

Spider chart:

• Chart does not show color for each phase, only Phase 4

Scorecard:

• Should we change the 'Current' label in each Phase be changed to the Phase name? The 'Current' column reflects the projected maturity score, and not the initial interview

Write a basic playbook to test new versions of the Toolbox under different tools.

We downloaded the toolbox several patches ago and have done weeks and months worth of work inside that version. We have now encountered some of the issues that have since been fixed. I have to download the latest sheet and copy over all of our interview and phase answers, comments, etc. from sheet to sheet. This is error prone and time consuming.

Maybe there's some Excel magic I'm missing? Or maybe there's some other way to track the changes to the sheet that I can apply directly to my copy instead of starting from scratch?