diff --git a/src/assets/YAML/default/BuildAndDeployment/Build.yaml b/src/assets/YAML/default/BuildAndDeployment/Build.yaml
index 69d18a7..39f7bdd 100755
--- a/src/assets/YAML/default/BuildAndDeployment/Build.yaml
+++ b/src/assets/YAML/default/BuildAndDeployment/Build.yaml
@@ -31,7 +31,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
references:
samm2:
- - I-SB-2-A
+ - I-SB-A-2
iso27001-2017:
- 14.2.6
iso27001-2022:
@@ -72,7 +72,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
references:
samm2:
- - I-SB-1-A
+ - I-SB-A-1
iso27001-2017:
- 12.1.1
- 14.2.2
@@ -105,6 +105,8 @@ Build and Deployment:
resources: 2
usefulness: 3
level: 2
+ tags:
+ - inventory
implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-containers
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/immutable-images
@@ -112,7 +114,7 @@ Build and Deployment:
- Defined build process
references:
samm2:
- - I-SB-1-A
+ - I-SB-B-1
iso27001-2017:
- 14.2.6
iso27001-2022:
@@ -145,7 +147,8 @@ Build and Deployment:
implementation: []
references:
samm2:
- - I-SB-1-A
+ - I-SB-B-1
+ - D-TA-A-1
iso27001-2017:
- 8.1
- 8.2
@@ -183,7 +186,7 @@ Build and Deployment:
- Pinning of artifacts
references:
samm2:
- - I-SB-1-A
+ - I-SB-A-1
iso27001-2017:
- 14.2.6
iso27001-2022:
@@ -210,7 +213,7 @@ Build and Deployment:
- Defined build process
references:
samm2:
- - I-SB-2-A
+ - I-SB-A-2
iso27001-2017:
- 14.2.6
iso27001-2022:
diff --git a/src/assets/YAML/default/BuildAndDeployment/Deployment.yaml b/src/assets/YAML/default/BuildAndDeployment/Deployment.yaml
index 52d4f73..efa825a 100755
--- a/src/assets/YAML/default/BuildAndDeployment/Deployment.yaml
+++ b/src/assets/YAML/default/BuildAndDeployment/Deployment.yaml
@@ -20,7 +20,7 @@ Build and Deployment:
- Smoke Test
references:
samm2:
- - I-SD-2-A
+ - I-SD-A-3
iso27001-2017:
- 17.2.1 # Availability of information processing facilities
- 12.1.1 # Documented operational procedures
@@ -59,7 +59,7 @@ Build and Deployment:
level: 2
references:
samm2:
- - O-OM-2-B
+ - O-OM-B-2
iso27001-2017:
- 11.2.7
iso27001-2022:
@@ -89,7 +89,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
references:
samm2:
- - I-SD-1-A
+ - I-SD-A-1
iso27001-2017:
- 12.1.1
- 14.2.2
@@ -120,7 +120,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/hashicorp-vault
references:
samm2:
- - I-SD-1-B
+ - I-SD-B-1
iso27001-2017:
- 9.4.5
- 14.2.6
@@ -154,7 +154,7 @@ Build and Deployment:
- Environment depending configuration parameters (secrets)
references:
samm2:
- - I-SD-2-B
+ - I-SD-B-2
iso27001-2017:
- 14.1.3
- 13.1.3
@@ -196,9 +196,9 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
references:
samm2:
- - I-SB-3-B
- - I-SB-2-B
- - I-SB-1-B
+ - I-SB-B-3
+ - I-SB-B-2
+ - I-SB-B-1
iso27001-2017:
- 8.1
- 8.2
@@ -230,7 +230,8 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
references:
samm2:
- - I-SB-1-B
+ - I-SB-B-1
+ - D-TA-B-1
iso27001-2017:
- 8.1
- 8.2
@@ -261,7 +262,8 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
references:
samm2:
- - I-SB-1-B
+ - I-SB-B-1
+ - D-TA-B-1
iso27001-2017:
- 8.1
- 8.2
@@ -288,7 +290,8 @@ Build and Deployment:
- Defined deployment process
references:
samm2:
- - I-SD-1-A
+ - I-SD-A-2
+ - I-SD-A-3
iso27001-2017:
- 12.5.1
- 14.2.2
@@ -320,7 +323,8 @@ Build and Deployment:
- Defined build process
references:
samm2:
- - I-SD-2-A
+ - I-SD-A-2
+ - I-SD-A-3
iso27001-2017:
- 14.3.1
- 14.2.8
@@ -353,7 +357,7 @@ Build and Deployment:
- Same artifact for environments
references:
samm2:
- - I-SD-2-A
+ - I-SD-A-2
iso27001-2017:
- 14.3.1
- 14.2.8
@@ -387,7 +391,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/packj
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
diff --git a/src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml b/src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml
index 7264c31..321ac62 100755
--- a/src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml
+++ b/src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml
@@ -17,7 +17,7 @@ Build and Deployment:
implementation: []
references:
samm2:
- - O-EM-1-B
+ - O-EM-B-1
iso27001-2017:
- 12.6.1
- 12.5.1
@@ -58,7 +58,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
references:
samm2:
- - O-EM-1-B
+ - O-EM-B-1
iso27001-2017:
- 12.6.1
- 14.2.5
@@ -93,7 +93,7 @@ Build and Deployment:
implementation: []
references:
samm2:
- - O-EM-1-B
+ - O-EM-B-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -129,7 +129,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/distroless-usage
references:
samm2:
- - I-SB-2
+ - I-SB-B-2
iso27001-2017:
- hardening is missing in ISO 27001
- 14.2.1
@@ -169,7 +169,7 @@ Build and Deployment:
implementation: []
references:
samm2:
- - O-EM-1-B
+ - O-EM-B-1
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -204,7 +204,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/sample-concept-1
references:
samm2:
- - O-EM-2-B
+ - O-EM-B-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -237,7 +237,7 @@ Build and Deployment:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
references:
samm2:
- - O-EM-2-B
+ - O-EM-B-2
iso27001-2017:
- 12.6.1
iso27001-2022:
diff --git a/src/assets/YAML/default/CultureAndOrganization/Design.yaml b/src/assets/YAML/default/CultureAndOrganization/Design.yaml
index 057c3bf..5925ae9 100755
--- a/src/assets/YAML/default/CultureAndOrganization/Design.yaml
+++ b/src/assets/YAML/default/CultureAndOrganization/Design.yaml
@@ -40,7 +40,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/threat-matrix-for-storage
references:
samm2:
- - D-TA-2-B
+ - D-TA-B-2
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
@@ -71,7 +71,8 @@ Culture and Organization:
implementation: []
references:
samm2:
- - D-TA-2-B
+ - D-TA-B-1
+ - D-TA-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
@@ -151,7 +152,7 @@ Culture and Organization:
Source: OWASP Project Integration Project
references:
samm2:
- - D-TA-2-B
+ - D-TA-B-2
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
@@ -184,7 +185,8 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/don-t-forget-evil-user-stories
references:
samm2:
- - D-TA-2-B
+ - D-TA-B-2
+ - V-RT-B-2
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of project management
@@ -219,7 +221,7 @@ Culture and Organization:
- Creation of threat modeling processes and standards
references:
samm2:
- - D-TA-2-B
+ - D-TA-B-2
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of project management
@@ -256,7 +258,8 @@ Culture and Organization:
- Conduction of simple threat modeling on technical level
references:
samm2:
- - D-TA-3-B
+ - D-TA-B-3
+ - D-TA-B-2
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
@@ -288,7 +291,7 @@ Culture and Organization:
implementation: []
references:
samm2:
- - G-PS-2
+ - G-SM-A-2
iso27001-2017:
- 5.1.1
- 7.2.1
diff --git a/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml b/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml
index cccb6db..3e1cd42 100755
--- a/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml
+++ b/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml
@@ -22,7 +22,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-cheatsheet-series
references:
samm2:
- - G-EG-1-A
+ - G-EG-A-1
iso27001-2017:
- 7.2.2
iso27001-2022:
@@ -42,7 +42,7 @@ Culture and Organization:
implementation:
references:
samm2:
- - G-EG-1-A
+ - G-EG-A-1
iso27001-2017:
- 7.2.2
iso27001-2022:
@@ -61,7 +61,7 @@ Culture and Organization:
level: 3
references:
samm2:
- - G-EG-3-B
+ - G-EG-B-3
iso27001-2017:
- 7.1.1
iso27001-2022:
@@ -88,7 +88,7 @@ Culture and Organization:
level: 4
references:
samm2:
- - G-EG-3-B
+ - G-EG-B-3
iso27001-2017:
- 7.1.1
iso27001-2022:
@@ -116,7 +116,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/build-it-break-it-fi
references:
samm2:
- - G-EG-2-A
+ - G-EG-A-2
iso27001-2017:
- 7.2.2
iso27001-2022:
@@ -142,7 +142,8 @@ Culture and Organization:
implementation: []
references:
samm2:
- - G-EG-2-A
+ - G-EG-A-2
+ - G-EG-B-2
iso27001-2017:
- Mutual review of source code is not explicitly required in ISO 27001 may
be
@@ -173,8 +174,8 @@ Culture and Organization:
implementation: []
references:
samm2:
- - G-EG-1-A
- - G-EG-2-A
+ - G-EG-A-1
+ - G-EG-A-2
iso27001-2017:
- Mutual security testing is not explicitly required in ISO 27001 may be
- 7.2.2
@@ -200,7 +201,8 @@ Culture and Organization:
implementation: []
references:
samm2:
- - G-EG-2-A
+ - G-EG-A-2
+ - O-IM-B-2
iso27001-2017:
- War games are not explicitly required in ISO 27001 may be
- 7.2.2
@@ -238,8 +240,8 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-security-champ
references:
samm2:
- - G-EG-1-B
- - G-EG-2-B
+ - G-EG-B-1
+ - G-EG-B-2
iso27001-2017:
- Security champions are missing in ISO 27001 most likely
- 7.2.1
@@ -276,7 +278,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-cheatsheet-series
references:
samm2:
- - G-EG-1-A
+ - G-EG-A-1
iso27001-2017:
- 7.2.2
iso27001-2022:
@@ -301,7 +303,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-cheatsheet-series
references:
samm2:
- - G-EG-3-A
+ - G-EG-A-2
iso27001-2017:
- 7.2.2
iso27001-2022:
@@ -328,8 +330,8 @@ Culture and Organization:
- Each team has a security champion
references:
samm2:
- - D-TA-2-B
- - G-EG-1-A
+ - D-TA-B-2
+ - G-EG-A-1
iso27001-2017:
- Security champions are missing in ISO 27001
- 7.2.2
@@ -357,7 +359,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-top-10-maturit
references:
samm2:
- - G-EG-1-B
+ - G-EG-B-1
iso27001-2017:
- not required by ISO 27001
- interestingly enough A7.2.3 is requiring a process to handle misconduct
@@ -397,7 +399,7 @@ Culture and Organization:
AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
references:
samm2:
- - V-ST-1-B
+ - V-ST-B-1
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
@@ -423,7 +425,8 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-cheatsheet-series
references:
samm2:
- - G-EG-1-A
+ - G-EG-A-1
+ - G-EG-B-1
iso27001-2017:
- security consulting is missing in ISO 27001 may be
- 6.1.1
@@ -453,7 +456,8 @@ Culture and Organization:
implementation: []
references:
samm2:
- - O-IM-3-B
+ - G-EG-B-3
+ - O-IM-B-3
iso27001-2017:
- 16.1.6
iso27001-2022:
@@ -493,7 +497,7 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/damn-vulnerable-web
references:
samm2:
- - G-EG-1-A
+ - G-EG-A-2
iso27001-2017:
- 7.2.2
iso27001-2022:
diff --git a/src/assets/YAML/default/CultureAndOrganization/Process.yaml b/src/assets/YAML/default/CultureAndOrganization/Process.yaml
index ce8292b..2769b16 100755
--- a/src/assets/YAML/default/CultureAndOrganization/Process.yaml
+++ b/src/assets/YAML/default/CultureAndOrganization/Process.yaml
@@ -78,7 +78,8 @@ Culture and Organization:
level: 1
implementation: []
references:
- samm2: []
+ samm2:
+ - O-IM-B-2
iso27001-2017:
- 17.1.1
iso27001-2022:
@@ -110,7 +111,8 @@ Culture and Organization:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
references:
samm2:
- - I-DM-3-B
+ - O-OM-A-2
+ - G-PC-B-2
iso27001-2022:
- 5.25
- 5.12
diff --git a/src/assets/YAML/default/Implementation/ApplicationHardening.yaml b/src/assets/YAML/default/Implementation/ApplicationHardening.yaml
index 3a9e6f2..d1e9555 100755
--- a/src/assets/YAML/default/Implementation/ApplicationHardening.yaml
+++ b/src/assets/YAML/default/Implementation/ApplicationHardening.yaml
@@ -42,7 +42,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/apimaturity
references:
samm2:
- - D-SR-1-A
+ - D-SR-A-2
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -65,7 +65,7 @@ Implementation:
Click me
- ```
+ ```
risk:
If an attacker manages to slip though your input validation, the attacker may gain control over the user session or execute arbitrary actions.
measure: |
@@ -83,7 +83,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/cwe-838
references:
samm2:
- - D-SR-1-A
+ - D-SR-A-1
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -107,7 +107,7 @@ Implementation:
Systems vulnerable to injections may lead to data breaches, loss of data,
unauthorized alteration of data, or complete database compromise or downtime.
- This applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc.
+ This applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc.
measure: |
* Identify which of the types your application is using. Check that you use:
* Use _parametrized queries_ (or _prepared statements_)
@@ -120,11 +120,11 @@ Implementation:
resources: 1
usefulness: 3
level: 1
- implementation:
+ implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-parameterization-cheats
references:
samm2:
- - D-SR-1-A
+ - D-SR-A-1
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -174,7 +174,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/apimaturity
references:
samm2:
- - D-SR-1-A
+ - D-SR-A-3
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -204,7 +204,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
references:
samm2:
- - D-SR-2-A
+ - D-SR-A-3
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -237,7 +237,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
references:
samm2:
- - D-SR-2-A
+ - D-SR-A-2
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -270,7 +270,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
references:
samm2:
- - D-SR-3-A
+ - D-SR-A-3
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -319,7 +319,7 @@ Implementation:
- Referrer-Policy: Control information in the Referrer header
references:
samm2:
- - D-SR-3-A
+ - O-EM-A-2
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -377,10 +377,10 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 8.22
\ No newline at end of file
+ - 8.22
diff --git a/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml b/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml
index 3005ec0..6c497cd 100755
--- a/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml
+++ b/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml
@@ -19,7 +19,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/sonarqube
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
@@ -47,7 +47,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 6.1.2
@@ -75,7 +75,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits-protection
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 6.1.2
@@ -87,9 +87,10 @@ Implementation:
Versioning:
uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f
risk: Deployment of untracked artifacts.
+ description: Use a version control system platform like Github, Gitlab, Bitbucket, gittea,... to version your code.
measure: >-
Version artifacts in order to identify deployed features and issues.
- This includes application and infrastructure code, jenkins configuration, container and virtual machine images.
+ This includes application and infrastructure code, jenkins configuration, container and virtual machine images definitions.
difficultyOfImplementation:
knowledge: 3
time: 3
@@ -101,7 +102,8 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
+ - I-SB-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.1
@@ -126,7 +128,7 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.1
@@ -155,7 +157,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits-protection
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- 6.1.2
- 14.2.1
@@ -186,7 +188,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- 6.1.2
- 14.2.1
diff --git a/src/assets/YAML/default/Implementation/InfrastructureHardening.yaml b/src/assets/YAML/default/Implementation/InfrastructureHardening.yaml
index acb7295..ab2f023 100755
--- a/src/assets/YAML/default/Implementation/InfrastructureHardening.yaml
+++ b/src/assets/YAML/default/Implementation/InfrastructureHardening.yaml
@@ -22,7 +22,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- 9.2.4
- 6.1.2 # Segregation of duties.
@@ -58,7 +58,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- 9.2.4
- 6.1.2 # Segregation of duties.
@@ -87,7 +87,7 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -144,7 +144,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/firewalls
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -170,7 +170,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/remove-direct-access
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 17.2.1
@@ -203,7 +203,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/jenkinsfile
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.1
@@ -237,7 +237,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/firewalls
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -266,7 +266,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/falco
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
iso27001-2022:
@@ -274,29 +274,6 @@ Implementation:
isImplemented: false
evidence: ""
comments: ""
- Microservice-architecture:
- uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a
- risk: Monolithic applications are hard to test.
- measure:
- A microservice-architecture helps to have small components, which are
- more easy to test.
- difficultyOfImplementation:
- knowledge: 4
- time: 5
- resources: 5
- usefulness: 1
- level: 5
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- isImplemented: false
- evidence: ""
- comments: ""
Production near environments are used by developers:
uuid: e14de741-94b3-447c-8b07-eea947d82e61
risk:
@@ -320,7 +297,7 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- 12.1.4
- 17.2.1
@@ -337,7 +314,7 @@ Implementation:
or to modify information unauthorized on systems.
measure:
The usage of a (role based) access control helps to restrict system
- access to authorized users.
+ access to authorized users. And enhancement is to use attribute based access control.
difficultyOfImplementation:
knowledge: 2
time: 3
@@ -352,7 +329,7 @@ Implementation:
- Defined build process
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- 9.4.1
iso27001-2022:
@@ -377,7 +354,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/vpn
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- 9.4.1
iso27001-2022:
@@ -409,7 +386,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defend-the-core-kubernetes
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- system hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -442,7 +419,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defend-the-core-kubernetes
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -471,7 +448,7 @@ Implementation:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/chaosmonkey
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-3
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 17.1.3
@@ -497,7 +474,7 @@ Implementation:
implementation: ""
references:
samm2:
- - I-SD-2-B
+ - I-SD-B-2
iso27001-2017:
- 10.1
iso27001-2022:
@@ -524,7 +501,7 @@ Implementation:
implementation: ""
references:
samm2:
- - I-SD-2-B
+ - I-SD-B-2
iso27001-2017:
- 10.1
iso27001-2022:
@@ -549,7 +526,7 @@ Implementation:
implementation: ""
references:
samm2:
- - I-SD-2-B
+ - I-SD-B-2
iso27001-2017:
- 10.1
iso27001-2022:
@@ -575,7 +552,7 @@ Implementation:
implementation: ""
references:
samm2:
- - I-SD-2-B
+ - I-SD-B-2
iso27001-2017:
- 10.1
iso27001-2022:
@@ -605,7 +582,7 @@ Implementation:
- Defined build process
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-2
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
@@ -630,7 +607,7 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.4
@@ -661,7 +638,7 @@ Implementation:
implementation: []
references:
samm2:
- - O-EM-1-A
+ - O-EM-A-1
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 12.1.3
@@ -674,13 +651,15 @@ Implementation:
- 8.14
isImplemented: false
evidence: ""
- comments: ""
+ comments: ""
WAF baseline:
uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b
risk:
Vulnerable input, such as exploits, can infiltrate the application via numerous entry points, posing a significant security threat.
measure:
Implementing a web application firewall (WAF) is a critical security control. At a baseline level, the objective is to finely balance the reduction of false positives, maintaining user experience, against a potential increase in the less noticeable false negatives.
+
+ Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
description: |
A baseline WAF configuration provides essential defense against common vulnerabilities, acting as a first line of automated threat detection and response.
Steps:
@@ -697,27 +676,27 @@ Implementation:
resources: 3
usefulness: 3
level: 3
- description: |
- Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
dependsOn:
- Context-aware output encoding
implementation: []
references:
samm2:
- - D-SR-3-A
+ - O-EM-A-1
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
- comments:
+ comments:
WAF medium:
uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium
risk:
The threat from malicious inputs remains high, with exploits seeking to exploit any vulnerabilities present at the various points of entry to the application.
measure:
A WAF deployed with a medium level of protection strengthens the security posture by striking a more advanced balance between the detection of genuine threats and the minimization of false alarms.
+
+ Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic.
description: |
A medium-level WAF configuration builds upon the baseline to offer a more nuanced and responsive defense mechanism against a wider array of threats.
@@ -735,28 +714,28 @@ Implementation:
resources: 4
usefulness: 3
level: 4
- description: |
- Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic.
dependsOn:
- WAF baseline
implementation: []
references:
samm2:
- - D-SR-3-A
+ - O-EM-A-2
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
- comments:
-
+ comments:
+
WAF Advanced:
uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced
risk:
The presence of sophisticated threats necessitates a robust defense strategy where application inputs are meticulously scrutinized for security breaches, including advanced persistent threats and zero-day vulnerabilities.
measure:
An advanced WAF protection level includes rigorous input validation, rejecting any parameters not explicitly required, and custom rule sets that are dynamically updated in response to emerging threats.
+
+ The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape.
description: |
This advanced configuration goes beyond typical WAF implementations by enforcing strict input format checks and parameter validation to prevent any unauthorized or malformed data from compromising the application.
@@ -778,22 +757,20 @@ Implementation:
resources: 5
usefulness: 4
level: 5
- description: |
- The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape.
dependsOn:
- WAF medium
implementation: []
references:
samm2:
- - D-SR-3-A
+ - O-EM-A-2
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
- comments:
-
+ comments:
+
diff --git a/src/assets/YAML/default/InformationGathering/Logging.yaml b/src/assets/YAML/default/InformationGathering/Logging.yaml
index a92a76f..75d889e 100755
--- a/src/assets/YAML/default/InformationGathering/Logging.yaml
+++ b/src/assets/YAML/default/InformationGathering/Logging.yaml
@@ -22,7 +22,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
@@ -49,7 +49,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/logstash
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
@@ -79,7 +79,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
@@ -120,7 +120,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-logging-cheats
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- 12.4.1
iso27001-2022:
@@ -150,7 +150,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/bash
references:
samm2:
- - O-IM-1-A
+ - O-OM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
@@ -185,7 +185,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/elk-stack
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
@@ -195,3 +195,22 @@ Information Gathering:
isImplemented: false
evidence: ""
comments: ""
+ Analyze logs:
+ uuid: b217c8bb-5d61-4b41-a675-1083993f83b1
+ risk: Not aware of attacks happening.
