From 783739b1bc51f0cc0b433cdfbb38d85686025d14 Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Mon, 15 Dec 2025 11:47:12 +0100 Subject: [PATCH 1/2] fix: Issues related to release of v4 --- src/app/app.component.ts | 2 +- src/app/model/activity-store.ts | 4 +- src/app/service/loader/data-loader.service.ts | 7 +- .../default/{activities.yaml => model.yaml} | 8538 ++++++++--------- 4 files changed, 3906 insertions(+), 4645 deletions(-) rename src/assets/YAML/default/{activities.yaml => model.yaml} (77%) diff --git a/src/app/app.component.ts b/src/app/app.component.ts index 763283eb..045bfaff 100644 --- a/src/app/app.component.ts +++ b/src/app/app.component.ts @@ -10,7 +10,7 @@ import { TitleService } from './service/title.service'; }) export class AppComponent implements OnInit, OnDestroy { title = ''; - defaultTitle = 'DSOMM beta edition'; + defaultTitle = ''; subtitle = ''; menuIsOpen: boolean = true; diff --git a/src/app/model/activity-store.ts b/src/app/model/activity-store.ts index 747adcc1..0d494078 100644 --- a/src/app/model/activity-store.ts +++ b/src/app/model/activity-store.ts @@ -4,7 +4,7 @@ import { MarkdownText } from './markdown-text'; export class ActivityFileMeta { static DSOMM_PUBLISHER: string = - 'https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/'; + 'https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data'; version: string | null = null; released: Date | null = null; @@ -20,7 +20,7 @@ export class ActivityFileMeta { getDsommVersion(): string | null { if (this.publisher && this.publisher.startsWith(ActivityFileMeta.DSOMM_PUBLISHER)) { - return this.version; + return (this.version?.startsWith('v')) ? this.version : `v${this.version}`; } return null; } diff --git a/src/app/service/loader/data-loader.service.ts b/src/app/service/loader/data-loader.service.ts index 58126674..22bb38a0 100644 --- a/src/app/service/loader/data-loader.service.ts +++ b/src/app/service/loader/data-loader.service.ts 
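Review bot: Dropping the trailing slash from `DSOMM_PUBLISHER` turns the `startsWith` test in `getDsommVersion()` into a bare prefix match, so any publisher URL whose path merely extends that repository name would now be attributed to the official DSOMM publisher, whereas the slashed form at least required the path to end there. Because this comparison decides whether a model file's version is reported as a DSOMM version, match on a path boundary instead: `const base = ActivityFileMeta.DSOMM_PUBLISHER;` followed by `if (this.publisher === base || this.publisher?.startsWith(base + '/')) {`. That still accepts the un-slashed `meta.publisher` value that the new model.yaml carries without widening the match. The class body continues outside both hunks on this line.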
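Review bot: The new return expression in `getDsommVersion()` yields the string `vnull` when `version` is `null`, because `this.version?.startsWith('v')` evaluates to `undefined` in that case and the fallback template interpolates the null; before this change a matching publisher with no version returned `null`, which is what the `string | null` return type still promises to callers. Guard the null first: `if (this.version == null) return null;` and then `return this.version.startsWith('v') ? this.version : 'v' + this.version;`. The enclosing method and class continue outside the hunk.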
@@ -40,7 +40,7 @@ export class LoaderService { private githubService: GithubService, private notificationService: NotificationService ) { - this.DSOMM_MODEL_URL = this.githubService.getDsommModelUrl(); + this.DSOMM_MODEL_URL = this.githubService.getDsommModelUrl() + '/tree/main/generated'; } get datastore(): DataStore | null { @@ -91,7 +91,10 @@ export class LoaderService { if (err instanceof FileNotFoundError) { console.error(`${perfNow()}: Missing model file: ${err?.filename || err}`); if (err.filename && err.filename.endsWith('default/model.yaml')) { - this.notificationService.notify('Loading error', `No DSOMM model found.\n\nPlease download \`model.yaml\` from [GitHub](${this.DSOMM_MODEL_URL}).`); // eslint-disable-line + let msg: string = `No DSOMM Model file found.\n\n` + + `Please download \`model.yaml\` from [DSOMM-data](${this.DSOMM_MODEL_URL}) on GitHub, \\\n` + + `and place it in the \`src\\assets\\default\` folder.`; + this.notificationService.notify('Loading error', msg); } else { this.notificationService.notify('Loading error', err.message + ': ' + err.filename); } diff --git a/src/assets/YAML/default/activities.yaml b/src/assets/YAML/default/model.yaml similarity index 77% rename from src/assets/YAML/default/activities.yaml rename to src/assets/YAML/default/model.yaml index 418330a8..e1959ecc 100644 --- a/src/assets/YAML/default/activities.yaml +++ b/src/assets/YAML/default/model.yaml 
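Review bot: `'/tree/main/generated'` is now hard-coded in the loader's constructor on top of whatever `getDsommModelUrl()` returns, which pins the data repository's branch name and directory layout inside UI code and, if that method ever returns a URL ending in a slash, produces a `//tree` link in the notification. Either build the full URL inside `GithubService` so there is one place to change when the data repo moves, or at least record the assumption on the assignment: `// model.yaml is published under generated/ on the data repo's main branch`. The constructor continues outside the hunk.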
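Review bot: The new notification text tells the user to place `model.yaml` in `src\assets\default`, but the file this commit ships (`src/assets/YAML/default/model.yaml` in the diffstat) and the check two lines above, `err.filename.endsWith('default/model.yaml')`, both point at `src/assets/YAML/default/`, so a user following the message puts the file in a directory the loader never reads; the message also uses backslashes where every other path in the project uses forward slashes. Change the last fragment to `` `and place it in the \`src/assets/YAML/default\` folder.`; `` and, since `msg` is never reassigned, declare it with `const msg =` rather than `let msg: string =`. The enclosing catch block continues outside the hunk.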
@@ -1,28 +1,34 @@ --- +meta: + version: 1.25.0 + released: "2025-12-15" + publisher: https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data +--- Build and Deployment: Build: - Building and testing of artifacts in virtual environments: - uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3 - description: |- - While building and testing artifacts, third party systems, application frameworks - and 3rd party libraries are used. These might be malicious as a result of - vulnerable libraries or because they are altered during the delivery phase. - risk: |- - While building and testing artifacts, third party systems, application frameworks - and 3rd party libraries are used. These might be malicious as a result of - vulnerable libraries or because they are altered during the delivery phase. - measure: Each step during within the build and testing phase is performed in - a separate virtual environments, which is destroyed afterward. - meta: - implementationGuide: Depending on your environment, usage of virtual machines - or container technology is a good way. After the build, the filesystem should - not be used again in other builds. + Defined build process: + uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b + description: "A *build process* include more than just compiling your source + code. \nIt also includes steps such as managing (third party) dependencies, + \nenvironment configuration, running the unit tests, etc. \n\nA *defined build + process* has automated these steps to ensure consistency.\n\nThis can be done + with a Jenkinsfile, Maven, or similar tools.\n" + risk: Performing builds without a defined process is error prone; for example, + as a result of incorrect security related configuration. + measure: A well defined build process lowers the possibility of errors during + the build process. 
difficultyOfImplementation: knowledge: 2 - time: 2 + time: 3 resources: 2 - usefulness: 2 - level: 2 + usefulness: 4 + level: 1 + assessment: | + - Show your build pipeline and an exemplary job (build + test). + - Show that every team member has access. + - Show that failed jobs are fixed. + + Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) implementation: - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 name: CI/CD tools 
@@ -36,52 +42,42 @@ Build and Deployment: url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ references: samm2: - - I-SB-2-A + - I-SB-A-1 iso27001-2017: - - 14.2.6 + - 12.1.1 + - 14.2.2 iso27001-2022: - - 8.31 + - 5.37 + - 8.32 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/Defined%20build%20process + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Defined build process: - uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b - description: | - A *build process* includes more than just compiling your source code. It also covers: - - Managing (third party) dependencies - - Environment configuration - - Running unit and integration tests - - Security scanning and compliance checks - - Artifact creation and storage - - Deployment preparation - - A *defined build process* automates these steps to ensure consistency, reproducibility, and security. Automation reduces human error and enforces security controls. Use tools such as Jenkins, GitHub Actions, GitLab CI, or Maven to codify the process. - risk: Performing builds without a defined and automated process is error-prone - and increases the risk of security misconfigurations, unauthorized changes, - and supply chain attacks. - measure: A well-defined, automated, and auditable build process lowers the possibility - of errors and unauthorized changes during the build process. It also enables - traceability and rapid response to incidents. - level: 1 + Building and testing of artifacts in virtual environments: + uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3 + description: |- + While building and testing artifacts, third party systems, application frameworks + and 3rd party libraries are used. 
These might be malicious as a result of + vulnerable libraries or because they are altered during the delivery phase. + risk: |- + While building and testing artifacts, third party systems, application frameworks + and 3rd party libraries are used. These might be malicious as a result of + vulnerable libraries or because they are altered during the delivery phase. + measure: Each step during within the build and testing phase is performed in + a separate virtual environments, which is destroyed afterward. + meta: + implementationGuide: Depending on your environment, usage of virtual machines + or container technology is a good way. After the build, the filesystem should + not be used again in other builds. difficultyOfImplementation: knowledge: 2 - time: 3 + time: 2 resources: 2 - usefulness: 4 - assessment: | - - Show your build pipeline configuration (e.g., Jenkinsfile, GitHub Actions workflow) and an exemplary job (build + test + security scan). - - Demonstrate that every team member has appropriate access (least privilege). - - Show that failed jobs are investigated and fixed promptly. - - Provide audit logs or evidence of build runs and changes. - - Document how security controls are enforced in the build process. - - Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + usefulness: 2 + level: 2 implementation: - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 name: CI/CD tools 
@@ -95,22 +91,18 @@ Build and Deployment: url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ references: samm2: - - I-SB-1-A + - I-SB-A-2 iso27001-2017: - - 12.1.1 - - 14.2.2 + - 14.2.6 iso27001-2022: - - 5.37 - - 8.32 + - 8.31 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/Building%20and%20testing%20of%20artifacts%20in%20virtual%20environments + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Pinning of artifacts: uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 risk: Unauthorized manipulation of artifacts might be difficult to spot. For @@ -132,6 +124,8 @@ Build and Deployment: resources: 2 usefulness: 3 level: 2 + tags: + - inventory implementation: - uuid: 9368abfb-cf37-477a-9091-a804d2de9148 name: Signing of containers @@ -152,23 +146,19 @@ Build and Deployment: description: Immutable images are an other way, e.g. by using a registry, which doesn't allow overriding of images. dependsOn: - - Defined build process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - I-SB-1-A + - I-SB-B-1 iso27001-2017: - 14.2.6 iso27001-2022: - 8.31 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/Pinning%20of%20artifacts + isImplemented: false + evidence: "" comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false SBOM of components: uuid: 2858ac12-0179-40d9-9acf-1b839c030473 description: |- 
@@ -182,27 +172,18 @@ Build and Deployment: measure: Creation of an SBOM of components (e.g. application and container image content) during build. dependsOn: - - Defined build process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process difficultyOfImplementation: knowledge: 2 time: 2 resources: 3 usefulness: 3 level: 2 - implementation: - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: Trivy - tags: [] - url: https://github.com/aquasecurity/trivy - - uuid: 7543a6f2-3850-47a9-bb2f-0987e2af6f6a - name: Syft - tags: - - sbom - - dependency - url: https://github.com/anchore/syft + implementation: [] references: samm2: - - I-SB-1-A + - I-SB-B-1 + - D-TA-A-1 iso27001-2017: - 8.1 - 8.2 
@@ -210,14 +191,53 @@ Build and Deployment: - 5.9 - 5.12 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/SBOM%20of%20components + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Signing of code: + uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 + risk: Execution or usage of malicious code or data e.g. via executables, libraries + or container images. + measure: Digitally signing commits helps to prevent unauthorized manipulation + of source code. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: d6d755d3-b9f1-4942-a084-e62b266541df + name: Signing of commits + tags: + - signing + url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work + description: Signing of commits in git + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + dependsOn: + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + references: + samm2: + - I-SB-A-2 + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/Signing%20of%20code + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Signing of artifacts: uuid: 5786959d-0c6f-46a6-8e1c-a32ff1a50222 risk: Execution or usage of malicious code or data e.g. via executables, libraries 
@@ -253,113 +273,123 @@ Build and Deployment: tags: [] url: https://in-toto.github.io/ dependsOn: - - Defined build process - - Pinning of artifacts + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + - f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 # Pinning of artifacts references: samm2: - - I-SB-1-A + - I-SB-A-1 iso27001-2017: - 14.2.6 iso27001-2022: - 8.31 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/Signing%20of%20artifacts + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Signing of code: - uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 - risk: Execution or usage of malicious code or data e.g. via executables, libraries - or container images. - measure: Digitally signing commits helps to prevent unauthorized manipulation - of source code. + Deployment: + Defined deployment process: + uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a + risk: Deployment of insecure or malfunctioning artifacts. + measure: Defining a deployment process ensures that there are established criteria + in terms of functionalities, security, compliance, and performance, and that + the artifacts meet them. 
difficultyOfImplementation: knowledge: 2 time: 2 - resources: 2 - usefulness: 3 - level: 3 + resources: 1 + usefulness: 4 + level: 1 + dependsOn: + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process implementation: - - uuid: d6d755d3-b9f1-4942-a084-e62b266541df - name: Signing of commits - tags: - - signing - url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work - description: Signing of commits in git - - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 - name: Enforcement of commit signing + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools tags: - - signing - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule - description: Usage of branch protection rules - dependsOn: - - Defined build process + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] references: samm2: - - I-SB-2-A + - I-SD-A-1 iso27001-2017: - - 14.2.6 + - 12.1.1 + - 14.2.2 iso27001-2022: - - 8.31 + - 5.37 + - 8.32 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Defined%20deployment%20process + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Deployment: - Blue/Green Deployment: - uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97 - risk: A new artifact's version can have unknown defects. + Inventory of production components: + uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f + risk: An organization is unaware of components like applications in production. 
+ Not knowing existing applications in production leads to not assessing it. measure: |- - Using a blue/green deployment strategy increases application availability - and reduces deployment risk by simplifying the rollback process if a deployment fails. + A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production. + In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track. + dependsOn: + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process difficultyOfImplementation: knowledge: 1 - time: 2 + time: 1 resources: 1 - usefulness: 2 - level: 5 + usefulness: 4 + level: 1 implementation: - - uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2 - name: Blue/Green Deployments - tags: [] - url: https://martinfowler.com/bliki/BlueGreenDeployment.html - dependsOn: - - Smoke Test + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). 
+ url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. references: samm2: - - I-SD-2-A + - I-SB-B-1 + - D-TA-B-1 iso27001-2017: - - 17.2.1 - - 12.1.1 - - 12.1.2 - - 12.1.4 - - 12.5.1 - - 14.2.9 + - 8.1 + - 8.2 iso27001-2022: - - 8.14 - - 5.37 - - 8.31 - - 8.32 - - 8.19 - - 8.29 + - 5.9 + - 5.12 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Inventory%20of%20production%20components tags: - - none - teamsImplemented: - Default: false - B: false - C: false + - inventory Defined decommissioning process: uuid: da4ff665-dcb9-4e93-9d20-48cdedc50fc2 description: |- 
@@ -381,88 +411,34 @@ Build and Deployment: level: 2 references: samm2: - - O-OM-2-B + - O-OM-B-2 iso27001-2017: - 11.2.7 iso27001-2022: - 7.14 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Defined%20decommissioning%20process + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Defined deployment process: - uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a - description: | - A defined deployment process is a documented and automated set of steps for releasing software into production. It ensures that deployments are consistent, secure, and auditable, reducing the risk of errors and unauthorized changes. This process should include validation, approval, and rollback mechanisms. - risk: Deployment based human routines are error prone, and of insecure or malfunctioning - artifacts. - measure: Defining a deployment process ensures that there are established criteria - in terms of functionalities, security, compliance, and performance, and that - the artifacts meet them. - level: 1 + Environment depending configuration parameters (secrets): + uuid: df428c9d-efa0-4226-9f47-a15bb53f822b + risk: Unauthorized access to secrets stored in source code or in artifacts (e.g. + container images) through process listing (e.g. ps -ef). + measure: Set configuration parameters via environment variables stored using + specific platform functionalities or secrets management systems (e.g. Kubernetes + secrets or Hashicorp Vault). 
difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 usefulness: 4 - dependsOn: - - f6f7737f-25a9-4317-8de2-09bf59f29b5b + level: 2 implementation: - - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 - name: CI/CD tools - tags: - - ci-cd - url: https://martinfowler.com/articles/continuousIntegration.html - description: CI/CD tools such as jenkins, gitlab-ci or github-actions - - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba - name: Docker - url: https://github.com/moby/moby - tags: [] - references: - samm2: - - I-SD-1-A - iso27001-2017: - - 12.1.1 - - 14.2.2 - iso27001-2022: - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a - assessment: | - - Deployment process is documented and available to relevant staff - - All deployment steps are automated and version-controlled - - Approvals and access controls are enforced for production deployments - - Rollback procedures are defined and tested - - Deployment logs and evidence are retained for audit purposes - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Environment depending configuration parameters (secrets): - uuid: df428c9d-efa0-4226-9f47-a15bb53f822b - risk: Unauthorized access to secrets stored in source code or in artifacts (e.g. - container images) through process listing (e.g. ps -ef). - measure: Set configuration parameters via environment variables stored using - specific platform functionalities or secrets management systems (e.g. Kubernetes - secrets or Hashicorp Vault). - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - implementation: - - uuid: e3a2ffc8-313f-437e-9663-b24591568209 - name: Hashicorp Vault + - uuid: e3a2ffc8-313f-437e-9663-b24591568209 + name: Hashicorp Vault tags: - authentication - authorization 
@@ -473,7 +449,7 @@ Build and Deployment: A tool for secrets management, encryption as a service, and privileged access management. references: samm2: - - I-SD-1-B + - I-SD-B-1 iso27001-2017: - 9.4.5 - 14.2.6 @@ -483,13 +459,10 @@ Build and Deployment: d3f: - ApplicationConfigurationHardening openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Environment%20depending%20configuration%20parameters%20%28secrets%29 + isImplemented: false tags: - secret - teamsImplemented: - Default: false - B: false - C: false Evaluation of the trust of used components: uuid: 0de465a6-55a7-4343-af79-948bb5ff10ba risk: Application and system components like Open Source libraries or images @@ -524,7 +497,7 @@ Build and Deployment: Packj is a tool to detect software supply chain attacks. It can detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages from popular open-source package registries, such as NPM, RubyGems, and PyPI. references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 14.2.1 
@@ -534,56 +507,12 @@ Build and Deployment: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Evaluation%20of%20the%20trust%20of%20used%20components + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Handover of confidential parameters: - uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a - risk: Parameters are often used to set credentials, for example by starting - containers or applications; these parameters can often be seen by any one - listing running processes on the target system. - measure: Encryption ensures confidentiality of credentials e.g. from unauthorized - access on the file system. Also, the usage of a credential management system - can help protect credentials. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 3 - implementation: "" - dependsOn: - - Environment depending configuration parameters (secrets) - references: - samm2: - - I-SD-2-B - iso27001-2017: - - 14.1.3 - - 13.1.3 - - 9.4.3 - - 9.4.1 - - 10.1.2 - iso27001-2022: - - 8.33 - - 8.22 - - 5.17 - - 8.3 - - 8.24 - d3f: - - ApplicationConfigurationHardening - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a - tags: - - secret - teamsImplemented: - Default: false - B: false - C: false Inventory of production artifacts: uuid: 83057028-0b77-4d2e-8135-40969768ae88 risk: In case a vulnerability of severity high or critical exists, it needs 
@@ -592,8 +521,8 @@ Build and Deployment: measure: A documented inventory of artifacts in production like container images exists (gathered manually or automatically). dependsOn: - - Defined deployment process - - 2a44b708-734f-4463-b0cb-86dc46344b2f + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components difficultyOfImplementation: knowledge: 2 time: 2 @@ -610,10 +539,9 @@ Build and Deployment: description: | Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). url: https://github.com/DependencyTrack/dependency-track tags: - sca @@ -633,7 +561,8 @@ Build and Deployment: Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. references: samm2: - - I-SB-1-B + - I-SB-B-1 + - D-TA-B-1 iso27001-2017: - 8.1 - 8.2 
@@ -641,84 +570,48 @@ Build and Deployment: - 5.9 - 5.12 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/83057028-0b77-4d2e-8135-40969768ae88 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Inventory%20of%20production%20artifacts tags: - inventory - teamsImplemented: - Default: false - B: false - C: false - Inventory of production components: - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f - description: | - An inventory of production components is a complete, up-to-date list of all applications and services running in production. This enables effective vulnerability management, incident response, and compliance. Without it, organizations risk running unmaintained or unauthorized software. - risk: An organization is unaware of components like applications in production. - Not knowing existing applications in production leads to not assessing it. - measure: |- - A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production. - In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track. - dependsOn: - - Defined deployment process - level: 1 + Handover of confidential parameters: + uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a + risk: Parameters are often used to set credentials, for example by starting + containers or applications; these parameters can often be seen by any one + listing running processes on the target system. + measure: Encryption ensures confidentiality of credentials e.g. from unauthorized + access on the file system. Also, the usage of a credential management system + can help protect credentials. 
difficultyOfImplementation: - knowledge: 1 - time: 1 + knowledge: 2 + time: 2 resources: 1 usefulness: 4 - implementation: - - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca - name: Backstage - tags: - - documentation - - inventory - url: https://github.com/backstage/backstage - description: | - Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c - name: Image Metadata Collector - tags: - - documentation - - inventory - - kubernetes - url: https://github.com/SDA-SE/image-metadata-collector/ - description: | - Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. 
+ level: 3 + implementation: "" + dependsOn: + - df428c9d-efa0-4226-9f47-a15bb53f822b # Environment depending configuration parameters (secrets) references: samm2: - - I-SB-1-B + - I-SD-B-2 iso27001-2017: - - 8.1 - - 8.2 + - 14.1.3 + - 13.1.3 + - 9.4.3 + - 9.4.1 + - 10.1.2 iso27001-2022: - - 5.9 - - 5.12 + - 8.33 + - 8.22 + - 5.17 + - 8.3 + - 8.24 + d3f: + - ApplicationConfigurationHardening openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f - assessment: | - - Inventory of all production components exists and is regularly updated - - Inventory includes key metadata (e.g., version, owner, deployment date) - - Inventory is accessible to security and operations teams - - There is a process for adding, updating, and removing components - - Inventory reviews are performed and documented + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Handover%20of%20confidential%20parameters + isImplemented: false tags: - - inventory - teamsImplemented: - Default: false - B: false - C: false + - secret Inventory of production dependencies: uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6 risk: Delayed identification of components and their vulnerabilities in production. @@ -727,8 +620,8 @@ Build and Deployment: measure: A documented inventory of dependencies used in artifacts like container images and containers exists. dependsOn: - - 83057028-0b77-4d2e-8135-40969768ae88 - - SBOM of components + - 83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts + - 2858ac12-0179-40d9-9acf-1b839c030473 # SBOM of components difficultyOfImplementation: knowledge: 2 time: 2 
@@ -745,10 +638,9 @@ Build and Deployment: description: | Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). url: https://github.com/DependencyTrack/dependency-track tags: - sca @@ -768,9 +660,9 @@ Build and Deployment: Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. references: samm2: - - I-SB-3-B - - I-SB-2-B - - I-SB-1-B + - I-SB-B-3 + - I-SB-B-2 + - I-SB-B-1 iso27001-2017: - 8.1 - 8.2 @@ -778,15 +670,11 @@ Build and Deployment: - 5.9 - 5.12 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/13e9757e-58e2-4277-bc0f-eadc674891e6 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Inventory%20of%20production%20dependencies comments: "" tags: - inventory - sbom - teamsImplemented: - Default: false - B: false - C: false Rolling update on deployment: uuid: 85d52588-f542-4225-a338-20dc22a5508d risk: While a deployment is performed, the application can not be reached. 
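Review bot: The new side of `Inventory of production dependencies` (the `@@ -778` hunk) closes with `comments`/`tags` only, while sibling entries touched in this commit (`Rolling update on deployment` in the next hunk, for example) also gain `isImplemented: false` and `evidence: ""`; the same gap applies to `Automated PRs for patches`, `Automated merge of automated PRs` and the moved `Automated deployment of automated PRs`. Unless the loader defaults those two fields, these entries end up shaped differently from their neighbours, and adding the two lines keeps every activity uniform. If this file is copied from upstream generated data rather than edited by hand, the fix belongs in that source. The activity's definition starts in an earlier hunk.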
@@ -810,10 +698,11 @@ Build and Deployment: name: rolling update tags: [] dependsOn: - - Defined deployment process + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process references: samm2: - - I-SD-1-A + - I-SD-A-2 + - I-SD-A-3 iso27001-2017: - 12.5.1 - 14.2.2 @@ -823,14 +712,12 @@ Build and Deployment: - 8.32 - 8.14 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Rolling%20update%20on%20deployment + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Same artifact for environments: uuid: a854b48d-83bd-4f8d-8621-a0bdd470837f risk: Building of an artifact for different environments means that an untested @@ -849,10 +736,11 @@ Build and Deployment: url: https://github.com/moby/moby tags: [] dependsOn: - - Defined build process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - I-SD-2-A + - I-SD-A-2 + - I-SD-A-3 iso27001-2017: - 14.3.1 - 14.2.8 @@ -862,14 +750,12 @@ Build and Deployment: - 8.29 - 8.31 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Same%20artifact%20for%20environments + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Usage of feature toggles: uuid: a511799b-045e-4b96-9843-7d63d8c1e2ad risk: Using environment variables to enable or disable features can lead to 
@@ -897,10 +783,10 @@ Build and Deployment: description: | Feature Toggles are a powerful technique, allowing teams to modify system behavior without changing code. (Pete Hodgson) dependsOn: - - Same artifact for environments + - a854b48d-83bd-4f8d-8621-a0bdd470837f # Same artifact for environments references: samm2: - - I-SD-2-A + - I-SD-A-2 iso27001-2017: - 14.3.1 - 14.2.8 
@@ -913,38 +799,71 @@ Build and Deployment: d3f: - ApplicationConfigurationHardening openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Usage%20of%20feature%20toggles + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Blue/Green Deployment: + uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97 + risk: A new artifact's version can have unknown defects. + measure: |- + Using a blue/green deployment strategy increases application availability + and reduces deployment risk by simplifying the rollback process if a deployment fails. + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 5 + implementation: + - uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2 + name: Blue/Green Deployments + tags: [] + url: https://martinfowler.com/bliki/BlueGreenDeployment.html + dependsOn: + - 73aaae0b-5d68-4953-9fa4-fd25bf665f2a # Smoke Test + references: + samm2: + - I-SD-A-3 + iso27001-2017: + - 17.2.1 + - 12.1.1 + - 12.1.2 + - 12.1.4 + - 12.5.1 + - 14.2.9 + iso27001-2022: + - 8.14 + - 5.37 + - 8.31 + - 8.32 + - 8.19 + - 8.29 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Blue%2FGreen%20Deployment + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Patch Management: A patch policy is defined: uuid: 99415139-6b50-441b-89e1-0aa59accd43d - description: | - A patch policy defines how and when software components, images, and dependencies are updated. A patch policy ensures that all these artifacts are regularly reviewed and updated, reducing the window of exposure to known threats. The policy should specify the frequency, responsibilities, and documentation requirements for patching. 
- risk: Vulnerabilities in running artifacts may persist for a long time and might - be exploited. - measure: Define a patch policy for all artifacts (e.g. in images) is defined. - How often is an image rebuilt? - assessment: | - - Patch policy is documented and accessible to relevant staff. - - The policy defines patch frequency and responsible roles. - - Patch actions and exceptions are logged and reviewed. - - Evidence of regular patching and policy review is available. - level: 1 + risk: Vulnerabilities in running artifacts stay for long and might get exploited. + measure: A patch policy for all artifacts (e.g. in images) is defined. How often + is an image rebuilt? difficultyOfImplementation: knowledge: 3 time: 1 resources: 2 usefulness: 4 + level: 1 implementation: [] references: samm2: - - O-EM-1-B + - O-EM-B-1 iso27001-2017: - 12.6.1 - 12.5.1 
@@ -954,38 +873,25 @@ Build and Deployment: - 8.19 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/99415139-6b50-441b-89e1-0aa59accd43d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/A%20patch%20policy%20is%20defined + isImplemented: false + evidence: "" comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false Automated PRs for patches: uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488 - description: | - Automated PRs for patches ensure that updates for outdated or vulnerable dependencies are created and proposed without manual intervention. Tools continuously monitor for new versions or security advisories and immediately generate pull requests to update affected components in code, container images, or infrastructure. This process ensures that available patches are quickly visible to developers and can be reviewed and merged with minimal delay, reducing the risk window for known vulnerabilities. - risk: | - Components with known (or unknown) vulnerabilities might persist for a long time and be exploited, even when a patch is available. - measure: | - Fast patching of third-party components is needed. The DevOps way is to have an automated pull request for new components. This includes: - * Applications - * Virtualized operating system components (e.g., container images) - * Operating systems - * Infrastructure as Code/GitOps (e.g., ArgoCD based on a git repository or Terraform) - assessment: | - - Automated PR tooling is enabled for all relevant repositories. - - PRs are created automatically for outdated or vulnerable dependencies. - - PRs are reviewed and merged in a timely manner. - - Evidence of automated PRs and patching activity is available. - level: 1 + risk: Components with known (or unknown) vulnerabilities might stay for long + and get exploited, even when a patch is available. 
+ measure: |- + Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes + * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform) difficultyOfImplementation: knowledge: 2 time: 2 resources: 2 usefulness: 4 + level: 1 implementation: - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 name: dependabot @@ -1012,7 +918,7 @@ Build and Deployment: url: https://github.com/renovatebot/renovate references: samm2: - - O-EM-1-B + - O-EM-B-1 iso27001-2017: - 12.6.1 - 14.2.5 
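Review bot: In the rewritten `measure: |-` of `Automated PRs for patches`, the four `* …` items appear to sit on a single line after `This includes`, whereas the removed text had one item per line; inside a literal block that renders as one paragraph rather than a list, so if the collapsed display reflects the file, each `* …` should start its own line. The same scalar regresses the wording to `third party component`; `Fast patching of third-party components is needed.` reads correctly. The activity's definition starts in the previous hunk.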
@@ -1020,61 +926,10 @@ Build and Deployment: - "8.8" - "8.27" openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/8ae0b92c-10e0-4602-ba22-7524d6aed488 - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Automated deployment of automated PRs: - uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d - description: Automated merges of automated created PRs for outdated dependencies. - risk: Even if automated dependencies PRs are merged, they might not be deployed. - This results in vulnerabilities in running artifacts stay for too long and - might get exploited. - measure: | - After merging of an automated dependency PR, automated deployment is needed, - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - dependsOn: - - Automated merge of automated PRs - implementation: - - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 - name: terraform - tags: - - IaC - url: https://www.terraform.io/ - description: | - Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. - - uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f - name: argoCD - tags: - - deployment - url: https://argo-cd.readthedocs.io/en/stable/ - references: - samm2: - - O-EM-2-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/08f27c26-2c6a-47fe-9458-5e88f188085d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Automated%20PRs%20for%20patches comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false Automated merge of automated PRs: uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb description: Automated merges of automated created PRs for outdated dependencies. 
@@ -1090,7 +945,7 @@ Build and Deployment: usefulness: 3 level: 2 dependsOn: - - Automated PRs for patches + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches implementation: - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 name: dependabot @@ -1106,21 +961,16 @@ Build and Deployment: url: https://github.com/renovatebot/renovate references: samm2: - - O-EM-2-B + - O-EM-B-2 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/f2594f8f-1cd6-45f9-af29-eaf3315698eb + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Automated%20merge%20of%20automated%20PRs comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false Nightly build of images (base images): uuid: 34869eaf-f2e1-4926-b0bd-28c43402f057 description: |- @@ -1144,21 +994,18 @@ Build and Deployment: implementation: [] references: samm2: - - O-EM-1-B + - O-EM-B-2 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/34869eaf-f2e1-4926-b0bd-28c43402f057 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Nightly%20build%20of%20images%20%28base%20images%29 + isImplemented: false + evidence: "" comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false Reduction of the attack surface: uuid: 16e39c8f-5336-4001-88ed-a552d2447531 description: |- 
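Review bot: In the `@@ -1144` hunk, `Nightly build of images (base images)` maps `O-EM-1-B` to `O-EM-B-2`, whereas every other occurrence of `O-EM-1-B` in this patch (`A patch policy is defined`, `Automated PRs for patches`, `Usage of a maximum lifetime for images`) becomes `O-EM-B-1`. If the notation swap was meant to be purely mechanical this is an unintended level change; otherwise it is worth a confirming comment, e.g. `- O-EM-B-2 # intentionally one level above the other patch activities`. The activity's definition starts outside this hunk.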
@@ -1192,22 +1039,18 @@ Build and Deployment: url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22 references: samm2: - - I-SB-2 + - I-SB-B-2 iso27001-2017: - hardening is missing in ISO 27001 - 14.2.1 iso27001-2022: - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/16e39c8f-5336-4001-88ed-a552d2447531 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Reduction%20of%20the%20attack%20surface + evidence: "" comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false Usage of a maximum lifetime for images: uuid: 485a3383-7f2e-4dba-bb84-479377070904 description: |- 
@@ -1236,43 +1079,80 @@ Build and Deployment: implementation: [] references: samm2: - - O-EM-1-B + - O-EM-B-1 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/485a3383-7f2e-4dba-bb84-479377070904 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Usage%20of%20a%20maximum%20lifetime%20for%20images + evidence: "" comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false - Usage of a short maximum lifetime for images: - uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e - description: |- - The maximum lifetime for a Docker container refers to the duration a container - should be allowed to run before it is considered outdated, stale, or insecure. - There is not a fixed, universally applicable maximum lifetime for a Docker - container, as it varies depending on the specific use case, application - requirements, and security needs. As a best practice, it is essential to define - a reasonable maximum lifetime for containers to ensure that you consistently - deploy the most recent, patched, and secure versions of both your custom base - images and third-party images. - risk: Vulnerabilities in running containers stay for too long and might get - exploited. + Automated deployment of automated PRs: + uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d + description: Automated merges of automated created PRs for outdated dependencies. + risk: Even if automated dependencies PRs are merged, they might not be deployed. + This results in vulnerabilities in running artifacts stay for too long and + might get exploited. measure: | - A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available. 
+ After merging of an automated dependency PR, automated deployment is needed, difficultyOfImplementation: knowledge: 3 - time: 4 - resources: 2 + time: 3 + resources: 1 usefulness: 3 - level: 4 - implementation: + level: 3 + dependsOn: + - f2594f8f-1cd6-45f9-af29-eaf3315698eb # Automated merge of automated PRs + implementation: + - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 + name: terraform + tags: + - IaC + url: https://www.terraform.io/ + description: | + Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. + - uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f + name: argoCD + tags: + - deployment + url: https://argo-cd.readthedocs.io/en/stable/ + references: + samm2: + - O-EM-B-2 + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Automated%20deployment%20of%20automated%20PRs + comments: "" + tags: + - patching + Usage of a short maximum lifetime for images: + uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e + description: |- + The maximum lifetime for a Docker container refers to the duration a container + should be allowed to run before it is considered outdated, stale, or insecure. + There is not a fixed, universally applicable maximum lifetime for a Docker + container, as it varies depending on the specific use case, application + requirements, and security needs. As a best practice, it is essential to define + a reasonable maximum lifetime for containers to ensure that you consistently + deploy the most recent, patched, and secure versions of both your custom base + images and third-party images. + risk: Vulnerabilities in running containers stay for too long and might get + exploited. + measure: | + A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available. 
+ difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 2 + usefulness: 3 + level: 4 + implementation: - uuid: 1a463242-b480-46f6-a912-b51ec1c1558d name: "Sample concept: \n(1" tags: [] 
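Review bot: The moved `Automated deployment of automated PRs` entry keeps a trailing comma at the end of its `measure` scalar (`automated deployment is needed,`) and the ungrammatical risk sentence `This results in vulnerabilities in running artifacts stay for too long`; since the block is rewritten anyway, `automated deployment is needed.` and `This results in vulnerabilities in running artifacts staying for too long` would fix both. The hunk ends at the start of the `Usage of a short maximum lifetime for images` implementation list, which continues in the next hunk.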
@@ -1289,50 +1169,32 @@ Build and Deployment: is being used and not the buggy newer one." references: samm2: - - O-EM-2-B + - O-EM-B-2 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Usage%20of%20a%20short%20maximum%20lifetime%20for%20images + isImplemented: false + evidence: "" comments: "" tags: - patching - teamsImplemented: - Default: false - B: false - C: false Culture and Organization: Design: - Conduction of advanced threat modeling: - uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 - risk: Inadequate identification of business and technical risks. - measure: Threat modeling is performed by using reviewing user stories and producing - security driven data flow diagrams. + Conduction of simple threat modeling on technical level: + uuid: 47419324-e263-415b-815d-e7161b6b905e + risk: Technical related threats are discovered too late in the development and + deployment process. + measure: Threat modeling of technical features is performed during the product + sprint planning. difficultyOfImplementation: - knowledge: 4 + knowledge: 2 time: 3 - resources: 2 + resources: 1 usefulness: 3 - level: 4 - dependsOn: - - Conduction of simple threat modeling on technical level - - Creation of threat modeling processes and standards - description: | - **Example High Maturity Scenario:** - - Based on a detailed threat model defined and updated through code, the team decides the following: - - * Local encrypted caches need to expire and auto-purged. - * Communication channels encrypted and authenticated. - * All secrets persisted in shared secrets store. - * Frontend designed with permissions model integration. - * Permissions matrix defined. 
- * Input is escaped output is encoded appropriately using well established libraries. - - Source: OWASP Project Integration Project + level: 1 implementation: - uuid: c0533602-11b7-4838-93cc-a40556398163 name: Whiteboard @@ -1372,11 +1234,6 @@ Culture and Organization: - owasp - defender url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - - uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c - name: Threagile - tags: - - threat-modeling - url: https://github.com/Threagile/threagile - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 name: Threat Matrix for Storage url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ 
@@ -1385,65 +1242,6 @@ Culture and Organization: - storage - cluster - kubernetes - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 8.2.1 - - 14.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 5.12 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of simple threat modeling on business level: - uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426 - risk: Business related threats are discovered too late in the development and - deployment process. - measure: Threat modeling of business functionality is performed during the product - backlog creation to facilitate early detection of security defects. - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: [] - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 8.2.1 - - 14.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 5.12 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of simple threat modeling on technical level: - uuid: 47419324-e263-415b-815d-e7161b6b905e description: | # OWASP SAMM Description Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment. 
@@ -1487,69 +1285,9 @@ Culture and Organization: GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes. Source: OWASP Project Integration Project - risk: Technical related threats are discovered too late in the development and - deployment process. - measure: | - Perform threat modeling of technical features during product sprint planning using simple checklists and diagrams. Document identified threats and mitigations for new or changed functionality. - assessment: | - - Evidence of threat modeling activities exists for high-risk applications, including annotated diagrams and documented threats/mitigations. - - Activities are performed during sprint planning and involve relevant stakeholders. Outcomes are recorded and accessible for review. - level: 1 - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 1 - usefulness: 3 - implementation: - - uuid: c0533602-11b7-4838-93cc-a40556398163 - name: Whiteboard - tags: - - defender - - threat-modeling - - collaboration - - whiteboard - url: https://en.wikipedia.org/wiki/Whiteboard - - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 - name: Miro (or any other collaborative board) - tags: - - defender - - threat-modeling - - collaboration - - whiteboard - url: https://miro.com/ - - uuid: 088794c4-3424-40d4-9084-4151587fc84d - name: Draw.io - tags: - - defender - - threat-modeling - - whiteboard - url: https://github.com/jgraph/drawio-desktop - - uuid: fd0f282b-a065-4464-beed-770c604a5f52 - name: Threat Modeling Playbook - tags: - - owasp - - defender - - threat-modeling - - whiteboard - url: https://github.com/Toreon/threat-model-playbook - - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 - name: OWASP SAMM - tags: - - threat-modeling - - owasp - - defender - url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 - name: Threat Matrix for 
Storage - url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ - tags: - - documentation - - storage - - cluster - - kubernetes references: samm2: - - D-TA-2-B + - D-TA-B-2 iso27001-2017: - Not explicitly covered by ISO 27001 - May be part of risk assessment 
@@ -1561,60 +1299,76 @@ Culture and Organization: - 5.12 - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Conduction%20of%20simple%20threat%20modeling%20on%20technical%20level + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Creation of advanced abuse stories: - uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e - risk: Simple user stories are not going deep enough. Relevant security considerations - are performed. Security flaws are discovered too late in the development and - deployment process - measure: Advanced abuse stories are created as part of threat modeling activities. + Information security targets are communicated: + uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885 + risk: Employees don't know their organizations security targets. Therefore security + is not considered during development and administration as much as it should + be. + measure: Transparent and timely communication of the security targets by senior + management is essential to ensure teams' buy-in and support. 
difficultyOfImplementation: - knowledge: 4 - time: 2 + knowledge: 1 + time: 1 resources: 1 - usefulness: 4 - level: 5 - dependsOn: - - Creation of simple abuse stories - implementation: - - uuid: bb5b8988-021b-452a-a914-bd36887b6860 - name: Don't Forget EVIL User stories - tags: [] - url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) - and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - G-SM-A-2 + iso27001-2017: + - 5.1.1 + - 7.2.1 + iso27001-2022: + - 5.1 + - 5.4 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Information%20security%20targets%20are%20communicated + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Conduction of simple threat modeling on business level: + uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426 + risk: Business related threats are discovered too late in the development and + deployment process. + measure: Threat modeling of business functionality is performed during the product + backlog creation to facilitate early detection of security defects. 
+ difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] references: samm2: - - D-TA-2-B + - D-TA-B-1 + - D-TA-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - - May be part of project management - - 6.1.5 - May be part of risk assessment - - 8.1.2 + - 8.2.1 + - 14.2.1 iso27001-2022: - Not explicitly covered by ISO 27001 - - May be part of project management - - 5.8 - May be part of risk assessment - - 5.9 + - 5.12 + - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Conduction%20of%20simple%20threat%20modeling%20on%20business%20level + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Creation of simple abuse stories: uuid: bacf85b6-5bc0-405d-b5ba-a5d971467cc1 risk: User stories mostly don't consider security implications. Security flaws 
@@ -1633,13 +1387,13 @@ Culture and Organization: url: https://www.owasp.org/index.php/Agile_Software_Development description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' dependsOn: - - Conduction of simple threat modeling on technical level - - Creation of threat modeling processes and standards + - 47419324-e263-415b-815d-e7161b6b905e # Conduction of simple threat modeling on technical level + - dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e # Creation of threat modeling processes and standards references: samm2: - - D-TA-2-B + - D-TA-B-2 iso27001-2017: - Not explicitly covered by ISO 27001 - May be part of project management @@ -1653,14 +1407,12 @@ Culture and Organization: - May be part of risk assessment - 5.9 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Creation%20of%20simple%20abuse%20stories + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Creation of threat modeling processes and standards: uuid: dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e risk: Inadequate identification of business and technical risks. 
@@ -1691,10 +1443,11 @@ Culture and Organization: - defender url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ dependsOn: - - Conduction of simple threat modeling on technical level + - 47419324-e263-415b-815d-e7161b6b905e # Conduction of simple threat modeling on technical level references: samm2: - - D-TA-3-B + - D-TA-B-3 + - D-TA-B-2 iso27001-2017: - Not explicitly covered by ISO 27001 - May be part of risk assessment 
@@ -1706,66 +1459,170 @@ Culture and Organization: - 5.12 - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Creation%20of%20threat%20modeling%20processes%20and%20standards + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Information security targets are communicated: - uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885 - risk: Employees don't know their organizations security targets. Therefore security - is not considered during development and administration as much as it should - be. - measure: Transparent and timely communication of the security targets by senior - management is essential to ensure teams' buy-in and support. + Conduction of advanced threat modeling: + uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 + risk: Inadequate identification of business and technical risks. + measure: Threat modeling is performed by using reviewing user stories and producing + security driven data flow diagrams. difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 + knowledge: 4 + time: 3 + resources: 2 usefulness: 3 - level: 2 - implementation: [] + level: 4 + dependsOn: + - 47419324-e263-415b-815d-e7161b6b905e # Conduction of simple threat modeling on technical level + - dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e # Creation of threat modeling processes and standards + description: | + **Example High Maturity Scenario:** + + Based on a detailed threat model defined and updated through code, the team decides the following: + + * Local encrypted caches need to expire and auto-purged. + * Communication channels encrypted and authenticated. + * All secrets persisted in shared secrets store. + * Frontend designed with permissions model integration. + * Permissions matrix defined. 
+ * Input is escaped output is encoded appropriately using well established libraries. + + Source: OWASP Project Integration Project + implementation: + - uuid: c0533602-11b7-4838-93cc-a40556398163 + name: Whiteboard + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://en.wikipedia.org/wiki/Whiteboard + - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 + name: Miro (or any other collaborative board) + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://miro.com/ + - uuid: 088794c4-3424-40d4-9084-4151587fc84d + name: Draw.io + tags: + - defender + - threat-modeling + - whiteboard + url: https://github.com/jgraph/drawio-desktop + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + - uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c + name: Threagile + tags: + - threat-modeling + url: https://github.com/Threagile/threagile + - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 + name: Threat Matrix for Storage + url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ + tags: + - documentation + - storage + - cluster + - kubernetes references: samm2: - - G-PS-2 + - D-TA-B-2 iso27001-2017: - - 5.1.1 - - 7.2.1 + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 iso27001-2022: - - 5.1 - - 5.4 + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Conduction%20of%20advanced%20threat%20modeling + isImplemented: false + evidence: "" + comments: "" + tags: + - none + 
Creation of advanced abuse stories: + uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e + risk: Simple user stories are not going deep enough. Relevant security considerations + are performed. Security flaws are discovered too late in the development and + deployment process + measure: Advanced abuse stories are created as part of threat modeling activities. + difficultyOfImplementation: + knowledge: 4 + time: 2 + resources: 1 + usefulness: 4 + level: 5 + dependsOn: + - bacf85b6-5bc0-405d-b5ba-a5d971467cc1 # Creation of simple abuse stories + implementation: + - uuid: bb5b8988-021b-452a-a914-bd36887b6860 + name: Don't Forget EVIL User stories + tags: [] + url: https://www.owasp.org/index.php/Agile_Software_Development + description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + and [Practical Security Stories and Security Tasks for Agile Development + Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + references: + samm2: + - D-TA-B-2 + - V-RT-B-2 + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 6.1.5 + - May be part of risk assessment + - 8.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 5.8 + - May be part of risk assessment + - 5.9 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Design/subsection/Creation%20of%20advanced%20abuse%20stories + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Education and Guidance: Ad-Hoc Security trainings for software developers: uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298 - description: | - Ad-hoc security training provides basic awareness of software security risks and 
best practices to developers and other personnel involved in software development. These trainings are delivered as needed, without a fixed schedule, to address immediate knowledge gaps or respond to emerging threats. - risk: | - Without any security training, personnel may lack awareness of common software vulnerabilities (such as SQL Injection and vulnerable dependencies), increasing the risk of introducing exploitable flaws into applications. - measure: | - Provide security awareness training for all personnel involved in software development on an ad-hoc basis, ensuring that relevant topics are covered when new risks or needs are identified. - assessment: | - - Conduct security training for developers and relevant personnel - - Participants can identify common software security risks addressed in the training - - Training materials are available - - Attendance records are available - level: 1 + risk: Understanding security is hard and personnel needs to be trained on it. + Otherwise, flaws like an SQL Injection might be introduced into the software + which might get exploited. + measure: Provide security awareness training for all personnel involved in software + development Ad-Hoc. difficultyOfImplementation: knowledge: 2 time: 1 resources: 1 usefulness: 3 + level: 1 implementation: - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a name: OWASP Juice Shop 
@@ -1782,199 +1639,55 @@ Culture and Organization: url: https://cheatsheetseries.owasp.org/ references: samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Aligning security in teams: - uuid: f994a55d-71bb-45a4-a887-0a213d72c504 - risk: The concept of Security Champions might suggest that only he/she is responsible - for security. However, everyone in the project team should be responsible - for security. - measure: By aligning security Subject Matter Experts with project teams, a higher - security standard can be achieved. - difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 1 - usefulness: 5 - implementation: - - uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3 - name: Involve Security SME - tags: [] - description: Security SME are involved in discussion for requirements analysis, - software design and sprint planning to provide guidance and suggestions. - level: 4 - references: - samm2: - - G-EG-3-B - iso27001-2017: - - 7.1.1 - iso27001-2022: - - 6.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of build-it, break-it, fix-it contests: - uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8 - risk: Understanding security is hard, even for security champions and the conduction - of security training often focuses on breaking a component instead of building - a component secure. - measure: The build-it, break-it, fix-it contest allows to train people with - security related roles like security champions the build, break and fix part - of a secure application. This increases the learning of building secure components. 
- difficultyOfImplementation: - knowledge: 5 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f - name: Build it Break it Fix it Contest - tags: [] - url: https://builditbreakit.org/ - references: - samm2: - - G-EG-2-A + - G-EG-A-1 iso27001-2017: - 7.2.2 iso27001-2022: - 6.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Ad-Hoc%20Security%20trainings%20for%20software%20developers tags: - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of collaborative security checks with developers and system administrators: - uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2 - risk: Security checks by external companies do not increase the understanding - of an application/system for internal employees. - measure: Periodically security reviews of source code (SCA), in which security - SME, developers and operations are involved, are effective at increasing the - robustness of software and the security knowledge of the teams involved. + Security consulting on request: + uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0 + risk: Not asking a security expert when questions regarding security appear + might lead to flaws. + measure: Security consulting to teams is given on request. The security consultants + can be internal or external. 
difficultyOfImplementation: knowledge: 3 - time: 2 + time: 1 resources: 1 usefulness: 3 - level: 5 - implementation: [] - references: - samm2: - - G-EG-2-A - iso27001-2017: - - Mutual review of source code is not explicitly required in ISO 27001 may - be - - 7.2.2 - - 12.6.1 - - 12.7.1 - iso27001-2022: - - Mutual review of source code is not explicitly required in ISO 27001 may - be - - 6.3 - - 8.8 - - 8.34 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of collaborative team security checks: - uuid: 35446784-7610-40d9-af9e-d43f3173bf8c - risk: Development teams limited insight over security practices. - measure: Mutual security testing the security of other teams project enhances - security awareness and knowledge. - difficultyOfImplementation: - resources: 2 - knowledge: 4 - time: 4 - usefulness: 2 - level: 4 - implementation: [] - references: - samm2: - - G-EG-1-A - - G-EG-2-A - iso27001-2017: - - Mutual security testing is not explicitly required in ISO 27001 may be - - 7.2.2 - iso27001-2022: - - Mutual security testing is not explicitly required in ISO 27001 may be - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of war games: - uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694 - risk: Understanding incident response plans during an incident is hard and ineffective. - measure: War Games like activities help train for incidents. Security SMEs create - attack scenarios in a testing environment enabling the trainees to learn how - to react in case of an incident. 
- difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 4 - usefulness: 3 - level: 4 - implementation: [] + level: 1 + implementation: + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series + tags: + - training + - secure coding + url: https://cheatsheetseries.owasp.org/ references: samm2: - - G-EG-2-A + - G-EG-A-1 + - G-EG-B-1 iso27001-2017: - - War games are not explicitly required in ISO 27001 may be - - 7.2.2 - - 16.1 - - 16.1.5 + - security consulting is missing in ISO 27001 may be + - 6.1.1 + - 6.1.4 + - 6.1.5 iso27001-2022: - - War games are not explicitly required in ISO 27001 may be - - 6.3 - - 5.24 - - 5.26 + - Security consulting is missing in ISO 27001 may be + - 5.2 + - 5.6 + - 5.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Security%20consulting%20on%20request + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Each team has a security champion: uuid: 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 risk: No one feels directly responsible for security and the security champion 
@@ -2001,116 +1714,42 @@ Culture and Organization: url: https://github.com/c0rdis/security-champions-playbook references: samm2: - - G-EG-1-B - - G-EG-2-B + - G-EG-B-1 + - G-EG-B-2 iso27001-2017: - Security champions are missing in ISO 27001 most likely - 7.2.1 - 7.2.2 iso27001-2022: - - Security champions are missing in ISO 27001 most likely - - 5.4 - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Office Hours: - uuid: 185d5a74-19dc-4422-be07-44ea35226783 - risk: Developers and Operations are not in contact with the security team and - therefore do not ask prior implementation of (known or unknown) threats- - measure: As a security team, be open for questions and hints during defined - office hours. x x d - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 3 - level: 3 - implementation: ~ - references: - samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/185d5a74-19dc-4422-be07-44ea35226783 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Regular security training for all: - uuid: 9768f154-357a-4c06-af6f-d66570677c9b - risk: Understanding security is hard. - measure: Provide security awareness training for all internal personnel involved - in software development on a regular basis like twice in a year for 1-3 days. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 4 - level: 2 - description: | - Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. 
The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option. - - Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level. - - Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization. 
- - [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) - implementation: - - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a - name: OWASP Juice Shop - tags: - - training - url: https://github.com/bkimminich/juice-shop - description: In case you do not have the budget to hire an external security - expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 - name: OWASP Cheatsheet Series - tags: - - training - - secure coding - url: https://cheatsheetseries.owasp.org/ - references: - samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: + - Security champions are missing in ISO 27001 most likely + - 5.4 - 6.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/9768f154-357a-4c06-af6f-d66570677c9b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Each%20team%20has%20a%20security%20champion + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Regular security training for externals: - uuid: 31833d56-35af-4ef3-9300-f23d27646ce7 + Regular security training for all: + uuid: 9768f154-357a-4c06-af6f-d66570677c9b risk: Understanding security is hard. - measure: Provide security awareness training for all personnel including externals - involved in software development on a regular basis. + measure: Provide security awareness training for all internal personnel involved + in software development on a regular basis like twice in a year for 1-3 days. difficultyOfImplementation: knowledge: 3 - time: 2 - resources: 3 + time: 4 + resources: 2 usefulness: 4 - level: 4 + level: 2 + description: | + Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. 
The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option. + + Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level. + + Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization. + + [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) implementation: - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a name: OWASP Juice Shop 
@@ -2127,21 +1766,18 @@ Culture and Organization: url: https://cheatsheetseries.owasp.org/ references: samm2: - - G-EG-3-A + - G-EG-A-1 iso27001-2017: - 7.2.2 iso27001-2022: - 6.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Regular%20security%20training%20for%20all + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Regular security training of security champions: uuid: f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 risk: Understanding security is hard, even for security champions. @@ -2163,11 +1799,11 @@ Culture and Organization: - secure coding url: https://cheatsheetseries.owasp.org/ dependsOn: - - Each team has a security champion + - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion references: samm2: - - D-TA-2-B - - G-EG-1-A + - D-TA-B-2 + - G-EG-A-1 iso27001-2017: - Security champions are missing in ISO 27001 - 7.2.2 @@ -2175,15 +1811,12 @@ Culture and Organization: - Security champions are missing in ISO 27001 - 6.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Regular%20security%20training%20of%20security%20champions + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Reward of good communication: uuid: 91b6f75b-9f4a-4d77-95a2-af7ad3222c7c risk: Employees are not getting excited about security. 
@@ -2214,7 +1847,7 @@ Culture and Organization: url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx references: samm2: - - G-EG-1-B + - G-EG-B-1 iso27001-2017: - not required by ISO 27001 - interestingly enough A7.2.3 is requiring a process to handle misconduct 
@@ -2222,55 +1855,12 @@ Culture and Organization: iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security Coaching: - uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 - risk: Training does not change behaviour. Therefore, even if security practices - are understood, it's likely that they are not performed. - measure: By coaching teams on security topics using for example the samman coaching - method, teams internalize security practices as new habits in their development - process. - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 1 - usefulness: 3 - implementation: - - uuid: 9223be73-00da-400e-a910-3871734cff2f - name: sammancoaching - tags: - - documentation - - coaching - - education - url: https://sammancoaching.org/ - description: | - Security coaches work with software development teams to help them adopt better security practices. - level: 3 - references: - samm2: - - G-EG-3-B - iso27001-2017: - - 7.1.1 - iso27001-2022: - - 6.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Reward%20of%20good%20communication + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Security code review: uuid: 7121b0c7-6ace-4d6b-95d0-94535dbccb57 risk: Understanding security is hard. 
@@ -2306,67 +1896,112 @@ Culture and Organization: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) references: samm2: - - V-ST-1-B + - V-ST-B-1 iso27001-2017: - ISO 27001:2017 mapping is missing iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Security%20code%20review + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Security consulting on request: - uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0 - level: 1 - description: | - Security consulting on request allows teams to seek expert advice on security-related questions or challenges as they arise. This support can be provided by internal or external security consultants and helps address specific concerns during software development. - risk: | - If teams do not consult security experts when questions arise, security flaws may be introduced or remain undetected, increasing the risk of vulnerabilities in the software. - measure: | - Make security consulting available to teams on request, ensuring that expert advice is accessible when needed to address security concerns during development. - assessment: | - Records show that teams have access to security consulting services and have used them when needed. Documentation of consultations and resulting actions is available for review. + Conduction of build-it, break-it, fix-it contests: + uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8 + risk: Understanding security is hard, even for security champions and the conduction + of security training often focuses on breaking a component instead of building + a component secure. 
+ measure: The build-it, break-it, fix-it contest allows to train people with + security related roles like security champions the build, break and fix part + of a secure application. This increases the learning of building secure components. difficultyOfImplementation: - knowledge: 3 + knowledge: 5 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f + name: Build it Break it Fix it Contest + tags: [] + url: https://builditbreakit.org/ + references: + samm2: + - G-EG-A-2 + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Conduction%20of%20build-it%2C%20break-it%2C%20fix-it%20contests + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Office Hours: + uuid: 185d5a74-19dc-4422-be07-44ea35226783 + risk: Developers and Operations are not in contact with the security team and + therefore do not ask prior implementation of (known or unknown) threats- + measure: As a security team, be open for questions and hints during defined + office hours. x x d + difficultyOfImplementation: + knowledge: 1 time: 1 resources: 1 usefulness: 3 + level: 3 + implementation: ~ + references: + samm2: + - G-EG-A-1 + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Office%20Hours + tags: + - none + Security Coaching: + uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 + risk: Training does not change behaviour. Therefore, even if security practices + are understood, it's likely that they are not performed. + measure: By coaching teams on security topics using for example the samman coaching + method, teams internalize security practices as new habits in their development + process. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 1 + usefulness: 3 implementation: - - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 - name: OWASP Cheatsheet Series + - uuid: 9223be73-00da-400e-a910-3871734cff2f + name: sammancoaching tags: - - training - - secure coding - url: https://cheatsheetseries.owasp.org/ + - documentation + - coaching + - education + url: https://sammancoaching.org/ + description: | + Security coaches work with software development teams to help them adopt better security practices. + level: 3 references: samm2: - - G-EG-1-A + - G-EG-B-3 iso27001-2017: - - security consulting is missing in ISO 27001 may be - - 6.1.1 - - 6.1.4 - - 6.1.5 + - 7.1.1 iso27001-2022: - - Security consulting is missing in ISO 27001 may be - - 5.2 - - 5.6 - - 5.8 + - 6.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Security%20Coaching + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Security-Lessoned-Learned: uuid: 58c46807-fee9-448b-b6dd-8050c464ab52 risk: After an incident, a similar incident might reoccur. 
@@ -2382,21 +2017,19 @@ Culture and Organization: implementation: [] references: samm2: - - O-IM-3-B + - G-EG-B-3 + - O-IM-B-3 iso27001-2017: - 16.1.6 iso27001-2022: - 5.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Security-Lessoned-Learned + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Simple mob hacking: uuid: 535f301a-e8e8-4eda-ad77-a08b035c92de risk: Understanding security is hard. 
@@ -2417,13 +2050,147 @@ Culture and Organization: - The team gets an idea of how exploits can look like and how easy applications can be attacked. - The team understands functional correct working software can be highly insecure and easy to exploit. difficultyOfImplementation: - knowledge: 5 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - credits: | - AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + knowledge: 5 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + credits: | + AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + implementation: + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training + url: https://github.com/bkimminich/juice-shop + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529 + name: Damn Vulnerable Web Application + tags: + - training + description: Simple Application with intended vulnerabilities. HTML based. + references: + samm2: + - G-EG-A-2 + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Simple%20mob%20hacking + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Aligning security in teams: + uuid: f994a55d-71bb-45a4-a887-0a213d72c504 + risk: The concept of Security Champions might suggest that only he/she is responsible + for security. However, everyone in the project team should be responsible + for security. + measure: By aligning security Subject Matter Experts with project teams, a higher + security standard can be achieved. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 1 + usefulness: 5 + implementation: + - uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3 + name: Involve Security SME + tags: [] + description: Security SME are involved in discussion for requirements analysis, + software design and sprint planning to provide guidance and suggestions. + level: 4 + references: + samm2: + - G-EG-B-3 + iso27001-2017: + - 7.1.1 + iso27001-2022: + - 6.1 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Aligning%20security%20in%20teams + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Conduction of collaborative team security checks: + uuid: 35446784-7610-40d9-af9e-d43f3173bf8c + risk: Development teams limited insight over security practices. + measure: Mutual security testing the security of other teams project enhances + security awareness and knowledge. + difficultyOfImplementation: + resources: 2 + knowledge: 4 + time: 4 + usefulness: 2 + level: 4 + implementation: [] + references: + samm2: + - G-EG-A-1 + - G-EG-A-2 + iso27001-2017: + - Mutual security testing is not explicitly required in ISO 27001 may be + - 7.2.2 + iso27001-2022: + - Mutual security testing is not explicitly required in ISO 27001 may be + - 6.3 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Conduction%20of%20collaborative%20team%20security%20checks + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Conduction of war games: + uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694 + risk: Understanding incident response plans during an incident is hard and ineffective. + measure: War Games like activities help train for incidents. Security SMEs create + attack scenarios in a testing environment enabling the trainees to learn how + to react in case of an incident. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 4 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - G-EG-A-2 + - O-IM-B-2 + iso27001-2017: + - War games are not explicitly required in ISO 27001 may be + - 7.2.2 + - 16.1 + - 16.1.5 + iso27001-2022: + - War games are not explicitly required in ISO 27001 may be + - 6.3 + - 5.24 + - 5.26 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Conduction%20of%20war%20games + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Regular security training for externals: + uuid: 31833d56-35af-4ef3-9300-f23d27646ce7 + risk: Understanding security is hard. + measure: Provide security awareness training for all personnel including externals + involved in software development on a regular basis. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 3 + usefulness: 4 + level: 4 implementation: - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a name: OWASP Juice Shop 
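Review bot: The `Damn Vulnerable Web Application` implementation entry added under `Simple mob hacking` carries `tags` and `description` but no `url`, while its sibling `OWASP Juice Shop` entry does; add a `url:` line pointing at the DVWA project page so the activity view can link it like the other implementations. The next hunk removes this same entry from `Regular security training for externals`, so this block is now its only occurrence in the model. The hunk ends inside the `Regular security training for externals` block, whose remaining `implementation` entries sit in the following hunk.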
@@ -2432,126 +2199,95 @@ Culture and Organization: url: https://github.com/bkimminich/juice-shop description: In case you do not have the budget to hire an external security expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - - uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529 - name: Damn Vulnerable Web Application + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series tags: - training - description: Simple Application with intended vulnerabilities. HTML based. + - secure coding + url: https://cheatsheetseries.owasp.org/ references: samm2: - - G-EG-1-A + - G-EG-A-2 iso27001-2017: - 7.2.2 iso27001-2022: - 6.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Regular%20security%20training%20for%20externals + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Process: - Approval by reviewing any new version: - uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1 - risk: An individual might forget to implement security measures to protect source - code or infrastructure components. - measure: On each new version (e.g. Pull Request) of source code or infrastructure - components a security peer review of the changes is performed (two eyes principle) - and approval given by the reviewer. + Conduction of collaborative security checks with developers and system administrators: + uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2 + risk: Security checks by external companies do not increase the understanding + of an application/system for internal employees. 
+ measure: Periodically security reviews of source code (SCA), in which security + SME, developers and operations are involved, are effective at increasing the + robustness of software and the security knowledge of the teams involved. difficultyOfImplementation: - knowledge: 2 + knowledge: 3 time: 2 resources: 1 usefulness: 3 - level: 3 - implementation: [] - references: - samm2: [] - iso27001-2017: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 5.3 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Definition of a change management process: - uuid: b4193d32-3948-47e2-a326-3748c48019a1 - risk: The impact of a change is not controlled because these are not recorded - or documented. - measure: Each change of a system is automatically recorded and adequately logged. 
- difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 1 - usefulness: 3 - level: 3 + level: 5 implementation: [] references: - samm2: [] + samm2: + - G-EG-A-2 + - G-EG-B-2 iso27001-2017: - - 14.2.2 - - 12.1.2 - - 12.4.1 + - Mutual review of source code is not explicitly required in ISO 27001 may + be + - 7.2.2 + - 12.6.1 + - 12.7.1 iso27001-2022: - - 8.32 - - 8.15 + - Mutual review of source code is not explicitly required in ISO 27001 may + be + - 6.3 + - 8.8 + - 8.34 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Education%20and%20Guidance/subsection/Conduction%20of%20collaborative%20security%20checks%20with%20developers%20and%20system%20administrators + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false + Process: Definition of simple BCDR practices for critical components: uuid: c72da779-86cc-45b1-a339-190ce5093171 - description: | - Business Continuity and Disaster Recovery (BCDR) is a plan and a process that enable an organization to quickly restore normal operations after a disruptive event, such as a cyberattack or natural disaster. - risk: | - If the disaster recovery actions are not clear, you risk slow reaction and remediation delays. - This applies to cyber attacks as well as natural emergencies, such as a power outage. - measure: | - Develop, document, and communicate a BCDR plan for all critical components. The plan must define roles and responsibilities, Service Level Agreements (SLAs), Recovery Point Objectives (RPOs), Recovery Time Objectives (RTOs), and failover procedures. Ensure all relevant personnel are trained and the plan is reviewed and updated regularly. 
- assessment: "- The organization has a documented BCDR plan covering all critical - components.\n- The plan clearly defines responsibilities, SLAs, RPOs, RTOs, - and failover steps. \n- Relevant staff are aware of the plan, and evidence - of regular review and testing is available.\n" - level: 1 + description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan + and a process that helps a business to return to normal operations if a disaster + occurs. + risk: If the disaster recovery actions are not clear, you risk slow reaction + and remediation delays. This applies to cyber attacks as well as natural emergencies, + such as a power outage. + measure: By understanding and documenting a business continuity and disaster + recovery (BCDR) plan, the overall availability of systems and applications + is increased. Success factors like responsibilities, Service Level Agreements, + Recovery Point Objectives, Recovery Time Objectives or Failover must be fully + documented and understood by the people involved in the recovery. difficultyOfImplementation: knowledge: 4 time: 3 resources: 2 usefulness: 4 + level: 1 implementation: [] references: - samm2: [] + samm2: + - O-IM-B-2 iso27001-2017: - 17.1.1 iso27001-2022: - 5.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/c72da779-86cc-45b1-a339-190ce5093171 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Process/subsection/Definition%20of%20simple%20BCDR%20practices%20for%20critical%20components tags: - none - teamsImplemented: - Default: false - B: false - C: false Determining the protection requirement: uuid: 72737130-472c-4984-80f8-9ab2f1c2ed5d risk: "Not defining the protection requirement of applications can lead to wrong 
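Review bot: The new side of `Definition of simple BCDR practices for critical components` drops the `assessment` block (the three review criteria) and replaces the `description`, `risk` and `measure` text with a different wording; if `model.yaml` is generated from DSOMM-data, the hand-edited content that was in `activities.yaml` is lost by this rename unless it is ported upstream first, so please confirm this regression is intended. The same activity also lacks the `isImplemented`, `evidence` and `comments` keys that the other activities in this hunk carry; the loader may default them, but the inconsistency is worth checking. Separately, in `Conduction of collaborative security checks with developers and system administrators` the measure should read `Periodic security reviews of source code`, and since `(SCA)` commonly denotes Software Composition Analysis, `(secure code review)` would be less ambiguous.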
@@ -2568,7 +2304,7 @@ Culture and Organization: usefulness: 3 level: 2 dependsOn: - - 2a44b708-734f-4463-b0cb-86dc46344b2f + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components implementation: - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb name: OWASP DefectDojo 
@@ -2602,92 +2338,80 @@ Culture and Organization: This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. references: samm2: - - I-DM-3-B + - O-OM-A-2 + - G-PC-B-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/72737130-472c-4984-80f8-9ab2f1c2ed5d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Process/subsection/Determining%20the%20protection%20requirement tags: - vulnerability-mgmt - metrics - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false -Implementation: - Application Hardening: - App. Hardening Level 1: - uuid: cf819225-30cb-4702-8e32-60225eedc33d - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 1 - * OWASP Mobile Application Security Verification Standard - - in all applications provides a good baseline. Implement 95%-100% of the recommendations. + Approval by reviewing any new version: + uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1 + risk: An individual might forget to implement security measures to protect source + code or infrastructure components. + measure: On each new version (e.g. Pull Request) of source code or infrastructure + components a security peer review of the changes is performed (two eyes principle) + and approval given by the reviewer. difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 - usefulness: 4 - level: 2 - dependsOn: - - App. Hardening Level 1 (50%) - description: | - To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. 
Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely. - - [...] - - ### Planning aka Requirements Gathering & Analysis - The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security. - - ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png) - - Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process. - - These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations. - - In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below. 
- - Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) - implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS - tags: [] - url: https://github.com/OWASP/owasp-masvs - - uuid: 596cb528-8981-4723-bcc3-22c261f26114 - name: API Security Maturity Model for Authorization - tags: - - api - url: https://curity.io/resources/learn/the-api-security-maturity-model/ + usefulness: 3 + level: 3 + implementation: [] references: - samm2: - - D-SR-1-A + samm2: [] iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Process/subsection/Approval%20by%20reviewing%20any%20new%20version + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Definition of a change management process: + uuid: b4193d32-3948-47e2-a326-3748c48019a1 + risk: The impact of a change is not controlled because these are not recorded + or documented. + measure: Each change of a system is automatically recorded and adequately logged. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 14.2.2 + - 12.1.2 + - 12.4.1 + iso27001-2022: + - 8.32 + - 8.15 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/cf819225-30cb-4702-8e32-60225eedc33d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Process/subsection/Definition%20of%20a%20change%20management%20process + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false +Implementation: + Application Hardening: App. Hardening Level 1 (50%): uuid: b597928e-54d6-48a5-a806-8003dcd56aab risk: Using an insecure application might lead to a compromised application. @@ -2737,7 +2461,7 @@ Implementation: url: https://curity.io/resources/learn/the-api-security-maturity-model/ references: samm2: - - D-SR-1-A + - D-SR-A-2 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 
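Review bot: In `Approval by reviewing any new version` the measure states the peer review `is performed (two eyes principle)`, while the `iso27001-2017` and `iso27001-2022` notes of the same block describe the control as the `four eyes principle`; a review and approval by a second person is the four-eyes principle, so the measure should read `and approval given by the reviewer (four eyes principle)`. The wording is moved rather than newly written, but the block is otherwise rewritten here (new `openCRE` link, `isImplemented`/`evidence` keys), so this is the place to fix it.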
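Review bot: `App. Hardening Level 1 (50%)` now references samm2 `D-SR-A-2`, but the rest of the ladder does not follow a monotonic order: `App. Hardening Level 1` maps to `D-SR-A-3` (hunk at -2871), `App. Hardening Level 2 (75%)` to `D-SR-A-3` (hunk at -2946), `App. Hardening Level 2` to `D-SR-A-2` (hunk at -3120) and `App. Hardening Level 3` to `D-SR-A-3`. The old side kept the levels aligned (`D-SR-1-A`, `D-SR-2-A`, `D-SR-3-A` for Levels 1–3), so the conversion to the `D-SR-A-n` form appears to have shuffled the maturity digit. If the SAMM stream-A maturity is meant to track the DSOMM level, the Level 1 pair should reference `D-SR-A-1`, the Level 2 pair `D-SR-A-2` and Level 3 `D-SR-A-3`; please verify against the DSOMM-data source rather than hand-editing if this file is generated.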
@@ -2745,89 +2469,93 @@ Implementation: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/b597928e-54d6-48a5-a806-8003dcd56aab + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/App.%20Hardening%20Level%201%20%2850%25%29 comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - App. Hardening Level 2: - uuid: ffe86caf-2fec-4630-b514-2db83983984d - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 2 - * OWASP Mobile Application Security Verification Standard Level 2 - - Implement 95%-100% of the recommendations. + Context-aware output encoding: + uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7 + description: "**Input validation** stops malicious data from entering your system. + \\\n**Output encoding** neutralizes malicious data before rendering to user, + or the next system.\n\nInput validation and output encoding work together. + Apply both. \n\n**Context-aware output encoding** encodes data differently, + depending on its context. In the sample below the `{{bad_data}}` must be encoded + differently, depending on its context, to render safe HTML.\n\n```html\n
{{bad_data}}
\nClick me\n\n\n```\n" + risk: If an attacker manages to slip though your input validation, the attacker + may gain control over the user session or execute arbitrary actions. + measure: "* Use modern secure frameworks such as React/Angular/Vue/Svelte. The + default method here renders data in a safe way.\n* Use established and well-maintained + encoding libraries such as OWASP\u2019s Java Encoder and Microsoft\u2019s + AntiXSS.\n* Implement content security policies (CSP) to restrict the types + of content that can be loaded and executed.\n" difficultyOfImplementation: - knowledge: 3 - time: 3 + knowledge: 1 + time: 2 resources: 1 usefulness: 3 - level: 4 + level: 1 implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS + - uuid: 2d61e48f-bade-4332-a383-adc50c29673a + name: OWASP DOM based XSS Prevention CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html tags: [] - url: https://github.com/OWASP/owasp-masvs + - uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc + name: CWE-838 Inappropriate Encoding for Output Context + tags: + - documentation + - cwe + url: https://cwe.mitre.org/data/definitions/838.html references: samm2: - - D-SR-2-A + - D-SR-A-1 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 iso27001-2022: - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/ffe86caf-2fec-4630-b514-2db83983984d - comments: "" - dependsOn: - - App. Hardening Level 2 (75%) - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - App. 
Hardening Level 2 (75%): - uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7 - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 2 - * OWASP Mobile Application Security Verification Standard Level 2 + - 8.22 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/Context-aware%20output%20encoding + comments: "" + tags: + - none + Parametrization: + uuid: 00e91a8a-3972-4692-8679-674ab8547486 + description: | + By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well. - Implement 75% of the recommendations. + This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed. + + Pay attention to these two lines of code. They seem similar, but behave very differently. + + * `sql.execute("SELECT * FROM table WHERE ID = " + id);` + * `sql.execute("SELECT * FROM table WHERE ID = ?", id);` + The second line is parameterized. The same principle applies to other types, such as command line execution, etc. + risk: "Systems vulnerable to injections may lead to data breaches, loss of data, + \nunauthorized alteration of data, or complete database compromise or downtime.\n\nThis + applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc.\n" + measure: | + * Identify which of the types your application is using. 
Check that you use: + * Use _parametrized queries_ (or _prepared statements_) + * For database queries, you may also use: + * Use _stored procedures_ () + * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization difficultyOfImplementation: - knowledge: 3 - time: 3 + knowledge: 1 + time: 2 resources: 1 usefulness: 3 - level: 3 + level: 1 implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS + - uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4 + name: OWASP Parameterization CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html tags: [] - url: https://github.com/OWASP/owasp-masvs references: samm2: - - D-SR-2-A + - D-SR-A-1 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 
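Review bot: In the `Parametrization` measure the bullet `* Use _stored procedures_ ()` ends in empty parentheses, which reads as an unfilled placeholder; either drop them or state the caveat they were presumably meant to hold, e.g. `* Use _stored procedures_ (only if they do not assemble dynamic SQL internally)`. In the same activity's `risk` text, `email headers OS commands` is missing a comma between the two items. Both lines are moved content, but they are part of the new side of this hunk and the inline fixes are one token each.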
@@ -2835,33 +2563,45 @@ Implementation: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/Parametrization comments: "" - dependsOn: - - App. Hardening Level 1 tags: - none - teamsImplemented: - Default: false - B: false - C: false - App. Hardening Level 3: - uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a + App. Hardening Level 1: + uuid: cf819225-30cb-4702-8e32-60225eedc33d risk: Using an insecure application might lead to a compromised application. This might lead to total data theft or data modification. measure: | Following frameworks like the - * OWASP Application Security Verification Standard Level 3 + * OWASP Application Security Verification Standard Level 1 * OWASP Mobile Application Security Verification Standard - Implement 95%-100% of the recommendations. + in all applications provides a good baseline. Implement 95%-100% of the recommendations. difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 2 + knowledge: 2 + time: 2 + resources: 1 usefulness: 4 - level: 5 + level: 2 + dependsOn: + - b597928e-54d6-48a5-a806-8003dcd56aab # App. Hardening Level 1 (50%) + description: | + To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely. + + [...] 
+ + ### Planning aka Requirements Gathering & Analysis + The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security. + + ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png) + + Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process. + + These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations. + + In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below. + + Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) implementation: - uuid: 88767cde-1610-402e-98ec-bc3575377183 name: OWASP ASVS @@ -2871,9 +2611,14 @@ Implementation: name: OWASP MASVS tags: [] url: https://github.com/OWASP/owasp-masvs + - uuid: 596cb528-8981-4723-bcc3-22c261f26114 + name: API Security Maturity Model for Authorization + tags: + - api + url: https://curity.io/resources/learn/the-api-security-maturity-model/ references: samm2: - - D-SR-3-A + - D-SR-A-3 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 
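Review bot: The `description` attached to `App. Hardening Level 1` is, apart from its first paragraph, an excerpt from the OWASP Project Integration writeup about requirements gathering (SAMM Design/Security Requirements streams, ASVS V1 as a questionnaire, SKF), not about applying ASVS/MASVS hardening, so it appears misplaced under this activity; consider keeping only the first paragraph here and moving the rest to a requirements-oriented activity. This text pre-dates the commit, but it is re-emitted on the new side together with the new `dependsOn` UUID, so it is worth deciding now whether it belongs. The activity block continues into the next hunk.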
@@ -2881,16 +2626,10 @@ Implementation: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a - dependsOn: - - App. Hardening Level 2 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/App.%20Hardening%20Level%201 + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Containers are running as non-root: uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f risk: |- @@ -2938,7 +2677,7 @@ Implementation: implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - Virtual environments are not explicitly covered by ISO 27001 - too specific - 13.1.3 @@ -2946,102 +2685,37 @@ Implementation: - Virtual environments are not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Context-aware output encoding: - uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7 - description: "**Input validation** stops malicious data from entering your system. - \\\n**Output encoding** neutralizes malicious data before rendering to user, - or the next system.\n\nInput validation and output encoding work together. - Apply both. \n\n**Context-aware output encoding** encodes data differently, - depending on its context. In the sample below the `{{bad_data}}` must be encoded - differently, depending on its context, to render safe HTML.\n\n```html\n
{{bad_data}}
\nClick me\n\n\n``` \n" - risk: If an attacker manages to slip though your input validation, the attacker - may gain control over the user session or execute arbitrary actions. - measure: "* Use modern secure frameworks such as React/Angular/Vue/Svelte. The - default method here renders data in a safe way.\n* Use established and well-maintained - encoding libraries such as OWASP\u2019s Java Encoder and Microsoft\u2019s - AntiXSS.\n* Implement content security policies (CSP) to restrict the types - of content that can be loaded and executed.\n" - difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 3 - level: 1 - implementation: - - uuid: 2d61e48f-bade-4332-a383-adc50c29673a - name: OWASP DOM based XSS Prevention CheatSheet - url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html - tags: [] - - uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc - name: CWE-838 Inappropriate Encoding for Output Context - tags: - - documentation - - cwe - url: https://cwe.mitre.org/data/definitions/838.html - references: - samm2: - - D-SR-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/e1f37abb-d848-4a3a-b3df-65e91a89dcb7 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/Containers%20are%20running%20as%20non-root tags: - none - teamsImplemented: - Default: false - B: false - C: false - Parametrization: - uuid: 00e91a8a-3972-4692-8679-674ab8547486 - description: | - By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well. 
- - This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed. - - Pay attention to these two lines of code. They seem similar, but behave very differently. - - * `sql.execute("SELECT * FROM table WHERE ID = " + id);` - * `sql.execute("SELECT * FROM table WHERE ID = ?", id);` - The second line is parameterized. The same principle applies to other types, such as command line execution, etc. - risk: "Systems vulnerable to injections may lead to data breaches, loss of data, - \nunauthorized alteration of data, or complete database compromise or downtime.\n\nThis - applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. \n" + App. Hardening Level 2 (75%): + uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7 + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. measure: | - * Identify which of the types your application is using. Check that you use: - * Use _parametrized queries_ (or _prepared statements_) - * For database queries, you may also use: - * Use _stored procedures_ () - * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization + Following frameworks like the + * OWASP Application Security Verification Standard Level 2 + * OWASP Mobile Application Security Verification Standard Level 2 + + Implement 75% of the recommendations. 
difficultyOfImplementation: - knowledge: 1 - time: 2 + knowledge: 3 + time: 3 resources: 1 usefulness: 3 - level: 1 + level: 3 implementation: - - uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4 - name: OWASP Parameterization CheatSheet - url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS tags: [] + url: https://github.com/OWASP/owasp-masvs references: samm2: - - D-SR-1-A + - D-SR-A-3 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 @@ -3049,15 +2723,13 @@ Implementation: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/00e91a8a-3972-4692-8679-674ab8547486 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/App.%20Hardening%20Level%202%20%2875%25%29 + isImplemented: false comments: "" + dependsOn: + - cf819225-30cb-4702-8e32-60225eedc33d # App. Hardening Level 1 tags: - none - teamsImplemented: - Default: false - B: false - C: false Secure headers: uuid: 29318d60-18ce-4526-80ea-f5928e49f639 risk: | @@ -3109,7 +2781,7 @@ Implementation: - Referrer-Policy: Control information in the Referrer header references: samm2: - - D-SR-3-A + - O-EM-A-2 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 
@@ -3120,27 +2792,110 @@ Implementation: - https://www.opencre.org/cre/620-421 tags: - none - teamsImplemented: - Default: false - B: false - C: false + App. Hardening Level 2: + uuid: ffe86caf-2fec-4630-b514-2db83983984d + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 2 + * OWASP Mobile Application Security Verification Standard Level 2 + + Implement 95%-100% of the recommendations. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 4 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-A-2 + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/App.%20Hardening%20Level%202 + isImplemented: false + comments: "" + dependsOn: + - 03643ca2-03c2-472b-8e19-956bf02fe9b7 # App. Hardening Level 2 (75%) + tags: + - none + App. Hardening Level 3: + uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 3 + * OWASP Mobile Application Security Verification Standard + + Implement 95%-100% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 2 + usefulness: 4 + level: 5 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-A-3 + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20Hardening/subsection/App.%20Hardening%20Level%203 + dependsOn: + - ffe86caf-2fec-4630-b514-2db83983984d # App. Hardening Level 2 + tags: + - none Development and Source Control: - .gitignore: - uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d - risk: Unintended leakage of secrets, debug, or workstation specific data - measure: .gitignore files help prevent accidental commits of secrets, debug, - or workstation specific data + Versioning: + uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f + risk: Deployment of untracked artifacts. + description: Use a version control system platform like Github, Gitlab, Bitbucket, + gittea,... to version your code. + measure: Version artifacts in order to identify deployed features and issues. + This includes application and infrastructure code, jenkins configuration, + container and virtual machine images definitions. difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 + knowledge: 3 + time: 3 + resources: 3 usefulness: 5 - level: 4 - dependsOn: [] + level: 1 + dependsOn: + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-1 + - I-SB-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 12.1.1 
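Review bot: The SAMM mapping on the new `App. Hardening Level 2` entry (`- D-SR-A-2`, level 4) is lower than the one on the `App. Hardening Level 2 (75%)` entry it depends on (`- D-SR-A-3`, level 3, visible at the end of the preceding hunk), while `App. Hardening Level 3` maps to `D-SR-A-3` again; the two look swapped, and the 75% variant should presumably carry `- D-SR-A-2` — confirm against the SAMM mapping before changing either. The new `App. Hardening Level 3` entry also lacks the `isImplemented: false` and `comments: ""` keys its two siblings carry, so consumers that read those keys see a different shape for one of three otherwise parallel activities. In the new `Versioning` description, `gittea` should read `Gitea`. If this file is a copy of generated output from the data repository, these fixes belong in the upstream source rather than here.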
@@ -3151,14 +2906,52 @@ Implementation: - 5.37 - 8.32 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Versioning + tags: + - none + Require a PR before merging: + uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + risk: Intentional or accidental alterations in critical branches like main (or + master). + measure: Define source code management system policies (e.g. branch protection + rules, mandatory code reviews from at least one person, ...) to ensure that + changes to critical branches are only possible under defined conditions. These + policies can be implemented at repository level or organization level, depending + on the source code management system. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 2 + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-A-1 + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - 
https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Require%20a%20PR%20before%20merging tags: - none - teamsImplemented: - Default: false - B: false - C: false Block force pushes: uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 risk: "Misuse of force push can lead to loss of work. It may overwrite remote @@ -3176,7 +2969,7 @@ Implementation: usefulness: 3 level: 3 dependsOn: - - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging implementation: - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a name: Improve code quality with branch policies @@ -3192,7 +2985,7 @@ Implementation: - scm references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - 6.1.2 - 14.2.1 @@ -3200,14 +2993,9 @@ Implementation: - 5.3 - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Block%20force%20pushes tags: - none - teamsImplemented: - Default: false - B: false - C: false Dismiss stale PR approvals: uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162 risk: Intentional or accidental alterations in critical branches like main (or @@ -3222,7 +3010,7 @@ Implementation: usefulness: 4 level: 3 dependsOn: - - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging implementation: - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a name: Improve code quality with branch policies @@ -3244,7 +3032,7 @@ Implementation: description: Usage of branch protection rules references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - Peer review - four eyes principle is not explicitly required by ISO 27001 - 6.1.2 
@@ -3254,14 +3042,84 @@ Implementation: - 5.3 - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Dismiss%20stale%20PR%20approvals + tags: + - none + Require status checks to pass: + uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee + risk: Organizations risk introducing broken builds, quality issues, and security + vulnerabilities into their codebase. + measure: Mandate passing of security related specified status checks, like successful + builds or static application security tests, before proceeding. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + references: + samm2: + - O-EM-A-1 + iso27001-2017: + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.3 + - 8.25 + openCRE: + - 
https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Require%20status%20checks%20to%20pass + tags: + - none + .gitignore: + uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d + risk: Unintended leakage of secrets, debug, or workstation specific data + measure: .gitignore files help prevent accidental commits of secrets, debug, + or workstation specific data + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 5 + level: 4 + dependsOn: [] + implementation: [] + references: + samm2: + - O-EM-A-1 + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + - 14.2.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/.gitignore tags: - none - teamsImplemented: - Default: false - B: false - C: false Local development linting & style checks performed: uuid: 517b0957-4981-4ac0-b4c7-0d8d1934c474 risk: Insecure or unmaintainable code base. 
@@ -3288,157 +3146,128 @@ Implementation: - linting references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - ISO 27001:2017 mapping is missing iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Local%20development%20linting%20%26%20style%20checks%20performed + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Require a PR before merging: - uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2 - risk: Intentional or accidental alterations in critical branches like main (or - master). - measure: Define source code management system policies (e.g. branch protection - rules, mandatory code reviews from at least one person, ...) to ensure that - changes to critical branches are only possible under defined conditions. These - policies can be implemented at repository level or organization level, depending - on the source code management system. + Infrastructure Hardening: + MFA for admins: + uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57 + risk: One factor authentication is more vulnerable to brute force attacks and + is considered less secure. 
+ measure: Two ore more factor authentication for all privileged accounts on systems + and applications difficultyOfImplementation: knowledge: 2 time: 1 resources: 2 usefulness: 4 - level: 2 + level: 1 implementation: - - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a - name: Improve code quality with branch policies - url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops - tags: - - source-code-protection - - scm - - uuid: 99211481-de9c-4358-880e-628366416a27 - name: About protected branches - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches - tags: - - source-code-protection - - scm + - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 + name: YubiKey - Smartcard + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 + name: SMS + tags: [] + - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d + name: TOTP + tags: [] + url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 9.2.4 - 6.1.2 - 14.2.1 iso27001-2022: - - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.17 - 5.3 - 8.25 + d3f: + - Multi-factorAuthentication openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/MFA%20for%20admins + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Require status checks to pass: - uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee - risk: Organizations risk introducing broken builds, quality 
issues, and security - vulnerabilities into their codebase. - measure: Mandate passing of security related specified status checks, like successful - builds or static application security tests, before proceeding. + Simple access control for systems: + uuid: 82e499d1-f463-4a4b-be90-68812a874af6 + risk: Attackers a gaining access to internal systems and application interfaces + measure: All internal systems are using simple authentication difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 4 - level: 3 + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 1 dependsOn: - - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process implementation: - - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a - name: Improve code quality with branch policies - url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops - tags: - - source-code-protection - - scm - - uuid: 99211481-de9c-4358-880e-628366416a27 - name: About protected branches - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches - tags: - - source-code-protection - - scm - - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 - name: Enforcement of commit signing - tags: - - signing - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule - description: Usage of branch protection rules + - uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9 + name: HTTP-Basic Authentication + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/ + - uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e + name: VPN + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/ references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - - 6.1.2 - - 14.2.1 + - 9.4.1 iso27001-2022: - - 5.3 - - 
8.25 + - 8.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Simple%20access%20control%20for%20systems + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Versioning: - uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f - risk: Deployment of untracked artifacts. - measure: Version artifacts in order to identify deployed features and issues. - This includes application and infrastructure code, jenkins configuration, - container and virtual machine images. + Usage of edge encryption at transit: + uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629 + risk: Evil actors might be able to perform a man in the middle attack and sniff + confidential information (e.g. authentication factors like passwords). + measure: |- + By using encryption at the edge of traffic in transit, it is impossible + or at least harder to sniff credentials or information being outside of the organization. + + Using standard secure protocols like HTTPS is recommended. 
difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 5 + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 level: 1 - dependsOn: - - Defined deployment process - implementation: [] + implementation: "" references: samm2: - - O-EM-1-A + - I-SD-B-2 iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.1 - - 12.1.2 - - 14.2.2 + - 10.1 iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.37 - - 8.32 + - 8.24 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20edge%20encryption%20at%20transit + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Infrastructure Hardening: Applications are running in virtualized environments: uuid: 3a94d55e-fd82-4996-9eb3-20d23ff2a873 risk: Through a vulnerability in one service on a server, the attacker gains @@ -3453,7 +3282,7 @@ Implementation: implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - Virtual environments are not explicitly covered by ISO 27001 - too specific - 13.1.3 
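Review bot: `implementation: ""` on the new `Usage of edge encryption at transit` entry is a scalar where every sibling activity uses a list (`implementation: []` or a sequence of items), so a consumer iterating over implementation entries receives a string instead of an empty list; `implementation: []` keeps the shape uniform, and the same scalar reappears on `Usage of an security account` in the last hunk. The `HTTP-Basic Authentication` item added under `Simple access control for systems` only protects credentials when the transport is encrypted, yet the entry has no link to the transit-encryption activity added in the same hunk; a `description: Only adequate over TLS — Basic authentication sends credentials base64-encoded, not encrypted` on that item, or a `dependsOn` pointing at `Usage of edge encryption at transit`, would make that explicit. Two wording slips on the new side: `measure: Two ore more factor authentication` → `Two or more` (here under `MFA for admins` and again in the `MFA` entry of the next hunk), and `risk: Attackers a gaining access` → `Attackers gaining access`.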
@@ -3461,15 +3290,10 @@ Implementation: - Virtual environments are not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Applications%20are%20running%20in%20virtualized%20environments comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Backup: uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc risk: If errors are experienced during the deployment process you want to deploy @@ -3490,7 +3314,7 @@ Implementation: name: A Point in Time Recovery for databases should be implemented. tags: [] dependsOn: - - Defined deployment process + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process references: samm2: - TODO @@ -3501,15 +3325,12 @@ Implementation: - 8.13 - 8.31 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Backup + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Baseline Hardening of the environment: uuid: 5992c38c-8597-4035-89db-d15820d81c3a risk: Using default configurations for a cluster environment leads to potential 
@@ -3525,13 +3346,13 @@ Implementation: level: 2 implementation: - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff - name: CIS Kubernetes Bench for Security + name: CIS Kubernetes Benchmark for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/benchmark/kubernetes - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f - name: CIS Docker Bench for Security + name: CIS Docker Benchmark for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/benchmark/docker - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont tags: [] 
@@ -3565,224 +3386,19 @@ Implementation: - kubernetes references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - system hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/5992c38c-8597-4035-89db-d15820d81c3a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Filter outgoing traffic: - uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d - risk: A compromised infrastructure component might try to send out stolen data. - measure: Having a whitelist and explicitly allowing egress traffic provides - the ability to stop unauthorized data leakage. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 2 - level: 3 - dependsOn: [] - implementation: - - uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867 - name: Open Policy Agent - tags: [] - url: https://www.openpolicyagent.org/ - - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 - name: firewalls - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Hardening of the Environment: - uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33 - risk: Using default configurations for a cluster environment leads to potential - risks. - measure: Harden environments according to best practices. 
Level 2 and partially - level 3 from hardening practices like 'CIS Kubernetes Bench for Security' - should be considered. - difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 2 - usefulness: 3 - level: 4 - implementation: - - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff - name: CIS Kubernetes Bench for Security - tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ - - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f - name: CIS Docker Bench for Security - tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ - - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef - name: For example for Cont - tags: [] - description: 'For example for Containers: Deny running containers as root, - deny using advanced privileges, deny mounting of the hole filesystem, ...' - url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ - - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b - name: Attack Matrix Cloud - tags: - - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ - description: Attack matrix for cloud - - uuid: 59881520-4c69-4922-a44e-99044a77de2b - name: Attack Matrix Containers - tags: - - mitre - url: https://attack.mitre.org/matrices/enterprise/containers/ - description: Attack matrix for containers - - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 - name: Attack Matrix Kubernetes - tags: - - mitre - url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - description: Attack matrix for kubernetes - - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af - name: Defend the core kubernetes security at every layer - url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ - tags: - - documentation - - cluster - - kubernetes - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - 
https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Immutable infrastructure: - uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833 - risk: The availability of IT systems might be disturbed due to components failures - measure: Redundancies in the IT systems - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 3 - dependsOn: - - Infrastructure as Code - implementation: - - uuid: b206481f-9c66-45e2-843c-37c5730580cd - name: Remove direct access to infrastructure - tags: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 17.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Infrastructure as Code: - uuid: 8b994601-575e-4ea5-b228-accb18c8e514 - risk: No tracking of changes in systems might lead to errors in the configuration. - In additions, it might lead to unauthorized changes. An examples is jenkins. - measure: Systems are setup by code. A full environment can be provisioned. In - addition, software like Jenkins 2 can be setup and configured in in code too. - The code should be stored in a version control system. 
- difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 4 - usefulness: 4 - level: 3 - implementation: - - uuid: b0931397-2402-44f1-814b-63292ab4a339 - name: GitOps - tags: [] - url: https://www.redhat.com/en/topics/devops/what-is-gitops - - uuid: 73747d35-2185-4f22-94a0-723288fa283c - name: Ansible - tags: [] - url: https://github.com/ansible/ansible - - uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce - name: Chef - tags: [] - url: https://github.com/chef/chef - - uuid: eb7f76a8-87e5-4394-af4c-c09487c85982 - name: Puppet - tags: [] - url: https://github.com/puppetlabs/puppet - - uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458 - name: Jenkinsfile - tags: [] - url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.1 - - 12.1.2 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/8b994601-575e-4ea5-b228-accb18c8e514 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Baseline%20Hardening%20of%20the%20environment + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Isolated networks for virtual environments: uuid: 4ce24abd-8ba6-494c-828d-4d193e28e4a1 risk: Virtual environments in default settings are able to access other virtual @@ -3812,7 +3428,7 @@ Implementation: url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - Virtual environments are not explicitly covered by ISO 27001 - too specific - 13.1.3 
@@ -3820,134 +3436,29 @@ Implementation: - Virtual environments are not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Limitation of system events: - uuid: e5386abf-9154-4752-a1a8-c3a8900f732d - risk: System events (system calls) can lead to privilege escalation. - measure: System calls are limited. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 5 - level: 3 - dependsOn: - - Audit of system events - implementation: - - uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd - name: seccomp - tags: [] - url: https://man7.org/linux/man-pages/man2/seccomp.2.html - - uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff - name: strace - tags: [] - url: https://man7.org/linux/man-pages/man1/strace.1.html - - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 - name: Falco - tags: - - falco - - systemcall - - monitoring - url: https://github.com/falcosecurity/falco - description: | - Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. - references: - samm2: - - O-EM-1-A - iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - MFA: - uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de - risk: One factor authentication is more vulnerable to brute force attacks and - is considered less secure. 
- measure: Two ore more factor authentication for all accounts on all (important) - systems and applications - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 4 - level: 2 - dependsOn: - - MFA for admins - implementation: - - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 - name: Smartcard - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 - name: YubiKey - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 - name: SMS - tags: [] - - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d - name: TOTP - tags: [] - url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 9.2.4 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - 5.17 - - 5.3 - - 8.25 - d3f: - - Multi-factorAuthentication - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Isolated%20networks%20for%20virtual%20environments + isImplemented: false + evidence: "" comments: "" tags: - - none - teamsImplemented: - Default: false - B: false - C: false - MFA for admins: - uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57 + - none + MFA: + uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de risk: One factor authentication is more vulnerable to brute force attacks and is considered less secure. 
- measure: Two ore more factor authentication for all privileged accounts on systems - and applications + measure: Two ore more factor authentication for all accounts on all (important) + systems and applications difficultyOfImplementation: knowledge: 2 - time: 1 + time: 2 resources: 2 usefulness: 4 - level: 1 + level: 2 + dependsOn: + - 8098e416-e1ed-4ae4-a561-83efbe76bf57 # MFA for admins implementation: - - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 - name: Smartcard - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 - name: YubiKey + name: YubiKey - Smartcard tags: [] url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 @@ -3959,7 +3470,7 @@ Implementation: url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - 9.2.4 - 6.1.2 
@@ -3971,297 +3482,336 @@ Implementation: d3f: - Multi-factorAuthentication openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/MFA + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Microservice-architecture: - uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a - risk: Monolithic applications are hard to test. - measure: A microservice-architecture helps to have small components, which are - more easy to test. + Usage of an security account: + uuid: 746025a6-dbfb-4087-a000-e46acab64ee1 + risk: Having security auditing in the same account as infrastructure and applications + at the cloud provide might cause evil administrators (or threat actors taking + over an account of an administrator) to alter evidence like audit logs. + measure: Usage of a separate account dedicated for security activities. 
difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 5 - usefulness: 1 - level: 5 - implementation: [] + knowledge: 3 + time: 2 + resources: 3 + usefulness: 4 + level: 2 + implementation: "" references: samm2: - - O-EM-1-A + - I-SD-B-2 iso27001-2017: - - Not explicitly covered by ISO 27001 + - 10.1 iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20an%20security%20account + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Production near environments are used by developers: - uuid: e14de741-94b3-447c-8b07-eea947d82e61 - risk: In case an errors occurs in production, the developer need to be able - to create a production near environment on a local development environment. - measure: Usage of infrastructure as code helps to create a production near environment. - The developer needs to be trained in order to setup a local development environment. - In addition, it should be possible to create production like test data. Often - personal identifiable information is anonymized in order to comply with data - protection laws. + Usage of encryption at rest: + uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060 + risk: Evil actors might be able to access data and read information, e.g. from + physical hard disks. + measure: By using encryption at rest, it is impossible or at least harder to + to read information. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: "" + references: + samm2: + - I-SD-B-2 + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20encryption%20at%20rest + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Usage of test and production environments: + uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415 + risk: Security tests are not running regularly because test environments are + missing + measure: A test and a production like environment is used difficultyOfImplementation: knowledge: 3 time: 3 - resources: 3 + resources: 5 usefulness: 4 - level: 4 + level: 2 dependsOn: - - Defined deployment process - - Infrastructure as Code + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific - 12.1.4 - 17.2.1 iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific - 8.31 - 8.14 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/e14de741-94b3-447c-8b07-eea947d82e61 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20test%20and%20production%20environments + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Role based authentication and authorization: - uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9 - risk: Everyone is able to get unauthorized access to information on systems - or to modify information unauthorized on systems. - measure: The usage of a (role based) access control helps to restrict system - access to authorized users. 
+ Virtual environments are limited: + uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca + risk: Denial of service (internally by an attacker or unintentionally by a bug) + on one service effects other services + measure: All virtual environments are using resource limits on hard disks, memory + and CPU difficultyOfImplementation: knowledge: 2 - time: 3 - resources: 1 + time: 2 + resources: 3 usefulness: 3 - level: 3 - implementation: - - uuid: 04edc63e-d389-48dd-b365-552aaf4ea004 - name: Directory Service - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/ - - uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e - name: Plugins - tags: [] + level: 2 dependsOn: - - Defined deployment process - - Defined build process + - 3a94d55e-fd82-4996-9eb3-20d23ff2a873 # Applications are running in virtualized environments + implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - - 9.4.1 + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 12.1.3 + - 13.1.3 + - 17.2.1 iso27001-2022: - - 8.3 + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.6 + - 8.22 + - 8.14 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Virtual%20environments%20are%20limited + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Simple access control for systems: - uuid: 82e499d1-f463-4a4b-be90-68812a874af6 - risk: Attackers a gaining access to internal systems and application interfaces - measure: All internal systems are using simple authentication + Filter outgoing traffic: + uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d + risk: A compromised infrastructure component might try to send out stolen data. 
+ measure: Having a whitelist and explicitly allowing egress traffic provides + the ability to stop unauthorized data leakage. difficultyOfImplementation: knowledge: 3 time: 3 resources: 3 - usefulness: 5 - level: 1 - dependsOn: - - Defined deployment process + usefulness: 2 + level: 3 + dependsOn: [] implementation: - - uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9 - name: HTTP-Basic Authentication + - uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867 + name: Open Policy Agent tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/ - - uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e - name: VPN + url: https://www.openpolicyagent.org/ + - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 + name: firewalls tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/ + url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ references: samm2: - - O-EM-1-A + - O-EM-A-2 iso27001-2017: - - 9.4.1 + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 iso27001-2022: - - 8.3 + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/82e499d1-f463-4a4b-be90-68812a874af6 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Filter%20outgoing%20traffic + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Usage of a chaos technology: - uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe - risk: Due to manual changes on a system, they are not replaceable anymore. In - case of a crash it might happen that a planned redundant system is unavailable. - In addition, it is hard to replay manual changes. - measure: A randomized periodically shutdown of systems makes sure, that nobody - will perform manual changes to a system. 
+ Immutable infrastructure: + uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833 + risk: The availability of IT systems might be disturbed due to components failures + measure: Redundancies in the IT systems difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 5 + knowledge: 2 + time: 2 + resources: 1 usefulness: 3 - level: 4 + level: 3 + dependsOn: + - 8b994601-575e-4ea5-b228-accb18c8e514 # Infrastructure as Code implementation: - - uuid: c117e79b-8223-4e55-9da5-efbf5d741c15 - name: Chaos Monkey - tags: - - chaos - - testing - url: https://github.com/Netflix/chaosmonkey - description: Chaos Monkey is a resiliency tool that helps applications tolerate - random instance failures. Chaos Monkey randomly terminates virtual machine - instances and containers that run inside of your production environment. - Exposing engineers to failures more frequently incentivizes them to build - resilient services. + - uuid: b206481f-9c66-45e2-843c-37c5730580cd + name: Remove direct access to infrastructure + tags: [] references: samm2: - - O-EM-1-A + - O-EM-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - - 17.1.3 + - 17.2.1 iso27001-2022: - Not explicitly covered by ISO 27001 - too specific - - 5.29 + - 8.14 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Immutable%20infrastructure + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Usage of an security account: - uuid: 746025a6-dbfb-4087-a000-e46acab64ee1 - risk: Having security auditing in the same account as infrastructure and applications - at the cloud provide might cause evil administrators (or threat actors taking - over an account of an administrator) to alter evidence like audit logs. 
- measure: Usage of a separate account dedicated for security activities. + Infrastructure as Code: + uuid: 8b994601-575e-4ea5-b228-accb18c8e514 + risk: No tracking of changes in systems might lead to errors in the configuration. + In additions, it might lead to unauthorized changes. An examples is jenkins. + measure: Systems are setup by code. A full environment can be provisioned. In + addition, software like Jenkins 2 can be setup and configured in in code too. + The code should be stored in a version control system. difficultyOfImplementation: knowledge: 3 - time: 2 - resources: 3 + time: 5 + resources: 4 usefulness: 4 - level: 2 - implementation: "" + level: 3 + implementation: + - uuid: b0931397-2402-44f1-814b-63292ab4a339 + name: GitOps + tags: [] + url: https://www.redhat.com/en/topics/devops/what-is-gitops + - uuid: 73747d35-2185-4f22-94a0-723288fa283c + name: Ansible + tags: [] + url: https://github.com/ansible/ansible + - uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce + name: Chef + tags: [] + url: https://github.com/chef/chef + - uuid: eb7f76a8-87e5-4394-af4c-c09487c85982 + name: Puppet + tags: [] + url: https://github.com/puppetlabs/puppet + - uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458 + name: Jenkinsfile + tags: [] + url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/ references: samm2: - - I-SD-2-B + - O-EM-A-2 iso27001-2017: - - 10.1 + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 iso27001-2022: - - ISO 27001:2022 mapping is missing + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/746025a6-dbfb-4087-a000-e46acab64ee1 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Infrastructure%20as%20Code + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false 
- C: false - Usage of edge encryption at transit: - uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629 - risk: Evil actors might be able to perform a man in the middle attack and sniff - confidential information (e.g. authentication factors like passwords). - measure: |- - By using encryption at the edge of traffic in transit, it is impossible - or at least harder to sniff credentials or information being outside of the organization. - - Using standard secure protocols like HTTPS is recommended. + Limitation of system events: + uuid: e5386abf-9154-4752-a1a8-c3a8900f732d + risk: System events (system calls) can lead to privilege escalation. + measure: System calls are limited. difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 - usefulness: 4 - level: 1 - implementation: "" + usefulness: 5 + level: 3 + dependsOn: + - 1cd5e4b8-be36-4726-adc7-d8f843f47ac8 # Audit of system events + implementation: + - uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd + name: seccomp + tags: [] + url: https://man7.org/linux/man-pages/man2/seccomp.2.html + - uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff + name: strace + tags: [] + url: https://man7.org/linux/man-pages/man1/strace.1.html + - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 + name: Falco + tags: + - falco + - systemcall + - monitoring + url: https://github.com/falcosecurity/falco + description: | + Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. 
references: samm2: - - I-SD-2-B + - O-EM-A-2 iso27001-2017: - - 10.1 + - System hardening is not explicitly covered by ISO 27001 - too specific iso27001-2022: - - 8.24 + - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Limitation%20of%20system%20events + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Usage of encryption at rest: - uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060 - risk: Evil actors might be able to access data and read information, e.g. from - physical hard disks. - measure: By using encryption at rest, it is impossible or at least harder to - to read information. + Role based authentication and authorization: + uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9 + risk: Everyone is able to get unauthorized access to information on systems + or to modify information unauthorized on systems. + measure: The usage of a (role based) access control helps to restrict system + access to authorized users. And enhancement is to use attribute based access + control. 
difficultyOfImplementation: knowledge: 2 - time: 2 + time: 3 resources: 1 - usefulness: 4 - level: 2 - implementation: "" + usefulness: 3 + level: 3 + implementation: + - uuid: 04edc63e-d389-48dd-b365-552aaf4ea004 + name: Directory Service + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/ + - uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e + name: Plugins + tags: [] + dependsOn: + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - I-SD-2-B + - O-EM-A-2 iso27001-2017: - - 10.1 + - 9.4.1 iso27001-2022: - - 8.24 + - 8.3 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Role%20based%20authentication%20and%20authorization + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Usage of internal encryption at transit: uuid: ecb0184c-6bc9-45da-bbbb-a983797ffc93 risk: Evil actors within the organization of traffic in transit might be able 
@@ -4278,21 +3828,18 @@ Implementation: implementation: "" references: samm2: - - I-SD-2-B + - I-SD-B-2 iso27001-2017: - 10.1 iso27001-2022: - 8.24 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20internal%20encryption%20at%20transit + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Usage of security by default for components: uuid: 11b3848e-e931-4146-a35d-35409ada24ee risk: Components (images, libraries, applications) are not hardened. 
@@ -4321,157 +3868,234 @@ Implementation: tags: [] url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/ dependsOn: - - Defined build process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - O-EM-1-A + - O-EM-A-2 iso27001-2017: - not explicitly covered by ISO 27001 - too specific iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/11b3848e-e931-4146-a35d-35409ada24ee + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20security%20by%20default%20for%20components + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Usage of test and production environments: - uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415 - risk: Security tests are not running regularly because test environments are - missing - measure: A test and a production like environment is used + WAF baseline: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b + risk: Vulnerable input, such as exploits, can infiltrate the application via + numerous entry points, posing a significant security threat. + measure: |- + Implementing a web application firewall (WAF) is a critical security control. At a baseline level, the objective is to finely balance the reduction of false positives, maintaining user experience, against a potential increase in the less noticeable false negatives. + Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic. + description: | + A baseline WAF configuration provides essential defense against common vulnerabilities, acting as a first line of automated threat detection and response. 
+ Steps: + - Configure WAF in alert mode to establish traffic patterns + - Analyze alerts and adjust sensitivity to optimize for fewer false positives + - Gradually switch to a proactive blocking stance as confidence in the accuracy of the rules increases + + It's crucial to monitor and update the WAF configuration to adapt to evolving threats and minimize the potential for both false positives and false negatives. + + There are debates on how useful a WAF is for APIs. difficultyOfImplementation: knowledge: 3 - time: 3 - resources: 5 - usefulness: 4 - level: 2 + time: 4 + resources: 3 + usefulness: 3 + level: 3 dependsOn: - - Defined deployment process + - e1f37abb-d848-4a3a-b3df-65e91a89dcb7 # Context-aware output encoding implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-1 iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.4 - - 17.2.1 + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.31 - - 8.14 + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/WAF%20baseline + comments: ~ + tags: + - none + Hardening of the Environment: + uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33 + risk: Using default configurations for a cluster environment leads to potential + risks. + measure: Harden environments according to best practices. Level 2 and partially + level 3 from hardening practices like 'CIS Kubernetes Bench for Security' + should be considered. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 2 + usefulness: 3 + level: 4 + implementation: + - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff + name: CIS Kubernetes Benchmark for Security + tags: [] + url: https://www.cisecurity.org/benchmark/kubernetes + - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f + name: CIS Docker Benchmark for Security + tags: [] + url: https://www.cisecurity.org/benchmark/docker + - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef + name: For example for Cont + tags: [] + description: 'For example for Containers: Deny running containers as root, + deny using advanced privileges, deny mounting of the hole filesystem, ...' + url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ + - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b + name: Attack Matrix Cloud + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for cloud + - uuid: 59881520-4c69-4922-a44e-99044a77de2b + name: Attack Matrix Containers + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/containers/ + description: Attack matrix for containers + - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 + name: Attack Matrix Kubernetes + tags: + - mitre + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Attack matrix for kubernetes + - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af + name: Defend the core kubernetes security at every layer + url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ + tags: + - documentation + - cluster + - kubernetes + references: + samm2: + - O-EM-A-2 + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415 + - 
https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Hardening%20of%20the%20Environment + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Virtual environments are limited: - uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca - risk: Denial of service (internally by an attacker or unintentionally by a bug) - on one service effects other services - measure: All virtual environments are using resource limits on hard disks, memory - and CPU + Production near environments are used by developers: + uuid: e14de741-94b3-447c-8b07-eea947d82e61 + risk: In case an errors occurs in production, the developer need to be able + to create a production near environment on a local development environment. + measure: Usage of infrastructure as code helps to create a production near environment. + The developer needs to be trained in order to setup a local development environment. + In addition, it should be possible to create production like test data. Often + personal identifiable information is anonymized in order to comply with data + protection laws. 
difficultyOfImplementation: - knowledge: 2 - time: 2 + knowledge: 3 + time: 3 resources: 3 - usefulness: 3 - level: 2 + usefulness: 4 + level: 4 dependsOn: - - Applications are running in virtualized environments + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process + - 8b994601-575e-4ea5-b228-accb18c8e514 # Infrastructure as Code implementation: [] references: samm2: - - O-EM-1-A + - O-EM-A-2 iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 12.1.3 - - 13.1.3 + - 12.1.4 - 17.2.1 iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.6 - - 8.22 + - 8.31 - 8.14 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Production%20near%20environments%20are%20used%20by%20developers + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - WAF Advanced: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced - risk: The presence of sophisticated threats necessitates a robust defense strategy - where application inputs are meticulously scrutinized for security breaches, - including advanced persistent threats and zero-day vulnerabilities. - measure: An advanced WAF protection level includes rigorous input validation, - rejecting any parameters not explicitly required, and custom rule sets that - are dynamically updated in response to emerging threats. - description: | - The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. 
It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape. + Usage of a chaos technology: + uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe + risk: Due to manual changes on a system, they are not replaceable anymore. In + case of a crash it might happen that a planned redundant system is unavailable. + In addition, it is hard to replay manual changes. + measure: A randomized periodically shutdown of systems makes sure, that nobody + will perform manual changes to a system. difficultyOfImplementation: - knowledge: 5 + knowledge: 3 time: 5 resources: 5 - usefulness: 4 - level: 5 - dependsOn: - - WAF medium - implementation: [] + usefulness: 3 + level: 4 + implementation: + - uuid: c117e79b-8223-4e55-9da5-efbf5d741c15 + name: Chaos Monkey + tags: + - chaos + - testing + url: https://github.com/Netflix/chaosmonkey + description: Chaos Monkey is a resiliency tool that helps applications tolerate + random instance failures. Chaos Monkey randomly terminates virtual machine + instances and containers that run inside of your production environment. + Exposing engineers to failures more frequently incentivizes them to build + resilient services. 
references: samm2: - - D-SR-3-A + - O-EM-A-3 iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 + - Not explicitly covered by ISO 27001 - too specific + - 17.1.3 iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 + - Not explicitly covered by ISO 27001 - too specific + - 5.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced - comments: ~ + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/Usage%20of%20a%20chaos%20technology + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - WAF baseline: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b - risk: Vulnerable input, such as exploits, can infiltrate the application via - numerous entry points, posing a significant security threat. - measure: Implementing a web application firewall (WAF) is a critical security - control. At a baseline level, the objective is to finely balance the reduction - of false positives, maintaining user experience, against a potential increase - in the less noticeable false negatives. - description: | - Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic. + WAF medium: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium + risk: The threat from malicious inputs remains high, with exploits seeking to + exploit any vulnerabilities present at the various points of entry to the + application. + measure: |- + A WAF deployed with a medium level of protection strengthens the security posture by striking a more advanced balance between the detection of genuine threats and the minimization of false alarms. 
+ Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic. + description: "A medium-level WAF configuration builds upon the baseline to offer + a more nuanced and responsive defense mechanism against a wider array of threats.\n\nSample + steps:\n - Implement an enhanced set of WAF rules based on baseline data\n + \ - Continuous monitoring and fine-tuning of the WAF configuration\n - Develop + a strategic incident response plan utilizing WAF insights \n \nThe + medium configuration requires diligent management and continuous improvement + to address new vulnerabilities while maintaining the integrity of application + access.\n\nThere are debates on how useful a WAF is for APIs.\n" difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 3 + knowledge: 4 + time: 5 + resources: 4 usefulness: 3 - level: 3 + level: 4 dependsOn: - - Context-aware output encoding + - f0e01814-3b88-4bd0-a3a9-f91db001d20b # WAF baseline implementation: [] references: samm2: - - D-SR-3-A + - O-EM-A-2 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 
@@ -4479,37 +4103,45 @@ Implementation: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/WAF%20medium comments: ~ tags: - none - teamsImplemented: - Default: false - B: false - C: false - WAF medium: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium - risk: The threat from malicious inputs remains high, with exploits seeking to - exploit any vulnerabilities present at the various points of entry to the - application. - measure: A WAF deployed with a medium level of protection strengthens the security - posture by striking a more advanced balance between the detection of genuine - threats and the minimization of false alarms. + WAF Advanced: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced + risk: The presence of sophisticated threats necessitates a robust defense strategy + where application inputs are meticulously scrutinized for security breaches, + including advanced persistent threats and zero-day vulnerabilities. + measure: |- + An advanced WAF protection level includes rigorous input validation, rejecting any parameters not explicitly required, and custom rule sets that are dynamically updated in response to emerging threats. + The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape. description: | - Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. 
With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic. + This advanced configuration goes beyond typical WAF implementations by enforcing strict input format checks and parameter validation to prevent any unauthorized or malformed data from compromising the application. + + Sample Steps: + - Implement strict data type and format validation rules to ensure only correctly formatted data is processed. + - Establish a denylist for all parameters that are not explicitly required, blocking them by default. + - Develop and continuously refine custom rulesets based on the application's traffic patterns, user behavior, and known vulnerabilities. + - Integrate machine learning algorithms to enhance anomaly detection and automatic rule adjustment. + - Correlate and analyze WAF logs with other security systems like SIEM for comprehensive threat intelligence. + - Conduct regular red team exercises to test and validate the effectiveness of the WAF configurations against simulated advanced attack scenarios. + - Activate automated threat response mechanisms to immediately neutralize detected threats. + + Embracing an advanced WAF setup requires a proactive approach, with continuous improvement and updating of security measures to ensure all inputs are scrutinized and validated, thus maintaining a resilient security posture against sophisticated attacks. + + There are debates on how useful a WAF is for APIs. difficultyOfImplementation: - knowledge: 4 + knowledge: 5 time: 5 - resources: 4 - usefulness: 3 - level: 4 + resources: 5 + usefulness: 4 + level: 5 dependsOn: - - WAF baseline + - f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium # WAF medium implementation: [] references: samm2: - - D-SR-3-A + - O-EM-A-2 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 
@@ -4517,66 +4149,25 @@ Implementation: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Infrastructure%20Hardening/subsection/WAF%20Advanced comments: ~ tags: - none - teamsImplemented: - Default: false - B: false - C: false Information Gathering: Logging: - Centralized application logging: - uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04 - risk: Local stored logs can be unauthorized manipulated by attackers with system - access or might be corrupt after an incident. In addition, it is hard to perform - an correlation of logs. This leads attacks, which can be performed silently. - measure: A centralized logging system is used and applications logs (including - application exceptions) are shipped to it. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 5 - level: 3 - dependsOn: - - Alerting - implementation: [] - references: - samm2: - - O-IM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/fe875e17-ae4a-45f8-a359-244aa4fcbc04 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false Centralized system logging: uuid: 4eced38a-7904-4c45-adb0-50b663065540 - description: | - Centralized system logging involves collecting and storing system logs from multiple sources in a secure, central location. This approach improves log integrity, simplifies monitoring, and enables efficient incident response. - risk: | - Locally stored system logs can be manipulated by attackers unauthorized or might be corrupt or lost after an incident. 
In addition, it is hard to perform aggregation of logs. - measure: | - - Implement a centralized logging solution for all critical systems. - - System logs must be securely transmitted and stored in a central repository, protected from unauthorized access and modification. - - Ensure that log collection is automated and covers all relevant system events. - level: 1 + risk: Local stored system logs can be unauthorized manipulated by attackers + or might be corrupt after an incident. In addition, it is hard to perform + a aggregation of logs. + measure: By using centralized logging logs are protected against unauthorized + modification. difficultyOfImplementation: knowledge: 1 time: 1 resources: 1 usefulness: 2 + level: 1 implementation: - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 name: rsyslog @@ -4592,7 +4183,7 @@ Information Gathering: - logging references: samm2: - - O-IM-1-A + - O-IM-A-1 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 12.4.1 
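Review bot: The rewritten `risk` text of `Centralized system logging` on the new side reads `a aggregation of logs.`; it should be `an aggregation of logs.`. The same kind of slip is carried into the `Centralized application logging` entry added in the next hunk (`an correlation of logs. This leads attacks, which can be performed silently.`), where `a correlation of logs. This leads to attacks, which can be performed silently.` reads correctly. Since this file appears to be generated (the loader now points at a `generated` tree), the wording fix presumably belongs in the upstream model source rather than in this file alone.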
@@ -4600,33 +4191,31 @@ Information Gathering: - Not explicitly covered by ISO 27001 - too specific - 8.15 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/Centralized%20system%20logging + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Correlation of security events: - uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5 - risk: Detection of security related events with hints on different systems/tools/metrics - is not possible. - measure: Events are correlated on one system. For example the correlation and - visualization of failed login attempts combined with successful login attempts. + Centralized application logging: + uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04 + risk: Local stored logs can be unauthorized manipulated by attackers with system + access or might be corrupt after an incident. In addition, it is hard to perform + an correlation of logs. This leads attacks, which can be performed silently. + measure: A centralized logging system is used and applications logs (including + application exceptions) are shipped to it. difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 4 - usefulness: 3 - level: 5 + knowledge: 1 + time: 1 + resources: 1 + usefulness: 5 + level: 2 dependsOn: - - Visualized logging - - Alerting + - 8a442d8e-0eb1-4793-a513-571aef982edd # Alerting implementation: [] references: samm2: - - O-IM-2-A + - O-IM-A-1 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 12.4.1 
@@ -4634,14 +4223,9 @@ Information Gathering: - Not explicitly covered by ISO 27001 - too specific - 8.15 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/Centralized%20application%20logging tags: - none - teamsImplemented: - Default: false - B: false - C: false Logging of security events: uuid: ccfdd0a8-991e-4269-ad77-c0a54ca655cb description: | 
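Review bot: `Centralized application logging` loses its `comments: ""` key here and does not receive the `isImplemented: false` / `evidence: ""` pair, while the neighbouring entries (`Centralized system logging` above, `Logging of security events` below) end with all three keys. If the loader distinguishes a missing `comments` key from an empty string, this entry will behave differently from the rest; adding `isImplemented: false`, `evidence: ""` and `comments: ""` before `tags:` keeps the activity schema uniform. The activity's mapping begins in the previous hunk.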
@@ -4690,23 +4274,117 @@ Information Gathering: - documentation references: samm2: - - O-IM-1-A + - O-IM-A-1 iso27001-2017: - 12.4.1 iso27001-2022: - 8.15 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccfdd0a8-991e-4269-ad77-c0a54ca655cb + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/Logging%20of%20security%20events risk: |- * No track of security-relevant events makes it harder to analyze an incident. * Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches his goal. + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Analyze logs: + uuid: b217c8bb-5d61-4b41-a675-1083993f83b1 + risk: Not aware of attacks happening. + measure: Check logs for keywords. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2 + name: SigmaHQ + tags: [] + url: https://github.com/SigmaHQ/sigma + references: + samm2: + - O-IM-A-1 + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/Analyze%20logs + tags: + - none + Visualized logging: + uuid: 7c735089-6a83-419f-8b27-c1e676cedea1 + risk: System and application protocols are not visualized properly which leads + to no or very limited logging assessment. Specially developers might have + difficulty to read applications logs with unusually tools like the Linux tool + 'cat' + measure: Protocols are visualized in a simple to use real time monitoring system. + The GUI gives the ability to search for special attributes in the protocol. 
+ difficultyOfImplementation: + knowledge: 1 + time: 3 + resources: 3 + usefulness: 4 + level: 3 + dependsOn: + - 4eced38a-7904-4c45-adb0-50b663065540 # Centralized system logging + - fe875e17-ae4a-45f8-a359-244aa4fcbc04 # Centralized application logging + implementation: + - uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3 + name: ELK-Stack + tags: [] + url: https://www.elastic.co/elk-stack + references: + samm2: + - O-IM-A-1 + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/Visualized%20logging + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Correlation of security events: + uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5 + risk: Detection of security related events with hints on different systems/tools/metrics + is not possible. + measure: Events are correlated on one system. For example the correlation and + visualization of failed login attempts combined with successful login attempts. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 4 + usefulness: 3 + level: 5 + dependsOn: + - 7c735089-6a83-419f-8b27-c1e676cedea1 # Visualized logging + - 8a442d8e-0eb1-4793-a513-571aef982edd # Alerting + implementation: [] + references: + samm2: + - O-IM-A-2 + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/Correlation%20of%20security%20events + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false PII logging concept: uuid: 613a73dc-4f60-49db-a6ce-4fb7bf8519f9 risk: Personal identifiable information (PII) is logged and the privacy law @@ -4743,7 +4421,7 @@ Information Gathering: url: https://www.gnu.org/software/bash/ references: samm2: - - O-IM-1-A + - O-OM-A-1 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 12.4.1 
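Review bot: The new `Analyze logs` activity stores `ISO 27001:2017 mapping is missing` and `ISO 27001:2022 mapping is missing` as its `iso27001-2017` / `iso27001-2022` values, and unlike `Visualized logging` and `Correlation of security events` in the same hunk it has no `isImplemented`, `evidence` or `comments` keys. The placeholder strings will be displayed as if they were control references; the wording the rest of this file uses for an absent mapping is `Not explicitly covered by ISO 27001 - too specific`, which would be the consistent choice if no mapping exists. For uniformity, `isImplemented: false`, `evidence: ""` and `comments: ""` should precede `tags:` as in the sibling entries.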
@@ -4753,86 +4431,207 @@ Information Gathering: - 8.15 - 5.31 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Logging/subsection/PII%20logging%20concept + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Visualized logging: - uuid: 7c735089-6a83-419f-8b27-c1e676cedea1 - risk: System and application protocols are not visualized properly which leads - to no or very limited logging assessment. Specially developers might have - difficulty to read applications logs with unusually tools like the Linux tool - 'cat' - measure: Protocols are visualized in a simple to use real time monitoring system. - The GUI gives the ability to search for special attributes in the protocol. + Monitoring: + Simple application metrics: + uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1 + risk: Attacks on an application are not recognized. + measure: |- + Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include: + - Authentication attempts (successful/failed logins) + - Transaction volumes and patterns (e.g. orders, payments) + - API call rates and response times + - User session metrics + - Resource utilization + + Example: An e-commerce application normally processes 100 orders per hour. A sudden spike to 1000 orders per hour could indicate either: + - A legitimate event (unannounced marketing campaign, viral social media post) + - A security incident (automated bulk purchase bots, credential stuffing attack) + + By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 5 + level: 1 + implementation: + - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c + name: Prometheus + tags: [] + url: https://prometheus.io/ + references: + samm2: + - O-IM-A-1 + iso27001-2017: + - 12.4.1 + iso27001-2022: + - 8.15 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Simple%20application%20metrics + comments: "" + tags: + - none + Simple budget metrics: + uuid: f08a3219-6941-43ec-8762-4aff739f4664 + risk: Not getting notified about reaching the end of the budget (e.g. due to + a denial of service) creates unexpected costs. + measure: Cloud providers often provide insight into budgets. A threshold and + alarming for the budget is set. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 5 + level: 1 + implementation: + - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 + name: collected + tags: [] + references: + samm2: + - O-IM-A-1 + iso27001-2017: + - 12.1.3 + iso27001-2022: + - 8.6 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Simple%20budget%20metrics + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Simple system metrics: + uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03 + risk: Without simple metrics analysis of incidents are hard. In case an application + uses a lot of CPU from time to time, it is hard for a developer to find out + the source with Linux commands. + measure: Gathering of system metrics helps to identify incidents and specially + bottlenecks like in CPU usage, memory usage and hard disk usage. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 5 + assessment: | + Are system metrics gathered? 
+ level: 1 + implementation: + - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 + name: collected + tags: [] + references: + samm2: + - O-IM-A-1 + iso27001-2017: + - 12.1.3 + iso27001-2022: + - 8.6 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Simple%20system%20metrics + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Alerting: + uuid: 8a442d8e-0eb1-4793-a513-571aef982edd + risk: Incidents are discovered after they happened. + measure: | + Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically. + difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 5 + usefulness: 5 + level: 2 + dependsOn: + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics + implementation: [] + references: + samm2: + - O-IM-A-2 + - I-DM-A-3 + iso27001-2017: + - 16.1.2 + - 16.1.4 + - 12.1.4 + iso27001-2022: + - 6.8 + - 5.25 + - 8.31 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Alerting + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Monitoring of costs: + uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e + risk: Not monitoring costs might lead to unexpected high resource consumption + and a high invoice. + measure: Implement cost budgets. Setting of an alert threshold and sending out + errors when it is reached. In the best case, a second threshold with a limit + is set so that the cost can not go higher. 
difficultyOfImplementation: knowledge: 1 - time: 3 - resources: 3 - usefulness: 4 + time: 2 + resources: 2 + usefulness: 3 level: 2 dependsOn: - - Centralized system logging - - Centralized application logging - implementation: - - uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3 - name: ELK-Stack - tags: [] - url: https://www.elastic.co/elk-stack + - e9a6d403-a467-445e-b98a-74f0c29da0b1 # Simple application metrics + - 3d1f4c3b-f713-46d9-933a-54a014a26c03 # Simple system metrics + implementation: [] references: samm2: - - O-IM-1-A + - O-IM-A-2 iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 + - 12.1.3 iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 + - 8.6 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Monitoring%20of%20costs + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Monitoring: - Advanced app. metrics: - uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf - risk: People are not looking into tests results. Vulnerabilities not recolonized, - even they are detected by tools. - measure: All defects from the dimension Test- and Verification are instrumented. + Visualized metrics: + uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734 + risk: Not visualized metrics lead to restricted usage of metrics. + measure: Metrics are visualized in real time in a user friendly way. 
difficultyOfImplementation: - knowledge: 3 - time: 3 + knowledge: 1 + time: 2 resources: 2 - usefulness: 4 - level: 4 + usefulness: 3 + level: 2 dependsOn: - - Simple application metrics - - Visualized metrics + - e9a6d403-a467-445e-b98a-74f0c29da0b1 # Simple application metrics + - 3d1f4c3b-f713-46d9-933a-54a014a26c03 # Simple system metrics implementation: [] references: samm2: - - O-IM-2-A + - O-IM-A-2 iso27001-2017: - - 12.6.1 + - 12.1.3 iso27001-2022: - - 8.8 + - 8.6 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Visualized%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Advanced availability and stability metrics: uuid: ed715b38-c34b-40cd-83fd-ce807f306fc1 risk: Trends and advanced attacks are not detected. 
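Review bot: `Simple application metrics` ends with `comments: ""` only, whereas every other activity added in this hunk (`Simple budget metrics`, `Simple system metrics`, `Alerting`, `Monitoring of costs`, `Visualized metrics`) also carries `isImplemented: false` and `evidence: ""`; adding those two keys before `comments:` keeps the entries uniform. The implementation entry with uuid `73f6a52c-4fc2-45dc-991b-d5911b6c1ef8` and `name: collected` appears under both `Simple budget metrics` and `Simple system metrics` and has no `url`, while the other implementation entries in this hunk (`Prometheus`, `ELK-Stack`) do; sharing one implementation uuid across two activities may be intentional, but the name looks as if it could be meant to be `collectd` and is worth confirming. The old `Simple application metrics` block removed later in this diff carried `description` and `assessment` text that the new version does not; if that loss is not intended by the regeneration it should be restored upstream.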
@@ -4845,60 +4644,23 @@ Information Gathering: usefulness: 4 level: 3 dependsOn: - - Simple application metrics - - Visualized metrics + - e9a6d403-a467-445e-b98a-74f0c29da0b1 # Simple application metrics + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics implementation: [] references: samm2: - - O-IM-2-A + - O-IM-A-2 iso27001-2017: - 12.1.3 iso27001-2022: - 8.6 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Alerting: - uuid: 8a442d8e-0eb1-4793-a513-571aef982edd - risk: Incidents are discovered after they happened. - measure: | - Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically. - difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 5 - usefulness: 5 - level: 2 - dependsOn: - - Visualized metrics - implementation: [] - references: - samm2: - - O-IM-2-A - - I-DM-3-A - iso27001-2017: - - 16.1.2 - - 16.1.4 - - 12.1.4 - iso27001-2022: - - 6.8 - - 5.25 - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Advanced%20availability%20and%20stability%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Audit of system events: uuid: 1cd5e4b8-be36-4726-adc7-d8f843f47ac8 risk: System events (system calls) trends and attacks are not detected. @@ -4910,7 +4672,7 @@ Information Gathering: usefulness: 4 level: 3 dependsOn: - - Visualized metrics + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics implementation: - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 name: Falco 
@@ -4923,60 +4685,18 @@ Information Gathering: Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. references: samm2: - - O-IM-2-A + - O-IM-A-2 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage and control metrics: - uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d - risk: The effectiveness of configuration, patch and vulnerability management - is unknown. - measure: "Usage of Coverage- and control-metrics to show the effectiveness of - the security program. Coverage is the degree in \n which a specific - security control for a specific target group is applied with all resources.\n - \ The control degree shows the actual application of security standards - and security-guidelines. Examples are gathering information on anti-virus, - anti-rootkits, patch management, server configuration and vulnerability management." 
- difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 2 - usefulness: 4 - level: 4 - dependsOn: - - Visualized metrics - implementation: - - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d - name: https://ht.transpare - tags: [] - url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD - description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf - references: - samm2: - - O-IM-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Audit%20of%20system%20events + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Deactivation of unused metrics: uuid: 7f36b9ba-bc05-4fd6-9a2a-73344c249722 risk: High resources are used while gathering unused metrics. @@ -4988,11 +4708,11 @@ Information Gathering: usefulness: 5 level: 3 dependsOn: - - Visualized metrics + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics implementation: [] references: samm2: - - O-IM-1-A + - O-IM-A-1 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 12.1.3 
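Review bot: `Coverage and control metrics` (uuid `d0d681e7-d6de-4829-ac64-a9eb2546aa0d`) is removed in this hunk with no replacement visible in this part of the diff, and the same happens to `Defense metrics` (`e808028c-351c-42f1-bcd9-fba738d1fc55`) in the next hunk and to `Metrics are combined with tests` (`71699daf-b2a4-466b-a0b2-89f7dbb18506`) and `Screens with metric visualization` (`8746647c-638c-473f-8e17-82c068e4c311`) in the hunk after that. Since `dependsOn` now references activities by uuid, any remaining reference to one of these four uuids elsewhere in the model would dangle; how the loader treats an unknown dependency uuid is not visible here, so it is worth checking that none remains and that dropping these activities is intended, as the commit message only mentions release fixes.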
@@ -5000,49 +4720,12 @@ Information Gathering: - Not explicitly covered by ISO 27001 - too specific - 8.6 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Defense metrics: - uuid: e808028c-351c-42f1-bcd9-fba738d1fc55 - risk: IDS/IPS systems like packet- or application-firewalls detect and prevent - attacks. It is not known how many attacks has been detected and blocked. - measure: | - Gathering of defense metrics like TCP/UDP sources enables to assume the geographic location of the request. - Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered. - difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 2 - usefulness: 4 - level: 4 - dependsOn: - - Visualized metrics - - Filter outgoing traffic - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.4.1 - - 13.1.1 - iso27001-2022: - - 8.15 - - 8.2 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Deactivation%20of%20unused%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Grouping of metrics: uuid: 42170a71-d4c8-47af-bd71-bf36875fd05b risk: The analysis of metrics takes long. @@ -5056,7 +4739,7 @@ Information Gathering: implementation: [] references: samm2: - - O-IM-2-A + - O-IM-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 12.1.3 
@@ -5064,93 +4747,31 @@ Information Gathering: - Not explicitly covered by ISO 27001 - too specific - 8.6 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Metrics are combined with tests: - uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506 - risk: Changes might cause high load due to programming errors. - measure: Metrics during tests helps to identify programming errors. - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 2 - usefulness: 5 - level: 5 - dependsOn: - - Grouping of metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Monitoring of costs: - uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e - risk: Not monitoring costs might lead to unexpected high resource consumption - and a high invoice. - measure: Implement cost budgets. Setting of an alert threshold and sending out - errors when it is reached. In the best case, a second threshold with a limit - is set so that the cost can not go higher. 
- difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - dependsOn: - - Simple application metrics - - Simple system metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.1.3 - iso27001-2022: - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Grouping%20of%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Screens with metric visualization: - uuid: 8746647c-638c-473f-8e17-82c068e4c311 - risk: Security related information is discovered too late during an incident. - measure: By having an internal accessible screen with a security related dashboards - helps to visualize incidents. + Targeted alerting: + uuid: d6f06ae8-401a-4f44-85df-1079247fa030 + risk: People are bored (ignorant) of incident alarm messages, as they are not + responsible to react. + measure: By the definition of target groups for incidents people are only getting + alarms for incidents they are in charge for. difficultyOfImplementation: knowledge: 2 - time: 1 - resources: 1 + time: 5 + resources: 5 usefulness: 5 - level: 4 + level: 3 dependsOn: - - Grouping of metrics + - 8a442d8e-0eb1-4793-a513-571aef982edd # Alerting implementation: [] references: samm2: - - O-IM-2-A + - O-IM-A-2 + - I-DM-A-3 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 16.1.5 
@@ -5158,155 +4779,129 @@ Information Gathering: - Not explicitly covered by ISO 27001 - too specific - 5.26 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Targeted%20alerting + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Simple application metrics: - uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1 - description: | - Collecting basic operational data from applications, such as authentication attempts, transaction volumes, and resource usage, will help detect abnormal patterns that may indicate security incidents or system issues. - risk: | - Without monitoring application metrics, attacks or abnormal behaviors may go undetected, increasing the risk of successful exploitation, data breaches, and delayed incident response. - measure: | - Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include: - - Authentication attempts (successful/failed logins) - - Transaction volumes and patterns (e.g. orders, payments) - - API call rates and response times - - User session metrics - - Resource utilization - - Example: An e-commerce application normally processes 100 orders per hour. A sudden spike to 1000 orders per hour could indicate either: - - A legitimate event (unannounced marketing campaign, viral social media post) - - A security incident (automated bulk purchase bots, credential stuffing attack) - - By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response. - assessment: | - - Basic application metrics are collected and reviewed. - level: 1 + Advanced app. 
metrics: + uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf + risk: People are not looking into tests results. Vulnerabilities not recolonized, + even they are detected by tools. + measure: All defects from the dimension Test- and Verification are instrumented. difficultyOfImplementation: - knowledge: 2 - time: 2 + knowledge: 3 + time: 3 resources: 2 - usefulness: 5 - implementation: - - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c - name: Prometheus - tags: [] - url: https://prometheus.io/ + usefulness: 4 + level: 4 + dependsOn: + - e9a6d403-a467-445e-b98a-74f0c29da0b1 # Simple application metrics + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics + implementation: [] references: samm2: - - O-IM-1-A + - O-IM-A-2 iso27001-2017: - - 12.4.1 + - 12.6.1 iso27001-2022: - - 8.15 + - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Advanced%20app.%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Simple budget metrics: - uuid: f08a3219-6941-43ec-8762-4aff739f4664 - description: | - Monitoring resource usage and costs to prevent unexpected expenses. This is especially important in cloud environments where resource consumption can quickly exceed planned budgets. - risk: | - Failure to monitor budget metrics can result in unexpected costs, financial loss, and potential service disruption due to resource exhaustion or denial-of-service attacks. - measure: | - Set up budget monitoring and alerting for all critical resources. Use provider tools to track spending and configure alerts when thresholds are reached. Implement hard limits where possible to prevent budget overruns. 
- assessment: | - - The organization regularly monitors budget metrics - - Alerting outside given thresholds are implemented - level: 1 + Coverage and control metrics: + uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d + risk: The effectiveness of configuration, patch and vulnerability management + is unknown. + measure: "Usage of Coverage- and control-metrics to show the effectiveness of + the security program. Coverage is the degree in \n which a specific + security control for a specific target group is applied with all resources.\n + \ The control degree shows the actual application of security standards + and security-guidelines. Examples are gathering information on anti-virus, + anti-rootkits, patch management, server configuration and vulnerability management." difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 5 + knowledge: 3 + time: 5 + resources: 2 + usefulness: 4 + level: 4 + dependsOn: + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics implementation: - - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 - name: collected + - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d + name: https://ht.transpare tags: [] + url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD + description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf references: samm2: - - O-IM-1-A + - O-IM-A-2 iso27001-2017: - - 12.1.3 + - not explicitly covered by ISO 27001 - too specific iso27001-2022: - - 8.6 + - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Coverage%20and%20control%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Simple system 
metrics: - uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03 - description: | - Monitoring basic system performance data, such as CPU, memory, and disk usage, will help identify performance bottlenecks and potential security incidents. - risk: | - Without monitoring system metrics, it is difficult to detect incidents or performance issues, leading to delayed response, reduced availability, and increased risk of undetected attacks. + Defense metrics: + uuid: e808028c-351c-42f1-bcd9-fba738d1fc55 + risk: IDS/IPS systems like packet- or application-firewalls detect and prevent + attacks. It is not known how many attacks has been detected and blocked. measure: | - Collect and monitor key system metrics, including CPU, memory, and disk usage. Set up alerts for abnormal resource consumption or patterns that may indicate incidents or attacks. - assessment: | - - Basic system metrics are monitored and reviewed regularly - - Alerting outside given thresholds are implemented - level: 1 + Gathering of defense metrics like TCP/UDP sources enables to assume the geographic location of the request. + Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered. 
difficultyOfImplementation: - knowledge: 2 - time: 2 + knowledge: 3 + time: 5 resources: 2 - usefulness: 5 - implementation: - - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 - name: collected - tags: [] + usefulness: 4 + level: 4 + dependsOn: + - ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics + - 6df508ef-86fc-4c22-bd9f-646c3127ce7d # Filter outgoing traffic + implementation: [] references: samm2: - - O-IM-1-A + - O-IM-A-2 iso27001-2017: - - 12.1.3 + - 12.4.1 + - 13.1.1 iso27001-2022: - - 8.6 + - 8.15 + - 8.2 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Defense%20metrics + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Targeted alerting: - uuid: d6f06ae8-401a-4f44-85df-1079247fa030 - risk: People are bored (ignorant) of incident alarm messages, as they are not - responsible to react. - measure: By the definition of target groups for incidents people are only getting - alarms for incidents they are in charge for. + Screens with metric visualization: + uuid: 8746647c-638c-473f-8e17-82c068e4c311 + risk: Security related information is discovered too late during an incident. + measure: By having an internal accessible screen with a security related dashboards + helps to visualize incidents. difficultyOfImplementation: knowledge: 2 - time: 5 - resources: 5 + time: 1 + resources: 1 usefulness: 5 - level: 3 + level: 4 dependsOn: - - Alerting + - 42170a71-d4c8-47af-bd71-bf36875fd05b # Grouping of metrics implementation: [] references: samm2: - - O-IM-2-A - - I-DM-3-A + - O-IM-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 16.1.5 
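Review bot: The `implementation` entry added under "Coverage and control metrics" has a truncated `name: https://ht.transpare` and points `url`/`description` at a third-party file server serving a full PDF of a commercial book, which is neither a stable reference nor something a security maturity model should direct readers to download; replace it with a plain citation such as `name: Security Metrics (Jaquith, Addison-Wesley, 2007)` and drop the file-server URL. "Advanced app. metrics", "Coverage and control metrics" and "Defense metrics" now depend on `e9a6d403… # Simple application metrics` and `ded39bcf… # Visualized metrics`, both of which are deleted in this hunk; unless they are re-added elsewhere in the file (outside this view), those `dependsOn` references dangle. The risk text of "Advanced app. metrics" reads "Vulnerabilities not recolonized" where "recognized" is meant. The Monitoring section continues beyond this hunk.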
@@ -5314,181 +4909,38 @@ Information Gathering: - Not explicitly covered by ISO 27001 - too specific - 5.26 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Screens%20with%20metric%20visualization comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Visualized metrics: - uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734 - risk: Not visualized metrics lead to restricted usage of metrics. - measure: Metrics are visualized in real time in a user friendly way. + Metrics are combined with tests: + uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506 + risk: Changes might cause high load due to programming errors. + measure: Metrics during tests helps to identify programming errors. difficultyOfImplementation: - knowledge: 1 - time: 2 + knowledge: 2 + time: 3 resources: 2 - usefulness: 3 - level: 2 + usefulness: 5 + level: 5 dependsOn: - - Simple application metrics - - Simple system metrics + - 42170a71-d4c8-47af-bd71-bf36875fd05b # Grouping of metrics implementation: [] references: samm2: - - O-IM-2-A + - O-IM-A-2 iso27001-2017: - - 12.1.3 + - not explicitly covered by ISO 27001 iso27001-2022: - - 8.6 + - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Monitoring/subsection/Metrics%20are%20combined%20with%20tests + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Test KPI: - Fix rate per repo/product: - uuid: cf0d600e-114d-4887-9059-d81c53805f0d - risk: "Not communicating how many applications are adhering to SLAs based on - the criticality of vulnerabilities can lead to 
delayed remediation of \ncritical - security issues, increasing the risk of exploitation and potential damage - to the organization." - measure: "Measurement and communication of the number of vulnerabilities handled - per severity level for components such as applications, ensuring alignment - with SLAs. \nThe rate should be broken down by team, product, application, - repository, and/or service. This analysis should be conducted at least quarterly." - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. 
It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-3-B - - I-SB-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/cf0d600e-114d-4887-9059-d81c53805f0d - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Generation of response statistics: - uuid: c922981b-65ed-40f3-a947-96fee9a0125f - risk: No or delayed reaction to findings leads to potential exploitation of - findings. - measure: Creation and response statistics (e.g. Mean Time to Resolution) of - findings. This is also referred to as _Mean Time to Resolve_. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - dependsOn: - - Usage of a vulnerability management system - level: 3 - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-2-B - - I-SB-3-B - iso27001-2017: - - 16.1.4 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/c922981b-65ed-40f3-a947-96fee9a0125f - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client) - generates statistics from OWASP DefectDojo and places the results in a [Github - repository](https://github.com/pagel-pro/cluster-image-scanner-all-results). - teamsImplemented: - Default: false - B: false - C: false Number of vulnerabilities/severity: uuid: bc548cba-cb82-4f76-bd4b-325d9d256279 risk: Failing to convey the number of vulnerabilities by severity might undermine 
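Review bot: "Screens with metric visualization" is the only activity in this hunk that keeps `comments`/`tags` without gaining the `isImplemented: false` and `evidence: ""` keys that its sibling "Metrics are combined with tests" and the activities in the neighbouring hunks receive. If the loader reads these keys (I cannot tell from this file alone), this activity becomes the odd one out and may surface as an undefined field; adding `isImplemented: false` and `evidence: ""` after its openCRE entry keeps the schema uniform. The removal of "Fix rate per repo/product" and "Generation of response statistics" here is a reorder, since both reappear in a later hunk, so no content is lost on that front.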
@@ -5508,24 +4960,18 @@ Information Gathering: implementation: [] references: samm2: - - I-DM-3-B - - I-SB-3-B + - I-DM-B-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/bc548cba-cb82-4f76-bd4b-325d9d256279 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/Number%20of%20vulnerabilities%2Fseverity tags: - vulnerability-mgmt - metrics - vmm-measurement - teamsImplemented: - Default: false - B: false - C: false Number of vulnerabilities/severity/layer: uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad risk: Failing to convey the number of vulnerabilities by severity and layer @@ -5558,24 +5004,18 @@ Information Gathering: implementation: [] references: samm2: - - I-DM-3-B - - I-SB-3-B + - I-DM-B-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/0ec92899-a5cb-4649-984b-2fb1d6c784ad + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/Number%20of%20vulnerabilities%2Fseverity%2Flayer tags: - vulnerability-mgmt - metrics - vmm-measurement - teamsImplemented: - Default: false - B: false - C: false Patching mean time to resolution via PR: uuid: 86d490b9-d798-4a5b-a011-ab9688014c46 risk: Without measuring Mean Time to Resolution (MTTR) related to patching, 
@@ -5596,64 +5036,147 @@ Information Gathering: usefulness: 3 level: 2 dependsOn: - - 8ae0b92c-10e0-4602-ba22-7524d6aed488 + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches implementation: [] references: samm2: - - I-DM-3-B + - I-DM-B-2 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/Patching%20mean%20time%20to%20resolution%20via%20PR + tags: + - patching + - metrics + - vmm-measurements + Fix rate per repo/product: + uuid: cf0d600e-114d-4887-9059-d81c53805f0d + risk: "Not communicating how many applications are adhering to SLAs based on + the criticality of vulnerabilities can lead to delayed remediation of \ncritical + security issues, increasing the risk of exploitation and potential damage + to the organization." + measure: "Measurement and communication of the number of vulnerabilities handled + per severity level for components such as applications, ensuring alignment + with SLAs. \nThe rate should be broken down by team, product, application, + repository, and/or service. This analysis should be conducted at least quarterly." + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. 
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde + name: Business friendly vulnerability management metrics + url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 + tags: + - documentation + - vulnerability + - vulnerability management system + - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f + name: DefectDojo Client + tags: + - Defectdojo + - statistics + url: https://github.com/SDA-SE/defectdojo-client + description: | + This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. + references: + samm2: + - I-DM-B-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/86d490b9-d798-4a5b-a011-ab9688014c46 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/Fix%20rate%20per%20repo%2Fproduct tags: - - patching + - vulnerability-mgmt - metrics - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Patching mean time to resolution via production: - uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f - risk: Without measuring Mean Time to Resolution (MTTR) related to patching, - it is challenging to identify delays in the patching process. Unaddressed - vulnerabilities can be exploited by attackers, leading to potential security - breaches and data loss. - measure: |- - Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis. 
- Average time to patch is visualized per component/project/team. + Generation of response statistics: + uuid: c922981b-65ed-40f3-a947-96fee9a0125f + risk: No or delayed reaction to findings leads to potential exploitation of + findings. + measure: Creation and response statistics (e.g. Mean Time to Resolution) of + findings. This is also referred to as _Mean Time to Resolve_. difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 2 + knowledge: 2 + time: 2 + resources: 1 usefulness: 3 - level: 4 dependsOn: - - 86d490b9-d798-4a5b-a011-ab9688014c46 - - 8ae0b92c-10e0-4602-ba22-7524d6aed488 - implementation: [] + - 85ba5623-84be-4219-8892-808837be582d # Usage of a vulnerability management system + level: 3 + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde + name: Business friendly vulnerability management metrics + url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 + tags: + - documentation + - vulnerability + - vulnerability management system + - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f + name: DefectDojo Client + tags: + - Defectdojo + - statistics + url: https://github.com/SDA-SE/defectdojo-client + description: | + This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. references: samm2: - - I-DM-3-B + - I-DM-B-2 + - I-SB-B-3 iso27001-2017: - 16.1.4 + - 8.2.3 iso27001-2022: - 5.25 + - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/Generation%20of%20response%20statistics tags: - - patching + - vulnerability-mgmt - metrics - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false + comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client) + generates statistics from OWASP DefectDojo and places the results in a [Github + repository](https://github.com/pagel-pro/cluster-image-scanner-all-results). SLA per criticality: uuid: 51f3fce5-b5c8-4683-8c41-e785fe4f3b5f risk: "Not communicating how many applications are adhering to SLAs based on 
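Review bot: The SAMM reference rewrite in this hunk is not purely notational: `I-DM-3-B` becomes `I-DM-B-2` (maturity level 3 to 2) for "Patching mean time to resolution via PR" and "Fix rate per repo/product", while "Generation of response statistics" keeps its level (`I-SB-3-B` to `I-SB-B-3`) and "Fix rate" drops its `I-SB-3-B` mapping altogether. If the intent was only to reorder stream and level in the identifier, these should read `I-DM-B-3` and the I-SB entry should be kept; if the re-mapping is deliberate it deserves a line in the commit message, since these mappings feed the compliance views. The "SLA per criticality" entry that follows starts inside this hunk but its body continues outside it.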
@@ -5704,89 +5227,52 @@ Information Gathering: This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. references: samm2: - - I-DM-3-B - - I-SB-3-B + - I-DM-B-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/51f3fce5-b5c8-4683-8c41-e785fe4f3b5f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/SLA%20per%20criticality tags: - vulnerability-mgmt - metrics - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false -Test and Verification: - Application tests: - High coverage of security related module and integration tests: - uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a - risk: Vulnerabilities are rising due to code changes in a complex microservice - environment in not important components. - measure: Implementation of security related tests via unit tests and integration - tests. Including the test of libraries, in case the are not tested already. + Patching mean time to resolution via production: + uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f + risk: Without measuring Mean Time to Resolution (MTTR) related to patching, + it is challenging to identify delays in the patching process. Unaddressed + vulnerabilities can be exploited by attackers, leading to potential security + breaches and data loss. + measure: |- + Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis. + Average time to patch is visualized per component/project/team. 
difficultyOfImplementation: - knowledge: 5 - time: 5 - resources: 3 + knowledge: 1 + time: 1 + resources: 2 usefulness: 3 - level: 5 + level: 4 + dependsOn: + - 86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches implementation: [] references: samm2: - - V-ST-3-B - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security integration tests for important components: - uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - risk: Vulnerabilities are rising due to code changes in a complex microservice - environment. - measure: Implementation of essential security related integration tests. For - example for authentication and authorization. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 2 - level: 3 - references: - samm2: - - V-ST-3-B + - I-DM-B-2 iso27001-2017: - - 14.2.3 - - 14.2.8 + - 16.1.4 iso27001-2022: - - 8.32 - - 8.29 + - 5.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20KPI/subsection/Patching%20mean%20time%20to%20resolution%20via%20production tags: - - none - teamsImplemented: - Default: false - B: false - C: false + - patching + - metrics + - vmm-measurements +Test and Verification: + Application tests: Security unit tests for important components: uuid: eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075 risk: Vulnerabilities are rising due to code changes. 
@@ -5813,7 +5299,34 @@ Test and Verification: url: https://karma-runner.github.io references: samm2: - - V-ST-3-B + - V-RT-A-3 + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20tests/subsection/Security%20unit%20tests%20for%20important%20components + isImplemented: false + evidence: "" + tags: + - none + Security integration tests for important components: + uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 + risk: Vulnerabilities are rising due to code changes in a complex microservice + environment. + measure: Implementation of essential security related integration tests. For + example for authentication and authorization. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 2 + usefulness: 2 + level: 3 + references: + samm2: + - V-RT-A-3 iso27001-2017: - 14.2.3 - 14.2.8 @@ -5821,14 +5334,12 @@ Test and Verification: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20tests/subsection/Security%20integration%20tests%20for%20important%20components + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Smoke Test: uuid: 73aaae0b-5d68-4953-9fa4-fd25bf665f2a risk: During a deployment an error might happen which leads to non-availability 
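Review bot: The samm2 reference for "Security unit tests for important components" and "Security integration tests for important components" changes from `V-ST-3-B` to `V-RT-A-3`, which moves them from the Security Testing practice to Requirement-driven Testing and lowers the stream/level, not just the identifier format; the later "High coverage…" activity gets `V-RT-B-3`, so the split looks intentional but is worth confirming against the SAMM model before release. If it is deliberate, a short note in the commit description would help reviewers of the compliance mappings. Both activities extend past the hunk boundaries shown here.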
@@ -5843,10 +5354,39 @@ Test and Verification: level: 4 implementation: [] dependsOn: - - Defined deployment process + - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process + references: + samm2: + - V-RT-A-3 + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20tests/subsection/Smoke%20Test + isImplemented: false + evidence: "" + comments: "" + tags: + - none + High coverage of security related module and integration tests: + uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a + risk: Vulnerabilities are rising due to code changes in a complex microservice + environment in not important components. + measure: Implementation of security related tests via unit tests and integration + tests. Including the test of libraries, in case the are not tested already. + difficultyOfImplementation: + knowledge: 5 + time: 5 + resources: 3 + usefulness: 3 + level: 5 + implementation: [] references: samm2: - - V-ST-3-B + - V-RT-B-3 iso27001-2017: - 14.2.3 - 14.2.8 
@@ -5854,27 +5394,35 @@ Test and Verification: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Application%20tests/subsection/High%20coverage%20of%20security%20related%20module%20and%20integration%20tests + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Consolidation: - Advanced visualization of defects: - uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876 - risk: Correlation of the vulnerabilities of different tools to have an overview - of the the overall security level per component/project/team is not given. - measure: Findings are visualized per component/project/team. + Simple false positive treatment: + uuid: c1acc8af-312e-4503-a817-a26220c993a0 + risk: As false positive occur during each test, all vulnerabilities might be + ignored. Specially, if tests are automated an run daily. + measure: |- + Findings from security tests must be triaged and outcomes persisted/documented to: + - Prevent re-analysis of known issues in subsequent test runs + - Track accepted risks vs false positives + - Enable consistent decision-making across teams + + At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings. 
+ + Samples for false positive handling: + - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html) + - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/) + - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status) difficultyOfImplementation: - knowledge: 2 - time: 4 + knowledge: 1 + time: 1 resources: 1 - usefulness: 2 - level: 4 + usefulness: 4 + level: 1 implementation: - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb name: OWASP DefectDojo 
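Review bot: The re-added `Simple false positive treatment` entry in this hunk drops the `description` and `assessment` fields that the `@@ -6123,234` hunk removes from the old copy of the same activity; the same pattern appears in the `@@ -5891,35` hunk, where the new `Treatment of defects with severity high or higher` has a one-line `measure` and `implementation: []` while the version removed in the `@@ -6474,77` hunk carried a `description`, an `assessment`, a `measure` that names CISA KEV and EPSS for prioritisation, and an `implementation` list. If model.yaml is now a verbatim copy of the upstream generated file, that enrichment presumably has to be carried in the data repository instead, otherwise this looks like an unintended regression of the regeneration. The new `Treatment of defects with severity high or higher` block also lacks the `isImplemented: false` key that every neighbouring entry carries, which only matters if the loader does not default it. The `risk` text `Specially, if tests are automated an run daily.` should read `Especially, if tests are automated and run daily.`.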
@@ -5891,35 +5439,50 @@ Test and Verification: url: https://github.com/faloker/purify/ description: | The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system references: samm2: - - I-DM-3-B + - I-DM-A-1 + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 16.1.6 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.27 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Simple%20false%20positive%20treatment + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Treatment of defects with severity high or higher: + uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385 + risk: Vulnerabilities with severity high or higher are not visible. + measure: Vulnerabilities with severity high or higher are added to the quality + gate. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + comments: False positive analysis, specially for static analysis, is time consuming. 
+ references: + samm2: + - I-DM-A-2 iso27001-2017: - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 + - 12.6.1 iso27001-2022: + - 8.8 - 5.25 - - 5.12 - - 5.13 - - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20with%20severity%20high%20or%20higher + implementation: [] tags: - - none - teamsImplemented: - Default: false - B: false - C: false + - vuln-action + - defect-management + evidence: "" Artifact-based false positive treatment: uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f risk: Without artifact-specific false positive handling, teams must repeatedly @@ -5941,7 +5504,7 @@ Test and Verification: usefulness: 3 level: 2 dependsOn: - - Simple false positive treatment + - c1acc8af-312e-4503-a817-a26220c993a0 # Simple false positive treatment implementation: - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb name: OWASP DefectDojo 
@@ -5959,10 +5522,9 @@ Test and Verification: description: | The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). url: https://github.com/DependencyTrack/dependency-track tags: - sca @@ -5973,9 +5535,9 @@ Test and Verification: - inventory references: samm2: - - I-DM-2-A - - I-DM-2-B - - I-SB-3-B + - I-DM-A-2 + - I-DM-B-2 + - I-SB-B-3 iso27001-2017: - 16.1.4 - 16.1.6 
@@ -5983,14 +5545,79 @@ Test and Verification: - 5.25 - 5.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Artifact-based%20false%20positive%20treatment tags: - false-positive - defect-management - teamsImplemented: - Default: false - B: false - C: false + Simple visualization of defects: + uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83 + risk: The security level of a component is not visible. Therefore, the motivation + to enhance the security is not give. + measure: Vulnerabilities are simple visualized. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 + name: OWASP Dependency Check + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://owasp.org/www-project-dependency-check/ + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81 + name: LogParser Jenkins Plugins + tags: [] + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + references: + samm2: + - I-DM-A-2 + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Simple%20visualization%20of%20defects + isImplemented: false + evidence: "" + comments: "" + tags: + - none Fix based on accessibility: uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed risk: Overwhelming volume of security findings from automated testing tools. @@ -6010,13 +5637,12 @@ Test and Verification: - The number of network hops required to reach the asset (recommended) - Authentication requirements for access (recommended) dependsOn: - - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 - - 2a44b708-734f-4463-b0cb-86dc46344b2f + - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components implementation: ~ references: samm2: - - I-DM-3-B - - I-SB-3-B + - I-DM-A-3 iso27001-2017: - 16.1.4 - 8.2.1 
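Review bot: The `Dependency-Track` implementation entry under the new `Simple visualization of defects` block lists `- inventory` twice in its `tags`; the second occurrence should be dropped so the list is `sca, inventory, OpenSource, Supply Chain, vulnerability`. The activity's own `risk` reads `the motivation to enhance the security is not give` (→ `given`) and its `measure` `Vulnerabilities are simple visualized` (→ `simply`). If this file is synced from the upstream data repository, these fixes need to land there as well or they will be overwritten on the next regeneration.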
@@ -6028,14 +5654,10 @@ Test and Verification: - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/0c10a7f7-f78f-49f2-943d-19fdef248fed + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Fix%20based%20on%20accessibility tags: - vuln-action - defect-management - teamsImplemented: - Default: false - B: false - C: false Global false positive treatment: uuid: 9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c risk: Without centralized false positive management across environments, organizations @@ -6057,14 +5679,14 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f - - 85ba5623-84be-4219-8892-808837be582d + - 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f # Artifact-based false positive treatment + - 85ba5623-84be-4219-8892-808837be582d # Usage of a vulnerability management system implementation: ~ references: samm2: - - I-DM-2-B - - I-DM-3-A - - I-SB-3-B + - I-DM-B-2 + - I-DM-A-3 + - I-SB-B-3 iso27001-2017: - 16.1.3 - 16.1.4 @@ -6074,14 +5696,10 @@ Test and Verification: - 5.25 - 5.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Global%20false%20positive%20treatment tags: - false-positive - defect-management - teamsImplemented: - Default: false - B: false - C: false Integration in development process: uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d risk: "Not integrating vulnerability handling into the development process may 
@@ -6123,234 +5741,8 @@ Test and Verification: description: Jira is a bug tracking and project management tool developed by Atlassian, used by development teams for tracking issues, planning sprints, and managing software releases. It offers features for creating and managing - tasks, assigning them to team members, and monitoring progress through customizable - workflows and dashboards. - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. 
- references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/aaffa73f-59f6-4267-b0ab-732f3d13e90d - tags: - - vulnerability-mgmt - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Integration of vulnerability issues into the development process: - uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e - risk: To read console output of the build server to search for vulnerabilities - might be difficult. Also, to check a vulnerability management system might - not be a daily task for a developer. - measure: Vulnerabilities are tracked in the teams issue system (e.g. jira). - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 2 - level: 3 - implementation: - - uuid: aaad322e-806e-4c51-b78d-6551f7dc376a - name: SAST - tags: [] - description: 'At SAST (Static Application Security Testing): Server-side / - client-side teams can easily be recorded. With microservice architecture - individual microservices can be used usually Teams.' - url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/ - - uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609 - name: DAST - tags: [] - description: 'At DAST (Dynamic Application Security Testing): vulnerabilities - are classified and can be assigned to server-side and client-side teams.' 
- url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/ - references: - samm2: - - I-DM-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 16.1.4 - - 16.1.5 - - 16.1.6 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.25 - - 5.26 - - 5.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Reproducible defect tickets: - uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39 - risk: Vulnerability descriptions are hard to understand by staff from operations - and development. - measure: Vulnerabilities include the test procedure to give the staff from operations - and development the ability to reproduce vulnerabilities. This enhances the - understanding of vulnerabilities and therefore the fix have a higher quality. - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 2 - usefulness: 2 - level: 4 - implementation: [] - references: - samm2: - - I-DM-2-B - - I-SB-3-B - iso27001-2017: - - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple false positive treatment: - uuid: c1acc8af-312e-4503-a817-a26220c993a0 - description: "Security tests may produce false positives\u2014findings that - are incorrectly identified as vulnerabilities.\n\nIt is important distinguish - these from true vulnerabilities to avoid wasting time and resources on non-issues.\n\nFalse - positive treatment ensures that findings from security tests are triaged and - documented, allowing teams to distinguish between real vulnerabilities and - false positives. 
This reduces unnecessary work and helps maintain focus on - true risks.\n\nSome positive findings might be considered an accepted risk - by the organization. This must also be documented.\n" - risk: | - If false positives are not managed, teams may ignore all findings, leading to real vulnerabilities being overlooked and increasing the risk of exploitation. Specially, if tests are automated an run daily. - measure: | - Findings from security tests must be triaged and outcomes persisted/documented to: - - Prevent re-analysis of known issues in subsequent test runs - - Track accepted risks vs false positives - - Enable consistent decision-making across teams - - At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings. - - Samples for false positive handling: - - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html) - - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/) - - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status) - assessment: | - The organization has a process for triaging and documenting false positives and accepted risks - level: 1 - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 4 - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - references: - samm2: - - I-DM-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 16.1.6 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple visualization of defects: - uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83 - risk: The security level of a component is not visible. Therefore, the motivation - to enhance the security is not give. - measure: Vulnerabilities are simple visualized. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 - name: OWASP Dependency Check - tags: - - OpenSource - - Supply Chain - - vulnerability - url: https://owasp.org/www-project-dependency-check/ - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). 
- url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81 - name: LogParser Jenkins Plugins - tags: [] + tasks, assigning them to team members, and monitoring progress through customizable + workflows and dashboards. - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb name: OWASP DefectDojo tags: 
@@ -6366,59 +5758,73 @@ Test and Verification: url: https://github.com/faloker/purify/ description: | The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f + name: DefectDojo Client + tags: + - Defectdojo + - statistics + url: https://github.com/SDA-SE/defectdojo-client + description: | + This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. references: samm2: - - I-DM-1-B - iso27001-2017: - - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 + - I-DM-A-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Integration%20in%20development%20process tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Treatment of all defects: - uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d - risk: Vulnerabilities with severity low are not visible. - measure: All vulnerabilities are added to the quality gate. + - vulnerability-mgmt + - vmm-measurements + Integration of vulnerability issues into the development process: + uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e + risk: To read console output of the build server to search for vulnerabilities + might be difficult. Also, to check a vulnerability management system might + not be a daily task for a developer. + measure: Vulnerabilities are tracked in the teams issue system (e.g. jira). 
difficultyOfImplementation: - knowledge: 3 - time: 4 + knowledge: 2 + time: 2 resources: 1 usefulness: 2 - level: 5 - implementation: [] + level: 3 + implementation: + - uuid: aaad322e-806e-4c51-b78d-6551f7dc376a + name: SAST + tags: [] + description: 'At SAST (Static Application Security Testing): Server-side / + client-side teams can easily be recorded. With microservice architecture + individual microservices can be used usually Teams.' + url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/ + - uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609 + name: DAST + tags: [] + description: 'At DAST (Dynamic Application Security Testing): vulnerabilities + are classified and can be assigned to server-side and client-side teams.' + url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/ references: samm2: - - I-DM-2-B - - I-SB-3-B + - I-DM-A-2 iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific - 16.1.4 - - 12.6.1 + - 16.1.5 + - 16.1.6 iso27001-2022: - - 8.8 + - Not explicitly covered by ISO 27001 - too specific - 5.25 + - 5.26 + - 5.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d - tags: - - vuln-action - - defect-management + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Integration%20of%20vulnerability%20issues%20into%20the%20development%20process + isImplemented: false + evidence: "" comments: "" - teamsImplemented: - Default: false - B: false - C: false + tags: + - none Treatment of defects per protection requirement: uuid: 2b7cc923-bdaf-43e3-8fb4-a995b7783969 risk: "Not defining the protection requirement of applications can lead to wrong 
@@ -6474,77 +5880,18 @@ Test and Verification: This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. references: samm2: - - I-DM-3-B + - I-DM-A-2 iso27001-2022: - 5.25 - 5.12 - 5.13 - 5.1 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/2b7cc923-bdaf-43e3-8fb4-a995b7783969 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20per%20protection%20requirement tags: - vulnerability-mgmt - metrics - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Treatment of defects with severity high or higher: - uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385 - description: | - All security problems that are rated as "high" or "critical" must be fixed before the software can be released or used in production. This means that if a serious vulnerability is found, it cannot be ignored or postponed. - risk: | - If serious security problems are not fixed, attackers could exploit them to steal data, disrupt services, or cause other harm. Ignoring these issues puts the organization, its customers, and its reputation at risk. - measure: | - - Make it a rule that all high or critical security findings must be fixed before the software is approved for release or use. - - Track these issues and make sure they are resolved quickly. - - Pay extra attention to Known Exploited Vulnerabilities (KEV) from CISA and EPSS scores when prioritizing fixes. - assessment: | - There is clear evidence that all high or critical security issues are tracked and fixed before release. No high or critical issues remain open in production systems. - comments: False positive analysis, specially for static analysis, is time consuming. 
- level: 1 - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - references: - samm2: - - I-DM-2-B - iso27001-2017: - - 16.1.4 - - 12.6.1 - iso27001-2022: - - 8.8 - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385 - implementation: - - uuid: aa507341-9531-42cd-95cf-d7b51af47086 - name: Known Exploited Vulnerabilities - tags: - - vulnerability - url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog - description: A catalog of vulnerabilities that have been exploited. - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: Trivy - tags: [] - url: https://github.com/aquasecurity/trivy - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: Grype - tags: - - sbom - - dependency - - vulnerability - url: https://github.com/anchore/grype - tags: - - vuln-action - - defect-management - teamsImplemented: - Default: false - B: false - C: false Treatment of defects with severity middle: uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594 risk: Vulnerabilities with severity middle are not visible. @@ -6558,8 +5905,7 @@ Test and Verification: comments: False positive analysis, specially for static analysis, is time consuming. references: samm2: - - I-DM-2-B - - I-SB-3-B + - I-DM-A-2 iso27001-2017: - 16.1.4 - 12.6.1 
@@ -6567,15 +5913,11 @@ Test and Verification: - 8.8 - 5.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20with%20severity%20middle implementation: [] tags: - vuln-action - defect-management - teamsImplemented: - Default: false - B: false - C: false Usage of a vulnerability management system: uuid: 85ba5623-84be-4219-8892-808837be582d risk: Maintenance of false positives in each tool enforces a high workload. @@ -6589,9 +5931,9 @@ Test and Verification: resources: 2 usefulness: 2 dependsOn: - - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad - - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 - - 185d5a74-19dc-4422-be07-44ea35226783 + - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # Exploit likelihood estimation + - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion + - 185d5a74-19dc-4422-be07-44ea35226783 # Office Hours level: 3 description: "For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended.\n\nTo implement a security culture @@ -6618,14 +5960,12 @@ Test and Verification: name: SecObserve tags: - vulnerability management system - url: https://github.com/MaibornWolff/SecObserve + url: https://github.com/SecObserve/SecObserve description: | - The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools. + SecObserve is an open source vulnerability and license management system for software development teams and cloud environments. It supports a variety of open source vulnerability scanners and integrates into CI/CD pipelines. references: samm2: - - I-DM-1-B - - I-SB-2-B - - I-SB-3-B + - I-DM-A-3 iso27001-2017: - 12.6.1 - 16.1.3 
@@ -6639,94 +5979,243 @@ Test and Verification: - 5.26 - 5.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/85ba5623-84be-4219-8892-808837be582d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Usage%20of%20a%20vulnerability%20management%20system + tags: + - none + Advanced visualization of defects: + uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876 + risk: Correlation of the vulnerabilities of different tools to have an overview + of the the overall security level per component/project/team is not given. + measure: Findings are visualized per component/project/team. + difficultyOfImplementation: + knowledge: 2 + time: 4 + resources: 1 + usefulness: 2 + level: 4 + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde + name: Business friendly vulnerability management metrics + url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 + tags: + - documentation + - vulnerability + - vulnerability management system + references: + samm2: + - I-DM-A-3 + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Advanced%20visualization%20of%20defects + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Reproducible defect tickets: + uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39 + risk: Vulnerability descriptions are hard to understand by staff from operations + and development. + measure: Vulnerabilities include the test procedure to give the staff from operations + and development the ability to reproduce vulnerabilities. This enhances the + understanding of vulnerabilities and therefore the fix have a higher quality. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 2 + level: 4 + implementation: [] + references: + samm2: + - I-DM-A-2 + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Reproducible%20defect%20tickets + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false + Treatment of all defects: + uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d + risk: Vulnerabilities with severity low are not visible. + measure: All vulnerabilities are added to the quality gate. 
+ difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 1 + usefulness: 2 + level: 5 + implementation: [] + references: + samm2: + - I-DM-A-2 + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20all%20defects + tags: + - vuln-action + - defect-management + comments: "" Dynamic depth for applications: - Coverage analysis: - uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7 - risk: Parts of the service are not still covered by tests. - measure: Check that there are no missing paths in the application with coverage-tools. + Coverage of client side dynamic components: + uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e + risk: Parts of the service are not covered during the scan, because JavaScript + is not getting executed. Therefore, the coverage of client-side dynamic components + is limited, leading to potential security risks and undetected vulnerabilities. + measure: Usage of a spider which executes dynamic content like JavaScript, e.g. + via Selenium. 
difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 3 + knowledge: 3 + time: 3 + resources: 1 usefulness: 4 - level: 5 + level: 2 + dependsOn: + - 65a2d7d9-5441-46bf-a4e3-f76919857750 # Usage of different roles + references: + samm2: + - V-ST-A-2 + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Coverage%20of%20client%20side%20dynamic%20components + implementation: + - uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb + name: Ajax Spider + tags: [] + url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Simple Scan: + uuid: 07796811-37f9-467c-9ff2-48f346e77ff3 + risk: Deficient security tests are performed. Simple vulnerabilities are not + detected and missing security configurations (e.g. headers) are not set. Fast + feedback is not given. + measure: A simple scan is performed to get a security baseline. In case the + test is done in under 10 minutes, it should be part of the build and deployment + process. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 1 + level: 2 + dependsOn: + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process implementation: - - uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366 - name: OWASP Code Pulse - tags: [] - url: https://www.owasp.org/index.php/OWASP_Code_Pulse - - uuid: f011de6e-ab7c-4ec7-af55-03427271ab32 - name: Coverage.py + - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 + name: OWASP Zap tags: - - testing - - coverage - url: https://github.com/nedbat/coveragepy + - vulnerability + - scanner + url: https://github.com/zaproxy/zaproxy description: | - Code coverage measurement for Python + The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... + - uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63 + name: Arachni + url: https://github.com/Arachni/arachni references: samm2: - - V-ST-2-A + - V-ST-A-1 iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - - part of periodic review, PDCA + - 14.2.3 + - 14.2.8 iso27001-2022: - - ISO 27001:2022 mapping is missing + - 8.32 + - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Simple%20Scan + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of client side dynamic components: - uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e - risk: Parts of the service are not covered during the scan, because JavaScript - is not getting executed. Therefore, the coverage of client-side dynamic components - is limited, leading to potential security risks and undetected vulnerabilities. 
- measure: Usage of a spider which executes dynamic content like JavaScript, e.g. - via Selenium. + Usage of different roles: + uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750 + risk: Parts of the service are not covered during the scan, because a login + is not performed. + measure: Integration of authentication with all roles used in the service. difficultyOfImplementation: knowledge: 3 time: 3 resources: 1 - usefulness: 4 + usefulness: 2 level: 2 dependsOn: - - Usage of different roles + - 07796811-37f9-467c-9ff2-48f346e77ff3 # Simple Scan references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: + - not explicitly covered by ISO 27001 - too specific - 14.2.3 - 14.2.8 iso27001-2022: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/9711f871-f79d-4573-8d4f-d2c98fd0d18e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Usage%20of%20different%20roles implementation: - - uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb - name: Ajax Spider - tags: [] - url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ + - uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3 + name: Zest + url: https://www.zaproxy.org/docs/desktop/addons/zest/ + tags: + - zap + description: | + Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools. + isImplemented: false + assessment: For REST APIs, multiple OAuth2 scopes are used. + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Coverage of hidden endpoints: uuid: 6a9cb303-0f98-48a8-bdcd-56d41c0012b8 risk: Hidden endpoints of the service are not getting tracked. 
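Review bot: In the moved `Usage of different roles` entry the `iso27001-2017` list now reads `- not explicitly covered by ISO 27001 - too specific` immediately followed by `- 14.2.3` and `- 14.2.8`, which contradicts itself; keep either the control numbers or the "not covered" marker, as the neighbouring `Coverage of hidden endpoints` entry does. The `OWASP Zap` implementation under `Simple Scan` carries a description cut off mid-sentence (`... maintained by a dedicated international team of ...`), so the rendered model shows a dangling fragment; trimming it to `The OWASP Zed Attack Proxy (ZAP) is a free, actively maintained web application security scanner.` would do. The commit removes the per-team `teamsImplemented` blocks from the model yet adds `isImplemented: false` / `evidence: ""` to most activities in this hunk; if `model.yaml` is meant to be assessment-free, these look like the same kind of per-assessment state and presumably belong in the team files instead, worth confirming against the loader. Whichever way that is decided, it should be applied uniformly, since `Usage of a vulnerability management system` and `Treatment of all defects` do not receive the two keys while their siblings do.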
@@ -6765,24 +6254,21 @@ Test and Verification: description: | Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. dependsOn: - - Usage of different roles + - 65a2d7d9-5441-46bf-a4e3-f76919857750 # Usage of different roles references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - not explicitly covered by ISO 27001 - too specific iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Coverage%20of%20hidden%20endpoints + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Coverage of more input vectors: uuid: 5e0ff85b-ec89-4ef0-96b1-5695fa0025dc risk: Parts of the service are not covered. For example specially formatted @@ -6797,17 +6283,16 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - Usage of different roles + - 65a2d7d9-5441-46bf-a4e3-f76919857750 # Usage of different roles references: samm2: - - V-ST-2-A + - V-RT-B-1 iso27001-2017: - not explicitly covered by ISO 27001 - too specific iso27001-2022: - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/5e0ff85b-ec89-4ef0-96b1-5695fa0025dc + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Coverage%20of%20more%20input%20vectors implementation: - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b name: Schemathesis 
@@ -6818,13 +6303,11 @@ Test and Verification: url: https://github.com/schemathesis/schemathesis description: | Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Coverage of sequential operations: uuid: 845f06ec-148c-4c67-9755-7041911dcca5 risk: Sequential operations like workflows (e.g. login -> put products in the @@ -6843,10 +6326,10 @@ Test and Verification: tags: [] url: https://curl.se/ dependsOn: - - Usage of different roles + - 65a2d7d9-5441-46bf-a4e3-f76919857750 # Usage of different roles references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - 14.2.8 - 14.2.3 
@@ -6854,267 +6337,254 @@ Test and Verification: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/845f06ec-148c-4c67-9755-7041911dcca5 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Coverage%20of%20sequential%20operations + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of service to service communication: - uuid: 22aab0ef-76ce-4b8c-979c-3699784330db - risk: Service to service communication is not covered. - measure: Service to service communication is dumped and checked. + Usage of multiple scanners: + uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea + risk: Each vulnerability scanner has different opportunities. By using just + one scanner, some vulnerabilities might not be found. + measure: Usage of multiple spiders and scanner enhance the coverage and the + vulnerabilities. difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 2 - usefulness: 3 - level: 5 + knowledge: 3 + time: 3 + resources: 5 + usefulness: 1 + level: 4 dependsOn: - - Simple Scan + - 65a2d7d9-5441-46bf-a4e3-f76919857750 # Usage of different roles + implementation: + - uuid: f220b299-0917-4750-96c5-d81cd402b4df + name: OWASP secureCodeBox + tags: + - vulnerability + - scanner-orchestration + url: https://github.com/secureCodeBox/secureCodeBox + description: | + secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. 
references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - - 14.2.3 - - 14.2.8 + - 12.6.1 + - 14.2.5 iso27001-2022: - - 8.32 - - 8.29 + - 8.8 + - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/22aab0ef-76ce-4b8c-979c-3699784330db - implementation: - - uuid: 000b55f9-e6fd-4649-8290-27876a0409e2 - name: Citrus Fresh Integration Testing - tags: - - framework - - testing - url: https://citrusframework.org/ - description: Integration Test framework with focus on messaging applications - and Microservices. + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Usage%20of%20multiple%20scanners + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Simple Scan: - uuid: 07796811-37f9-467c-9ff2-48f346e77ff3 - risk: Deficient security tests are performed. Simple vulnerabilities are not - detected and missing security configurations (e.g. headers) are not set. Fast - feedback is not given. - measure: A simple scan is performed to get a security baseline. In case the - test is done in under 10 minutes, it should be part of the build and deployment - process. + Coverage analysis: + uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7 + risk: Parts of the service are not still covered by tests. + measure: Check that there are no missing paths in the application with coverage-tools. 
difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 1 - level: 2 - dependsOn: - - Defined build process + knowledge: 4 + time: 5 + resources: 3 + usefulness: 4 + level: 5 implementation: - - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 - name: OWASP Zap + - uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366 + name: OWASP Code Pulse + tags: [] + url: https://www.owasp.org/index.php/OWASP_Code_Pulse + - uuid: f011de6e-ab7c-4ec7-af55-03427271ab32 + name: Coverage.py tags: - - vulnerability - - scanner - url: https://github.com/zaproxy/zaproxy + - testing + - coverage + url: https://github.com/nedbat/coveragepy description: | - The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... - - uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63 - name: Arachni - url: https://github.com/Arachni/arachni + Code coverage measurement for Python references: samm2: - - V-ST-1-A + - V-ST-A-2 iso27001-2017: - - 14.2.3 - - 14.2.8 + - not explicitly covered by ISO 27001 - too specific + - part of periodic review, PDCA iso27001-2022: - - 8.32 - - 8.29 + - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Coverage%20analysis + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Usage of different roles: - uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750 - risk: Parts of the service are not covered during the scan, because a login - is not performed. - measure: Integration of authentication with all roles used in the service. 
+ Coverage of service to service communication: + uuid: 22aab0ef-76ce-4b8c-979c-3699784330db + risk: Service to service communication is not covered. + measure: Service to service communication is dumped and checked. difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 2 - level: 2 + knowledge: 4 + time: 5 + resources: 2 + usefulness: 3 + level: 5 dependsOn: - - Simple Scan + - 07796811-37f9-467c-9ff2-48f346e77ff3 # Simple Scan references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - 14.2.3 - 14.2.8 iso27001-2022: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/65a2d7d9-5441-46bf-a4e3-f76919857750 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20applications/subsection/Coverage%20of%20service%20to%20service%20communication implementation: - - uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3 - name: Zest - url: https://www.zaproxy.org/docs/desktop/addons/zest/ + - uuid: 000b55f9-e6fd-4649-8290-27876a0409e2 + name: Citrus Fresh Integration Testing tags: - - zap - description: | - Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools. - assessment: For REST APIs, multiple OAuth2 scopes are used. + - framework + - testing + url: https://citrusframework.org/ + description: Integration Test framework with focus on messaging applications + and Microservices. + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Usage of multiple scanners: - uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea - risk: Each vulnerability scanner has different opportunities. By using just - one scanner, some vulnerabilities might not be found. 
- measure: Usage of multiple spiders and scanner enhance the coverage and the - vulnerabilities. + Dynamic depth for infrastructure: + Test for exposed services: + uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 + risk: Standard network segmentation and firewalling has not been performed, + leading to world open cluster management ports. + measure: With the help of tools the network configuration of unintentional exposed + cluster(s) are tested. To identify clusters, all subdomains might need to + be identified with a tool like OWASP Amass to perform port scans based o the + result. difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 - usefulness: 1 - level: 4 + knowledge: 1 + time: 1 + resources: 2 dependsOn: - - Usage of different roles + - 4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments + usefulness: 2 + level: 2 implementation: - - uuid: f220b299-0917-4750-96c5-d81cd402b4df - name: OWASP secureCodeBox - tags: - - vulnerability - - scanner-orchestration - url: https://github.com/secureCodeBox/secureCodeBox - description: | - secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. 
+ - uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882 + name: nmap + tags: [] + url: https://nmap.org/ + - uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a + name: OWASP Amass + tags: [] + url: https://github.com/OWASP/Amass references: samm2: - - V-ST-2-A + - V-ST-A-1 iso27001-2017: - - 12.6.1 - - 14.2.5 + - 13.1.3 + - 14.2.3 + - 14.2.8 iso27001-2022: - - 8.8 - - 8.27 + - 8.22 + - 8.32 + - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Test%20for%20exposed%20services + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Dynamic depth for infrastructure: - Load tests: - uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd - risk: As it is unknown how many requests the systems and applications can serve, - due to an unexpected load the availability is disturbed. - measure: Load test against the production system or a production near system - is performed. + Test network segmentation: + uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01 + risk: Wrong or no network segmentation of pods makes it easier for an attacker + to access a database and extract or modify data. + measure: Cluster internal test needs to be performed. Integration of fine granulated + network segmentation (also between pods in the same namespace). 
difficultyOfImplementation: - knowledge: 3 + knowledge: 2 time: 2 - resources: 5 + resources: 1 usefulness: 3 - level: 4 - implementation: [] + level: 2 + implementation: + - uuid: fffa6fb9-1fae-4852-88dc-c7086961330c + name: netassert + tags: [] + url: https://github.com/controlplaneio/netassert + dependsOn: + - 4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments references: samm2: - - V-ST-1-A + - V-ST-A-2 iso27001-2017: - - 12.1.3 + - 13.1.3 - 14.2.3 - 14.2.8 iso27001-2022: - - 8.6 + - 8.22 - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Test%20network%20segmentation comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test for exposed services: - uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 - risk: Standard network segmentation and firewalling has not been performed, - leading to world open cluster management ports. - measure: With the help of tools the network configuration of unintentional exposed - cluster(s) are tested. To identify clusters, all subdomains might need to - be identified with a tool like OWASP Amass to perform port scans based o the - result. + Test of the configuration of cloud environments: + uuid: 7bb70764-9392-4462-935d-e55b2e148199 + risk: Standard hardening practices for cloud environments are not performed + leading to vulnerabilities. + measure: With the help of tools the configuration of virtual environments are + tested. 
difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 2 - dependsOn: - - Isolated networks for virtual environments - usefulness: 2 + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 level: 2 implementation: - - uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882 - name: nmap + - uuid: 893d9f37-2142-4490-996c-e43b55064d3d + name: kubescape + url: https://github.com/armosec/kubescape + tags: + - kubernetes + - vulnerability + - misconfiguration + description: _Testing if Kubernetes is deployed securely as defined in Kubernetes + Hardening Guidance by to NSA and CISA_ + - uuid: 2af7204c-a25c-4625-9775-889978386407 + name: kube-hunter tags: [] - url: https://nmap.org/ - - uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a - name: OWASP Amass + url: https://github.com/aquasecurity/kube-hunter + - uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f + name: openVAS tags: [] - url: https://github.com/OWASP/Amass + url: https://www.openvas.org/ references: - samm2: - - V-ST-1-A + samm2: [] iso27001-2017: - - 13.1.3 + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 - 14.2.3 - 14.2.8 iso27001-2022: - - 8.22 + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Test%20of%20the%20configuration%20of%20cloud%20environments + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Test for unauthorized installation: uuid: dccf1949-b9a8-4ce8-b992-6a4a7f3a623a risk: Unapproved components are used. 
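Review bot: Two typos survive in the moved text of this hunk: the `Test for exposed services` measure ends `port scans based o the result` (should be `based on the result`), and the kubescape description reads `Hardening Guidance by to NSA and CISA` (should be `by the NSA and CISA`). The kubescape link still points at `https://github.com/armosec/kubescape`; the project appears to have moved to a different GitHub organisation, so verify the URL resolves or redirects before release, as was done for SecObserve earlier in this patch. `Test network segmentation` is the only activity in this hunk that does not get the `isImplemented: false` / `evidence: ""` pair the others receive, which looks like an oversight if those keys are intended on every activity. One practitioner caveat is missing from the `Test for exposed services` measure: the nmap/Amass step enumerates and probes every discovered subdomain, so I would append `Scans must be restricted to assets the team owns and coordinated with operations to avoid triggering alerting or blocking.`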
@@ -7143,16 +6613,76 @@ Test and Verification: - 8.19 - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Test%20for%20unauthorized%20installation + isImplemented: false + evidence: "" dependsOn: - - Evaluation of the trust of used components + - 0de465a6-55a7-4343-af79-948bb5ff10ba # Evaluation of the trust of used components + tags: + - none + Weak password test: + uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f + risk: Weak passwords in components like applications or systems, specially for + privileged accounts, lead to take over of that account. + measure: Automatic brute force attacks are performed. Specially the usage of + standard accounts like 'admin' and employee user-ids is recommended. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 1 + level: 3 + implementation: + - uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce + name: HTC Hydra + tags: + - password + url: https://www.htc-cs.com/en/products/htc-hydra/ + references: + samm2: + - V-ST-A-2 + iso27001-2017: + - 9.4.3 + iso27001-2022: + - 5.17 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Weak%20password%20test + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Load tests: + uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd + risk: As it is unknown how many requests the systems and applications can serve, + due to an unexpected load the availability is disturbed. + measure: Load test against the production system or a production near system + is performed. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 5 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - V-RT-AB-1 + iso27001-2017: + - 12.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.6 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Load%20tests + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Test for unused Resources: uuid: 6532c1fe-9d23-4228-8722-558ddabca7d4 risk: Unused resources, specially secrets, might be still valid, but are exposing @@ -7178,7 +6708,7 @@ Test and Verification: Hunt Unused Resources In Kubernetes. references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - 13.1.3 - 14.2.3 
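Review bot: The new `Weak password test` activity names its implementation `HTC Hydra` with the URL `https://www.htc-cs.com/en/products/htc-hydra/`; the brute-force tool usually meant here is spelled THC Hydra (THC = The Hacker's Choice), so the name looks transposed and the URL should be checked before this ships as the default model. The measure `Automatic brute force attacks are performed` also needs a caveat, because credential brute force against shared or production systems locks out real accounts and trips intrusion alerting; I would extend it with `Run against test systems or dedicated test accounts, with explicit authorisation, and taking account-lockout behaviour into account.` The `Load tests` entry maps to `samm2: - V-RT-AB-1`, which does not follow the `<practice>-<stream>-<level>` shape used everywhere else in this file (`V-ST-A-2`, `I-DM-A-2`); if both streams are intended they should presumably be two list entries. The `Test for unauthorized installation` activity that this hunk touches starts outside the hunk.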
@@ -7188,143 +6718,173 @@ Test and Verification: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Dynamic%20depth%20for%20infrastructure/subsection/Test%20for%20unused%20Resources + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test network segmentation: - uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01 - risk: Wrong or no network segmentation of pods makes it easier for an attacker - to access a database and extract or modify data. - measure: Cluster internal test needs to be performed. Integration of fine granulated - network segmentation (also between pods in the same namespace). + Static depth for applications: + Software Composition Analysis (server side): + uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe + description: Use a tool like trivy and concentrate on application related vulnerabilities. + At this stage, ignore vulnerabilities in container base images used in the + service. + risk: Server side components might have vulnerabilities. + measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware) + are performed. 
difficultyOfImplementation: - knowledge: 2 - time: 2 + knowledge: 1 + time: 3 resources: 1 - usefulness: 3 + usefulness: 5 level: 2 + dependsOn: + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components implementation: - - uuid: fffa6fb9-1fae-4852-88dc-c7086961330c - name: netassert + - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 + name: OWASP Dependency Check + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://owasp.org/www-project-dependency-check/ + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 + name: retire.js tags: [] - url: https://github.com/controlplaneio/netassert - dependsOn: - - 4ce24abd-8ba6-494c-828d-4d193e28e4a1 + url: https://github.com/RetireJS/retire.js/ + - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 + name: npm audit + tags: [] + url: https://docs.npmjs.com/cli/audit + - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 + name: Dependabot + tags: + - dependency + - dependency-management + - scm + url: https://github.com/dependabot/dependabot-core + description: | + Dependabot creates pull requests to keep your dependencies secure and up-to-date. 
+ - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: https://github.com/aquasecurity/trivy + tags: [] + url: https://github.com/aquasecurity/trivy references: samm2: - - V-ST-2-A + - V-ST-A-2 + - I-SB-B-2 iso27001-2017: - - 13.1.3 - - 14.2.3 - - 14.2.8 + - 12.6.1 iso27001-2022: - - 8.22 - - 8.32 - - 8.29 + - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01 - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Software%20Composition%20Analysis%20%28server%20side%29 tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test of the configuration of cloud environments: - uuid: 7bb70764-9392-4462-935d-e55b2e148199 - risk: Standard hardening practices for cloud environments are not performed - leading to vulnerabilities. - measure: With the help of tools the configuration of virtual environments are - tested. + - vmm-testing + Test for Time to Patch: + uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f + risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities + in production artifacts. + measure: |- + Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs) + This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
difficultyOfImplementation: - knowledge: 2 - time: 2 + knowledge: 1 + time: 1 resources: 1 - usefulness: 4 + usefulness: 3 level: 2 implementation: - - uuid: 893d9f37-2142-4490-996c-e43b55064d3d - name: kubescape - url: https://github.com/armosec/kubescape + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot tags: - - kubernetes - - vulnerability - - misconfiguration - description: _Testing if Kubernetes is deployed securely as defined in Kubernetes - Hardening Guidance by to NSA and CISA_ - - uuid: 2af7204c-a25c-4625-9775-889978386407 - name: kube-hunter - tags: [] - url: https://github.com/aquasecurity/kube-hunter - - uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f - name: openVAS - tags: [] - url: https://www.openvas.org/ + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + dependsOn: + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches references: - samm2: [] + samm2: + - V-ST-A-2 iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 12.6.1 - - 14.2.3 - - 14.2.8 + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 iso27001-2022: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 8.8 - - 8.32 - - 8.29 + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/7bb70764-9392-4462-935d-e55b2e148199 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Test%20for%20Time%20to%20Patch comments: "" + meta: + implementationGuide: Usage of a version control platform API (e.g. github + API) can be used to fetch the information. 
Consider that `Measure libyears` + might be an alternative to this activity. tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Weak password test: - uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f - risk: Weak passwords in components like applications or systems, specially for - privileged accounts, lead to take over of that account. - measure: Automatic brute force attacks are performed. Specially the usage of - standard accounts like 'admin' and employee user-ids is recommended. + - patching + Test libyear: + uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad + risk: Vulnerabilities in running artifacts stay for long and might get exploited. + measure: Test `libyear`, which provides a good insight how good patch management + is. difficultyOfImplementation: - knowledge: 2 + knowledge: 1 time: 1 resources: 1 - usefulness: 1 - level: 3 + usefulness: 3 + level: 2 implementation: - - uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce - name: HTC Hydra + - uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 + name: libyear tags: - - password - url: https://www.htc-cs.com/en/products/htc-hydra/ + - patching + - build + url: https://libyear.com/ + description: A simple measure of software dependency freshness. It is a single + number telling you how up-to-date your dependencies are. 
+ dependsOn: + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - - 9.4.3 + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 iso27001-2022: - - 5.17 + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Test%20libyear comments: "" + meta: + implementationGuide: | + `libyear` can be integrated into the build process and flag or even better break the build in case the defined threshold (e.g. 30 years) is reached. + An alternative approach is to determine `libyear` based on deployed artifacts (which requires more effort in implementation). tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Static depth for applications: + - patching API design validation: uuid: 017d9e26-42b5-49a4-b945-9f59b308fb99 risk: Creation of insecure or non-compliant API. @@ -7361,7 +6921,7 @@ Test and Verification: on API best practices. references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - 14.2.1 - 14.2.5 
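Review bot: In the moved `Software Composition Analysis (server side)` entry the Trivy implementation now reads `name: https://github.com/aquasecurity/trivy` — the URL has been copied into the display name, while a later hunk in this patch removes the old `name: Trivy` line, so the commit regresses the name; it should be `name: Trivy` with the `url` field unchanged. Separately, `Test for Time to Patch` introduces its own `dependabot` implementation (uuid `d6292c7d…`, `url: https://dependabot.com/`) while the SCA entries in the same hunk reference `Dependabot` as uuid `5c0e817b…` with the dependabot-core repository URL, so one tool exists under two identities; pointing both activities at a single implementation uuid would keep references consistent. If `model.yaml` is produced from an upstream data repository, the fix belongs there as well so the next regeneration does not reintroduce it.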
@@ -7370,97 +6930,20 @@ Test and Verification: - 8.27 - 8.28 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99 - dependsOn: - - 2a44b708-734f-4463-b0cb-86dc46344b2f - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Dead code elimination: - uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d - risk: Dead code increases the attack surface (use of hard coded credentials - and variables, sensitive information) - measure: Collection of unused code and then manual removal of unused code. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 5 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] - dependsOn: - - Defined build process - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Exclusion of source code duplicates: - uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711 - risk: Duplicates in source code might influence the stability of the application. - measure: Automatic Detection and manual removal of duplicates in source code. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 5 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/API%20design%20validation + isImplemented: false dependsOn: - - Defined build process - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711 - comments: "" + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components tags: - none - teamsImplemented: - Default: false - B: false - C: false Exploit likelihood estimation: uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad risk: Without proper prioritization, organizations may waste time and effort on low-risk vulnerabilities while neglecting critical ones. measure: Estimate the likelihood of exploitation by using data (CISA KEV) from - the past or prediction models (EPSS). + the past or prediction models (e.g. Exploit Prediction Scoring System, EPSS). + description: Severity-based vulnerability triage alone generates a lot false + positives, requiring a more refined approach. difficultyOfImplementation: knowledge: 2 time: 2 @@ -7468,7 +6951,7 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - d918cd44-a972-43e9-a974-eff3f4a5dcfe + - d918cd44-a972-43e9-a974-eff3f4a5dcfe # Software Composition Analysis (server side) implementation: - uuid: aa507341-9531-42cd-95cf-d7b51af47086 name: Known Exploited Vulnerabilities 
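Review bot: `API design validation` gains `isImplemented: false` but, unlike the other entries this patch touches (which add the `isImplemented: false` / `evidence: ""` pair), no `evidence` field, and entries such as `Dead code elimination` elsewhere in the patch get neither; if the loader treats a missing field as false this is harmless, but the default model is easier to validate when every activity carries the same per-activity fields, so I would add `evidence: ""` here. The new `Exploit likelihood estimation` description also has a typo: `generates a lot false positives` should read `generates a lot of false positives`.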
@@ -7485,21 +6968,16 @@ Test and Verification: exploited. references: samm2: - - V-ST-2-A - - I-SB-3-B + - V-ST-A-2 + - I-SB-B-3 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Exploit%20likelihood%20estimation tags: - none - teamsImplemented: - Default: false - B: false - C: false Local development security checks performed: uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b risk: Creating and developing code contains code smells and quality issues. @@ -7543,7 +7021,7 @@ Test and Verification: - pre-commit references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - Hardening is not explicitly covered by ISO 27001 - too specific - 13.1.3 @@ -7551,15 +7029,12 @@ Test and Verification: - Hardening is not explicitly covered by ISO 27001 - too specific - 8.22 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Local%20development%20security%20checks%20performed + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Software Composition Analysis (client side): uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86 risk: Client side components might have vulnerabilities. 
@@ -7572,9 +7047,9 @@ Test and Verification: usefulness: 2 level: 3 dependsOn: - - Defined build process - - 2a44b708-734f-4463-b0cb-86dc46344b2f - - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components + - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # Exploit likelihood estimation implementation: - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 name: retire.js 
@@ -7585,75 +7060,9 @@ Test and Verification: tags: [] url: https://docs.npmjs.com/cli/audit - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 - name: Dependabot - tags: - - dependency - - dependency-management - - scm - url: https://github.com/dependabot/dependabot-core + name: Dependency-Track description: | - Dependabot creates pull requests to keep your dependencies secure and up-to-date. - references: - samm2: - - V-ST-2-A - - I-SB-2-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Software Composition Analysis (server side): - uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe - description: Use a tool like trivy and concentrate on application related vulnerabilities. - At this stage, ignore vulnerabilities in container base images used in the - service. - risk: Server side components might have vulnerabilities. - measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware) - are performed. 
- difficultyOfImplementation: - knowledge: 1 - time: 3 - resources: 1 - usefulness: 5 - level: 2 - dependsOn: - - Defined build process - - 2a44b708-734f-4463-b0cb-86dc46344b2f - implementation: - - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 - name: OWASP Dependency Check - tags: - - OpenSource - - Supply Chain - - vulnerability - url: https://owasp.org/www-project-dependency-check/ - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). url: https://github.com/DependencyTrack/dependency-track tags: - sca @@ -7662,14 +7071,6 @@ Test and Verification: - Supply Chain - vulnerability - inventory - - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 - name: retire.js - tags: [] - url: https://github.com/RetireJS/retire.js/ - - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 - name: npm audit - tags: [] - url: https://docs.npmjs.com/cli/audit - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 name: Dependabot tags: 
@@ -7679,72 +7080,33 @@ Test and Verification: url: https://github.com/dependabot/dependabot-core description: | Dependabot creates pull requests to keep your dependencies secure and up-to-date. - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: Trivy - tags: [] - url: https://github.com/aquasecurity/trivy - references: - samm2: - - V-ST-2-A - - I-SB-2-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d918cd44-a972-43e9-a974-eff3f4a5dcfe - tags: - - vmm-testing - teamsImplemented: - Default: false - B: false - C: false - Static analysis for all components/libraries: - uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 - risk: Used components like libraries and legacy applications might have vulnerabilities - measure: Usage of a static analysis for all used components. - difficultyOfImplementation: - knowledge: 2 - time: 4 - resources: 2 - usefulness: 3 - level: 5 - dependsOn: - - Static analysis for important client side components - - Static analysis for important server side components - - 2a44b708-734f-4463-b0cb-86dc46344b2f - implementation: [] references: samm2: - - V-ST-2-A - - I-SB-3-B + - V-ST-A-2 + - I-SB-B-2 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Software%20Composition%20Analysis%20%28client%20side%29 + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Static analysis for all self written components: - uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84 - risk: Parts in the source code of the frontend or middleware have vulnerabilities. 
- measure: Usage of static analysis tools for all parts of the middleware and - frontend. Static analysis uses for example string matching algorithms and/or + Static analysis for important client side components: + uuid: e237176b-bec5-447d-a926-e37d6dd60e4b + risk: Important parts in the source code of the frontend have vulnerabilities. + measure: Usage of static analysis tools for important parts of the frontend + are used. Static analysis uses for example string matching algorithms and/or dataflow analysis. difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 - usefulness: 4 - level: 4 + usefulness: 3 + level: 3 implementation: - uuid: 6a0948a7-4781-4858-9766-f4303971b28b name: eslint @@ -7757,6 +7119,11 @@ Test and Verification: name: jsprime tags: [] url: https://github.com/dpnishant/jsprime + - uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75 + name: '[bdd-mobile-security' + tags: [] + url: https://github.com/ing-bank/bdd-mobile-security-automation-framework + description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)' - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 name: Fortify Extension for Visual Studio Code url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code 
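Review bot: The implementation added to `Static analysis for important client side components` has `name: '[bdd-mobile-security'`, a truncated markdown-link fragment, and its `description` is the full markdown link rather than prose; the display name should be the plain repository name, e.g. `name: bdd-mobile-security-automation-framework`, and the description either dropped or replaced by a sentence, since the `url` field already carries the link. The entry is moved from the server-side activity rather than new, but the garbled name survives the move. The repository name also suggests a BDD mobile-app security test framework rather than a static analyzer, so confirm it belongs under this activity at all.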
@@ -7776,38 +7143,33 @@ Test and Verification: - ide - sast dependsOn: - - Static analysis for important client side components - - Static analysis for important server side components - - 2a44b708-734f-4463-b0cb-86dc46344b2f + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components references: samm2: - - V-ST-2-A - - I-SB-3-B + - V-ST-A-2 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Static%20analysis%20for%20important%20client%20side%20components + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Static analysis for important client side components: - uuid: e237176b-bec5-447d-a926-e37d6dd60e4b - risk: Important parts in the source code of the frontend have vulnerabilities. - measure: Usage of static analysis tools for important parts of the frontend + Static analysis for important server side components: + uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4 + risk: Important parts in the source code of the middleware have vulnerabilities. + measure: Usage of static analysis tools for important parts of the middleware are used. Static analysis uses for example string matching algorithms and/or dataflow analysis. difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 - usefulness: 3 + usefulness: 4 level: 3 implementation: - uuid: 6a0948a7-4781-4858-9766-f4303971b28b 
@@ -7821,11 +7183,6 @@ Test and Verification: name: jsprime tags: [] url: https://github.com/dpnishant/jsprime - - uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75 - name: '[bdd-mobile-security' - tags: [] - url: https://github.com/ing-bank/bdd-mobile-security-automation-framework - description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)' - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 name: Fortify Extension for Visual Studio Code url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code 
@@ -7845,37 +7202,75 @@ Test and Verification: - ide - sast dependsOn: - - Defined build process - - 2a44b708-734f-4463-b0cb-86dc46344b2f + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components references: samm2: - - V-ST-2-A + - V-ST-A-2 + - I-SB-B-3 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Static%20analysis%20for%20important%20server%20side%20components + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Static analysis for important server side components: - uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4 - risk: Important parts in the source code of the middleware have vulnerabilities. - measure: Usage of static analysis tools for important parts of the middleware - are used. Static analysis uses for example string matching algorithms and/or + Test for Patch Deployment Time: + uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 + risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities + in production artifacts. + measure: | + Test of the Patch Deployment Time. + This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process + references: + samm2: + - V-ST-A-2 + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Test%20for%20Patch%20Deployment%20Time + comments: "" + meta: + implementationGuide: Self implementation. This activity is not repeated in + the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure + as well. + tags: + - patching + Static analysis for all self written components: + uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84 + risk: Parts in the source code of the frontend or middleware have vulnerabilities. + measure: Usage of static analysis tools for all parts of the middleware and + frontend. Static analysis uses for example string matching algorithms and/or dataflow analysis. difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 usefulness: 4 - level: 3 + level: 4 implementation: - uuid: 6a0948a7-4781-4858-9766-f4303971b28b name: eslint 
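Review bot: `Test for Patch Deployment Time` lists `PMD` (uuid `00702aca…`) as its implementation, yet PMD is the source analyzer this file uses for `Dead code elimination` and `Exclusion of source code duplicates`, and the entry's own `meta.implementationGuide` says `Self implementation.`; the tool reference looks like a copy-paste and contradicts the guide. Unless a PMD-based measurement is genuinely intended, `implementation: []` (as `Load tests` and `Usage of multiple analyzers` already use) is the honest value. The `risk` text is also identical to `Test for Time to Patch`, so a reader cannot tell from the model what separates the two activities; a clause in `measure` stating what interval is measured here (merge-to-deployment, if that is the intent) would help.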
@@ -7907,64 +7302,43 @@ Test and Verification: - ide - sast dependsOn: - - Defined build process - - 2a44b708-734f-4463-b0cb-86dc46344b2f + - e237176b-bec5-447d-a926-e37d6dd60e4b # Static analysis for important client side components + - 6c05c837-8c99-46e2-828b-7c903e27dba4 # Static analysis for important server side components + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components references: samm2: - - V-ST-2-A - - I-SB-3-B + - V-ST-A-2 + - I-SB-B-3 iso27001-2017: - 12.6.1 iso27001-2022: - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Static%20analysis%20for%20all%20self%20written%20components + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Stylistic analysis: - uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 - risk: Unclear or obfuscated code might have unexpected behavior. - measure: Analysis of compliance to style guides of the source code ensures that - source code formatting rules are met (e.g. indentation, loops, ...). + Usage of multiple analyzers: + uuid: 297be001-8d94-41ee-ab29-207020d423c0 + risk: Each vulnerability analyzer has different opportunities. By using just + one analyzer, some vulnerabilities might not be found. + measure: Usage of multiple static tools to find more vulnerabilities. 
difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 + knowledge: 3 + time: 3 + resources: 5 usefulness: 1 - level: 5 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] - - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe - name: How to enforce a consistent coding style in your projects - url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm - tags: - - ide - - linting - - uuid: aa5ded61-5380-4da6-9474-afc36a397682 - name: In-Depth Linting of Your TypeScript While Coding - url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding - tags: - - ide - - linting - - uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f - name: Super-Linter - tags: - - linting - - scm - url: https://github.com/github/super-linter - description: | - Lint code bases to catch common errors and enforce code style + level: 4 + dependsOn: + - d918cd44-a972-43e9-a974-eff3f4a5dcfe # Software Composition Analysis (server side) + - 07fe8c4f-ae33-4409-b1b2-cf64cfccea86 # Software Composition Analysis (client side) + - ee68331f-9b1d-4f61-844b-b2ea04753a84 # Static analysis for all self written components + implementation: [] references: samm2: - - V-ST-2-A + - V-ST-A-3 iso27001-2017: - 12.6.1 - 14.2.1 
@@ -7974,38 +7348,32 @@ Test and Verification: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Usage%20of%20multiple%20analyzers + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test for Patch Deployment Time: - uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 - risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities - in production artifacts. - measure: | - Test of the Patch Deployment Time. - This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. + Dead code elimination: + uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d + risk: Dead code increases the attack surface (use of hard coded credentials + and variables, sensitive information) + measure: Collection of unused code and then manual removal of unused code. difficultyOfImplementation: - knowledge: 2 - time: 2 + knowledge: 1 + time: 1 resources: 1 - usefulness: 3 - level: 3 + usefulness: 1 + level: 5 implementation: - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb name: PMD tags: [] dependsOn: - - Automated PRs for patches - - Defined build process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 14.2.1 
@@ -8015,50 +7383,29 @@ Test and Verification: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Dead%20code%20elimination comments: "" - meta: - implementationGuide: Self implementation. This activity is not repeated in - the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure - as well. tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Test for Time to Patch: - uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f - risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities - in production artifacts. - measure: |- - Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs) - This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. + - none + Exclusion of source code duplicates: + uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711 + risk: Duplicates in source code might influence the stability of the application. + measure: Automatic Detection and manual removal of duplicates in source code. 
difficultyOfImplementation: knowledge: 1 time: 1 resources: 1 - usefulness: 3 - level: 2 + usefulness: 1 + level: 5 implementation: - - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 - name: dependabot - tags: - - auto-pr - - patching - url: https://dependabot.com/ - - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 - name: renovate - tags: - - auto-pr - - patching - url: https://github.com/renovatebot/renovate + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] dependsOn: - - Automated PRs for patches + - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 14.2.1 
@@ -8068,85 +7415,78 @@ Test and Verification: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Exclusion%20of%20source%20code%20duplicates comments: "" - meta: - implementationGuide: Usage of a version control platform API (e.g. github - API) can be used to fetch the information. Consider that `Measure libyears` - might be an alternative to this activity. tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Test libyear: - uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad - risk: Vulnerabilities in running artifacts stay for long and might get exploited. - measure: Test `libyear`, which provides a good insight how good patch management - is. + - none + Static analysis for all components/libraries: + uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 + risk: Used components like libraries and legacy applications might have vulnerabilities + measure: Usage of a static analysis for all used components. difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 + knowledge: 2 + time: 4 + resources: 2 usefulness: 3 - level: 2 - implementation: - - uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 - name: libyear - tags: - - patching - - build - url: https://libyear.com/ - description: A simple measure of software dependency freshness. It is a single - number telling you how up-to-date your dependencies are. 
+ level: 5 dependsOn: - - Defined build process + - e237176b-bec5-447d-a926-e37d6dd60e4b # Static analysis for important client side components + - 6c05c837-8c99-46e2-828b-7c903e27dba4 # Static analysis for important server side components + - 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components + implementation: [] references: samm2: - - V-ST-2-A + - V-ST-A-2 + - I-SB-B-3 iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 + - 12.6.1 iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 + - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Static%20analysis%20for%20all%20components%2Flibraries + isImplemented: false + evidence: "" comments: "" - meta: - implementationGuide: | - `libyear` can be integrated into the build process and flag or even better break the build in case the defined threshold (e.g. 30 years) is reached. - An alternative approach is to determine `libyear` based on deployed artifacts (which requires more effort in implementation). tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Usage of multiple analyzers: - uuid: 297be001-8d94-41ee-ab29-207020d423c0 - risk: Each vulnerability analyzer has different opportunities. By using just - one analyzer, some vulnerabilities might not be found. - measure: Usage of multiple static tools to find more vulnerabilities. + - none + Stylistic analysis: + uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 + risk: Unclear or obfuscated code might have unexpected behavior. + measure: Analysis of compliance to style guides of the source code ensures that + source code formatting rules are met (e.g. indentation, loops, ...). 
difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 + knowledge: 1 + time: 1 + resources: 1 usefulness: 1 - level: 4 - dependsOn: - - Software Composition Analysis (server side) - - Software Composition Analysis (client side) - - Static analysis for all self written components - implementation: [] + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe + name: How to enforce a consistent coding style in your projects + url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm + tags: + - ide + - linting + - uuid: aa5ded61-5380-4da6-9474-afc36a397682 + name: In-Depth Linting of Your TypeScript While Coding + url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding + tags: + - ide + - linting + - uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f + name: Super-Linter + tags: + - linting + - scm + url: https://github.com/github/super-linter + description: | + Lint code bases to catch common errors and enforce code style references: samm2: - - V-ST-3-A + - V-ST-A-2 iso27001-2017: - 12.6.1 - 14.2.1 
@@ -8156,149 +7496,89 @@ Test and Verification: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/297be001-8d94-41ee-ab29-207020d423c0 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Stylistic%20analysis + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Static depth for infrastructure: - Analyze logs: - uuid: b217c8bb-5d61-4b41-a675-1083993f83b1 - risk: Not aware of attacks happening. - measure: Check logs for keywords. + Test for stored secrets in build artifacts: + uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f + risk: Stored secrets in container images or other build artifacts shouldn't + exists because they might be exposed to unauthorized parties. + measure: Test for secrets in container images and other artifacts difficultyOfImplementation: knowledge: 2 - time: 2 + time: 1 resources: 2 - usefulness: 3 - level: 3 - implementation: - - uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2 - name: SigmaHQ - tags: [] - url: https://github.com/SigmaHQ/sigma - references: - samm2: [] - iso27001-2017: - - ISO 27001:2017 mapping is missing - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Correlate known vulnerabilities in infrastructure with new image versions: - uuid: 7de0ae33-6538-45cd-8222-a1475647ba58 - risk: TODO. 
- measure: TODO - difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 4 - usefulness: 1 - level: 4 - dependsOn: - - Usage of a maximum lifetime for images - implementation: - - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc - name: Anchore.io - tags: [] - url: https://anchore.com/ - - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 - name: Clair - tags: [] - url: https://github.com/quay/clair - - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 - name: OpenSCAP + usefulness: 2 + level: 1 + implementation: + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog tags: [] - url: https://www.open-scap.org/ - - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 - name: Vuls + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries tags: [] - url: https://github.com/future-architect/vuls + url: https://github.com/nccgroup/go-pillage-registries references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - - 12.6.1 - - 14.2.1 + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 iso27001-2022: - - 8.8 - - 8.25 + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20for%20stored%20secrets%20in%20build%20artifacts + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Software Composition Analysis: - uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad - risk: Known vulnerabilities in infrastructure components like container images - might get exploited. 
- measure: Check for known vulnerabilities + Test for stored secrets in code: + uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c + risk: Stored secrets in git history or directly in code shouldn't exists because + they might be exposed to unauthorized parties. + measure: Test for secrets in code and git history difficultyOfImplementation: knowledge: 2 time: 1 - resources: 1 - usefulness: 4 - level: 4 - description: Subscribing to Github projects and reading release notes might - help. Software Composition Analysis for infrastructure might help, but is - often too fine-granular. + resources: 2 + usefulness: 2 + level: 1 implementation: - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: Trivy + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog tags: [] - url: https://github.com/aquasecurity/trivy - - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57 - name: Registries like quay + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries tags: [] - description: Registries like quay, dockerhub provide (commercial) offerings, - often not suitable for distroless images - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). 
- url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory + url: https://github.com/nccgroup/go-pillage-registries references: samm2: - - V-ST-2-A + - V-ST-A-1 iso27001-2017: - - 12.6.1 + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 iso27001-2022: - - 8.8 + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20for%20stored%20secrets%20in%20code + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Test cluster deployment resources: uuid: 621fb6a5-5c0a-4408-826a-068868bb031b risk: The deployment configuration (e.g. kubernetes deployment resources) might @@ -8318,7 +7598,7 @@ Test and Verification: url: https://kubesec.io references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - System hardening is not explicitly covered by ISO 27001 - too specific - 12.6.1 @@ -8330,15 +7610,12 @@ Test and Verification: - 8.32 - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20cluster%20deployment%20resources + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Test for image lifetime: uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b risk: Old container images in production indicate that patch management is not 
@@ -8366,7 +7643,7 @@ Test and Verification: in production environments. references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - 12.6.1 - 14.2.5 @@ -8374,29 +7651,28 @@ Test and Verification: - 8.8 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20for%20image%20lifetime + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test for malware: - uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d - risk: Third party might include malware. Ether due to the maintainer (e.g. - typo squatting of an image name and using the wrong image) or by an attacker - on behalf of the maintainer with stolen credentials. - measure: Check for malware in components (e.g. container images, VM baseline - images, libraries). + Test of virtualized environments: + uuid: 58825d22-1ce6-4748-af81-0ec9956e4129 + risk: Virtualized environments (e.g. via Container Images) might contains + unsecure configurations. + measure: Test virtualized environments for unsecured configurations. difficultyOfImplementation: knowledge: 2 - time: 2 + time: 1 resources: 2 usefulness: 3 - level: 3 + level: 2 implementation: + - uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5 + name: Dive to inspect a container images + tags: [] + url: https://github.com/wagoodman/dive - url: https://github.com/SDA-SE/clusterscanner uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f name: ClusterScanner 
@@ -8412,151 +7688,191 @@ Test and Verification: in production environments. references: samm2: - - V-ST-2-A + - V-ST-A-1 iso27001-2017: - - 12.2.1 + - ISO 27001:2017 mapping is missing iso27001-2022: - - 8.7 + - ISO 27001:2022 mapping is missing openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20of%20virtualized%20environments + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test for new image version: - uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e - risk: When a new version of an image is available, it might fix security vulnerabilities. - measure: Check for new images of containers in production. + Test the cloud configuration: + uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc + risk: Standard hardening practices for cloud environments are not performed + leading to vulnerabilities. + measure: With the help of tools, the configuration of virtual environments are + tested. 
difficultyOfImplementation: - knowledge: 3 - time: 3 + knowledge: 2 + time: 2 resources: 1 - usefulness: 2 - level: 3 - implementation: [] + usefulness: 4 + level: 2 + implementation: + - uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055 + name: kube-bench + tags: [] + url: https://github.com/aquasecurity/kube-bench references: samm2: - - V-ST-2-A + - V-ST-A-1 iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific - 12.6.1 - - 14.2.5 - - 12.2.1 + - 14.2.3 + - 14.2.8 iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific - 8.8 - - 8.7 - - 8.27 + - 8.32 + - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20the%20cloud%20configuration + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test for stored secrets in build artifacts: - uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f - risk: Stored secrets in container images or other build artifacts shouldn't - exists because they might be exposed to unauthorized parties. - measure: Test for secrets in container images and other artifacts + Test the definition of virtualized environments: + uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e + risk: The definition of virtualized environments (e.g. via Dockerfile) + might contain unsecure configurations. + measure: Test the definition of virtualized environments for unsecured configurations. difficultyOfImplementation: knowledge: 2 time: 1 resources: 2 - usefulness: 2 - level: 1 + usefulness: 3 + level: 2 + meta: + implementationGuide: For containier (images), test that the images are following + best practices like distroless or non-root. 
implementation: - - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 - name: truffleHog + - uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005 + name: Dockerfile with hadolint tags: [] - url: https://github.com/dxa4481/truffleHog - - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 - name: go-pillage-registries + url: https://github.com/hadolint/hadolint + - uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b + name: Deployment with kube-score tags: [] - url: https://github.com/nccgroup/go-pillage-registries + url: https://github.com/zegl/kube-score + - uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30 + name: dockerfilelint + tags: + - sast + - docker + - dockerfile + url: https://github.com/replicatedhq/dockerfilelint + description: dockerfilelint is an node module that analyzes a Dockerfile and + looks for common traps, mistakes and helps enforce best practices. references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - - vcs usage is not explicitly covered by ISO 27001 - too specific - - 9.4.3 - - 10.1.2 + - System hardening, virtual environments are not explicitly covered by ISO + 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + - 14.2.1 iso27001-2022: - - vcs usage is not explicitly covered by ISO 27001 - too specific - - 5.17 - - 8.24 + - System hardening, virtual environments are not explicitly covered by ISO + 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/d5e6303c-d5c6-4d59-b258-a3b9de38a07f - comments: "" + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20the%20definition%20of%20virtualized%20environments + isImplemented: false tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test for stored secrets in code: - uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c - risk: Stored secrets in git history or directly in code shouldn't exists 
because - they might be exposed to unauthorized parties. - measure: Test for secrets in code and git history + Test for malware: + uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d + risk: Third party might include malware. Ether due to the maintainer (e.g. + typo squatting of an image name and using the wrong image) or by an attacker + on behalf of the maintainer with stolen credentials. + measure: Check for malware in components (e.g. container images, VM baseline + images, libraries). difficultyOfImplementation: knowledge: 2 - time: 1 + time: 2 resources: 2 - usefulness: 2 - level: 1 + usefulness: 3 + level: 3 implementation: - - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 - name: truffleHog - tags: [] - url: https://github.com/dxa4481/truffleHog - - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 - name: go-pillage-registries - tags: [] - url: https://github.com/nccgroup/go-pillage-registries + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. references: samm2: - - V-ST-1-A + - V-ST-A-2 iso27001-2017: - - vcs usage is not explicitly covered by ISO 27001 - too specific - - 9.4.3 - - 10.1.2 + - 12.2.1 iso27001-2022: - - vcs usage is not explicitly covered by ISO 27001 - too specific - - 5.17 - - 8.24 + - 8.7 + openCRE: + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20for%20malware + isImplemented: false + evidence: "" + comments: "" + tags: + - none + Test for new image version: + uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e + risk: When a new version of an image is available, it might fix security vulnerabilities. + measure: Check for new images of containers in production. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 2 + level: 3 + implementation: [] + references: + samm2: + - V-ST-A-2 + iso27001-2017: + - 12.6.1 + - 14.2.5 + - 12.2.1 + iso27001-2022: + - 8.8 + - 8.7 + - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20for%20new%20image%20version + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test of infrastructure components for known vulnerabilities: - uuid: 13367d8f-e37f-4197-a610-9ffca4fde261 - risk: Infrastructure components might have vulnerabilities. - measure: Test for known vulnerabilities in infrastructure components. Often, - the only way to respond to known vulnerabilities in operating system packages - is to accept the risk and wait for a patch. As the patch needs to be applied - fast when it is available, this activity depends on 'Usage of a maximum life - for images'. + Correlate known vulnerabilities in infrastructure with new image versions: + uuid: 7de0ae33-6538-45cd-8222-a1475647ba58 + risk: TODO. + measure: TODO difficultyOfImplementation: knowledge: 2 time: 5 - resources: 2 + resources: 4 usefulness: 1 level: 4 dependsOn: - - Usage of a maximum lifetime for images + - 485a3383-7f2e-4dba-bb84-479377070904 # Usage of a maximum lifetime for images implementation: - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc name: Anchore.io @@ -8576,7 +7892,7 @@ Test and Verification: url: https://github.com/future-architect/vuls references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - 12.6.1 - 14.2.1 
@@ -8584,197 +7900,173 @@ Test and Verification: - 8.8 - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Correlate%20known%20vulnerabilities%20in%20infrastructure%20with%20new%20image%20versions + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test of virtualized environments: - uuid: 58825d22-1ce6-4748-af81-0ec9956e4129 - risk: Virtualized environments (e.g. via Container Images) might contains - unsecure configurations. - measure: Test virtualized environments for unsecured configurations. + Software Composition Analysis: + uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad + risk: Known vulnerabilities in infrastructure components like container images + might get exploited. + measure: Check for known vulnerabilities difficultyOfImplementation: knowledge: 2 time: 1 - resources: 2 - usefulness: 3 - level: 2 + resources: 1 + usefulness: 4 + level: 4 + description: Subscribing to Github projects and reading release notes might + help. Software Composition Analysis for infrastructure might help, but is + often too fine-granular. 
implementation: - - uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5 - name: Dive to inspect a container images + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: https://github.com/aquasecurity/trivy tags: [] - url: https://github.com/wagoodman/dive - - url: https://github.com/SDA-SE/clusterscanner - uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f - name: ClusterScanner + url: https://github.com/aquasecurity/trivy + - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57 + name: Registries like quay + tags: [] + description: Registries like quay, dockerhub provide (commercial) offerings, + often not suitable for distroless images + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track + description: | + Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track tags: - - docker - - image - - container + - sca + - inventory + - OpenSource + - Supply Chain - vulnerability - - misconfiguration - - security-tools - - scanning - description: Discover vulnerabilities and container image misconfiguration - in production environments. 
+ - inventory references: samm2: - - V-ST-1-A + - V-ST-A-2 iso27001-2017: - - ISO 27001:2017 mapping is missing + - 12.6.1 iso27001-2022: - - ISO 27001:2022 mapping is missing + - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Software%20Composition%20Analysis + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test the cloud configuration: - uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc - risk: Standard hardening practices for cloud environments are not performed - leading to vulnerabilities. - measure: With the help of tools, the configuration of virtual environments are - tested. + Test of infrastructure components for known vulnerabilities: + uuid: 13367d8f-e37f-4197-a610-9ffca4fde261 + risk: Infrastructure components might have vulnerabilities. + measure: Test for known vulnerabilities in infrastructure components. Often, + the only way to respond to known vulnerabilities in operating system packages + is to accept the risk and wait for a patch. As the patch needs to be applied + fast when it is available, this activity depends on 'Usage of a maximum life + for images'. 
difficultyOfImplementation: knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 + time: 5 + resources: 2 + usefulness: 1 + level: 4 + dependsOn: + - 485a3383-7f2e-4dba-bb84-479377070904 # Usage of a maximum lifetime for images implementation: - - uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055 - name: kube-bench + - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc + name: Anchore.io tags: [] - url: https://github.com/aquasecurity/kube-bench + url: https://anchore.com/ + - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 + name: Clair + tags: [] + url: https://github.com/quay/clair + - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 + name: OpenSCAP + tags: [] + url: https://www.open-scap.org/ + - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 + name: Vuls + tags: [] + url: https://github.com/future-architect/vuls references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - 12.6.1 - - 14.2.3 - - 14.2.8 + - 14.2.1 iso27001-2022: - - System hardening is not explicitly covered by ISO 27001 - too specific - 8.8 - - 8.32 - - 8.29 + - 8.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Test%20of%20infrastructure%20components%20for%20known%20vulnerabilities + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test the definition of virtualized environments: - uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e - risk: The definition of virtualized environments (e.g. via Dockerfile) - might contain unsecure configurations. - measure: Test the definition of virtualized environments for unsecured configurations. 
+ Test-Intensity: + Default settings for intensity: + uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d + risk: Time pressure and ignorance might lead to false predictions for the test + intensity. + measure: The intensity of the used tools are not modified to save time. difficultyOfImplementation: - knowledge: 2 + knowledge: 1 time: 1 - resources: 2 - usefulness: 3 - level: 2 - meta: - implementationGuide: For containier (images), test that the images are following - best practices like distroless or non-root. - implementation: - - uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005 - name: Dockerfile with hadolint - tags: [] - url: https://github.com/hadolint/hadolint - - uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b - name: Deployment with kube-score - tags: [] - url: https://github.com/zegl/kube-score - - uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30 - name: dockerfilelint - tags: - - sast - - docker - - dockerfile - url: https://github.com/replicatedhq/dockerfilelint - description: dockerfilelint is an node module that analyzes a Dockerfile and - looks for common traps, mistakes and helps enforce best practices. 
+ resources: 1 + usefulness: 1 + level: 1 + implementation: [] references: samm2: - - V-ST-1-A + - V-ST-A-1 iso27001-2017: - - System hardening, virtual environments are not explicitly covered by ISO - 27001 - too specific - 12.6.1 - - 14.2.3 - - 14.2.8 - 14.2.1 + - 14.2.5 iso27001-2022: - - System hardening, virtual environments are not explicitly covered by ISO - 27001 - too specific - 8.8 - - 8.32 - - 8.29 - 8.25 + - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Default%20settings%20for%20intensity + isImplemented: false + evidence: "" + comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Test-Intensity: - Creation and application of a testing concept: - uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe - risk: Scans might use a too small or too high test intensity. - measure: A testing concept considering the amount of time per scan/intensity - is created and applied. A dynamic analysis needs more time than a static analysis. - The dynamic scan, depending on the test intensity might be performed on every - commit, every night, every week or once in a month. + Regular automated tests: + uuid: 598897a2-358e-441f-984c-e12ec4f6110a + risk: After pushing source code to the version control system, any delay in + receiving feedback on defects makes them harder for the developer to remediate. + measure: On each push and/or at given intervals automatic security tests are + performed. 
difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 + knowledge: 1 + time: 1 + resources: 1 usefulness: 2 - level: 4 + level: 2 implementation: [] references: samm2: - - V-ST-2-A + - I-SB-A-3 + - V-ST-A-3 iso27001-2017: - - 14.2.2 - 14.2.3 - - 14.2.1 - - 14.2.5 - - 12.6.1 + - 14.2.8 + - 14.2.9 iso27001-2022: - - 8.25 - 8.32 - - 8.27 - - 8.8 + - 8.29 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Regular%20automated%20tests + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false Deactivating of unneeded tests: uuid: 1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 risk: As tools cover a wide range of different vulnerability tests, they might @@ -8792,39 +8084,7 @@ Test and Verification: implementation: [] references: samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Default settings for intensity: - uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d - risk: Time pressure and ignorance might lead to false predictions for the test - intensity. - measure: The intensity of the used tools are not modified to save time. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 1 - implementation: [] - references: - samm2: - - V-ST-1-A + - V-ST-A-2 iso27001-2017: - 12.6.1 - 14.2.1 
@@ -8834,14 +8094,12 @@ Test and Verification: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Deactivating%20of%20unneeded%20tests + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false High test intensity: uuid: 2ebfc421-8c76-415c-a3b0-fa518915bd10 risk: A too small intensity or a too high confidence might lead to not visible @@ -8857,7 +8115,7 @@ Test and Verification: implementation: [] references: samm2: - - V-ST-2-A + - V-ST-A-2 iso27001-2017: - 12.6.1 - 14.2.1 
@@ -8867,45 +8125,45 @@ Test and Verification: - 8.25 - 8.27 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10 + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/High%20test%20intensity + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false - Regular automated tests: - uuid: 598897a2-358e-441f-984c-e12ec4f6110a - risk: After pushing source code to the version control system, any delay in - receiving feedback on defects makes them harder for the developer to remediate. - measure: On each push and/or at given intervals automatic security tests are - performed. + Creation and application of a testing concept: + uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe + risk: Scans might use a too small or too high test intensity. + measure: A testing concept considering the amount of time per scan/intensity + is created and applied. A dynamic analysis needs more time than a static analysis. + The dynamic scan, depending on the test intensity might be performed on every + commit, every night, every week or once in a month. 
difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 + knowledge: 3 + time: 3 + resources: 3 usefulness: 2 - level: 2 + level: 4 implementation: [] references: samm2: - - I-SB-3-A - - V-ST-3-A + - V-ST-A-2 iso27001-2017: + - 14.2.2 - 14.2.3 - - 14.2.8 - - 14.2.9 + - 14.2.1 + - 14.2.5 + - 12.6.1 iso27001-2022: + - 8.25 - 8.32 - - 8.29 + - 8.27 + - 8.8 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a + - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Creation%20and%20application%20of%20a%20testing%20concept + isImplemented: false + evidence: "" comments: "" tags: - none - teamsImplemented: - Default: false - B: false - C: false ...
From fd37dd3495526187376124f6eea4753b7e2771cb Mon Sep 17 00:00:00 2001
From: Vegard Bakke
Date: Mon, 15 Dec 2025 11:54:25 +0100
Subject: [PATCH 2/2] Linting
---
 src/app/model/activity-store.ts | 2 +-
 src/app/service/loader/data-loader.service.ts | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/app/model/activity-store.ts b/src/app/model/activity-store.ts
index 0d494078..31008261 100644
--- a/src/app/model/activity-store.ts
+++ b/src/app/model/activity-store.ts
@@ -20,7 +20,7 @@ export class ActivityFileMeta {
 getDsommVersion(): string | null {
 if (this.publisher && this.publisher.startsWith(ActivityFileMeta.DSOMM_PUBLISHER)) {
- return (this.version?.startsWith('v')) ? this.version : `v${this.version}`;
+ return this.version?.startsWith('v') ? this.version : `v${this.version}`;
 }
 return null;
 }
diff --git a/src/app/service/loader/data-loader.service.ts b/src/app/service/loader/data-loader.service.ts
index 22bb38a0..79c49ddc 100644
--- a/src/app/service/loader/data-loader.service.ts
+++ b/src/app/service/loader/data-loader.service.ts
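Review bot: The new `return` line in getDsommVersion still produces the string `vnull` when `version` is unset: the optional chaining on `this.version?.` shows the field is nullable, `undefined` from it is falsy, and the ternary then falls through to the template literal, although the declared return type `string | null` suggests null was intended for that case. Guard before the ternary, e.g. `if (this.version === null) return null;` and then `return this.version.startsWith('v') ? this.version : \`v${this.version}\`;`. This hunk only drops a pair of parentheses, so the fallback behaviour itself predates it, but the line is what the series leaves in place. The rest of `ActivityFileMeta` lies outside the hunk.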
@@ -91,7 +91,8 @@ export class LoaderService {
 if (err instanceof FileNotFoundError) {
 console.error(`${perfNow()}: Missing model file: ${err?.filename || err}`);
 if (err.filename && err.filename.endsWith('default/model.yaml')) {
- let msg: string = `No DSOMM Model file found.\n\n` +
+ let msg: string =
+ `No DSOMM Model file found.\n\n` +
 `Please download \`model.yaml\` from [DSOMM-data](${this.DSOMM_MODEL_URL}) on GitHub, \\\n` +
 `and place it in the \`src\\assets\\default\` folder.`;
 this.notificationService.notify('Loading error', msg);
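Review bot: The folder named in the user-facing message (rendered as src\assets\default) does not line up with the path the check two lines above is matching, which compares the filename against the forward-slash suffix `default/model.yaml`; since that check only confirms the suffix, please verify the parent directory against where the default `model.yaml` actually lives and write it with forward slashes, otherwise users are told to place the file where the loader will not look for it. Separately, `msg` is never reassigned, so `const msg =` is the idiomatic form and the explicit `: string` annotation adds nothing the template literal does not already infer. The enclosing method starts and ends outside the hunk.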