+ measure: Check logs for keywords.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ implementation:
+ - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sigmahq
+ references:
+ samm2:
+ - O-IM-A-1
+ iso27001-2017:
+ - ISO 27001:2017 mapping is missing
+ iso27001-2022:
+ - ISO 27001:2022 mapping is missing
diff --git a/src/assets/YAML/default/InformationGathering/Monitoring.yaml b/src/assets/YAML/default/InformationGathering/Monitoring.yaml
index f326543..c1e4fce 100755
--- a/src/assets/YAML/default/InformationGathering/Monitoring.yaml
+++ b/src/assets/YAML/default/InformationGathering/Monitoring.yaml
@@ -20,7 +20,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- 12.1.3
iso27001-2022:
@@ -46,7 +46,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -70,7 +70,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/falco
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -94,8 +94,8 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
- - I-DM-3-A
+ - O-IM-A-2
+ - I-DM-A-3
iso27001-2017:
- 16.1.2
- 16.1.4
@@ -131,7 +131,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/https-ht-transpare
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
@@ -154,7 +154,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.3
@@ -184,7 +184,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- 12.4.1
- 13.1.1
@@ -207,7 +207,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.3
@@ -232,7 +232,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- not explicitly covered by ISO 27001
iso27001-2022:
@@ -260,7 +260,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- 12.1.3
iso27001-2022:
@@ -285,7 +285,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.5
@@ -319,7 +319,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/prometheus
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- 12.4.1
iso27001-2022:
@@ -343,7 +343,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/collected
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- 12.1.3
iso27001-2022:
@@ -372,7 +372,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/collected
references:
samm2:
- - O-IM-1-A
+ - O-IM-A-1
iso27001-2017:
- 12.1.3
iso27001-2022:
@@ -399,8 +399,8 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
- - I-DM-3-A
+ - O-IM-A-2
+ - I-DM-A-3
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.5
@@ -426,7 +426,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - O-IM-2-A
+ - O-IM-A-2
iso27001-2017:
- 12.1.3
iso27001-2022:
diff --git a/src/assets/YAML/default/InformationGathering/TestKPI.yaml b/src/assets/YAML/default/InformationGathering/TestKPI.yaml
index 5618c45..80cc016 100644
--- a/src/assets/YAML/default/InformationGathering/TestKPI.yaml
+++ b/src/assets/YAML/default/InformationGathering/TestKPI.yaml
@@ -23,8 +23,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - I-DM-3-B
- - I-SB-3-B
+ - I-DM-B-2
iso27001-2022:
- 5.25
- 5.12
@@ -64,8 +63,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - I-DM-3-B
- - I-SB-3-B
+ - I-DM-B-2
iso27001-2022:
- 5.25
- 5.12
@@ -96,7 +94,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - I-DM-3-B
+ - I-DM-B-2
iso27001-2022:
- 5.25
- 5.12
@@ -129,8 +127,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
references:
samm2:
- - I-DM-3-B
- - I-SB-3-B
+ - I-DM-B-2
iso27001-2022:
- 5.25
- 5.12
@@ -159,7 +156,7 @@ Information Gathering:
implementation: []
references:
samm2:
- - I-DM-3-B
+ - I-DM-B-2
iso27001-2017:
- 16.1.4
iso27001-2022:
@@ -187,8 +184,8 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
references:
samm2:
- - I-DM-2-B
- - I-SB-3-B
+ - I-DM-B-2
+ - I-SB-B-3
iso27001-2017:
- 16.1.4
- 8.2.3
@@ -221,8 +218,7 @@ Information Gathering:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
references:
samm2:
- - I-DM-3-B
- - I-SB-3-B
+ - I-DM-B-2
iso27001-2022:
- 5.25
- 5.12
diff --git a/src/assets/YAML/default/TestAndVerification/ApplicationTests.yaml b/src/assets/YAML/default/TestAndVerification/ApplicationTests.yaml
index 4efbe99..b4bb808 100755
--- a/src/assets/YAML/default/TestAndVerification/ApplicationTests.yaml
+++ b/src/assets/YAML/default/TestAndVerification/ApplicationTests.yaml
@@ -19,7 +19,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-3-B
+ - V-RT-B-3
iso27001-2017:
- 14.2.3
- 14.2.8
@@ -45,7 +45,7 @@ Test and Verification:
level: 3
references:
samm2:
- - V-ST-3-B
+ - V-RT-A-3
iso27001-2017:
- 14.2.3
- 14.2.8
@@ -75,7 +75,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/karma
references:
samm2:
- - V-ST-3-B
+ - V-RT-A-3
iso27001-2017:
- 14.2.3
- 14.2.8
@@ -103,7 +103,7 @@ Test and Verification:
- Defined deployment process
references:
samm2:
- - V-ST-3-B
+ - V-RT-A-3
iso27001-2017:
- 14.2.3
- 14.2.8
diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml
index 297fee3..fd67896 100755
--- a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml
+++ b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml
@@ -27,8 +27,7 @@ Test and Verification:
implementation:
references:
samm2:
- - I-DM-3-B
- - I-SB-3-B
+ - I-DM-A-3
iso27001-2017:
- 16.1.4
- 8.2.1
@@ -58,7 +57,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/business-friendly-vulnerability-metrics
references:
samm2:
- - I-DM-3-B
+ - I-DM-A-3
iso27001-2017:
- 16.1.4
- 8.2.1
@@ -90,7 +89,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/dast
references:
samm2:
- - I-DM-2-B
+ - I-DM-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.4
@@ -122,8 +121,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - I-DM-2-B
- - I-SB-3-B
+ - I-DM-A-2
iso27001-2017:
- 16.1.4
- 8.2.1
@@ -165,7 +163,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
references:
samm2:
- - I-DM-2-A
+ - I-DM-A-1
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.6
@@ -205,9 +203,9 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
references:
samm2:
- - I-DM-2-A
- - I-DM-2-B
- - I-SB-3-B
+ - I-DM-A-2
+ - I-DM-B-2
+ - I-SB-B-3
iso27001-2017:
- 16.1.4
- 16.1.6
@@ -235,7 +233,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
references:
samm2:
- - I-DM-1-B
+ - I-DM-A-2
iso27001-2017:
- 16.1.4
- 8.2.1
@@ -262,8 +260,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - I-DM-2-B
- - I-SB-3-B
+ - I-DM-A-2
iso27001-2017:
- 16.1.4
- 12.6.1
@@ -287,7 +284,7 @@ Test and Verification:
comments: False positive analysis, specially for static analysis, is time consuming.
references:
samm2:
- - I-DM-2-B
+ - I-DM-A-2
iso27001-2017:
- 16.1.4
- 12.6.1
@@ -310,8 +307,7 @@ Test and Verification:
comments: False positive analysis, specially for static analysis, is time consuming.
references:
samm2:
- - I-DM-2-B
- - I-SB-3-B
+ - I-DM-A-2
iso27001-2017:
- 16.1.4
- 12.6.1
@@ -350,9 +346,9 @@ Test and Verification:
implementation:
references:
samm2:
- - I-DM-2-B
- - I-DM-3-A
- - I-SB-3-B
+ - I-DM-B-2
+ - I-DM-A-3
+ - I-SB-B-3
iso27001-2017:
- 16.1.3
- 16.1.4
@@ -391,9 +387,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/SecObserve
references:
samm2:
- - I-DM-1-B
- - I-SB-2-B
- - I-SB-3-B
+ - I-DM-A-3
iso27001-2017:
- 12.6.1
- 16.1.3
@@ -444,7 +438,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
references:
samm2:
- - I-DM-3-B
+ - I-DM-A-2
iso27001-2022:
- 5.25
- 5.12
@@ -482,7 +476,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
references:
samm2:
- - I-DM-3-B
+ - I-DM-A-2
iso27001-2022:
- 5.25
- 5.12
diff --git a/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml
index daa188f..c3cded1 100755
--- a/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml
+++ b/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml
@@ -17,7 +17,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/coveragepy
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
- part of periodic review, PDCA
@@ -46,7 +46,7 @@ Test and Verification:
- Usage of different roles
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 14.2.3
- 14.2.8
@@ -79,7 +79,7 @@ Test and Verification:
- Usage of different roles
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
@@ -106,7 +106,7 @@ Test and Verification:
- Usage of different roles
references:
samm2:
- - V-ST-2-A
+ - V-RT-B-1
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
@@ -136,7 +136,7 @@ Test and Verification:
- Usage of different roles
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 14.2.8
- 14.2.3
@@ -160,7 +160,7 @@ Test and Verification:
- Simple Scan
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 14.2.3
- 14.2.8
@@ -195,7 +195,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/arachni
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 14.2.3
- 14.2.8
@@ -221,7 +221,7 @@ Test and Verification:
- Simple Scan
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
- 14.2.3
@@ -255,7 +255,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-securecodebox
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
- 14.2.5
diff --git a/src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml b/src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml
index 362c570..d8b921c 100755
--- a/src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml
+++ b/src/assets/YAML/default/TestAndVerification/DynamicDepthForInfrastructure.yaml
@@ -19,7 +19,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-1-A
+ - V-RT-AB-1
iso27001-2017:
- 12.1.3
- 14.2.3
@@ -54,7 +54,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-amass
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 13.1.3
- 14.2.3
@@ -113,7 +113,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/k8spurger
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 13.1.3
- 14.2.3
@@ -145,7 +145,7 @@ Test and Verification:
- uuid:4ce24abd-8ba6-494c-828d-4d193e28e4a1 # Isolated networks for virtual environments
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 13.1.3
- 14.2.3
@@ -206,7 +206,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/htc-hydra
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 9.4.3
iso27001-2022:
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
index df7da59..2009526 100755
--- a/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
+++ b/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
@@ -18,7 +18,7 @@ Test and Verification:
- Defined build process
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
@@ -121,7 +121,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/pre-commit-synopsis
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
@@ -149,7 +149,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/api-oas-checker
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 14.2.1
- 14.2.5
@@ -177,8 +177,8 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-2-A
- - I-SB-3-B
+ - V-ST-A-2
+ - I-SB-B-3
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -212,8 +212,8 @@ Test and Verification:
- uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
references:
samm2:
- - V-ST-2-A
- - I-SB-3-B
+ - V-ST-A-2
+ - I-SB-B-3
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -247,7 +247,7 @@ Test and Verification:
- uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -280,8 +280,8 @@ Test and Verification:
- uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
references:
samm2:
- - V-ST-2-A
- - I-SB-3-B
+ - V-ST-A-2
+ - I-SB-B-3
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -308,7 +308,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-super-linter
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
- 14.2.1
@@ -324,7 +324,8 @@ Test and Verification:
uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
risk: |-
Without proper prioritization, organizations may waste time and effort on low-risk vulnerabilities while neglecting critical ones.
- measure: Estimate the likelihood of exploitation by using data (CISA KEV) from the past or prediction models (EPSS).
+ measure: Estimate the likelihood of exploitation by using data (CISA KEV) from the past or prediction models (e.g. Exploit Prediction Scoring System, EPSS).
+ description: Severity-based vulnerability triage alone generates a lot false positives, requiring a more refined approach.
difficultyOfImplementation:
knowledge: 2
time: 2
@@ -338,8 +339,8 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/epss
references:
samm2:
- - V-ST-2-A
- - I-SB-3-B
+ - V-ST-A-2
+ - I-SB-B-3
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -365,8 +366,8 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-dependabot
references:
samm2:
- - V-ST-2-A
- - I-SB-2-B
+ - V-ST-A-2
+ - I-SB-B-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -399,8 +400,8 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/trivy
references:
samm2:
- - V-ST-2-A
- - I-SB-2-B
+ - V-ST-A-2
+ - I-SB-B-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -426,7 +427,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-3-A
+ - V-ST-A-3
iso27001-2017:
- 12.6.1
- 14.2.1
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml
index 780f01a..c0d569d 100755
--- a/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml
+++ b/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml
@@ -2,27 +2,6 @@
---
Test and Verification:
Static depth for infrastructure:
- Analyze logs:
- uuid: b217c8bb-5d61-4b41-a675-1083993f83b1
- risk: Not aware of attacks happening.
- measure: Check logs for keywords.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- implementation:
- - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sigmahq
- references:
- samm2: []
- iso27001-2017:
- - ISO 27001:2017 mapping is missing
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- isImplemented: false
- evidence: ""
- comments: ""
Test for image lifetime:
uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b
risk:
@@ -39,7 +18,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/clusterscanner
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 12.6.1
- 14.2.5
@@ -68,7 +47,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
iso27001-2022:
@@ -95,7 +74,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/clusterscanner
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.2.1
iso27001-2022:
@@ -116,7 +95,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
- 14.2.5
@@ -147,7 +126,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/vuls
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 12.6.1
- 14.2.1
@@ -174,7 +153,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/go-pillage-registrie
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- vcs usage is not explicitly covered by ISO 27001 - too specific
- 9.4.3
@@ -185,7 +164,7 @@ Test and Verification:
- 8.24
isImplemented: false
evidence: ""
- comments: ""
+ comments: ""
Test for stored secrets in build artifacts:
uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f
risk:
@@ -203,7 +182,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/go-pillage-registrie
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- vcs usage is not explicitly covered by ISO 27001 - too specific
- 9.4.3
@@ -233,7 +212,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubesec
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
@@ -271,7 +250,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/vuls
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 12.6.1
- 14.2.1
@@ -298,7 +277,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/clusterscanner
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
@@ -324,7 +303,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/kube-bench
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
@@ -360,7 +339,7 @@ Test and Verification:
- $ref: src/assets/YAML/default/implementations.yaml#/implementations/dockerfilelint
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- System hardening, virtual environments are not explicitly covered by ISO
27001 - too specific
diff --git a/src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml b/src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml
index c8b0c89..d9f1566 100755
--- a/src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml
+++ b/src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml
@@ -19,7 +19,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 14.2.2
- 14.2.3
@@ -53,7 +53,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
- 14.2.1
@@ -80,7 +80,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-1-A
+ - V-ST-A-1
iso27001-2017:
- 12.6.1
- 14.2.1
@@ -109,7 +109,7 @@ Test and Verification:
implementation: []
references:
samm2:
- - V-ST-2-A
+ - V-ST-A-2
iso27001-2017:
- 12.6.1
- 14.2.1
@@ -138,8 +138,8 @@ Test and Verification:
implementation: []
references:
samm2:
- - I-SB-3-A
- - V-ST-3-A
+ - I-SB-A-3
+ - V-ST-A-3
iso27001-2017:
- 14.2.3
- 14.2.8
diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml
index def6a19..e69de29 100644
--- a/src/assets/YAML/generated/generated.yaml
+++ b/src/assets/YAML/generated/generated.yaml
@@ -1,8787 +0,0 @@
----
-Build and Deployment:
- Build:
- Building and testing of artifacts in virtual environments:
- uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3
- description: |-
- While building and testing artifacts, third party systems, application frameworks
- and 3rd party libraries are used. These might be malicious as a result of
- vulnerable libraries or because they are altered during the delivery phase.
- risk: |-
- While building and testing artifacts, third party systems, application frameworks
- and 3rd party libraries are used. These might be malicious as a result of
- vulnerable libraries or because they are altered during the delivery phase.
- measure: Each step during within the build and testing phase is performed in
- a separate virtual environments, which is destroyed afterward.
- meta:
- implementationGuide: Depending on your environment, usage of virtual machines
- or container technology is a good way. After the build, the filesystem should
- not be used again in other builds.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 2
- level: 2
- implementation:
- - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
- name: CI/CD tools
- tags:
- - ci-cd
- url: https://martinfowler.com/articles/continuousIntegration.html
- description: CI/CD tools such as jenkins, gitlab-ci or github-actions
- - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11
- name: Container technologies and orchestration like Docker, Kubernetes
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/
- references:
- samm2:
- - I-SB-2-A
- iso27001-2017:
- - 14.2.6
- iso27001-2022:
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Defined build process:
- uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b
- description: "A *build process* include more than just compiling your source
- code. \nIt also includes steps such as managing (third party) dependencies,
- \nenvironment configuration, running the unit tests, etc. \n\nA *defined build
- process* has automated these steps to ensure consistency.\n\nThis can be done
- with a Jenkinsfile, Maven, or similar tools.\n"
- risk: Performing builds without a defined process is error prone; for example,
- as a result of incorrect security related configuration.
- measure: A well defined build process lowers the possibility of errors during
- the build process.
- difficultyOfImplementation:
- knowledge: 2
- time: 3
- resources: 2
- usefulness: 4
- level: 1
- assessment: |
- - Show your build pipeline and an exemplary job (build + test).
- - Show that every team member has access.
- - Show that failed jobs are fixed.
-
- Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
- implementation:
- - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
- name: CI/CD tools
- tags:
- - ci-cd
- url: https://martinfowler.com/articles/continuousIntegration.html
- description: CI/CD tools such as jenkins, gitlab-ci or github-actions
- - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11
- name: Container technologies and orchestration like Docker, Kubernetes
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/
- references:
- samm2:
- - I-SB-1-A
- iso27001-2017:
- - 12.1.1
- - 14.2.2
- iso27001-2022:
- - 5.37
- - 8.32
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Pinning of artifacts:
- uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477
- risk: Unauthorized manipulation of artifacts might be difficult to spot. For
- example, this may result in using images with malicious code. Also, intended
- major changes, which are automatically used in an image used might break the
- functionality.
- measure: Pinning of artifacts ensure that changes are performed only when intended.
- comment: The usage of pinning requires a good processes for patching. Therefore,
- choose this activity wisely.
- meta:
- implementationGuide: Pinning artifacts in Dockerfile refers to the practice
- of using specific, immutable versions of base images and dependencies in
- your build process. Instead of using the latest tag for your base image,
- select a specific version or digest. For example, replace FROM node:latest,
- to FROM node@sha256:abcdef12.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- implementation:
- - uuid: 9368abfb-cf37-477a-9091-a804d2de9148
- name: Signing of containers
- tags:
- - signing
- - container
- - build
- url: https://www.aquasec.com/cloud-native-academy/supply-chain-security/container-image-signing/
- description: Container technology automatically creates a hash for images,
- which can be used.
- - uuid: 638b3691-c9a5-45fa-9ba8-e40aeea32766
- name: Immutable images
- tags:
- - deployment
- - container
- - build
- url: https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification
- description: Immutable images are an other way, e.g. by using a registry,
- which doesn't allow overriding of images.
- dependsOn:
- - Defined build process
- references:
- samm2:
- - I-SB-1-A
- iso27001-2017:
- - 14.2.6
- iso27001-2022:
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- SBOM of components:
- uuid: 2858ac12-0179-40d9-9acf-1b839c030473
- description: |-
- SBOM (Software Bill of Materials) is a document that lists all components, libraries,
- and dependencies used in a software application or container image. Creating an SBOM
- during the build process can help ensure transparency, security, and license compliance
- for your application.
- risk: In case a vulnerability of severity high or critical exists, it needs
- to be known where an artifacts with that vulnerability is deployed with which
- dependencies.
- measure: Creation of an SBOM of components (e.g. application and container image
- content) during build.
- dependsOn:
- - Defined build process
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 3
- usefulness: 3
- level: 2
- implementation: []
- references:
- samm2:
- - I-SB-1-A
- iso27001-2017:
- - 8.1
- - 8.2
- iso27001-2022:
- - 5.9
- - 5.12
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Signing of artifacts:
- uuid: 5786959d-0c6f-46a6-8e1c-a32ff1a50222
- risk: Execution or usage of malicious code or data e.g. via executables, libraries
- or container images.
- measure: Digitally signing artifacts for all steps during the build and especially
- docker images, helps to ensure their integrity and authenticity.
- description: "To perform a push to a GitHub repository, you must be authenticated.
- It's important to note that GitHub does not verify if the authenticated user's
- email address matches the one in the commit.\nTo clearly identify the author
- of a commit for reviewers, commit signing is recommended.\n\nGitHub actions
- such as [semantic-release-action](https://github.com/cycjimmy/semantic-release-action)
- do not automatically sign commits and may encounter issues as a result. \n\nTo
- address this, you can refer to a working configuration example in the [workflow
- folder](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/.github/workflows/main.yml)
- of DSOMM, which demonstrates how to use semantic release action in conjunction
- with [planetscale/ghcommit-action](https://github.com/planetscale/ghcommit-action).\nFor
- added security, consider using [Fine-grained personal access tokens](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/)
- provided by your organization for a specific repository. Store the Personal
- Access Token (PAT) as a secret in your project."
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 4
- level: 5
- implementation:
- - uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6
- name: Docker Content Trust
- tags: []
- url: https://docs.docker.com/engine/security/trust/
- - uuid: 6e9d8c14-ba3b-4698-afc3-365b4ab6fb1f
- name: in-toto
- tags: []
- url: https://in-toto.github.io/
- dependsOn:
- - Defined build process
- - Pinning of artifacts
- references:
- samm2:
- - I-SB-1-A
- iso27001-2017:
- - 14.2.6
- iso27001-2022:
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Signing of code:
- uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665
- risk: Execution or usage of malicious code or data e.g. via executables, libraries
- or container images.
- measure: Digitally signing commits helps to prevent unauthorized manipulation
- of source code.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- implementation:
- - uuid: d6d755d3-b9f1-4942-a084-e62b266541df
- name: Signing of commits
- tags:
- - signing
- url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
- description: Signing of commits in git
- - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4
- name: Enforcement of commit signing
- tags:
- - signing
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
- description: Usage of branch protection rules
- dependsOn:
- - Defined build process
- references:
- samm2:
- - I-SB-2-A
- iso27001-2017:
- - 14.2.6
- iso27001-2022:
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Deployment:
- Blue/Green Deployment:
- uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97
- risk: A new artifact's version can have unknown defects.
- measure: |-
- Using a blue/green deployment strategy increases application availability
- and reduces deployment risk by simplifying the rollback process if a deployment fails.
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 1
- usefulness: 2
- level: 5
- implementation:
- - uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2
- name: Blue/Green Deployments
- tags: []
- url: https://martinfowler.com/bliki/BlueGreenDeployment.html
- dependsOn:
- - Smoke Test
- references:
- samm2:
- - I-SD-2-A
- iso27001-2017:
- - 17.2.1
- - 12.1.1
- - 12.1.2
- - 12.1.4
- - 12.5.1
- - 14.2.9
- iso27001-2022:
- - 8.14
- - 5.37
- - 8.31
- - 8.32
- - 8.19
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Defined decommissioning process:
- uuid: da4ff665-dcb9-4e93-9d20-48cdedc50fc2
- description: |-
- The decommissioning process in the context of Docker and Kubernetes involves
- retiring Docker containers, images, and Kubernetes resources that are no longer
- needed or have been replaced. This process must be carefully executed to avoid
- impacting other services and applications.
- risk: Unused applications are not maintained and may contain vulnerabilities.
- Once exploited they can be used to attack other applications or to perform
- lateral movements within the organization.
- measure: A clear decommissioning process ensures the removal of unused applications
- from the `Inventory of production components` and if implemented from `Inventory
- of production artifacts`.
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 1
- usefulness: 2
- level: 2
- references:
- samm2:
- - O-OM-2-B
- iso27001-2017:
- - 11.2.7
- iso27001-2022:
- - 7.14
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Defined deployment process:
- uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
- risk: Deployment of insecure or malfunctioning artifacts.
- measure: Defining a deployment process ensures that there are established criteria
- in terms of functionalities, security, compliance, and performance, and that
- the artifacts meet them.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 1
- dependsOn:
- - Defined build process
- implementation:
- - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
- name: CI/CD tools
- tags:
- - ci-cd
- url: https://martinfowler.com/articles/continuousIntegration.html
- description: CI/CD tools such as jenkins, gitlab-ci or github-actions
- - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
- name: Docker
- url: https://github.com/moby/moby
- tags: []
- references:
- samm2:
- - I-SD-1-A
- iso27001-2017:
- - 12.1.1
- - 14.2.2
- iso27001-2022:
- - 5.37
- - 8.32
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Environment depending configuration parameters (secrets):
- uuid: df428c9d-efa0-4226-9f47-a15bb53f822b
- risk: Unauthorized access to secrets stored in source code or in artifacts (e.g.
- container images) through process listing (e.g. ps -ef).
- measure: Set configuration parameters via environment variables stored using
- specific platform functionalities or secrets management systems (e.g. Kubernetes
- secrets or Hashicorp Vault).
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- implementation:
- - uuid: e3a2ffc8-313f-437e-9663-b24591568209
- name: Hashicorp Vault
- tags:
- - authentication
- - authorization
- - secrets
- - infrastructure
- url: https://github.com/hashicorp/vault
- description: |
- A tool for secrets management, encryption as a service, and privileged access management.
- references:
- samm2:
- - I-SD-1-B
- iso27001-2017:
- - 9.4.5
- - 14.2.6
- iso27001-2022:
- - 8.4
- - 8.31
- d3f:
- - ApplicationConfigurationHardening
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b
- tags:
- - secret
- teamsImplemented:
- Default: false
- B: false
- C: false
- Evaluation of the trust of used components:
- uuid: 0de465a6-55a7-4343-af79-948bb5ff10ba
- risk: Application and system components like Open Source libraries or images
- can have implementation flaws or deployment flaws. Developers or operations
- might start random images in the production cluster which have malicious code
- or known vulnerabilities.
- measure: Each components source is evaluated to be trusted. For example the
- source, number of developers included, email configuration used by maintainers
- to prevent maintainer account theft, typo-squatting, ... Create image assessment
- criteria, perform an evaluation of images and create a whitelist of artifacts/container
- images/virtual machine images.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: 2a76300f-6b1f-4a51-b925-134c36b723af
- name: Kubernetes Admission Controller can whitelist registries and/or whitelist
- a signing key.
- tags: []
- url: https://medium.com/slalom-technology/build-a-kubernetes-dynamic-admission-controller-for-container-registry-whitelisting-b46fe020e22d
- - uuid: 5d8b27ac-286e-47a5-b23f-769eb6d74e4a
- name: packj
- tags:
- - OpenSource
- - Supply Chain
- - vulnerability
- url: https://github.com/ossillate-inc/packj
- description: |
- Packj is a tool to detect software supply chain attacks. It can detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages from popular open-source package registries, such as NPM, RubyGems, and PyPI.
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Handover of confidential parameters:
- uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a
- risk: Parameters are often used to set credentials, for example by starting
- containers or applications; these parameters can often be seen by any one
- listing running processes on the target system.
- measure: Encryption ensures confidentiality of credentials e.g. from unauthorized
- access on the file system. Also, the usage of a credential management system
- can help protect credentials.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 3
- implementation: ""
- dependsOn:
- - Environment depending configuration parameters (secrets)
- references:
- samm2:
- - I-SD-2-B
- iso27001-2017:
- - 14.1.3
- - 13.1.3
- - 9.4.3
- - 9.4.1
- - 10.1.2
- iso27001-2022:
- - 8.33
- - 8.22
- - 5.17
- - 8.3
- - 8.24
- d3f:
- - ApplicationConfigurationHardening
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a
- tags:
- - secret
- teamsImplemented:
- Default: false
- B: false
- C: false
- Inventory of production artifacts:
- uuid: 83057028-0b77-4d2e-8135-40969768ae88
- risk: In case a vulnerability of severity high or critical exists, it needs
- to be known where an artifacts (e.g. container image) with that vulnerability
- is deployed.
- measure: A documented inventory of artifacts in production like container images
- exists (gathered manually or automatically).
- dependsOn:
- - Defined deployment process
- - Inventory of production components
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 3
- usefulness: 3
- level: 2
- implementation:
- - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
- name: Backstage
- tags:
- - documentation
- - inventory
- url: https://github.com/backstage/backstage
- description: |
- Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
- name: Image Metadata Collector
- tags:
- - documentation
- - inventory
- - kubernetes
- url: https://github.com/SDA-SE/image-metadata-collector/
- description: |
- Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API.
- references:
- samm2:
- - I-SB-1-B
- iso27001-2017:
- - 8.1
- - 8.2
- iso27001-2022:
- - 5.9
- - 5.12
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/83057028-0b77-4d2e-8135-40969768ae88
- tags:
- - inventory
- teamsImplemented:
- Default: false
- B: false
- C: false
- Inventory of production components:
- uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f
- risk: An organization is unaware of components like applications in production.
- Not knowing existing applications in production leads to not assessing it.
- measure: |-
- A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production.
- In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track.
- dependsOn:
- - Defined deployment process
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 4
- level: 1
- implementation:
- - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
- name: Backstage
- tags:
- - documentation
- - inventory
- url: https://github.com/backstage/backstage
- description: |
- Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
- name: Image Metadata Collector
- tags:
- - documentation
- - inventory
- - kubernetes
- url: https://github.com/SDA-SE/image-metadata-collector/
- description: |
- Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API.
- references:
- samm2:
- - I-SB-1-B
- iso27001-2017:
- - 8.1
- - 8.2
- iso27001-2022:
- - 5.9
- - 5.12
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f
- tags:
- - inventory
- teamsImplemented:
- Default: false
- B: false
- C: false
- Inventory of production dependencies:
- uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6
- risk: Delayed identification of components and their vulnerabilities in production.
- In case a vulnerability is known by the organization, it needs to be known
- where an artifacts with that vulnerability is deployed with which dependencies.
- measure: A documented inventory of dependencies used in artifacts like container
- images and containers exists.
- dependsOn:
- - Inventory of production artifacts
- - SBOM of components
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 3
- usefulness: 3
- level: 3
- implementation:
- - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
- name: Backstage
- tags:
- - documentation
- - inventory
- url: https://github.com/backstage/backstage
- description: |
- Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
- name: Image Metadata Collector
- tags:
- - documentation
- - inventory
- - kubernetes
- url: https://github.com/SDA-SE/image-metadata-collector/
- description: |
- Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API.
- references:
- samm2:
- - I-SB-3-B
- - I-SB-2-B
- - I-SB-1-B
- iso27001-2017:
- - 8.1
- - 8.2
- iso27001-2022:
- - 5.9
- - 5.12
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/13e9757e-58e2-4277-bc0f-eadc674891e6
- comments: ""
- tags:
- - inventory
- - sbom
- teamsImplemented:
- Default: false
- B: false
- C: false
- Rolling update on deployment:
- uuid: 85d52588-f542-4225-a338-20dc22a5508d
- risk: While a deployment is performed, the application can not be reached.
- measure: A deployment without downtime is performed*.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 2
- level: 3
- implementation:
- - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
- name: Docker
- url: https://github.com/moby/moby
- tags: []
- - uuid: a71ce8f8-fd4a-4240-8b46-64a6cdb5dfdb
- name: Webserver
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:WebServer/
- - uuid: ee2eb94b-7204-40d8-97da-43c7b1296e2e
- name: rolling update
- tags: []
- dependsOn:
- - Defined deployment process
- references:
- samm2:
- - I-SD-1-A
- iso27001-2017:
- - 12.5.1
- - 14.2.2
- - 17.2.1
- iso27001-2022:
- - 8.19
- - 8.32
- - 8.14
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Same artifact for environments:
- uuid: a854b48d-83bd-4f8d-8621-a0bdd470837f
- risk: Building of an artifact for different environments means that an untested
- artifact might reach the production environment.
- measure: Building an artifact once and deploying it to different environments
- means that only tested artifacts are allowed to reach the production environment
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 4
- implementation:
- - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
- name: Docker
- url: https://github.com/moby/moby
- tags: []
- dependsOn:
- - Defined build process
- references:
- samm2:
- - I-SD-2-A
- iso27001-2017:
- - 14.3.1
- - 14.2.8
- - 12.1.4
- iso27001-2022:
- - 8.33
- - 8.29
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of feature toggles:
- uuid: a511799b-045e-4b96-9843-7d63d8c1e2ad
- risk: Using environment variables to enable or disable features can lead to
- a situation where a feature is accidentally enabled in the production environment.
- measure: Usage of environment independent configuration parameter, called static
- feature toggles, mitigates the risk of accidentally enabling insecure features
- in production.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 2
- level: 4
- implementation:
- - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
- name: Docker
- url: https://github.com/moby/moby
- tags: []
- - uuid: 83be6c60-6633-4c32-98de-7ae065c143c9
- name: Feature Toggles
- tags:
- - development
- - architecture
- url: https://martinfowler.com/articles/feature-toggles.html
- description: |
- Feature Toggles are a powerful technique, allowing teams to modify system behavior without changing code. (Pete Hodgson)
- dependsOn:
- - Same artifact for environments
- references:
- samm2:
- - I-SD-2-A
- iso27001-2017:
- - 14.3.1
- - 14.2.8
- - 14.2.9
- - 12.1.4
- iso27001-2022:
- - 8.33
- - 8.29
- - 8.31
- d3f:
- - ApplicationConfigurationHardening
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Patch Management:
- A patch policy is defined:
- uuid: 99415139-6b50-441b-89e1-0aa59accd43d
- risk: Vulnerabilities in running artifacts stay for long and might get exploited.
- measure: A patch policy for all artifacts (e.g. in images) is defined. How often
- is an image rebuilt?
- difficultyOfImplementation:
- knowledge: 3
- time: 1
- resources: 2
- usefulness: 4
- level: 1
- implementation: []
- references:
- samm2:
- - O-EM-1-B
- iso27001-2017:
- - 12.6.1
- - 12.5.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.19
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/99415139-6b50-441b-89e1-0aa59accd43d
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Automated PRs for patches:
- uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488
- risk: Components with known (or unknown) vulnerabilities might stay for long
- and get exploited, even when a patch is available.
- measure: |-
- Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes
- * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform)
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 4
- level: 1
- implementation:
- - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
- name: dependabot
- tags:
- - auto-pr
- - patching
- url: https://dependabot.com/
- - uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971
- name: Jenkins
- tags: []
- url: https://www.jenkins.io/
- - uuid: 0d63f907-37fe-4375-88a5-a5e252732618
- name: terraform
- tags:
- - IaC
- url: https://www.terraform.io/
- description: |
- Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service.
- - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
- name: renovate
- tags:
- - auto-pr
- - patching
- url: https://github.com/renovatebot/renovate
- references:
- samm2:
- - O-EM-1-B
- iso27001-2017:
- - 12.6.1
- - 14.2.5
- iso27001-2022:
- - "8.8"
- - "8.27"
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/8ae0b92c-10e0-4602-ba22-7524d6aed488
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Automated deployment of automated PRs:
- uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d
- description: Automated merges of automated created PRs for outdated dependencies.
- risk: Even if automated dependencies PRs are merged, they might not be deployed.
- This results in vulnerabilities in running artifacts stay for too long and
- might get exploited.
- measure: |
- After merging of an automated dependency PR, automated deployment is needed,
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- dependsOn:
- - Automated merge of automated PRs
- implementation:
- - uuid: 0d63f907-37fe-4375-88a5-a5e252732618
- name: terraform
- tags:
- - IaC
- url: https://www.terraform.io/
- description: |
- Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service.
- - uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f
- name: argoCD
- tags:
- - deployment
- url: https://argo-cd.readthedocs.io/en/stable/
- references:
- samm2:
- - O-EM-2-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/08f27c26-2c6a-47fe-9458-5e88f188085d
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Automated merge of automated PRs:
- uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb
- description: Automated merges of automated created PRs for outdated dependencies.
- risk: Vulnerabilities in running artifacts stay for too long and might get exploited.
- measure: |
- A good practice is to merge trusted dependencies (e.g. spring boot) after a grace period like one week.
- Often, patches, fixes and minor updates are automatically merged. Be aware that automated merging requires a high
- automated test coverage. Enforcement of merging of pull requests after a grace period.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 3
- level: 2
- dependsOn:
- - Automated PRs for patches
- implementation:
- - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
- name: dependabot
- tags:
- - auto-pr
- - patching
- url: https://dependabot.com/
- - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
- name: renovate
- tags:
- - auto-pr
- - patching
- url: https://github.com/renovatebot/renovate
- references:
- samm2:
- - O-EM-2-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/f2594f8f-1cd6-45f9-af29-eaf3315698eb
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Nightly build of images (base images):
- uuid: 34869eaf-f2e1-4926-b0bd-28c43402f057
- description: |-
- A base image is a pre-built image that serves as a starting point for building
- new images or containers. These base images usually include an operating system,
- necessary dependencies, libraries, and other components that are required to run
- a specific application or service. Nightly builds of custom base images refer to
- an automated process that occurs daily or on a scheduled basis, usually during
- nighttime or off-peak hours, to create updated versions of custom base images.
- risk: Vulnerabilities in running containers stay for too long and might get
- exploited.
- measure: Custom base images are getting build at least nightly. In case the
- packages in the base image e.g. centos has changed, the build server
- triggers the build of depending images.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- implementation: []
- references:
- samm2:
- - O-EM-1-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/34869eaf-f2e1-4926-b0bd-28c43402f057
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Reduction of the attack surface:
- uuid: 16e39c8f-5336-4001-88ed-a552d2447531
- description: |-
- Distroless images are minimal, stripped-down base images that contain only the
- essential components required to run your application. They do not include package
- managers, shells, or any other tools that are commonly found in standard Linux
- distributions. Using distroless images can help reduce the attack surface and
- overall size of your container images.
- risk: Components, dependencies, files or file access rights might have vulnerabilities,
- but the they are not needed.
- measure: Removal of unneeded components, dependencies, files or file access
- rights. For container images the usage of distroless images is recommended.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 2
- usefulness: 3
- level: 2
- implementation:
- - uuid: ef647044-b675-47d3-9720-3ebc144ef37b
- name: Distroless
- tags: []
- url: https://github.com/GoogleContainerTools/distroless
- - uuid: be757cb3-63d6-4a63-9c4e-e10b746fd47a
- name: Fedora CoreOS
- tags: []
- url: https://getfedora.org/coreos
- - uuid: a92c4f8f-a918-406a-b1e5-70acfc0477bd
- name: Distroless or Alpine
- tags: []
- url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22
- references:
- samm2:
- - I-SB-2
- iso27001-2017:
- - hardening is missing in ISO 27001
- - 14.2.1
- iso27001-2022:
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/16e39c8f-5336-4001-88ed-a552d2447531
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of a maximum lifetime for images:
- uuid: 485a3383-7f2e-4dba-bb84-479377070904
- description: |-
- The maximum lifetime for a Docker container refers to the duration a container
- should be allowed to run before it is considered outdated, stale, or insecure.
- There is not a fixed, universally applicable maximum lifetime for a Docker
- container, as it varies depending on the specific use case, application
- requirements, and security needs. As a best practice, it is essential to define
- a reasonable maximum lifetime for containers to ensure that you consistently
- deploy the most recent, patched, and secure versions of both your custom base
- images and third-party images.
- risk: Vulnerabilities in images of running containers stay for too long and
- might get exploited. Long running containers have potential memory leaks.
- A compromised container might get killed by restarting the container (e.g.
- in case the attacker has not reached the persistence layer).
- measure: A short maximum lifetime for images is defined, e.g. 30 days. The project
- images, based on the nightly builded images, are deployed at leased once within
- the defined lifetime. Third Party images are deployed at leased once within
- the defined lifetime.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 2
- usefulness: 3
- level: 2
- implementation: []
- references:
- samm2:
- - O-EM-1-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/485a3383-7f2e-4dba-bb84-479377070904
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of a short maximum lifetime for images:
- uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e
- description: |-
- The maximum lifetime for a Docker container refers to the duration a container
- should be allowed to run before it is considered outdated, stale, or insecure.
- There is not a fixed, universally applicable maximum lifetime for a Docker
- container, as it varies depending on the specific use case, application
- requirements, and security needs. As a best practice, it is essential to define
- a reasonable maximum lifetime for containers to ensure that you consistently
- deploy the most recent, patched, and secure versions of both your custom base
- images and third-party images.
- risk: Vulnerabilities in running containers stay for too long and might get
- exploited.
- measure: |
- A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 2
- usefulness: 3
- level: 4
- implementation:
- - uuid: 1a463242-b480-46f6-a912-b51ec1c1558d
- name: "Sample concept: \n(1"
- tags: []
- description: "Sample concept: \n(1) each container has a set lifetime and
- is killed / replaced with a new container multiple times a day where you
- have some form of a graceful replacement to ensure no (short) service outage
- will occur to the end users. \n(2) twice a day a rebuild of images is done.
- The rebuilds are put into a automated testing pipeline. If the testing has
- no blocking issues the new images will be released for deployment during
- the next \"restart\" of a container. What has to be done, is to ensure the
- new containers are deployed in some canary deployment manner, this will
- ensure that if (and only if) something buggy has been introduced which breaks
- functionality the canary deployment will make sure the \"older version\"
- is being used and not the buggy newer one."
- references:
- samm2:
- - O-EM-2-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
- Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e
- comments: ""
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
-Culture and Organization:
- Design:
- Conduction of advanced threat modeling:
- uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9
- risk: Inadequate identification of business and technical risks.
- measure: Threat modeling is performed by using reviewing user stories and producing
- security driven data flow diagrams.
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 2
- usefulness: 3
- level: 4
- dependsOn:
- - Conduction of simple threat modeling on technical level
- - Creation of threat modeling processes and standards
- description: |
- **Example High Maturity Scenario:**
-
- Based on a detailed threat model defined and updated through code, the team decides the following:
-
- * Local encrypted caches need to expire and auto-purged.
- * Communication channels encrypted and authenticated.
- * All secrets persisted in shared secrets store.
- * Frontend designed with permissions model integration.
- * Permissions matrix defined.
- * Input is escaped output is encoded appropriately using well established libraries.
-
- Source: OWASP Project Integration Project
- implementation:
- - uuid: c0533602-11b7-4838-93cc-a40556398163
- name: Whiteboard
- tags:
- - defender
- - threat-modeling
- - collaboration
- - whiteboard
- url: https://en.wikipedia.org/wiki/Whiteboard
- - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1
- name: Miro (or any other collaborative board)
- tags:
- - defender
- - threat-modeling
- - collaboration
- - whiteboard
- url: https://miro.com/
- - uuid: 088794c4-3424-40d4-9084-4151587fc84d
- name: Draw.io
- tags:
- - defender
- - threat-modeling
- - whiteboard
- url: https://github.com/jgraph/drawio-desktop
- - uuid: fd0f282b-a065-4464-beed-770c604a5f52
- name: Threat Modeling Playbook
- tags:
- - owasp
- - defender
- - threat-modeling
- - whiteboard
- url: https://github.com/Toreon/threat-model-playbook
- - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52
- name: OWASP SAMM
- tags:
- - threat-modeling
- - owasp
- - defender
- url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- - uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c
- name: Threagile
- tags:
- - threat-modeling
- url: https://github.com/Threagile/threagile
- - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617
- name: Threat Matrix for Storage
- url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/
- tags:
- - documentation
- - storage
- - cluster
- - kubernetes
- references:
- samm2:
- - D-TA-2-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 8.2.1
- - 14.2.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 5.12
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Conduction of simple threat modeling on business level:
- uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426
- risk: Business related threats are discovered too late in the development and
- deployment process.
- measure: Threat modeling of business functionality is performed during the product
- backlog creation to facilitate early detection of security defects.
- difficultyOfImplementation:
- knowledge: 2
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation: []
- references:
- samm2:
- - D-TA-2-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 8.2.1
- - 14.2.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 5.12
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Conduction of simple threat modeling on technical level:
- uuid: 47419324-e263-415b-815d-e7161b6b905e
- risk: Technical related threats are discovered too late in the development and
- deployment process.
- measure: Threat modeling of technical features is performed during the product
- sprint planning.
- difficultyOfImplementation:
- knowledge: 2
- time: 3
- resources: 1
- usefulness: 3
- level: 1
- implementation:
- - uuid: c0533602-11b7-4838-93cc-a40556398163
- name: Whiteboard
- tags:
- - defender
- - threat-modeling
- - collaboration
- - whiteboard
- url: https://en.wikipedia.org/wiki/Whiteboard
- - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1
- name: Miro (or any other collaborative board)
- tags:
- - defender
- - threat-modeling
- - collaboration
- - whiteboard
- url: https://miro.com/
- - uuid: 088794c4-3424-40d4-9084-4151587fc84d
- name: Draw.io
- tags:
- - defender
- - threat-modeling
- - whiteboard
- url: https://github.com/jgraph/drawio-desktop
- - uuid: fd0f282b-a065-4464-beed-770c604a5f52
- name: Threat Modeling Playbook
- tags:
- - owasp
- - defender
- - threat-modeling
- - whiteboard
- url: https://github.com/Toreon/threat-model-playbook
- - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52
- name: OWASP SAMM
- tags:
- - threat-modeling
- - owasp
- - defender
- url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617
- name: Threat Matrix for Storage
- url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/
- tags:
- - documentation
- - storage
- - cluster
- - kubernetes
- description: |
- # OWASP SAMM Description
- Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.
-
- Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.
-
- At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use.
-
- Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage.
-
- Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- # OWASP Project Integration Description
- There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
-
- A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/).
-
- OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
-
- There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another.
-
- > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._
-
- 
-
- Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function.
-
- 
-
- This practice has the side effect that it trains non-security specialists to think like attackers.
-
- The outcomes of this stage should help lay the foundation of secure design and considerations.
-
- **Example Low Maturity Scenario:**
-
- Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
-
- Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext.
-
- Frontend serves data over GraphQL as a thin layer between caching system and end user.
-
- GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes.
-
- Source: OWASP Project Integration Project
- references:
- samm2:
- - D-TA-2-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 8.2.1
- - 14.2.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 5.12
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Creation of advanced abuse stories:
- uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e
- risk: Simple user stories are not going deep enough. Relevant security considerations
- are performed. Security flaws are discovered too late in the development and
- deployment process
- measure: Advanced abuse stories are created as part of threat modeling activities.
- difficultyOfImplementation:
- knowledge: 4
- time: 2
- resources: 1
- usefulness: 4
- level: 5
- dependsOn:
- - Creation of simple abuse stories
- implementation:
- - uuid: bb5b8988-021b-452a-a914-bd36887b6860
- name: Don't Forget EVIL User stories
- tags: []
- url: https://www.owasp.org/index.php/Agile_Software_Development
- description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
- and [Practical Security Stories and Security Tasks for Agile Development
- Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)'
- references:
- samm2:
- - D-TA-2-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- - May be part of project management
- - 6.1.5
- - May be part of risk assessment
- - 8.1.2
- iso27001-2022:
- - Not explicitly covered by ISO 27001
- - May be part of project management
- - 5.8
- - May be part of risk assessment
- - 5.9
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Creation of simple abuse stories:
- uuid: bacf85b6-5bc0-405d-b5ba-a5d971467cc1
- risk: User stories mostly don't consider security implications. Security flaws
- are discovered too late in the development and deployment process.
- measure: Abuse stories are created during the creation of user stories.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 3
- implementation:
- - uuid: bb5b8988-021b-452a-a914-bd36887b6860
- name: Don't Forget EVIL User stories
- tags: []
- url: https://www.owasp.org/index.php/Agile_Software_Development
- description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
- and [Practical Security Stories and Security Tasks for Agile Development
- Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)'
- dependsOn:
- - Conduction of simple threat modeling on technical level
- - Creation of threat modeling processes and standards
- references:
- samm2:
- - D-TA-2-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- - May be part of project management
- - 6.1.5
- - May be part of risk assessment
- - 8.1.2
- iso27001-2022:
- - Not explicitly covered by ISO 27001
- - May be part of project management
- - 5.8
- - May be part of risk assessment
- - 5.9
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Creation of threat modeling processes and standards:
- uuid: dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e
- risk: Inadequate identification of business and technical risks.
- measure: Creation of threat modeling processes and standards through the organization
- helps to enhance the security culture and provide more structure to the threat
- model exercises.
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 2
- usefulness: 3
- level: 3
- description: ""
- implementation:
- - uuid: fd0f282b-a065-4464-beed-770c604a5f52
- name: Threat Modeling Playbook
- tags:
- - owasp
- - defender
- - threat-modeling
- - whiteboard
- url: https://github.com/Toreon/threat-model-playbook
- - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52
- name: OWASP SAMM
- tags:
- - threat-modeling
- - owasp
- - defender
- url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- dependsOn:
- - Conduction of simple threat modeling on technical level
- references:
- samm2:
- - D-TA-3-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 8.2.1
- - 14.2.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001
- - May be part of risk assessment
- - 5.12
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Information security targets are communicated:
- uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885
- risk: Employees don't know their organizations security targets. Therefore security
- is not considered during development and administration as much as it should
- be.
- measure: Transparent and timely communication of the security targets by senior
- management is essential to ensure teams' buy-in and support.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 3
- level: 2
- implementation: []
- references:
- samm2:
- - G-PS-2
- iso27001-2017:
- - 5.1.1
- - 7.2.1
- iso27001-2022:
- - 5.1
- - 5.4
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Education and Guidance:
- Ad-Hoc Security trainings for software developers:
- uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298
- risk: Understanding security is hard and personnel needs to be trained on it.
- Otherwise, flaws like an SQL Injection might be introduced into the software
- which might get exploited.
- measure: Provide security awareness training for all personnel involved in software
- development Ad-Hoc.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 3
- level: 1
- implementation:
- - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
- name: OWASP Juice Shop
- tags:
- - training
- url: https://github.com/bkimminich/juice-shop
- description: In case you do not have the budget to hire an external security
- expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
- name: OWASP Cheatsheet Series
- tags:
- - training
- - secure coding
- url: https://cheatsheetseries.owasp.org/
- references:
- samm2:
- - G-EG-1-A
- iso27001-2017:
- - 7.2.2
- iso27001-2022:
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Aligning security in teams:
- uuid: f994a55d-71bb-45a4-a887-0a213d72c504
- risk: The concept of Security Champions might suggest that only he/she is responsible
- for security. However, everyone in the project team should be responsible
- for security.
- measure: By aligning security Subject Matter Experts with project teams, a higher
- security standard can be achieved.
- difficultyOfImplementation:
- knowledge: 4
- time: 4
- resources: 1
- usefulness: 5
- implementation:
- - uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3
- name: Involve Security SME
- tags: []
- description: Security SME are involved in discussion for requirements analysis,
- software design and sprint planning to provide guidance and suggestions.
- level: 4
- references:
- samm2:
- - G-EG-3-B
- iso27001-2017:
- - 7.1.1
- iso27001-2022:
- - 6.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Conduction of build-it, break-it, fix-it contests:
- uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8
- risk: Understanding security is hard, even for security champions and the conduction
- of security training often focuses on breaking a component instead of building
- a component secure.
- measure: The build-it, break-it, fix-it contest allows to train people with
- security related roles like security champions the build, break and fix part
- of a secure application. This increases the learning of building secure components.
- difficultyOfImplementation:
- knowledge: 5
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f
- name: Build it Break it Fix it Contest
- tags: []
- url: https://builditbreakit.org/
- references:
- samm2:
- - G-EG-2-A
- iso27001-2017:
- - 7.2.2
- iso27001-2022:
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Conduction of collaborative security checks with developers and system administrators:
- uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2
- risk: Security checks by external companies do not increase the understanding
- of an application/system for internal employees.
- measure: Periodically security reviews of source code (SCA), in which security
- SME, developers and operations are involved, are effective at increasing the
- robustness of software and the security knowledge of the teams involved.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 1
- usefulness: 3
- level: 5
- implementation: []
- references:
- samm2:
- - G-EG-2-A
- iso27001-2017:
- - Mutual review of source code is not explicitly required in ISO 27001 may
- be
- - 7.2.2
- - 12.6.1
- - 12.7.1
- iso27001-2022:
- - Mutual review of source code is not explicitly required in ISO 27001 may
- be
- - 6.3
- - 8.8
- - 8.34
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Conduction of collaborative team security checks:
- uuid: 35446784-7610-40d9-af9e-d43f3173bf8c
- risk: Development teams limited insight over security practices.
- measure: Mutual security testing the security of other teams project enhances
- security awareness and knowledge.
- difficultyOfImplementation:
- resources: 2
- knowledge: 4
- time: 4
- usefulness: 2
- level: 4
- implementation: []
- references:
- samm2:
- - G-EG-1-A
- - G-EG-2-A
- iso27001-2017:
- - Mutual security testing is not explicitly required in ISO 27001 may be
- - 7.2.2
- iso27001-2022:
- - Mutual security testing is not explicitly required in ISO 27001 may be
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Conduction of war games:
- uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694
- risk: Understanding incident response plans during an incident is hard and ineffective.
- measure: War Games like activities help train for incidents. Security SMEs create
- attack scenarios in a testing environment enabling the trainees to learn how
- to react in case of an incident.
- difficultyOfImplementation:
- knowledge: 4
- time: 5
- resources: 4
- usefulness: 3
- level: 4
- implementation: []
- references:
- samm2:
- - G-EG-2-A
- iso27001-2017:
- - War games are not explicitly required in ISO 27001 may be
- - 7.2.2
- - 16.1
- - 16.1.5
- iso27001-2022:
- - War games are not explicitly required in ISO 27001 may be
- - 6.3
- - 5.24
- - 5.26
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Each team has a security champion:
- uuid: 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
- risk: No one feels directly responsible for security and the security champion
- does not have enough time to allocate to each team.
- measure: Each team defines an individual to be responsible for security. These
- individuals are often referred to as 'security champions'
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- description: |
- Implement a program where each software development team has a member considered a "Security Champion" who is the liaison between Information Security and developers. Depending on the size and structure of the team the "Security Champion" may be a software developer, tester, or a product manager. The "Security Champion" has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. "Security Champions" have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support "Security Champions" for cultural reasons.
-
- The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, "Security Champions" assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
-
- [Source: OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/)
- implementation:
- - uuid: c191a515-3c10-4903-a889-70c8021f2ea1
- name: OWASP Security Champions Playbook
- tags:
- - security champions
- url: https://github.com/c0rdis/security-champions-playbook
- references:
- samm2:
- - G-EG-1-B
- - G-EG-2-B
- iso27001-2017:
- - Security champions are missing in ISO 27001 most likely
- - 7.2.1
- - 7.2.2
- iso27001-2022:
- - Security champions are missing in ISO 27001 most likely
- - 5.4
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Office Hours:
- uuid: 185d5a74-19dc-4422-be07-44ea35226783
- risk: Developers and Operations are not in contact with the security team and
- therefore do not ask prior implementation of (known or unknown) threats-
- measure: As a security team, be open for questions and hints during defined
- office hours. x x d
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 3
- level: 3
- implementation: ~
- references:
- samm2:
- - G-EG-1-A
- iso27001-2017:
- - 7.2.2
- iso27001-2022:
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/185d5a74-19dc-4422-be07-44ea35226783
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Regular security training for all:
- uuid: 9768f154-357a-4c06-af6f-d66570677c9b
- risk: Understanding security is hard.
- measure: Provide security awareness training for all internal personnel involved
- in software development on a regular basis like twice in a year for 1-3 days.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 2
- usefulness: 4
- level: 2
- description: |
- Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.
-
- Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.
-
- Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.
-
- [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/)
- implementation:
- - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
- name: OWASP Juice Shop
- tags:
- - training
- url: https://github.com/bkimminich/juice-shop
- description: In case you do not have the budget to hire an external security
- expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
- name: OWASP Cheatsheet Series
- tags:
- - training
- - secure coding
- url: https://cheatsheetseries.owasp.org/
- references:
- samm2:
- - G-EG-1-A
- iso27001-2017:
- - 7.2.2
- iso27001-2022:
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/9768f154-357a-4c06-af6f-d66570677c9b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Regular security training for externals:
- uuid: 31833d56-35af-4ef3-9300-f23d27646ce7
- risk: Understanding security is hard.
- measure: Provide security awareness training for all personnel including externals
- involved in software development on a regular basis.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 3
- usefulness: 4
- level: 4
- implementation:
- - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
- name: OWASP Juice Shop
- tags:
- - training
- url: https://github.com/bkimminich/juice-shop
- description: In case you do not have the budget to hire an external security
- expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
- name: OWASP Cheatsheet Series
- tags:
- - training
- - secure coding
- url: https://cheatsheetseries.owasp.org/
- references:
- samm2:
- - G-EG-3-A
- iso27001-2017:
- - 7.2.2
- iso27001-2022:
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Regular security training of security champions:
- uuid: f88d1b17-3d7d-4c3d-8139-ad44fc4942d4
- risk: Understanding security is hard, even for security champions.
- measure: Regular security training of security champions.
- assessment: |
- - Process Documentation: TODO
- - Training Content: TOODO
- difficultyOfImplementation:
- knowledge: 4
- time: 2
- resources: 2
- usefulness: 5
- level: 2
- implementation:
- - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
- name: OWASP Cheatsheet Series
- tags:
- - training
- - secure coding
- url: https://cheatsheetseries.owasp.org/
- dependsOn:
- - Each team has a security champion
- references:
- samm2:
- - D-TA-2-B
- - G-EG-1-A
- iso27001-2017:
- - Security champions are missing in ISO 27001
- - 7.2.2
- iso27001-2022:
- - Security champions are missing in ISO 27001
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Reward of good communication:
- uuid: 91b6f75b-9f4a-4d77-95a2-af7ad3222c7c
- risk: Employees are not getting excited about security.
- measure: Good communication and transparency encourages cross-organizational
- support. Gamification of security is also known to help, examples include
- T-Shirts, mugs, cups, gift cards and 'High-Fives'.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: 8e1b4a8a-c53b-4b1e-90f6-c60b7e225098
- name: Motivate people
- tags:
- - security champions
- - gamification
- - nudging
- url: https://github.com/wurstbrot/security-pins
- description: |-
- Enhance motivation can be performed with the distribution of pins
- as a reward, see [OWASP Security Pins Project](https://github.com/wurstbrot/security-pins)
- - uuid: 22b63bdb-2003-4ac0-969d-b1e5268c2510
- name: OWASP Top 10 Maturity Categories for Security Champions
- tags:
- - security champions
- url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx
- references:
- samm2:
- - G-EG-1-B
- iso27001-2017:
- - not required by ISO 27001
- - interestingly enough A7.2.3 is requiring a process to handle misconduct
- but nothing to promote good behavior.
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Security Coaching:
- uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
- risk: Training does not change behaviour. Therefore, even if security practices
- are understood, it's likely that they are not performed.
- measure: By coaching teams on security topics using for example the samman coaching
- method, teams internalize security practices as new habits in their development
- process.
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 1
- usefulness: 3
- implementation:
- - uuid: 9223be73-00da-400e-a910-3871734cff2f
- name: sammancoaching
- tags:
- - documentation
- - coaching
- - education
- url: https://sammancoaching.org/
- description: |
- Security coaches work with software development teams to help them adopt better security practices.
- level: 3
- references:
- samm2:
- - G-EG-3-B
- iso27001-2017:
- - 7.1.1
- iso27001-2022:
- - 6.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Security code review:
- uuid: 7121b0c7-6ace-4d6b-95d0-94535dbccb57
- risk: Understanding security is hard.
- measure: |
- The following areas of code tend to have a high-risk of containing security vulnerabilities:
- - Crypto implementations / usage
- - Parser, unparser
- - System configuration
- - Authentication, authorization
- - Session management
- - Request throttling
- - :unicorn: (self-developed code, only used in that one software)
- description: |
- ### Benefits
- - New vulnerabilities may be found before reaching production.
- - Old vulnerabilities are found and fixed.
- assessment: |
- - Present the performed reviews (including participants, findings, consequences) and assess whether it is reasonable.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: c77f7ecd-76de-4611-bd6d-5b249f910c39
- name: CWE Top 25 Most Dangerous Software Weaknesses
- tags:
- - documentation
- - threat
- url: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
- credits: |
- AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
- references:
- samm2:
- - V-ST-1-B
- iso27001-2017:
- - ISO 27001:2017 mapping is missing
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Security consulting on request:
- uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0
- risk: Not asking a security expert when questions regarding security appear
- might lead to flaws.
- measure: Security consulting to teams is given on request. The security consultants
- can be internal or external.
- difficultyOfImplementation:
- knowledge: 3
- time: 1
- resources: 1
- usefulness: 3
- level: 1
- implementation:
- - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
- name: OWASP Cheatsheet Series
- tags:
- - training
- - secure coding
- url: https://cheatsheetseries.owasp.org/
- references:
- samm2:
- - G-EG-1-A
- iso27001-2017:
- - security consulting is missing in ISO 27001 may be
- - 6.1.1
- - 6.1.4
- - 6.1.5
- iso27001-2022:
- - Security consulting is missing in ISO 27001 may be
- - 5.2
- - 5.6
- - 5.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Security-Lessoned-Learned:
- uuid: 58c46807-fee9-448b-b6dd-8050c464ab52
- risk: After an incident, a similar incident might reoccur.
- measure: Running a 'lessons learned' session after an incident helps drive continuous
- improvement. Regular meetings with security champions are a good place to
- share and discuss lessons learned.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation: []
- references:
- samm2:
- - O-IM-3-B
- iso27001-2017:
- - 16.1.6
- iso27001-2022:
- - 5.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple mob hacking:
- uuid: 535f301a-e8e8-4eda-ad77-a08b035c92de
- risk: Understanding security is hard.
- measure: |
- Participate with your whole team in a simple mob hacking session organized by the Security Champion Guild.
- In the session the guild presents a vulnerable application and together you look at possible exploits.
- Just like in mob programming there is one driver and several navigators.
- description: |
- ### Guidelines for your simple mob hacking session
- - All exploits happen via the user interface.
- - No need for security/hacking tools.
- - No need for deep technical or security knowledge.
- - Use an insecure training app, e.g., [DVWA](https://dvwa.co.uk/) or [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/).
- - Encourage active participation, e.g., use small groups.
- - Allow enough time for everyone to run at least one exploit.
-
- ### Benefits
- - The team gets an idea of how exploits can look like and how easy applications can be attacked.
- - The team understands functional correct working software can be highly insecure and easy to exploit.
- difficultyOfImplementation:
- knowledge: 5
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- credits: |
- AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
- implementation:
- - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
- name: OWASP Juice Shop
- tags:
- - training
- url: https://github.com/bkimminich/juice-shop
- description: In case you do not have the budget to hire an external security
- expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- - uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529
- name: Damn Vulnerable Web Application
- tags:
- - training
- description: Simple Application with intended vulnerabilities. HTML based.
- references:
- samm2:
- - G-EG-1-A
- iso27001-2017:
- - 7.2.2
- iso27001-2022:
- - 6.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
- and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Process:
- Approval by reviewing any new version:
- uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1
- risk: An individual might forget to implement security measures to protect source
- code or infrastructure components.
- measure: On each new version (e.g. Pull Request) of source code or infrastructure
- components a security peer review of the changes is performed (two eyes principle)
- and approval given by the reviewer.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 3
- implementation: []
- references:
- samm2: []
- iso27001-2017:
- - Peer review - four eyes principle is not explicitly required by ISO 27001
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - Peer review - four eyes principle is not explicitly required by ISO 27001
- - 5.3
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Definition of a change management process:
- uuid: b4193d32-3948-47e2-a326-3748c48019a1
- risk: The impact of a change is not controlled because these are not recorded
- or documented.
- measure: Each change of a system is automatically recorded and adequately logged.
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation: []
- references:
- samm2: []
- iso27001-2017:
- - 14.2.2
- - 12.1.2
- - 12.4.1
- iso27001-2022:
- - 8.32
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Definition of simple BCDR practices for critical components:
- uuid: c72da779-86cc-45b1-a339-190ce5093171
- description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan
- and a process that helps a business to return to normal operations if a disaster
- occurs.
- risk: If the disaster recovery actions are not clear, you risk slow reaction
- and remediation delays. This applies to cyber attacks as well as natural emergencies,
- such as a power outage.
- measure: By understanding and documenting a business continuity and disaster
- recovery (BCDR) plan, the overall availability of systems and applications
- is increased. Success factors like responsibilities, Service Level Agreements,
- Recovery Point Objectives, Recovery Time Objectives or Failover must be fully
- documented and understood by the people involved in the recovery.
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 2
- usefulness: 4
- level: 1
- implementation: []
- references:
- samm2: []
- iso27001-2017:
- - 17.1.1
- iso27001-2022:
- - 5.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/c72da779-86cc-45b1-a339-190ce5093171
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Determining the protection requirement:
- uuid: 72737130-472c-4984-80f8-9ab2f1c2ed5d
- risk: "Not defining the protection requirement of applications can lead to wrong
- prioritization, delayed remediation of \ncritical security issues, increasing
- the risk of exploitation and potential damage to the organization."
- measure: "Defining the protection requirement. \nThe protection requirements
- for an application should consider:\n- Processed data criticality\n- Application
- accessibility (internal vs. external)\n- Regulatory compliance\n- Other relevant
- factors"
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 2
- dependsOn:
- - Inventory of production components
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
- name: Business friendly vulnerability management metrics
- url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
- tags:
- - documentation
- - vulnerability
- - vulnerability management system
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
- name: DefectDojo Client
- tags:
- - Defectdojo
- - statistics
- url: https://github.com/SDA-SE/defectdojo-client
- description: |
- This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
- references:
- samm2:
- - I-DM-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/72737130-472c-4984-80f8-9ab2f1c2ed5d
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
-Implementation:
- Application Hardening:
- App. Hardening Level 1:
- uuid: cf819225-30cb-4702-8e32-60225eedc33d
- risk: Using an insecure application might lead to a compromised application.
- This might lead to total data theft or data modification.
- measure: |
- Following frameworks like the
- * OWASP Application Security Verification Standard Level 1
- * OWASP Mobile Application Security Verification Standard
-
- in all applications provides a good baseline. Implement 95%-100% of the recommendations.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- dependsOn:
- - App. Hardening Level 1 (50%)
- description: |
- To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely.
-
- [...]
-
- ### Planning aka Requirements Gathering & Analysis
- The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
-
- 
-
- Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
-
- These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
-
- In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
-
- Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md)
- implementation:
- - uuid: 88767cde-1610-402e-98ec-bc3575377183
- name: OWASP ASVS
- tags: []
- url: https://owasp.org/www-project-application-security-verification-standard/
- - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
- name: OWASP MASVS
- tags: []
- url: https://github.com/OWASP/owasp-masvs
- - uuid: 596cb528-8981-4723-bcc3-22c261f26114
- name: API Security Maturity Model for Authorization
- tags:
- - api
- url: https://curity.io/resources/learn/the-api-security-maturity-model/
- references:
- samm2:
- - D-SR-1-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/cf819225-30cb-4702-8e32-60225eedc33d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- App. Hardening Level 1 (50%):
- uuid: b597928e-54d6-48a5-a806-8003dcd56aab
- risk: Using an insecure application might lead to a compromised application.
- This might lead to total data theft or data modification.
- measure: |
- Following frameworks like the
- * OWASP Application Security Verification Standard Level 1
- * OWASP Mobile Application Security Verification Standard
-
- in all applications provides a good baseline. Implement 50% of the recommendations.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 1
- description: |
- To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.
-
- [...]
-
- ### Planning aka Requirements Gathering & Analysis
- The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
-
- 
-
- Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
-
- These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
-
- In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
-
- Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md)
- implementation:
- - uuid: 88767cde-1610-402e-98ec-bc3575377183
- name: OWASP ASVS
- tags: []
- url: https://owasp.org/www-project-application-security-verification-standard/
- - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
- name: OWASP MASVS
- tags: []
- url: https://github.com/OWASP/owasp-masvs
- - uuid: 596cb528-8981-4723-bcc3-22c261f26114
- name: API Security Maturity Model for Authorization
- tags:
- - api
- url: https://curity.io/resources/learn/the-api-security-maturity-model/
- references:
- samm2:
- - D-SR-1-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/b597928e-54d6-48a5-a806-8003dcd56aab
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- App. Hardening Level 2:
- uuid: ffe86caf-2fec-4630-b514-2db83983984d
- risk: Using an insecure application might lead to a compromised application.
- This might lead to total data theft or data modification.
- measure: |
- Following frameworks like the
- * OWASP Application Security Verification Standard Level 2
- * OWASP Mobile Application Security Verification Standard Level 2
-
- Implement 95%-100% of the recommendations.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 3
- level: 4
- implementation:
- - uuid: 88767cde-1610-402e-98ec-bc3575377183
- name: OWASP ASVS
- tags: []
- url: https://owasp.org/www-project-application-security-verification-standard/
- - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
- name: OWASP MASVS
- tags: []
- url: https://github.com/OWASP/owasp-masvs
- references:
- samm2:
- - D-SR-2-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/ffe86caf-2fec-4630-b514-2db83983984d
- comments: ""
- dependsOn:
- - App. Hardening Level 2 (75%)
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- App. Hardening Level 2 (75%):
- uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7
- risk: Using an insecure application might lead to a compromised application.
- This might lead to total data theft or data modification.
- measure: |
- Following frameworks like the
- * OWASP Application Security Verification Standard Level 2
- * OWASP Mobile Application Security Verification Standard Level 2
-
- Implement 75% of the recommendations.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: 88767cde-1610-402e-98ec-bc3575377183
- name: OWASP ASVS
- tags: []
- url: https://owasp.org/www-project-application-security-verification-standard/
- - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
- name: OWASP MASVS
- tags: []
- url: https://github.com/OWASP/owasp-masvs
- references:
- samm2:
- - D-SR-2-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7
- comments: ""
- dependsOn:
- - App. Hardening Level 1
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- App. Hardening Level 3:
- uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a
- risk: Using an insecure application might lead to a compromised application.
- This might lead to total data theft or data modification.
- measure: |
- Following frameworks like the
- * OWASP Application Security Verification Standard Level 3
- * OWASP Mobile Application Security Verification Standard
-
- Implement 95%-100% of the recommendations.
- difficultyOfImplementation:
- knowledge: 4
- time: 4
- resources: 2
- usefulness: 4
- level: 5
- implementation:
- - uuid: 88767cde-1610-402e-98ec-bc3575377183
- name: OWASP ASVS
- tags: []
- url: https://owasp.org/www-project-application-security-verification-standard/
- - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
- name: OWASP MASVS
- tags: []
- url: https://github.com/OWASP/owasp-masvs
- references:
- samm2:
- - D-SR-3-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a
- dependsOn:
- - App. Hardening Level 2
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Containers are running as non-root:
- uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f
- risk: |-
- There are various reasons to run a container as non-root. Samples are listed:
- ## Container Escape Vectors
-
- - Root privileges significantly increase the chance of breaking container isolation
- - Root access can be leveraged to exploit kernel vulnerabilities
- - Compromised root containers provide attackers with maximum privileges inside the container
- - Greater potential for escaping container boundaries to the host system
-
- ## Host System Vulnerabilities
-
- Root containers can potentially:
-
- - Mount sensitive host filesystems
- - Access critical device files
- - Modify host network settings
- - Interact with host system processes
- - Override security controls
-
- ## Resource Management Issues
-
- Root privileges may allow containers to:
-
- - Bypass resource quotas and limits
- - Modify control group (cgroup) settings
- - Interfere with other containers' resources
- - Circumvent memory and CPU restrictions
-
- Security Boundary Weakening
-
- - Violates the principle of least privilege
- - Provides unnecessary elevated permissions
- - Expands the potential attack surface
- - Increases the impact of a successful compromise
- measure: "Containers are running as non-root. This can be enforced in the image
- itself or during runtime parameters \n(e.g. `podman run --user [...]`)."
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 2
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Context-aware output encoding:
- uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7
- description: "**Input validation** stops malicious data from entering your system.
- \\\n**Output encoding** neutralizes malicious data before rendering to user,
- or the next system.\n\nInput validation and output encoding work together.
- Apply both. \n\n**Context-aware output encoding** encodes data differently,
- depending on its context. In the sample below the `{{bad_data}}` must be encoded
- differently, depending on its context, to render safe HTML.\n\n```html\n{{bad_data}}
\nClick me\n\n\n``` \n"
- risk: If an attacker manages to slip though your input validation, the attacker
- may gain control over the user session or execute arbitrary actions.
- measure: "* Use modern secure frameworks such as React/Angular/Vue/Svelte. The
- default method here renders data in a safe way.\n* Use established and well-maintained
- encoding libraries such as OWASP\u2019s Java Encoder and Microsoft\u2019s
- AntiXSS.\n* Implement content security policies (CSP) to restrict the types
- of content that can be loaded and executed.\n"
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 1
- usefulness: 3
- level: 1
- implementation:
- - uuid: 2d61e48f-bade-4332-a383-adc50c29673a
- name: OWASP DOM based XSS Prevention CheatSheet
- url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
- tags: []
- - uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc
- name: CWE-838 Inappropriate Encoding for Output Context
- tags:
- - documentation
- - cwe
- url: https://cwe.mitre.org/data/definitions/838.html
- references:
- samm2:
- - D-SR-1-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/e1f37abb-d848-4a3a-b3df-65e91a89dcb7
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Parametrization:
- uuid: 00e91a8a-3972-4692-8679-674ab8547486
- description: |
- By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well.
-
- This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed.
-
- Pay attention to these two lines of code. They seem similar, but behave very differently.
-
- * `sql.execute("SELECT * FROM table WHERE ID = " + id);`
- * `sql.execute("SELECT * FROM table WHERE ID = ?", id);`
- The second line is parameterized. The same principle applies to other types, such as command line execution, etc.
- risk: "Systems vulnerable to injections may lead to data breaches, loss of data,
- \nunauthorized alteration of data, or complete database compromise or downtime.\n\nThis
- applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. \n"
- measure: |
- * Identify which of the types your application is using. Check that you use:
- * Use _parametrized queries_ (or _prepared statements_)
- * For database queries, you may also use:
- * Use _stored procedures_ ()
- * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 1
- usefulness: 3
- level: 1
- implementation:
- - uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4
- name: OWASP Parameterization CheatSheet
- url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
- tags: []
- references:
- samm2:
- - D-SR-1-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- Hardening/00e91a8a-3972-4692-8679-674ab8547486
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Secure headers:
- uuid: 29318d60-18ce-4526-80ea-f5928e49f639
- risk: |
- Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.:
- - Cross-Site Scripting (XSS) due to missing Content Security Policy
- - Clickjacking attacks due to missing X-Frame-Options
- - Information disclosure through Server header exposure
- - SSL/TLS downgrade attacks due to missing HSTS
- - Cross-site scripting and injection due to missing security headers
- measure: |
- Implement and enforce security headers across all applications and services
-
- Implementation Methods:
- 1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level
- 2. Web Application: Implement in the application middleware
- 3. Service Mesh: Configure at the ingress controller level
- 4. Standard Docker Image: Use secure base images with preset headers
-
- Remove or Secure:
- - Server header: Hide server version information
- - X-Powered-By: Remove technology stack information
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 4
- level: 3
- implementation:
- - uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
- name: OWASP Secure Headers Project
- tags:
- - header
- - documentation
- url: https://owasp.org/www-project-secure-headers/
- description: "The OWASP Secure Headers Project (also called OSHP) describes
- HTTP response headers that your application can use \nto increase the security
- of your application. Once set, these HTTP response headers can restrict
- modern browsers \nfrom running into easily preventable vulnerabilities.
- The OWASP Secure Headers Project intends to raise awareness\nand use of
- these headers."
- meta:
- implementationGuide: |
- Essential headers:
- - Content-Security-Policy: Define trusted sources for content
- - Strict-Transport-Security: Enforce HTTPS connections
- - X-Frame-Options: Prevent clickjacking attacks
- - X-Content-Type-Options: Prevent MIME-type sniffing
- - X-XSS-Protection: Enable browser's XSS filtering
- - Referrer-Policy: Control information in the Referrer header
- references:
- samm2:
- - D-SR-3-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/cre/620-421
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Development and Source Control:
- .gitignore:
- uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d
- risk: Unintended leakage of secrets, debug, or workstation specific data
- measure: .gitignore files help prevent accidental commits of secrets, debug,
- or workstation specific data
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 5
- level: 4
- dependsOn: []
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.1.1
- - 12.1.2
- - 14.2.2
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.37
- - 8.32
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Block force pushes:
- uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17
- risk: "Misuse of force push can lead to loss of work. It may overwrite remote
- \nbranches without warning, potentially erasing valuable contributions from
- team members. This can disrupt collaboration, \ncause data loss, and create
- confusion in the development process.\n\nBypassing the pull request process
- might remove an important code review step. \nThis increases the risk of merging
- low-quality or buggy code into the main branch, potentially introducing bugs
- in the codebase."
- measure: Mandate blocking of force pushes in the version control platform.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 3
- level: 3
- dependsOn:
- - Require a PR before merging
- implementation:
- - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
- name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
- tags:
- - source-code-protection
- - scm
- - uuid: 99211481-de9c-4358-880e-628366416a27
- name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
- tags:
- - source-code-protection
- - scm
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - 5.3
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Dismiss stale PR approvals:
- uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162
- risk: Intentional or accidental alterations in critical branches like main (or
- master) through post-approval code additions.
- measure: Implement a policy where any commits made after a pull request has
- been approved automatically revoke that approval, necessitating a fresh review
- and re-approval process.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - Require a PR before merging
- implementation:
- - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
- name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
- tags:
- - source-code-protection
- - scm
- - uuid: 99211481-de9c-4358-880e-628366416a27
- name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
- tags:
- - source-code-protection
- - scm
- - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4
- name: Enforcement of commit signing
- tags:
- - signing
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
- description: Usage of branch protection rules
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Peer review - four eyes principle is not explicitly required by ISO 27001
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - Peer review - four eyes principle is not explicitly required by ISO 27001
- - 5.3
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Local development linting & style checks performed:
- uuid: 517b0957-4981-4ac0-b4c7-0d8d1934c474
- risk: Insecure or unmaintainable code base.
- measure: Integrate static code analysis tools in IDEs.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 2
- level: 5
- description: ""
- implementation:
- - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe
- name: How to enforce a consistent coding style in your projects
- url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm
- tags:
- - ide
- - linting
- - uuid: aa5ded61-5380-4da6-9474-afc36a397682
- name: In-Depth Linting of Your TypeScript While Coding
- url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
- tags:
- - ide
- - linting
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - ISO 27001:2017 mapping is missing
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Require a PR before merging:
- uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2
- risk: Intentional or accidental alterations in critical branches like main (or
- master).
- measure: Define source code management system policies (e.g. branch protection
- rules, mandatory code reviews from at least one person, ...) to ensure that
- changes to critical branches are only possible under defined conditions. These
- policies can be implemented at repository level or organization level, depending
- on the source code management system.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 4
- level: 2
- implementation:
- - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
- name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
- tags:
- - source-code-protection
- - scm
- - uuid: 99211481-de9c-4358-880e-628366416a27
- name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
- tags:
- - source-code-protection
- - scm
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Peer review - four eyes principle is not explicitly required by ISO 27001
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - Peer review - four eyes principle is not explicitly required by ISO 27001
- - 5.3
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Require status checks to pass:
- uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee
- risk: Organizations risk introducing broken builds, quality issues, and security
- vulnerabilities into their codebase.
- measure: Mandate passing of security related specified status checks, like successful
- builds or static application security tests, before proceeding.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - Require a PR before merging
- implementation:
- - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
- name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
- tags:
- - source-code-protection
- - scm
- - uuid: 99211481-de9c-4358-880e-628366416a27
- name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
- tags:
- - source-code-protection
- - scm
- - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4
- name: Enforcement of commit signing
- tags:
- - signing
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
- description: Usage of branch protection rules
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - 5.3
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Versioning:
- uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f
- risk: Deployment of untracked artifacts.
- measure: Version artifacts in order to identify deployed features and issues.
- This includes application and infrastructure code, jenkins configuration,
- container and virtual machine images.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 3
- usefulness: 5
- level: 1
- dependsOn:
- - Defined deployment process
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.1.1
- - 12.1.2
- - 14.2.2
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.37
- - 8.32
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
- and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Infrastructure Hardening:
- Applications are running in virtualized environments:
- uuid: 3a94d55e-fd82-4996-9eb3-20d23ff2a873
- risk: Through a vulnerability in one service on a server, the attacker gains
- access to other services running on the same server.
- measure: Applications are running in a dedicated and isolated virtualized environments.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 5
- usefulness: 3
- level: 2
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Backup:
- uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc
- risk: If errors are experienced during the deployment process you want to deploy
- an old release. However, due to changes in the database this is often unfeasible.
- measure: Performing automated periodical backups are used. Backup before deployment
- can help facilitate deployments whilst testing the backup restore processes.
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- implementation:
- - uuid: ba7348e5-1abf-4c7d-8fbc-49f99460930b
- name: A complete backup of persisted data might be performed*.
- tags: []
- - uuid: 9af7624e-0729-4eeb-b257-ebaf65f70355
- name: A Point in Time Recovery for databases should be implemented.
- tags: []
- dependsOn:
- - Defined deployment process
- references:
- samm2:
- - TODO
- iso27001-2017:
- - 12.3
- - 14.2.6
- iso27001-2022:
- - 8.13
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Baseline Hardening of the environment:
- uuid: 5992c38c-8597-4035-89db-d15820d81c3a
- risk: Using default configurations for a cluster environment leads to potential
- risks.
- measure: Harden environments according to best practices. Level 1 and partially
- level 2 from hardening practices like 'CIS Kubernetes Bench for Security'
- should be considered.
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 2
- usefulness: 4
- level: 2
- implementation:
- - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff
- name: CIS Kubernetes Benchmark for Security
- tags: []
- url: https://www.cisecurity.org/benchmark/kubernetes
- - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f
- name: CIS Docker Benchmark for Security
- tags: []
- url: https://www.cisecurity.org/benchmark/docker
- - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef
- name: For example for Cont
- tags: []
- description: 'For example for Containers: Deny running containers as root,
- deny using advanced privileges, deny mounting of the hole filesystem, ...'
- url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/
- - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b
- name: Attack Matrix Cloud
- tags:
- - mitre
- url: https://attack.mitre.org/matrices/enterprise/cloud/
- description: Attack matrix for cloud
- - uuid: 59881520-4c69-4922-a44e-99044a77de2b
- name: Attack Matrix Containers
- tags:
- - mitre
- url: https://attack.mitre.org/matrices/enterprise/containers/
- description: Attack matrix for containers
- - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935
- name: Attack Matrix Kubernetes
- tags:
- - mitre
- url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- description: Attack matrix for kubernetes
- - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af
- name: Defend the core kubernetes security at every layer
- url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/
- tags:
- - documentation
- - cluster
- - kubernetes
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - system hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/5992c38c-8597-4035-89db-d15820d81c3a
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Filter outgoing traffic:
- uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d
- risk: A compromised infrastructure component might try to send out stolen data.
- measure: Having a whitelist and explicitly allowing egress traffic provides
- the ability to stop unauthorized data leakage.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 3
- usefulness: 2
- level: 3
- dependsOn: []
- implementation:
- - uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867
- name: Open Policy Agent
- tags: []
- url: https://www.openpolicyagent.org/
- - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7
- name: firewalls
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Hardening of the Environment:
- uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33
- risk: Using default configurations for a cluster environment leads to potential
- risks.
- measure: Harden environments according to best practices. Level 2 and partially
- level 3 from hardening practices like 'CIS Kubernetes Bench for Security'
- should be considered.
- difficultyOfImplementation:
- knowledge: 4
- time: 4
- resources: 2
- usefulness: 3
- level: 4
- implementation:
- - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff
- name: CIS Kubernetes Benchmark for Security
- tags: []
- url: https://www.cisecurity.org/benchmark/kubernetes
- - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f
- name: CIS Docker Benchmark for Security
- tags: []
- url: https://www.cisecurity.org/benchmark/docker
- - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef
- name: For example for Cont
- tags: []
- description: 'For example for Containers: Deny running containers as root,
- deny using advanced privileges, deny mounting of the hole filesystem, ...'
- url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/
- - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b
- name: Attack Matrix Cloud
- tags:
- - mitre
- url: https://attack.mitre.org/matrices/enterprise/cloud/
- description: Attack matrix for cloud
- - uuid: 59881520-4c69-4922-a44e-99044a77de2b
- name: Attack Matrix Containers
- tags:
- - mitre
- url: https://attack.mitre.org/matrices/enterprise/containers/
- description: Attack matrix for containers
- - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935
- name: Attack Matrix Kubernetes
- tags:
- - mitre
- url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- description: Attack matrix for kubernetes
- - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af
- name: Defend the core kubernetes security at every layer
- url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/
- tags:
- - documentation
- - cluster
- - kubernetes
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Immutable infrastructure:
- uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833
- risk: The availability of IT systems might be disturbed due to components failures
- measure: Redundancies in the IT systems
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 3
- dependsOn:
- - Infrastructure as Code
- implementation:
- - uuid: b206481f-9c66-45e2-843c-37c5730580cd
- name: Remove direct access to infrastructure
- tags: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 17.2.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.14
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Infrastructure as Code:
- uuid: 8b994601-575e-4ea5-b228-accb18c8e514
- risk: No tracking of changes in systems might lead to errors in the configuration.
- In additions, it might lead to unauthorized changes. An examples is jenkins.
- measure: Systems are setup by code. A full environment can be provisioned. In
- addition, software like Jenkins 2 can be setup and configured in in code too.
- The code should be stored in a version control system.
- difficultyOfImplementation:
- knowledge: 3
- time: 5
- resources: 4
- usefulness: 4
- level: 3
- implementation:
- - uuid: b0931397-2402-44f1-814b-63292ab4a339
- name: GitOps
- tags: []
- url: https://www.redhat.com/en/topics/devops/what-is-gitops
- - uuid: 73747d35-2185-4f22-94a0-723288fa283c
- name: Ansible
- tags: []
- url: https://github.com/ansible/ansible
- - uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce
- name: Chef
- tags: []
- url: https://github.com/chef/chef
- - uuid: eb7f76a8-87e5-4394-af4c-c09487c85982
- name: Puppet
- tags: []
- url: https://github.com/puppetlabs/puppet
- - uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458
- name: Jenkinsfile
- tags: []
- url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.1.1
- - 12.1.2
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.37
- - 8.32
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/8b994601-575e-4ea5-b228-accb18c8e514
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Isolated networks for virtual environments:
- uuid: 4ce24abd-8ba6-494c-828d-4d193e28e4a1
- risk: Virtual environments in default settings are able to access other virtual
- environments on the network stack. By using virtual machines, it is often
- possible to connect to other virtual machines. By using docker, one bridge
- is used by default so that all containers on one host can communicate with
- each other.
- measure: The communication between virtual environments is controlled and regulated.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 3
- usefulness: 5
- level: 2
- dependsOn: []
- implementation:
- - uuid: 9429d52c-203d-49ae-814f-1401210887cd
- name: istio
- tags: []
- url: https://istio.io/
- - uuid: fc0eda30-2bf7-466f-948e-e17584db9f30
- name: bridges
- tags: []
- - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7
- name: firewalls
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Limitation of system events:
- uuid: e5386abf-9154-4752-a1a8-c3a8900f732d
- risk: System events (system calls) can lead to privilege escalation.
- measure: System calls are limited.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 5
- level: 3
- dependsOn:
- - Audit of system events
- implementation:
- - uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd
- name: seccomp
- tags: []
- url: https://man7.org/linux/man-pages/man2/seccomp.2.html
- - uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff
- name: strace
- tags: []
- url: https://man7.org/linux/man-pages/man1/strace.1.html
- - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012
- name: Falco
- tags:
- - falco
- - systemcall
- - monitoring
- url: https://github.com/falcosecurity/falco
- description: |
- Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- MFA:
- uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de
- risk: One factor authentication is more vulnerable to brute force attacks and
- is considered less secure.
- measure: Two ore more factor authentication for all accounts on all (important)
- systems and applications
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 4
- level: 2
- dependsOn:
- - MFA for admins
- implementation:
- - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8
- name: YubiKey - Smartcard
- tags: []
- url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
- - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8
- name: SMS
- tags: []
- - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d
- name: TOTP
- tags: []
- url: https://d3fend.mitre.org/technique/d3f:One-timePassword/
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 9.2.4
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - 5.17
- - 5.3
- - 8.25
- d3f:
- - Multi-factorAuthentication
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- MFA for admins:
- uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57
- risk: One factor authentication is more vulnerable to brute force attacks and
- is considered less secure.
- measure: Two ore more factor authentication for all privileged accounts on systems
- and applications
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 4
- level: 1
- implementation:
- - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8
- name: YubiKey - Smartcard
- tags: []
- url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
- - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8
- name: SMS
- tags: []
- - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d
- name: TOTP
- tags: []
- url: https://d3fend.mitre.org/technique/d3f:One-timePassword/
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 9.2.4
- - 6.1.2
- - 14.2.1
- iso27001-2022:
- - 5.17
- - 5.3
- - 8.25
- d3f:
- - Multi-factorAuthentication
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Microservice-architecture:
- uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a
- risk: Monolithic applications are hard to test.
- measure: A microservice-architecture helps to have small components, which are
- more easy to test.
- difficultyOfImplementation:
- knowledge: 4
- time: 5
- resources: 5
- usefulness: 1
- level: 5
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Production near environments are used by developers:
- uuid: e14de741-94b3-447c-8b07-eea947d82e61
- risk: In case an errors occurs in production, the developer need to be able
- to create a production near environment on a local development environment.
- measure: Usage of infrastructure as code helps to create a production near environment.
- The developer needs to be trained in order to setup a local development environment.
- In addition, it should be possible to create production like test data. Often
- personal identifiable information is anonymized in order to comply with data
- protection laws.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 3
- usefulness: 4
- level: 4
- dependsOn:
- - Defined deployment process
- - Infrastructure as Code
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 12.1.4
- - 17.2.1
- iso27001-2022:
- - 8.31
- - 8.14
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/e14de741-94b3-447c-8b07-eea947d82e61
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Role based authentication and authorization:
- uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9
- risk: Everyone is able to get unauthorized access to information on systems
- or to modify information unauthorized on systems.
- measure: The usage of a (role based) access control helps to restrict system
- access to authorized users.
- difficultyOfImplementation:
- knowledge: 2
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: 04edc63e-d389-48dd-b365-552aaf4ea004
- name: Directory Service
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/
- - uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e
- name: Plugins
- tags: []
- dependsOn:
- - Defined deployment process
- - Defined build process
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 9.4.1
- iso27001-2022:
- - 8.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple access control for systems:
- uuid: 82e499d1-f463-4a4b-be90-68812a874af6
- risk: Attackers a gaining access to internal systems and application interfaces
- measure: All internal systems are using simple authentication
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 3
- usefulness: 5
- level: 1
- dependsOn:
- - Defined deployment process
- implementation:
- - uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9
- name: HTTP-Basic Authentication
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/
- - uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e
- name: VPN
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - 9.4.1
- iso27001-2022:
- - 8.3
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/82e499d1-f463-4a4b-be90-68812a874af6
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of a chaos technology:
- uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe
- risk: Due to manual changes on a system, they are not replaceable anymore. In
- case of a crash it might happen that a planned redundant system is unavailable.
- In addition, it is hard to replay manual changes.
- measure: A randomized periodically shutdown of systems makes sure, that nobody
- will perform manual changes to a system.
- difficultyOfImplementation:
- knowledge: 3
- time: 5
- resources: 5
- usefulness: 3
- level: 4
- implementation:
- - uuid: c117e79b-8223-4e55-9da5-efbf5d741c15
- name: Chaos Monkey
- tags:
- - chaos
- - testing
- url: https://github.com/Netflix/chaosmonkey
- description: Chaos Monkey is a resiliency tool that helps applications tolerate
- random instance failures. Chaos Monkey randomly terminates virtual machine
- instances and containers that run inside of your production environment.
- Exposing engineers to failures more frequently incentivizes them to build
- resilient services.
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 17.1.3
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of an security account:
- uuid: 746025a6-dbfb-4087-a000-e46acab64ee1
- risk: Having security auditing in the same account as infrastructure and applications
- at the cloud provide might cause evil administrators (or threat actors taking
- over an account of an administrator) to alter evidence like audit logs.
- measure: Usage of a separate account dedicated for security activities.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 3
- usefulness: 4
- level: 2
- implementation: ""
- references:
- samm2:
- - I-SD-2-B
- iso27001-2017:
- - 10.1
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/746025a6-dbfb-4087-a000-e46acab64ee1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of edge encryption at transit:
- uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629
- risk: Evil actors might be able to perform a man in the middle attack and sniff
- confidential information (e.g. authentication factors like passwords).
- measure: |-
- By using encryption at the edge of traffic in transit, it is impossible
- or at least harder to sniff credentials or information being outside of the organization.
-
- Using standard secure protocols like HTTPS is recommended.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 1
- implementation: ""
- references:
- samm2:
- - I-SD-2-B
- iso27001-2017:
- - 10.1
- iso27001-2022:
- - 8.24
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of encryption at rest:
- uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060
- risk: Evil actors might be able to access data and read information, e.g. from
- physical hard disks.
- measure: By using encryption at rest, it is impossible or at least harder to
- to read information.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- implementation: ""
- references:
- samm2:
- - I-SD-2-B
- iso27001-2017:
- - 10.1
- iso27001-2022:
- - 8.24
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of internal encryption at transit:
- uuid: ecb0184c-6bc9-45da-bbbb-a983797ffc93
- risk: Evil actors within the organization of traffic in transit might be able
- to perform a man in the middle attack and sniff confidential information (e.g.
- authentication factors like passwords)
- measure: By using encryption internally, e.g. inside of a cluster, it is impossible
- or at least harder to sniff credentials.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 3
- usefulness: 4
- level: 3
- implementation: ""
- references:
- samm2:
- - I-SD-2-B
- iso27001-2017:
- - 10.1
- iso27001-2022:
- - 8.24
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of security by default for components:
- uuid: 11b3848e-e931-4146-a35d-35409ada24ee
- risk: Components (images, libraries, applications) are not hardened.
- measure: Hardening of components is important, specially for image on which
- other teams base on. Hardening should be performed on the operation system
- and on the services inside (e.g. Nginx or a Java-Application).
- difficultyOfImplementation:
- knowledge: 4
- time: 3
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: d7fb1f5a-05e3-49f7-ae67-00bfb8f8410c
- name: 'For applications: Check default encoding'
- tags: []
- - uuid: 7e744f11-976e-46b6-88d4-f39b2965dfaf
- name: managing secrets
- tags: []
- url: https://d3fend.mitre.org/technique/d3f:CredentialHardening/
- - uuid: 520517ef-2911-4efc-8e1b-dcc9389aca45
- name: crypto
- tags: []
- - uuid: ba6bd46c-2069-4f4d-b26c-7334a7553339
- name: authentication
- tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/
- dependsOn:
- - Defined build process
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - not explicitly covered by ISO 27001 - too specific
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/11b3848e-e931-4146-a35d-35409ada24ee
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of test and production environments:
- uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415
- risk: Security tests are not running regularly because test environments are
- missing
- measure: A test and a production like environment is used
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 5
- usefulness: 4
- level: 2
- dependsOn:
- - Defined deployment process
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.1.4
- - 17.2.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.31
- - 8.14
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Virtual environments are limited:
- uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca
- risk: Denial of service (internally by an attacker or unintentionally by a bug)
- on one service effects other services
- measure: All virtual environments are using resource limits on hard disks, memory
- and CPU
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 3
- usefulness: 3
- level: 2
- dependsOn:
- - Applications are running in virtualized environments
- implementation: []
- references:
- samm2:
- - O-EM-1-A
- iso27001-2017:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 12.1.3
- - 13.1.3
- - 17.2.1
- iso27001-2022:
- - Virtual environments are not explicitly covered by ISO 27001 - too specific
- - 8.6
- - 8.22
- - 8.14
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- WAF Advanced:
- uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced
- risk: The presence of sophisticated threats necessitates a robust defense strategy
- where application inputs are meticulously scrutinized for security breaches,
- including advanced persistent threats and zero-day vulnerabilities.
- measure: An advanced WAF protection level includes rigorous input validation,
- rejecting any parameters not explicitly required, and custom rule sets that
- are dynamically updated in response to emerging threats.
- description: |
- The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape.
- difficultyOfImplementation:
- knowledge: 5
- time: 5
- resources: 5
- usefulness: 4
- level: 5
- dependsOn:
- - WAF medium
- implementation: []
- references:
- samm2:
- - D-SR-3-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced
- comments: ~
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- WAF baseline:
- uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b
- risk: Vulnerable input, such as exploits, can infiltrate the application via
- numerous entry points, posing a significant security threat.
- measure: Implementing a web application firewall (WAF) is a critical security
- control. At a baseline level, the objective is to finely balance the reduction
- of false positives, maintaining user experience, against a potential increase
- in the less noticeable false negatives.
- description: |
- Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 3
- usefulness: 3
- level: 3
- dependsOn:
- - Context-aware output encoding
- implementation: []
- references:
- samm2:
- - D-SR-3-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b
- comments: ~
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- WAF medium:
- uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium
- risk: The threat from malicious inputs remains high, with exploits seeking to
- exploit any vulnerabilities present at the various points of entry to the
- application.
- measure: A WAF deployed with a medium level of protection strengthens the security
- posture by striking a more advanced balance between the detection of genuine
- threats and the minimization of false alarms.
- description: |
- Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic.
- difficultyOfImplementation:
- knowledge: 4
- time: 5
- resources: 4
- usefulness: 3
- level: 4
- dependsOn:
- - WAF baseline
- implementation: []
- references:
- samm2:
- - D-SR-3-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
- Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium
- comments: ~
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
-Information Gathering:
- Logging:
- Centralized application logging:
- uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04
- risk: Local stored logs can be unauthorized manipulated by attackers with system
- access or might be corrupt after an incident. In addition, it is hard to perform
- an correlation of logs. This leads attacks, which can be performed silently.
- measure: A centralized logging system is used and applications logs (including
- application exceptions) are shipped to it.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 5
- level: 2
- dependsOn:
- - Alerting
- implementation: []
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.4.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/fe875e17-ae4a-45f8-a359-244aa4fcbc04
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Centralized system logging:
- uuid: 4eced38a-7904-4c45-adb0-50b663065540
- risk: Local stored system logs can be unauthorized manipulated by attackers
- or might be corrupt after an incident. In addition, it is hard to perform
- a aggregation of logs.
- measure: By using centralized logging logs are protected against unauthorized
- modification.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 2
- level: 1
- implementation:
- - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66
- name: rsyslog
- url: https://www.rsyslog.com/
- tags:
- - tool
- - logging
- - uuid: 7a8fad2e-d642-4972-8501-74591b23feab
- name: logstash
- url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
- tags:
- - tool
- - logging
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.4.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Correlation of security events:
- uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5
- risk: Detection of security related events with hints on different systems/tools/metrics
- is not possible.
- measure: Events are correlated on one system. For example the correlation and
- visualization of failed login attempts combined with successful login attempts.
- difficultyOfImplementation:
- knowledge: 4
- time: 4
- resources: 4
- usefulness: 3
- level: 5
- dependsOn:
- - Visualized logging
- - Alerting
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.4.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Logging of security events:
- uuid: ccfdd0a8-991e-4269-ad77-c0a54ca655cb
- description: |
- Implement logging of security relevant events. The following events tend to be security relevant:
- - successful/failed login/logout
- - creation, change, and deletion of users
- - errors during input validation and output creation
- - exceptions and errors with security in their name
- - transactions of value (e.g., financial transactions, costly operations)
- - :unicorn: (special things of your application)
- measure: Security-relevant events like login/logout or creation, change, deletion
- of users should be logged.
- assessment: |
- - Show which events are logged.
- - Show a test for one event logging.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 4
- level: 2
- credits: |
- [AppSecure-nrw](https://github.com/AppSecure-nrw/security-belts/blob/master/orange/logging-of-security-events.md)
- implementation:
- - uuid: 7a8fad2e-d642-4972-8501-74591b23feab
- name: logstash
- url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
- tags:
- - tool
- - logging
- - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45
- name: fluentd
- tags:
- - tool
- url: https://www.fluentd.org/
- - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531
- name: bash
- tags:
- - tool
- url: https://www.gnu.org/software/bash/
- - uuid: 5a5c7d99-41e8-454a-86ae-a638c9787d8c
- name: OWASP Logging CheatSheet
- url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
- tags:
- - logging
- - documentation
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - 12.4.1
- iso27001-2022:
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccfdd0a8-991e-4269-ad77-c0a54ca655cb
- risk: |-
- * No track of security-relevant events makes it harder to analyze an incident.
- * Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches his goal.
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- PII logging concept:
- uuid: 613a73dc-4f60-49db-a6ce-4fb7bf8519f9
- risk: Personal identifiable information (PII) is logged and the privacy law
- (e.g. General Data Protection Regulation) is not followed.
- measure: A concept how to log PII is documented and applied.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 1
- level: 5
- implementation:
- - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66
- name: rsyslog
- url: https://www.rsyslog.com/
- tags:
- - tool
- - logging
- - uuid: 7a8fad2e-d642-4972-8501-74591b23feab
- name: logstash
- url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
- tags:
- - tool
- - logging
- - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45
- name: fluentd
- tags:
- - tool
- url: https://www.fluentd.org/
- - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531
- name: bash
- tags:
- - tool
- url: https://www.gnu.org/software/bash/
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.4.1
- - 18.1.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.15
- - 5.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Visualized logging:
- uuid: 7c735089-6a83-419f-8b27-c1e676cedea1
- risk: System and application protocols are not visualized properly which leads
- to no or very limited logging assessment. Specially developers might have
- difficulty to read applications logs with unusually tools like the Linux tool
- 'cat'
- measure: Protocols are visualized in a simple to use real time monitoring system.
- The GUI gives the ability to search for special attributes in the protocol.
- difficultyOfImplementation:
- knowledge: 1
- time: 3
- resources: 3
- usefulness: 4
- level: 3
- dependsOn:
- - Centralized system logging
- - Centralized application logging
- implementation:
- - uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3
- name: ELK-Stack
- tags: []
- url: https://www.elastic.co/elk-stack
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.4.1
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Monitoring:
- Advanced app. metrics:
- uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf
- risk: People are not looking into tests results. Vulnerabilities not recolonized,
- even they are detected by tools.
- measure: All defects from the dimension Test- and Verification are instrumented.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 2
- usefulness: 4
- level: 4
- dependsOn:
- - Simple application metrics
- - Visualized metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Advanced availability and stability metrics:
- uuid: ed715b38-c34b-40cd-83fd-ce807f306fc1
- risk: Trends and advanced attacks are not detected.
- measure: Advanced metrics are gathered in relation to availability and stability.
- For example unplanned downtime's per year.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - Simple application metrics
- - Visualized metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - 12.1.3
- iso27001-2022:
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Alerting:
- uuid: 8a442d8e-0eb1-4793-a513-571aef982edd
- risk: Incidents are discovered after they happened.
- measure: |
- Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically.
- difficultyOfImplementation:
- knowledge: 2
- time: 5
- resources: 5
- usefulness: 5
- level: 2
- dependsOn:
- - Visualized metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- - I-DM-3-A
- iso27001-2017:
- - 16.1.2
- - 16.1.4
- - 12.1.4
- iso27001-2022:
- - 6.8
- - 5.25
- - 8.31
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Audit of system events:
- uuid: 1cd5e4b8-be36-4726-adc7-d8f843f47ac8
- risk: System events (system calls) trends and attacks are not detected.
- measure: Gathering of system calls.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - Visualized metrics
- implementation:
- - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012
- name: Falco
- tags:
- - falco
- - systemcall
- - monitoring
- url: https://github.com/falcosecurity/falco
- description: |
- Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Coverage and control metrics:
- uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d
- risk: The effectiveness of configuration, patch and vulnerability management
- is unknown.
- measure: "Usage of Coverage- and control-metrics to show the effectiveness of
- the security program. Coverage is the degree in \n which a specific
- security control for a specific target group is applied with all resources.\n
- \ The control degree shows the actual application of security standards
- and security-guidelines. Examples are gathering information on anti-virus,
- anti-rootkits, patch management, server configuration and vulnerability management."
- difficultyOfImplementation:
- knowledge: 3
- time: 5
- resources: 2
- usefulness: 4
- level: 4
- dependsOn:
- - Visualized metrics
- implementation:
- - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d
- name: https://ht.transpare
- tags: []
- url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD
- description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - not explicitly covered by ISO 27001 - too specific
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Deactivation of unused metrics:
- uuid: 7f36b9ba-bc05-4fd6-9a2a-73344c249722
- risk: High resources are used while gathering unused metrics.
- measure: Deactivation of unused metrics helps to free resources.
- difficultyOfImplementation:
- knowledge: 2
- time: 5
- resources: 5
- usefulness: 5
- level: 3
- dependsOn:
- - Visualized metrics
- implementation: []
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.1.3
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Defense metrics:
- uuid: e808028c-351c-42f1-bcd9-fba738d1fc55
- risk: IDS/IPS systems like packet- or application-firewalls detect and prevent
- attacks. It is not known how many attacks has been detected and blocked.
- measure: |
- Gathering of defense metrics like TCP/UDP sources enables to assume the geographic location of the request.
- Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered.
- difficultyOfImplementation:
- knowledge: 3
- time: 5
- resources: 2
- usefulness: 4
- level: 4
- dependsOn:
- - Visualized metrics
- - Filter outgoing traffic
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - 12.4.1
- - 13.1.1
- iso27001-2022:
- - 8.15
- - 8.2
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Grouping of metrics:
- uuid: 42170a71-d4c8-47af-bd71-bf36875fd05b
- risk: The analysis of metrics takes long.
- measure: Meaningful grouping of metrics helps to speed up analysis.
- difficultyOfImplementation:
- knowledge: 2
- time: 4
- resources: 2
- usefulness: 2
- level: 3
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 12.1.3
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Metrics are combined with tests:
- uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506
- risk: Changes might cause high load due to programming errors.
- measure: Metrics during tests helps to identify programming errors.
- difficultyOfImplementation:
- knowledge: 2
- time: 3
- resources: 2
- usefulness: 5
- level: 5
- dependsOn:
- - Grouping of metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - not explicitly covered by ISO 27001
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Monitoring of costs:
- uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e
- risk: Not monitoring costs might lead to unexpected high resource consumption
- and a high invoice.
- measure: Implement cost budgets. Setting of an alert threshold and sending out
- errors when it is reached. In the best case, a second threshold with a limit
- is set so that the cost can not go higher.
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- dependsOn:
- - Simple application metrics
- - Simple system metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - 12.1.3
- iso27001-2022:
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Screens with metric visualization:
- uuid: 8746647c-638c-473f-8e17-82c068e4c311
- risk: Security related information is discovered too late during an incident.
- measure: By having an internal accessible screen with a security related dashboards
- helps to visualize incidents.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 5
- level: 4
- dependsOn:
- - Grouping of metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 16.1.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.26
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple application metrics:
- uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1
- risk: Attacks on an application are not recognized.
- measure: |-
- Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include:
- - Authentication attempts (successful/failed logins)
- - Transaction volumes and patterns (e.g. orders, payments)
- - API call rates and response times
- - User session metrics
- - Resource utilization
-
- Example: An e-commerce application normally processes 100 orders per hour. A sudden spike to 1000 orders per hour could indicate either:
- - A legitimate event (unannounced marketing campaign, viral social media post)
- - A security incident (automated bulk purchase bots, credential stuffing attack)
-
- By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 5
- level: 1
- implementation:
- - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c
- name: Prometheus
- tags: []
- url: https://prometheus.io/
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - 12.4.1
- iso27001-2022:
- - 8.15
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple budget metrics:
- uuid: f08a3219-6941-43ec-8762-4aff739f4664
- risk: Not getting notified about reaching the end of the budget (e.g. due to
- a denial of service) creates unexpected costs.
- measure: Cloud providers often provide insight into budgets. A threshold and
- alarming for the budget is set.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 5
- level: 1
- implementation:
- - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
- name: collected
- tags: []
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - 12.1.3
- iso27001-2022:
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple system metrics:
- uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03
- risk: Without simple metrics analysis of incidents are hard. In case an application
- uses a lot of CPU from time to time, it is hard for a developer to find out
- the source with Linux commands.
- measure: Gathering of system metrics helps to identify incidents and specially
- bottlenecks like in CPU usage, memory usage and hard disk usage.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 5
- assessment: |
- Are system metrics gathered?
- level: 1
- implementation:
- - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
- name: collected
- tags: []
- references:
- samm2:
- - O-IM-1-A
- iso27001-2017:
- - 12.1.3
- iso27001-2022:
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Targeted alerting:
- uuid: d6f06ae8-401a-4f44-85df-1079247fa030
- risk: People are bored (ignorant) of incident alarm messages, as they are not
- responsible to react.
- measure: By the definition of target groups for incidents people are only getting
- alarms for incidents they are in charge for.
- difficultyOfImplementation:
- knowledge: 2
- time: 5
- resources: 5
- usefulness: 5
- level: 3
- dependsOn:
- - Alerting
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- - I-DM-3-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 16.1.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.26
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Visualized metrics:
- uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734
- risk: Not visualized metrics lead to restricted usage of metrics.
- measure: Metrics are visualized in real time in a user friendly way.
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- dependsOn:
- - Simple application metrics
- - Simple system metrics
- implementation: []
- references:
- samm2:
- - O-IM-2-A
- iso27001-2017:
- - 12.1.3
- iso27001-2022:
- - 8.6
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test KPI:
- Fix rate per repo/product:
- uuid: cf0d600e-114d-4887-9059-d81c53805f0d
- risk: "Not communicating how many applications are adhering to SLAs based on
- the criticality of vulnerabilities can lead to delayed remediation of \ncritical
- security issues, increasing the risk of exploitation and potential damage
- to the organization."
- measure: "Measurement and communication of the number of vulnerabilities handled
- per severity level for components such as applications, ensuring alignment
- with SLAs. \nThe rate should be broken down by team, product, application,
- repository, and/or service. This analysis should be conducted at least quarterly."
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
- name: Business friendly vulnerability management metrics
- url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
- tags:
- - documentation
- - vulnerability
- - vulnerability management system
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
- name: DefectDojo Client
- tags:
- - Defectdojo
- - statistics
- url: https://github.com/SDA-SE/defectdojo-client
- description: |
- This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
- references:
- samm2:
- - I-DM-3-B
- - I-SB-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/cf0d600e-114d-4887-9059-d81c53805f0d
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
- Generation of response statistics:
- uuid: c922981b-65ed-40f3-a947-96fee9a0125f
- risk: No or delayed reaction to findings leads to potential exploitation of
- findings.
- measure: Creation and response statistics (e.g. Mean Time to Resolution) of
- findings. This is also referred to as _Mean Time to Resolve_.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- dependsOn:
- - Usage of a vulnerability management system
- level: 3
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
- name: Business friendly vulnerability management metrics
- url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
- tags:
- - documentation
- - vulnerability
- - vulnerability management system
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
- name: DefectDojo Client
- tags:
- - Defectdojo
- - statistics
- url: https://github.com/SDA-SE/defectdojo-client
- description: |
- This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
- references:
- samm2:
- - I-DM-2-B
- - I-SB-3-B
- iso27001-2017:
- - 16.1.4
- - 8.2.3
- iso27001-2022:
- - 5.25
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/c922981b-65ed-40f3-a947-96fee9a0125f
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurements
- comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client)
- generates statistics from OWASP DefectDojo and places the results in a [Github
- repository](https://github.com/pagel-pro/cluster-image-scanner-all-results).
- teamsImplemented:
- Default: false
- B: false
- C: false
- Number of vulnerabilities/severity:
- uuid: bc548cba-cb82-4f76-bd4b-325d9d256279
- risk: Failing to convey the number of vulnerabilities by severity might undermine
- the effectiveness of product teams. This might lead to ignorance of findings.
- measure: Measurement and communication of vulnerabilities per severity for components
- like applications. At least quarterly.
- description: |-
- Communication can be performed in a simple way, e.g. text based during the build process.
- This activity depends on at least one security testing implementation.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- dependsOn: []
- implementation: []
- references:
- samm2:
- - I-DM-3-B
- - I-SB-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/bc548cba-cb82-4f76-bd4b-325d9d256279
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurement
- teamsImplemented:
- Default: false
- B: false
- C: false
- Number of vulnerabilities/severity/layer:
- uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad
- risk: Failing to convey the number of vulnerabilities by severity and layer
- (app/infra) might undermine the effectiveness of product teams. This might
- lead to ignorance of findings.
- measure: Measurement and communication of vulnerabilities per severity for components
- like applications and split it depending on the layer (e.g. app/infra). At
- least quarterly.
- description: |-
- Communication can be performed in a simple way, e.g. text based during the build process.
- This activity depends on at least one security testing implementation.
- Layers to consider (SCA):
- - Cloud provider (if insights are possible)
- - Runtimes, e.g. Kubernetes nodes
- - Base images and container images
- - Application
-
- Layers to consider SAST/DAST:
- - Cloud provider
- - Runtime, e.g. Kubernetes
- - Base images and container images
- - Application
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- dependsOn: []
- implementation: []
- references:
- samm2:
- - I-DM-3-B
- - I-SB-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/0ec92899-a5cb-4649-984b-2fb1d6c784ad
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurement
- teamsImplemented:
- Default: false
- B: false
- C: false
- Patching mean time to resolution via PR:
- uuid: 86d490b9-d798-4a5b-a011-ab9688014c46
- risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
- it is challenging to identify delays in the patching process. Unaddressed
- vulnerabilities can be exploited by attackers, leading to potential security
- breaches and data loss.
- measure: "Measurement and communication of patching Mean Time to Resolution
- (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least
- on a quarterly basis.\nThis includes the measurement of the existence of a
- properly configured automated pull request (PR) tool (e.g., Dependabot or
- Renovate) in a repository. \nIn addition, the measurement of the time from
- opening an automated PR to merging it.\n\nAverage time to patch is visualized
- per component/project/team."
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 2
- usefulness: 3
- level: 2
- dependsOn:
- - Automated PRs for patches
- implementation: []
- references:
- samm2:
- - I-DM-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/86d490b9-d798-4a5b-a011-ab9688014c46
- tags:
- - patching
- - metrics
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
- Patching mean time to resolution via production:
- uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
- risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
- it is challenging to identify delays in the patching process. Unaddressed
- vulnerabilities can be exploited by attackers, leading to potential security
- breaches and data loss.
- measure: |-
- Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
- Average time to patch is visualized per component/project/team.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 2
- usefulness: 3
- level: 4
- dependsOn:
- - Patching mean time to resolution via PR
- - Automated PRs for patches
- implementation: []
- references:
- samm2:
- - I-DM-3-B
- iso27001-2017:
- - 16.1.4
- iso27001-2022:
- - 5.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
- tags:
- - patching
- - metrics
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
- SLA per criticality:
- uuid: 51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
- risk: "Not communicating how many applications are adhering to SLAs based on
- the criticality of vulnerabilities can lead to delayed remediation of \ncritical
- security issues, increasing the risk of exploitation and potential damage
- to the organization."
- measure: "Measurement and communication of how many of the vulnerabilities handling
- per severity for components like applications are aligned to SLAs. \nThis
- is performed for the hole organization and doesn't need to be broken down
- (yet) on team/product/application. \nAt least quarterly."
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- dependsOn: []
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
- name: Business friendly vulnerability management metrics
- url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
- tags:
- - documentation
- - vulnerability
- - vulnerability management system
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
- name: DefectDojo Client
- tags:
- - Defectdojo
- - statistics
- url: https://github.com/SDA-SE/defectdojo-client
- description: |
- This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
- references:
- samm2:
- - I-DM-3-B
- - I-SB-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
- KPI/51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
-Test and Verification:
- Application tests:
- High coverage of security related module and integration tests:
- uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a
- risk: Vulnerabilities are rising due to code changes in a complex microservice
- environment in not important components.
- measure: Implementation of security related tests via unit tests and integration
- tests. Including the test of libraries, in case the are not tested already.
- difficultyOfImplementation:
- knowledge: 5
- time: 5
- resources: 3
- usefulness: 3
- level: 5
- implementation: []
- references:
- samm2:
- - V-ST-3-B
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Security integration tests for important components:
- uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
- risk: Vulnerabilities are rising due to code changes in a complex microservice
- environment.
- measure: Implementation of essential security related integration tests. For
- example for authentication and authorization.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 2
- usefulness: 2
- level: 3
- references:
- samm2:
- - V-ST-3-B
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Security unit tests for important components:
- uuid: eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
- risk: Vulnerabilities are rising due to code changes.
- measure: Usage of unit tests to test important security related features like
- authentication and authorization.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 2
- usefulness: 3
- level: 2
- comments: |
- The integration of module tests takes place during development instead, it highlights vulnerabilities in sub-routines, functions, modules, libraries etc. checked.
- A sample implementation of unit tests are explained in the video [Shift-Left-Security with the Security Test Pyramid - Andreas Falk](https://www.youtube.com/watch?v=TzFZy3f7d8E) starting with minute 9.
- implementation:
- - uuid: cc2eec82-f3a7-4ae5-9ccb-3d75352b2e4d
- name: JUnit
- tags:
- - unittest
- url: https://junit.org/junit5/
- - uuid: fd56720a-ad4b-487c-b4c3-897a688672c4
- name: Karma
- tags: []
- url: https://karma-runner.github.io
- references:
- samm2:
- - V-ST-3-B
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Smoke Test:
- uuid: 73aaae0b-5d68-4953-9fa4-fd25bf665f2a
- risk: During a deployment an error might happen which leads to non-availability
- of the system, a part of the system or a feature.
- measure: Integration tests are performed against the production environment
- after each deployment.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 2
- level: 4
- implementation: []
- dependsOn:
- - Defined deployment process
- references:
- samm2:
- - V-ST-3-B
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
- tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Consolidation:
- Advanced visualization of defects:
- uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876
- risk: Correlation of the vulnerabilities of different tools to have an overview
- of the the overall security level per component/project/team is not given.
- measure: Findings are visualized per component/project/team.
- difficultyOfImplementation:
- knowledge: 2
- time: 4
- resources: 1
- usefulness: 2
- level: 4
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
- name: Business friendly vulnerability management metrics
- url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
- tags:
- - documentation
- - vulnerability
- - vulnerability management system
- references:
- samm2:
- - I-DM-3-B
- iso27001-2017:
- - 16.1.4
- - 8.2.1
- - 8.2.2
- - 8.2.3
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Artifact-based false positive treatment:
- uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f
- risk: Without artifact-specific false positive handling, teams must repeatedly
- triage the same findings across different versions or deployments of the same
- component, leading to inefficient use of security resources.
- measure: "Implement false positive marking and temporary acceptance of findings
- \nbased on specific artifacts (applications, components, or repositories).\nThis
- allows teams to suppress findings for specific versions or builds\nwhile maintaining
- visibility for future releases."
- description: |-
- Artifact-based false positive treatment enables more granular control
- over finding suppression by linking decisions to specific code artifacts,
- container images, or application versions. This approach helps maintain
- security oversight while reducing repeated analysis overhead.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 2
- dependsOn:
- - Simple false positive treatment
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- references:
- samm2:
- - I-DM-2-A
- - I-DM-2-B
- - I-SB-3-B
- iso27001-2017:
- - 16.1.4
- - 16.1.6
- iso27001-2022:
- - 5.25
- - 5.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f
- tags:
- - false-positive
- - defect-management
- teamsImplemented:
- Default: false
- B: false
- C: false
- Fix based on accessibility:
- uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed
- risk: Overwhelming volume of security findings from automated testing tools.
- This might lead to ignorance of findings.
- measure: Implement a simple risk-based prioritization framework for vulnerability
- remediation based on accessibility of the applications.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 3
- meta:
- implementationGuide: |-
- Develop a scoring system for asset accessibility, considering factors like:
- - Whether the asset is internet-facing (highly recommended)
- - The number of network hops required to reach the asset (recommended)
- - Authentication requirements for access (recommended)
- dependsOn:
- - Treatment of defects with severity high or higher
- - Inventory of production components
- implementation: ~
- references:
- samm2:
- - I-DM-3-B
- - I-SB-3-B
- iso27001-2017:
- - 16.1.4
- - 8.2.1
- - 8.2.2
- - 8.2.3
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/0c10a7f7-f78f-49f2-943d-19fdef248fed
- tags:
- - vuln-action
- - defect-management
- teamsImplemented:
- Default: false
- B: false
- C: false
- Global false positive treatment:
- uuid: 9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c
- risk: Without centralized false positive management across environments, organizations
- face inconsistent security decisions, duplicated analysis efforts, and potential
- security gaps when the same findings are handled differently across applications
- and teams.
- measure: "Implement global false positive and acceptance management that applies
- \nconsistently across all applications. This enables organization-wide security
- decisions and reduces redundant \nanalysis of common false positives."
- description: "Global false positive treatment allows (security) teams to make
- \norganization-wide decisions about specific vulnerabilities or finding \npatterns.
- When a finding is marked as a false positive or temporarily \naccepted at
- the global level, this decision automatically applies to \nall applications
- in the specified environment, ensuring consistency \nand operational efficiency."
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - Artifact-based false positive treatment
- - Usage of a vulnerability management system
- implementation: ~
- references:
- samm2:
- - I-DM-2-B
- - I-DM-3-A
- - I-SB-3-B
- iso27001-2017:
- - 16.1.3
- - 16.1.4
- - 16.1.6
- iso27001-2022:
- - 6.8
- - 5.25
- - 5.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c
- tags:
- - false-positive
- - defect-management
- teamsImplemented:
- Default: false
- B: false
- C: false
- Integration in development process:
- uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d
- risk: "Not integrating vulnerability handling into the development process may
- result in product teams ignoring findings. \n\nSecurity joke: We will gain
- 100% false negatives."
- measure: Integration of findings into the development process. E.g. adding findings
- to the backlog of products teams.
- description: |-
- Validating Findings by Security Engineers Pros:
- - Ensures accuracy and relevance of findings before they reach product teams
- - Reduces false positives, saving development teams time and effort
- - Might provides a layer of expertise in assessing the severity and impact of vulnerabilities
-
- Validating Findings by Security Engineers Cons:
- - Requires a sufficient number of skilled security engineers, which might be challenging for some organizations
- - May slow down the process if security engineers are overloaded with validation tasks
- - For Software Composition Analysis findings (known vulnerabilities) I, as a sec. eng., struggle to analysis if it is a false positive/true positive due to a lack of insights in the application
-
- Pushing Findings Directly to Product Teams Pros:
- - Accelerates the process by immediately notifying product teams of potential vulnerabilities
- - Empowers product teams to take swift action in addressing security issues
- Pushing Findings Directly to Product Teams Cons:
- - Increases the workload on product teams, potentially leading to frustration
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- dependsOn: []
- implementation:
- - uuid: 889444eb-de68-4367-bada-a66f8cb9733a
- name: Jira
- tags:
- - documentation
- - issue
- - proprietary
- url: https://jira.atlassian.com/
- description: Jira is a bug tracking and project management tool developed
- by Atlassian, used by development teams for tracking issues, planning sprints,
- and managing software releases. It offers features for creating and managing
- tasks, assigning them to team members, and monitoring progress through customizable
- workflows and dashboards.
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
- name: DefectDojo Client
- tags:
- - Defectdojo
- - statistics
- url: https://github.com/SDA-SE/defectdojo-client
- description: |
- This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
- references:
- samm2:
- - I-DM-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/aaffa73f-59f6-4267-b0ab-732f3d13e90d
- tags:
- - vulnerability-mgmt
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
- Integration of vulnerability issues into the development process:
- uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e
- risk: To read console output of the build server to search for vulnerabilities
- might be difficult. Also, to check a vulnerability management system might
- not be a daily task for a developer.
- measure: Vulnerabilities are tracked in the teams issue system (e.g. jira).
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 2
- level: 3
- implementation:
- - uuid: aaad322e-806e-4c51-b78d-6551f7dc376a
- name: SAST
- tags: []
- description: 'At SAST (Static Application Security Testing): Server-side /
- client-side teams can easily be recorded. With microservice architecture
- individual microservices can be used usually Teams.'
- url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/
- - uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609
- name: DAST
- tags: []
- description: 'At DAST (Dynamic Application Security Testing): vulnerabilities
- are classified and can be assigned to server-side and client-side teams.'
- url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/
- references:
- samm2:
- - I-DM-2-B
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 16.1.4
- - 16.1.5
- - 16.1.6
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.25
- - 5.26
- - 5.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Reproducible defect tickets:
- uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39
- risk: Vulnerability descriptions are hard to understand by staff from operations
- and development.
- measure: Vulnerabilities include the test procedure to give the staff from operations
- and development the ability to reproduce vulnerabilities. This enhances the
- understanding of vulnerabilities and therefore the fix have a higher quality.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 2
- usefulness: 2
- level: 4
- implementation: []
- references:
- samm2:
- - I-DM-2-B
- - I-SB-3-B
- iso27001-2017:
- - 16.1.4
- - 8.2.1
- - 8.2.2
- - 8.2.3
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple false positive treatment:
- uuid: c1acc8af-312e-4503-a817-a26220c993a0
- risk: As false positive occur during each test, all vulnerabilities might be
- ignored. Specially, if tests are automated an run daily.
- measure: |-
- Findings from security tests must be triaged and outcomes persisted/documented to:
- - Prevent re-analysis of known issues in subsequent test runs
- - Track accepted risks vs false positives
- - Enable consistent decision-making across teams
-
- At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings.
-
- Samples for false positive handling:
- - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html)
- - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/)
- - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status)
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 4
- level: 1
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- references:
- samm2:
- - I-DM-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 16.1.6
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 5.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple visualization of defects:
- uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83
- risk: The security level of a component is not visible. Therefore, the motivation
- to enhance the security is not give.
- measure: Vulnerabilities are simple visualized.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207
- name: OWASP Dependency Check
- tags:
- - OpenSource
- - Supply Chain
- - vulnerability
- url: https://owasp.org/www-project-dependency-check/
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- - uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81
- name: LogParser Jenkins Plugins
- tags: []
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- references:
- samm2:
- - I-DM-1-B
- iso27001-2017:
- - 16.1.4
- - 8.2.1
- - 8.2.2
- - 8.2.3
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Treatment of all defects:
- uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d
- risk: Vulnerabilities with severity low are not visible.
- measure: All vulnerabilities are added to the quality gate.
- difficultyOfImplementation:
- knowledge: 3
- time: 4
- resources: 1
- usefulness: 2
- level: 5
- implementation: []
- references:
- samm2:
- - I-DM-2-B
- - I-SB-3-B
- iso27001-2017:
- - 16.1.4
- - 12.6.1
- iso27001-2022:
- - 8.8
- - 5.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d
- tags:
- - vuln-action
- - defect-management
- comments: ""
- teamsImplemented:
- Default: false
- B: false
- C: false
- Treatment of defects per protection requirement:
- uuid: 2b7cc923-bdaf-43e3-8fb4-a995b7783969
- risk: "Not defining the protection requirement of applications can lead to wrong
- prioritization, delayed remediation of \ncritical security issues, increasing
- the risk of exploitation and potential damage to the organization."
- measure: "Defining the protection requirement and the corresponding handling
- of vulnerabilities per severity for components like applications are aligned
- to SLAs. \n This is performed for the hole organization and doesn't need to
- be broken down (yet) on team/product/application. \n At least quarterly."
- description: |-
- The protection requirements for an application should consider:
- - Data criticality
- - Application accessibility (internal vs. external)
- - Regulatory compliance
- - Other relevant factors
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- dependsOn: []
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
- name: Business friendly vulnerability management metrics
- url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
- tags:
- - documentation
- - vulnerability
- - vulnerability management system
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
- name: DefectDojo Client
- tags:
- - Defectdojo
- - statistics
- url: https://github.com/SDA-SE/defectdojo-client
- description: |
- This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
- references:
- samm2:
- - I-DM-3-B
- iso27001-2022:
- - 5.25
- - 5.12
- - 5.13
- - 5.1
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/2b7cc923-bdaf-43e3-8fb4-a995b7783969
- tags:
- - vulnerability-mgmt
- - metrics
- - vmm-measurements
- teamsImplemented:
- Default: false
- B: false
- C: false
- Treatment of defects with severity high or higher:
- uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385
- risk: Vulnerabilities with severity high or higher are not visible.
- measure: Vulnerabilities with severity high or higher are added to the quality
- gate.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 1
- comments: False positive analysis, specially for static analysis, is time consuming.
- references:
- samm2:
- - I-DM-2-B
- iso27001-2017:
- - 16.1.4
- - 12.6.1
- iso27001-2022:
- - 8.8
- - 5.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385
- implementation: []
- tags:
- - vuln-action
- - defect-management
- teamsImplemented:
- Default: false
- B: false
- C: false
- Treatment of defects with severity middle:
- uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594
- risk: Vulnerabilities with severity middle are not visible.
- measure: Vulnerabilities with severity middle are added to the quality gate.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 3
- comments: False positive analysis, specially for static analysis, is time consuming.
- references:
- samm2:
- - I-DM-2-B
- - I-SB-3-B
- iso27001-2017:
- - 16.1.4
- - 12.6.1
- iso27001-2022:
- - 8.8
- - 5.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594
- implementation: []
- tags:
- - vuln-action
- - defect-management
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of a vulnerability management system:
- uuid: 85ba5623-84be-4219-8892-808837be582d
- risk: Maintenance of false positives in each tool enforces a high workload.
- In addition a correlation of the same finding from different tools is not
- possible.
- measure: Aggregation of vulnerabilities in one tool reduce the workload to handle
- them, e.g. mark as false positives.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 2
- usefulness: 2
- dependsOn:
- - Exploit likelihood estimation
- - Each team has a security champion
- - Office Hours
- level: 3
- description: "For known vulnerabilities a processes to estimate the exploit
- ability of a vulnerability is recommended.\n\nTo implement a security culture
- including training, office hours and security champions can help integrating
- \nsecurity scanning at scale. Such activities help to understand why a vulnerability
- is potentially critical and needs handling."
- implementation:
- - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
- name: OWASP DefectDojo
- tags:
- - vulnerability management system
- - owasp
- url: https://github.com/DefectDojo/django-DefectDojo
- description: |
- DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
- name: Purify
- tags:
- - vulnerability management system
- url: https://github.com/faloker/purify/
- description: |
- The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- - uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
- name: SecObserve
- tags:
- - vulnerability management system
- url: https://github.com/MaibornWolff/SecObserve
- description: |
- The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
- references:
- samm2:
- - I-DM-1-B
- - I-SB-2-B
- - I-SB-3-B
- iso27001-2017:
- - 12.6.1
- - 16.1.3
- - 16.1.4
- - 16.1.5
- - 16.1.6
- iso27001-2022:
- - 8.8
- - 6.8
- - 5.25
- - 5.26
- - 5.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/85ba5623-84be-4219-8892-808837be582d
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Dynamic depth for applications:
- Coverage analysis:
- uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7
- risk: Parts of the service are not still covered by tests.
- measure: Check that there are no missing paths in the application with coverage-tools.
- difficultyOfImplementation:
- knowledge: 4
- time: 5
- resources: 3
- usefulness: 4
- level: 5
- implementation:
- - uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366
- name: OWASP Code Pulse
- tags: []
- url: https://www.owasp.org/index.php/OWASP_Code_Pulse
- - uuid: f011de6e-ab7c-4ec7-af55-03427271ab32
- name: Coverage.py
- tags:
- - testing
- - coverage
- url: https://github.com/nedbat/coveragepy
- description: |
- Code coverage measurement for Python
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - not explicitly covered by ISO 27001 - too specific
- - part of periodic review, PDCA
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Coverage of client side dynamic components:
- uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e
- risk: Parts of the service are not covered during the scan, because JavaScript
- is not getting executed. Therefore, the coverage of client-side dynamic components
- is limited, leading to potential security risks and undetected vulnerabilities.
- measure: Usage of a spider which executes dynamic content like JavaScript, e.g.
- via Selenium.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 4
- level: 2
- dependsOn:
- - Usage of different roles
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/9711f871-f79d-4573-8d4f-d2c98fd0d18e
- implementation:
- - uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb
- name: Ajax Spider
- tags: []
- url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Coverage of hidden endpoints:
- uuid: 6a9cb303-0f98-48a8-bdcd-56d41c0012b8
- risk: Hidden endpoints of the service are not getting tracked.
- measure: Hidden endpoints are getting detected and included in the vulnerability
- scan.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 1
- usefulness: 5
- level: 3
- implementation:
- - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b
- name: cURL
- tags: []
- url: https://curl.se/
- - uuid: 7ce77258-bf65-4e7a-9627-daf765ee1d77
- name: OpenAPI Specifications
- tags: []
- url: https://spec.openapis.org/
- - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801
- name: OWASP Zap
- tags:
- - vulnerability
- - scanner
- url: https://github.com/zaproxy/zaproxy
- description: |
- The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ...
- - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b
- name: Schemathesis
- tags:
- - testing
- - api
- - documentation
- url: https://github.com/schemathesis/schemathesis
- description: |
- Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema.
- dependsOn:
- - Usage of different roles
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - not explicitly covered by ISO 27001 - too specific
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Coverage of more input vectors:
- uuid: 5e0ff85b-ec89-4ef0-96b1-5695fa0025dc
- risk: Parts of the service are not covered. For example specially formatted
- or coded parameters are not getting detected as parameter (e.g. parameters
- in REST-like URLs, parameters in JSON-Format or base64-coded parameters).
- measure: Special parameter and special encodings are defined, so that they get
- fuzzed by the used vulnerability scanners.
- difficultyOfImplementation:
- knowledge: 5
- time: 5
- resources: 1
- usefulness: 4
- level: 3
- dependsOn:
- - Usage of different roles
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - not explicitly covered by ISO 27001 - too specific
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/5e0ff85b-ec89-4ef0-96b1-5695fa0025dc
- implementation:
- - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b
- name: Schemathesis
- tags:
- - testing
- - api
- - documentation
- url: https://github.com/schemathesis/schemathesis
- description: |
- Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema.
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Coverage of sequential operations:
- uuid: 845f06ec-148c-4c67-9755-7041911dcca5
- risk: Sequential operations like workflows (e.g. login -> put products in the
- basket
- measure: Sequential operations are defined and checked by the vulnerability
- scanner in the defined order.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 5
- level: 3
- implementation:
- - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b
- name: cURL
- tags: []
- url: https://curl.se/
- dependsOn:
- - Usage of different roles
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 14.2.8
- - 14.2.3
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/845f06ec-148c-4c67-9755-7041911dcca5
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Coverage of service to service communication:
- uuid: 22aab0ef-76ce-4b8c-979c-3699784330db
- risk: Service to service communication is not covered.
- measure: Service to service communication is dumped and checked.
- difficultyOfImplementation:
- knowledge: 4
- time: 5
- resources: 2
- usefulness: 3
- level: 5
- dependsOn:
- - Simple Scan
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/22aab0ef-76ce-4b8c-979c-3699784330db
- implementation:
- - uuid: 000b55f9-e6fd-4649-8290-27876a0409e2
- name: Citrus Fresh Integration Testing
- tags:
- - framework
- - testing
- url: https://citrusframework.org/
- description: Integration Test framework with focus on messaging applications
- and Microservices.
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Simple Scan:
- uuid: 07796811-37f9-467c-9ff2-48f346e77ff3
- risk: Deficient security tests are performed. Simple vulnerabilities are not
- detected and missing security configurations (e.g. headers) are not set. Fast
- feedback is not given.
- measure: A simple scan is performed to get a security baseline. In case the
- test is done in under 10 minutes, it should be part of the build and deployment
- process.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 1
- level: 2
- dependsOn:
- - Defined build process
- implementation:
- - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801
- name: OWASP Zap
- tags:
- - vulnerability
- - scanner
- url: https://github.com/zaproxy/zaproxy
- description: |
- The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ...
- - uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63
- name: Arachni
- url: https://github.com/Arachni/arachni
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of different roles:
- uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750
- risk: Parts of the service are not covered during the scan, because a login
- is not performed.
- measure: Integration of authentication with all roles used in the service.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 2
- level: 2
- dependsOn:
- - Simple Scan
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - not explicitly covered by ISO 27001 - too specific
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/65a2d7d9-5441-46bf-a4e3-f76919857750
- implementation:
- - uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3
- name: Zest
- url: https://www.zaproxy.org/docs/desktop/addons/zest/
- tags:
- - zap
- description: |
- Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools.
- assessment: For REST APIs, multiple OAuth2 scopes are used.
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of multiple scanners:
- uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea
- risk: Each vulnerability scanner has different opportunities. By using just
- one scanner, some vulnerabilities might not be found.
- measure: Usage of multiple spiders and scanner enhance the coverage and the
- vulnerabilities.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 5
- usefulness: 1
- level: 4
- dependsOn:
- - Usage of different roles
- implementation:
- - uuid: f220b299-0917-4750-96c5-d81cd402b4df
- name: OWASP secureCodeBox
- tags:
- - vulnerability
- - scanner-orchestration
- url: https://github.com/secureCodeBox/secureCodeBox
- description: |
- secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Dynamic depth for infrastructure:
- Load tests:
- uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd
- risk: As it is unknown how many requests the systems and applications can serve,
- due to an unexpected load the availability is disturbed.
- measure: Load test against the production system or a production near system
- is performed.
- difficultyOfImplementation:
- knowledge: 3
- time: 2
- resources: 5
- usefulness: 3
- level: 4
- implementation: []
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 12.1.3
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.6
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for exposed services:
- uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8
- risk: Standard network segmentation and firewalling has not been performed,
- leading to world open cluster management ports.
- measure: With the help of tools the network configuration of unintentional exposed
- cluster(s) are tested. To identify clusters, all subdomains might need to
- be identified with a tool like OWASP Amass to perform port scans based o the
- result.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 2
- dependsOn:
- - Isolated networks for virtual environments
- usefulness: 2
- level: 2
- implementation:
- - uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882
- name: nmap
- tags: []
- url: https://nmap.org/
- - uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a
- name: OWASP Amass
- tags: []
- url: https://github.com/OWASP/Amass
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 13.1.3
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.22
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for unauthorized installation:
- uuid: dccf1949-b9a8-4ce8-b992-6a4a7f3a623a
- risk: Unapproved components are used.
- measure: Components must be whitelisted. Regular scans on the docker infrastructure
- (e.g. cluster) need to be performed, to verify that only standardized base
- images are used.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: 349cf64c-abea-40bb-bd07-9c98ce648fa4
- name: 'Example: All docker images used by teams need to be based on standard
- images.'
- tags: []
- comments: By preventing teams from trying out new components, innovation might
- be hampered
- references:
- samm2: []
- iso27001-2017:
- - 12.5.1
- - 12.6.1
- iso27001-2022:
- - 8.19
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a
- dependsOn:
- - Evaluation of the trust of used components
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for unused Resources:
- uuid: 6532c1fe-9d23-4228-8722-558ddabca7d4
- risk: Unused resources, specially secrets, might be still valid, but are exposing
- information. As an attacker, I compromise a system, gather credentials and
- try to use them.
- measure: Test for unused resources helps to identify unused resources.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 2
- level: 5
- implementation:
- - uuid: 8fea20ad-e332-4aa8-b1f1-aa9deb635dc1
- name: K8sPurger
- tags:
- - vulnerability
- - scanner
- - dast
- - infrastructure
- url: https://github.com/yogeshkk/K8sPurger
- description: |
- Hunt Unused Resources In Kubernetes.
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 13.1.3
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.22
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test network segmentation:
- uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01
- risk: Wrong or no network segmentation of pods makes it easier for an attacker
- to access a database and extract or modify data.
- measure: Cluster internal test needs to be performed. Integration of fine granulated
- network segmentation (also between pods in the same namespace).
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: fffa6fb9-1fae-4852-88dc-c7086961330c
- name: netassert
- tags: []
- url: https://github.com/controlplaneio/netassert
- dependsOn:
- - Isolated networks for virtual environments
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 13.1.3
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - 8.22
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test of the configuration of cloud environments:
- uuid: 7bb70764-9392-4462-935d-e55b2e148199
- risk: Standard hardening practices for cloud environments are not performed
- leading to vulnerabilities.
- measure: With the help of tools the configuration of virtual environments are
- tested.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- implementation:
- - uuid: 893d9f37-2142-4490-996c-e43b55064d3d
- name: kubescape
- url: https://github.com/armosec/kubescape
- tags:
- - kubernetes
- - vulnerability
- - misconfiguration
- description: _Testing if Kubernetes is deployed securely as defined in Kubernetes
- Hardening Guidance by to NSA and CISA_
- - uuid: 2af7204c-a25c-4625-9775-889978386407
- name: kube-hunter
- tags: []
- url: https://github.com/aquasecurity/kube-hunter
- - uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f
- name: openVAS
- tags: []
- url: https://www.openvas.org/
- references:
- samm2: []
- iso27001-2017:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- - 12.6.1
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- - 8.8
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/7bb70764-9392-4462-935d-e55b2e148199
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Weak password test:
- uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f
- risk: Weak passwords in components like applications or systems, specially for
- privileged accounts, lead to take over of that account.
- measure: Automatic brute force attacks are performed. Specially the usage of
- standard accounts like 'admin' and employee user-ids is recommended.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 1
- level: 3
- implementation:
- - uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce
- name: HTC Hydra
- tags:
- - password
- url: https://www.htc-cs.com/en/products/htc-hydra/
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 9.4.3
- iso27001-2022:
- - 5.17
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
- depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Static depth for applications:
- API design validation:
- uuid: 017d9e26-42b5-49a4-b945-9f59b308fb99
- risk: Creation of insecure or non-compliant API.
- measure: |
- Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP
- and validate the specification using specific tools.
- Checks should be integrated in IDEs and CI/CD pipelines.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- implementation:
- - uuid: 261f243e-f89c-4169-b076-b22a03ec00be
- name: Spectral
- tags:
- - linting
- - api
- - documentation
- url: https://github.com/stoplightio/spectral
- description: |
- Spectral is a flexible JSON/YAML linter built with extensibility in mind.
- It uses JSON/YAML path rules to describe the problems you want to find.
- - uuid: d2c9403d-9da2-4518-b33f-8b74b9c5ca3f
- name: API OAS Checker
- tags:
- - linting
- - api
- - documentation
- url: https://github.com/italia/api-oas-checker
- description: |
- A tool to check OpenAPI specifications using a comprehensive ruleset based
- on API best practices.
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - 8.25
- - 8.27
- - 8.28
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99
- dependsOn:
- - Inventory of production components
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Dead code elimination:
- uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d
- risk: Dead code increases the attack surface (use of hard coded credentials
- and variables, sensitive information)
- measure: Collection of unused code and then manual removal of unused code.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 1
- level: 5
- implementation:
- - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
- name: PMD
- tags: []
- dependsOn:
- - Defined build process
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Exclusion of source code duplicates:
- uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711
- risk: Duplicates in source code might influence the stability of the application.
- measure: Automatic Detection and manual removal of duplicates in source code.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 1
- level: 5
- implementation:
- - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
- name: PMD
- tags: []
- dependsOn:
- - Defined build process
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Exploit likelihood estimation:
- uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
- risk: Without proper prioritization, organizations may waste time and effort
- on low-risk vulnerabilities while neglecting critical ones.
- measure: Estimate the likelihood of exploitation by using data (CISA KEV) from
- the past or prediction models (EPSS).
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - Software Composition Analysis (server side)
- implementation:
- - uuid: aa507341-9531-42cd-95cf-d7b51af47086
- name: Known Exploited Vulnerabilities
- tags:
- - vulnerability
- url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- description: A catalog of vulnerabilities that have been exploited.
- - uuid: e39afc58-8195-4600-92c6-11922e3a141b
- name: Exploit Prediction Scoring System
- tags:
- - vulnerability
- url: https://www.first.org/epss/
- description: Estimates the likelihood that a software vulnerability will be
- exploited.
- references:
- samm2:
- - V-ST-2-A
- - I-SB-3-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Local development security checks performed:
- uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b
- risk: Creating and developing code contains code smells and quality issues.
- measure: |
- Integration of quality and linting plugins with interactive development environment (IDEs).
- Implement pre-commit checks to prevent secrets & other security issues being commit to source code.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 4
- level: 3
- implementation:
- - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
- name: Fortify Extension for Visual Studio Code
- url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
- tags:
- - ide
- - sast
- - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
- name: Setting Up the Visual Studio Code Extension Plugin
- url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
- tags:
- - ide
- - sast
- - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
- name: HCL AppScan CodeSweep
- url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
- tags:
- - ide
- - sast
- - uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82
- name: DevSecOps control Pre-commit
- url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop
- tags:
- - pre-commit
- - uuid: 8da8d115-0f4e-40f0-a3ce-484a49e845fb
- name: Building your DevSecOps pipeline 5 essential activities
- url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/
- tags:
- - pre-commit
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 13.1.3
- iso27001-2022:
- - Hardening is not explicitly covered by ISO 27001 - too specific
- - 8.22
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Software Composition Analysis (client side):
- uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86
- risk: Client side components might have vulnerabilities.
- measure: Tests for known vulnerabilities in components via Software Composition
- Analysis of the frontend are performed.
- difficultyOfImplementation:
- knowledge: 1
- time: 2
- resources: 1
- usefulness: 2
- level: 3
- dependsOn:
- - Defined build process
- - Inventory of production components
- - Exploit likelihood estimation
- implementation:
- - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7
- name: retire.js
- tags: []
- url: https://github.com/RetireJS/retire.js/
- - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3
- name: npm audit
- tags: []
- url: https://docs.npmjs.com/cli/audit
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240
- name: Dependabot
- tags:
- - dependency
- - dependency-management
- - scm
- url: https://github.com/dependabot/dependabot-core
- description: |
- Dependabot creates pull requests to keep your dependencies secure and up-to-date.
- references:
- samm2:
- - V-ST-2-A
- - I-SB-2-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Software Composition Analysis (server side):
- uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe
- description: Use a tool like trivy and concentrate on application related vulnerabilities.
- At this stage, ignore vulnerabilities in container base images used in the
- service.
- risk: Server side components might have vulnerabilities.
- measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware)
- are performed.
- difficultyOfImplementation:
- knowledge: 1
- time: 3
- resources: 1
- usefulness: 5
- level: 2
- dependsOn:
- - Defined build process
- - Inventory of production components
- implementation:
- - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207
- name: OWASP Dependency Check
- tags:
- - OpenSource
- - Supply Chain
- - vulnerability
- url: https://owasp.org/www-project-dependency-check/
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7
- name: retire.js
- tags: []
- url: https://github.com/RetireJS/retire.js/
- - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3
- name: npm audit
- tags: []
- url: https://docs.npmjs.com/cli/audit
- - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240
- name: Dependabot
- tags:
- - dependency
- - dependency-management
- - scm
- url: https://github.com/dependabot/dependabot-core
- description: |
- Dependabot creates pull requests to keep your dependencies secure and up-to-date.
- - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
- name: https://github.com/aquasecurity/trivy
- tags: []
- url: https://github.com/aquasecurity/trivy
- references:
- samm2:
- - V-ST-2-A
- - I-SB-2-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/d918cd44-a972-43e9-a974-eff3f4a5dcfe
- tags:
- - vmm-testing
- teamsImplemented:
- Default: false
- B: false
- C: false
- Static analysis for all components/libraries:
- uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
- risk: Used components like libraries and legacy applications might have vulnerabilities
- measure: Usage of a static analysis for all used components.
- difficultyOfImplementation:
- knowledge: 2
- time: 4
- resources: 2
- usefulness: 3
- level: 5
- dependsOn:
- - Static analysis for important client side components
- - Static analysis for important server side components
- - Inventory of production components
- implementation: []
- references:
- samm2:
- - V-ST-2-A
- - I-SB-3-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Static analysis for all self written components:
- uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84
- risk: Parts in the source code of the frontend or middleware have vulnerabilities.
- measure: Usage of static analysis tools for all parts of the middleware and
- frontend. Static analysis uses for example string matching algorithms and/or
- dataflow analysis.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 4
- implementation:
- - uuid: 6a0948a7-4781-4858-9766-f4303971b28b
- name: eslint
- tags: []
- url: https://eslint.org/
- - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078
- name: FindSecurityBugs
- tags: []
- - uuid: cccc2882-62ab-4175-afa1-58471017e8ed
- name: jsprime
- tags: []
- url: https://github.com/dpnishant/jsprime
- - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
- name: Fortify Extension for Visual Studio Code
- url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
- tags:
- - ide
- - sast
- - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
- name: Setting Up the Visual Studio Code Extension Plugin
- url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
- tags:
- - ide
- - sast
- - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
- name: HCL AppScan CodeSweep
- url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
- tags:
- - ide
- - sast
- dependsOn:
- - Static analysis for important client side components
- - Static analysis for important server side components
- - Inventory of production components
- references:
- samm2:
- - V-ST-2-A
- - I-SB-3-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Static analysis for important client side components:
- uuid: e237176b-bec5-447d-a926-e37d6dd60e4b
- risk: Important parts in the source code of the frontend have vulnerabilities.
- measure: Usage of static analysis tools for important parts of the frontend
- are used. Static analysis uses for example string matching algorithms and/or
- dataflow analysis.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: 6a0948a7-4781-4858-9766-f4303971b28b
- name: eslint
- tags: []
- url: https://eslint.org/
- - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078
- name: FindSecurityBugs
- tags: []
- - uuid: cccc2882-62ab-4175-afa1-58471017e8ed
- name: jsprime
- tags: []
- url: https://github.com/dpnishant/jsprime
- - uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75
- name: '[bdd-mobile-security'
- tags: []
- url: https://github.com/ing-bank/bdd-mobile-security-automation-framework
- description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)'
- - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
- name: Fortify Extension for Visual Studio Code
- url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
- tags:
- - ide
- - sast
- - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
- name: Setting Up the Visual Studio Code Extension Plugin
- url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
- tags:
- - ide
- - sast
- - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
- name: HCL AppScan CodeSweep
- url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
- tags:
- - ide
- - sast
- dependsOn:
- - Defined build process
- - Inventory of production components
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Static analysis for important server side components:
- uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4
- risk: Important parts in the source code of the middleware have vulnerabilities.
- measure: Usage of static analysis tools for important parts of the middleware
- are used. Static analysis uses for example string matching algorithms and/or
- dataflow analysis.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 3
- implementation:
- - uuid: 6a0948a7-4781-4858-9766-f4303971b28b
- name: eslint
- tags: []
- url: https://eslint.org/
- - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078
- name: FindSecurityBugs
- tags: []
- - uuid: cccc2882-62ab-4175-afa1-58471017e8ed
- name: jsprime
- tags: []
- url: https://github.com/dpnishant/jsprime
- - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
- name: Fortify Extension for Visual Studio Code
- url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
- tags:
- - ide
- - sast
- - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
- name: Setting Up the Visual Studio Code Extension Plugin
- url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
- tags:
- - ide
- - sast
- - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
- name: HCL AppScan CodeSweep
- url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
- tags:
- - ide
- - sast
- dependsOn:
- - Defined build process
- - Inventory of production components
- references:
- samm2:
- - V-ST-2-A
- - I-SB-3-B
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Stylistic analysis:
- uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34
- risk: Unclear or obfuscated code might have unexpected behavior.
- measure: Analysis of compliance to style guides of the source code ensures that
- source code formatting rules are met (e.g. indentation, loops, ...).
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 1
- level: 5
- implementation:
- - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
- name: PMD
- tags: []
- - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe
- name: How to enforce a consistent coding style in your projects
- url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm
- tags:
- - ide
- - linting
- - uuid: aa5ded61-5380-4da6-9474-afc36a397682
- name: In-Depth Linting of Your TypeScript While Coding
- url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
- tags:
- - ide
- - linting
- - uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f
- name: Super-Linter
- tags:
- - linting
- - scm
- url: https://github.com/github/super-linter
- description: |
- Lint code bases to catch common errors and enforce code style
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for Patch Deployment Time:
- uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2
- risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities
- in production artifacts.
- measure: |
- Test of the Patch Deployment Time.
- This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 3
- level: 3
- implementation:
- - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
- name: PMD
- tags: []
- dependsOn:
- - Automated PRs for patches
- - Defined build process
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2
- comments: ""
- meta:
- implementationGuide: Self implementation. This activity is not repeated in
- the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure
- as well.
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for Time to Patch:
- uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f
- risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities
- in production artifacts.
- measure: |-
- Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs)
- This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
- name: dependabot
- tags:
- - auto-pr
- - patching
- url: https://dependabot.com/
- - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
- name: renovate
- tags:
- - auto-pr
- - patching
- url: https://github.com/renovatebot/renovate
- dependsOn:
- - Automated PRs for patches
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f
- comments: ""
- meta:
- implementationGuide: Usage of a version control platform API (e.g. github
- API) can be used to fetch the information. Consider that `Measure libyears`
- might be an alternative to this activity.
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test libyear:
- uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad
- risk: Vulnerabilities in running artifacts stay for long and might get exploited.
- measure: Test `libyear`, which provides a good insight how good patch management
- is.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 3
- level: 2
- implementation:
- - uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33
- name: libyear
- tags:
- - patching
- - build
- url: https://libyear.com/
- description: A simple measure of software dependency freshness. It is a single
- number telling you how up-to-date your dependencies are.
- dependsOn:
- - Defined build process
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - Not explicitly covered by ISO 27001 - too specific
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - Not explicitly covered by ISO 27001 - too specific
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad
- comments: ""
- meta:
- implementationGuide: |
- `libyear` can be integrated into the build process and flag or even better break the build in case the defined threshold (e.g. 30 years) is reached.
- An alternative approach is to determine `libyear` based on deployed artifacts (which requires more effort in implementation).
- tags:
- - patching
- teamsImplemented:
- Default: false
- B: false
- C: false
- Usage of multiple analyzers:
- uuid: 297be001-8d94-41ee-ab29-207020d423c0
- risk: Each vulnerability analyzer has different opportunities. By using just
- one analyzer, some vulnerabilities might not be found.
- measure: Usage of multiple static tools to find more vulnerabilities.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 5
- usefulness: 1
- level: 4
- dependsOn:
- - Software Composition Analysis (server side)
- - Software Composition Analysis (client side)
- - Static analysis for all self written components
- implementation: []
- references:
- samm2:
- - V-ST-3-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for applications/297be001-8d94-41ee-ab29-207020d423c0
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Static depth for infrastructure:
- Analyze logs:
- uuid: b217c8bb-5d61-4b41-a675-1083993f83b1
- risk: Not aware of attacks happening.
- measure: Check logs for keywords.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- implementation:
- - uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2
- name: SigmaHQ
- tags: []
- url: https://github.com/SigmaHQ/sigma
- references:
- samm2: []
- iso27001-2017:
- - ISO 27001:2017 mapping is missing
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Correlate known vulnerabilities in infrastructure with new image versions:
- uuid: 7de0ae33-6538-45cd-8222-a1475647ba58
- risk: TODO.
- measure: TODO
- difficultyOfImplementation:
- knowledge: 2
- time: 5
- resources: 4
- usefulness: 1
- level: 4
- dependsOn:
- - Usage of a maximum lifetime for images
- implementation:
- - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc
- name: Anchore.io
- tags: []
- url: https://anchore.com/
- - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071
- name: Clair
- tags: []
- url: https://github.com/quay/clair
- - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531
- name: OpenSCAP
- tags: []
- url: https://www.open-scap.org/
- - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5
- name: Vuls
- tags: []
- url: https://github.com/future-architect/vuls
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- iso27001-2022:
- - 8.8
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Software Composition Analysis:
- uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad
- risk: Known vulnerabilities in infrastructure components like container images
- might get exploited.
- measure: Check for known vulnerabilities
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 4
- level: 4
- description: Subscribing to Github projects and reading release notes might
- help. Software Composition Analysis for infrastructure might help, but is
- often too fine-granular.
- implementation:
- - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
- name: https://github.com/aquasecurity/trivy
- tags: []
- url: https://github.com/aquasecurity/trivy
- - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57
- name: Registries like quay
- tags: []
- description: Registries like quay, dockerhub provide (commercial) offerings,
- often not suitable for distroless images
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
- name: Dependency-Track is an intelligent Component Analysis platform that
- allows organizations to identify and reduce risk in the software supply
- chain. Dependency-Track takes a unique and highly beneficial approach by
- leveraging the capabilities of Software Bill of Materials (SBOM).
- url: https://github.com/DependencyTrack/dependency-track
- tags:
- - sca
- - inventory
- - OpenSource
- - Supply Chain
- - vulnerability
- - inventory
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test cluster deployment resources:
- uuid: 621fb6a5-5c0a-4408-826a-068868bb031b
- risk: The deployment configuration (e.g. kubernetes deployment resources) might
- contain unsecured configurations.
- measure: Test the deployment configuration for virtualized environments for
- unsecured configurations.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 3
- level: 2
- implementation:
- - uuid: 1e58f8d2-61e2-45bb-a17c-51516d0cc9ba
- name: kubesec
- tags: []
- url: https://kubesec.io
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- - 12.6.1
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- - 8.8
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for image lifetime:
- uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b
- risk: Old container images in production indicate that patch management is not
- performed and therefore vulnerabilities might exists.
- measure: Check the image age of containers in production.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 1
- usefulness: 2
- level: 2
- implementation:
- - url: https://github.com/SDA-SE/clusterscanner
- uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
- name: ClusterScanner
- tags:
- - docker
- - image
- - container
- - vulnerability
- - misconfiguration
- - security-tools
- - scanning
- description: Discover vulnerabilities and container image misconfiguration
- in production environments.
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 12.6.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for malware:
- uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d
- risk: Third party might include malware. Ether due to the maintainer (e.g.
- typo squatting of an image name and using the wrong image) or by an attacker
- on behalf of the maintainer with stolen credentials.
- measure: Check for malware in components (e.g. container images, VM baseline
- images, libraries).
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 3
- level: 3
- implementation:
- - url: https://github.com/SDA-SE/clusterscanner
- uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
- name: ClusterScanner
- tags:
- - docker
- - image
- - container
- - vulnerability
- - misconfiguration
- - security-tools
- - scanning
- description: Discover vulnerabilities and container image misconfiguration
- in production environments.
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.2.1
- iso27001-2022:
- - 8.7
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for new image version:
- uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e
- risk: When a new version of an image is available, it might fix security vulnerabilities.
- measure: Check for new images of containers in production.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 1
- usefulness: 2
- level: 3
- implementation: []
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- - 14.2.5
- - 12.2.1
- iso27001-2022:
- - 8.8
- - 8.7
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for stored secrets in build artifacts:
- uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f
- risk: Stored secrets in container images or other build artifacts shouldn't
- exists because they might be exposed to unauthorized parties.
- measure: Test for secrets in container images and other artifacts
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 2
- level: 1
- implementation:
- - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6
- name: truffleHog
- tags: []
- url: https://github.com/dxa4481/truffleHog
- - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835
- name: go-pillage-registries
- tags: []
- url: https://github.com/nccgroup/go-pillage-registries
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - vcs usage is not explicitly covered by ISO 27001 - too specific
- - 9.4.3
- - 10.1.2
- iso27001-2022:
- - vcs usage is not explicitly covered by ISO 27001 - too specific
- - 5.17
- - 8.24
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/d5e6303c-d5c6-4d59-b258-a3b9de38a07f
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test for stored secrets in code:
- uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c
- risk: Stored secrets in git history or directly in code shouldn't exists because
- they might be exposed to unauthorized parties.
- measure: Test for secrets in code and git history
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 2
- level: 1
- implementation:
- - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6
- name: truffleHog
- tags: []
- url: https://github.com/dxa4481/truffleHog
- - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835
- name: go-pillage-registries
- tags: []
- url: https://github.com/nccgroup/go-pillage-registries
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - vcs usage is not explicitly covered by ISO 27001 - too specific
- - 9.4.3
- - 10.1.2
- iso27001-2022:
- - vcs usage is not explicitly covered by ISO 27001 - too specific
- - 5.17
- - 8.24
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test of infrastructure components for known vulnerabilities:
- uuid: 13367d8f-e37f-4197-a610-9ffca4fde261
- risk: Infrastructure components might have vulnerabilities.
- measure: Test for known vulnerabilities in infrastructure components. Often,
- the only way to respond to known vulnerabilities in operating system packages
- is to accept the risk and wait for a patch. As the patch needs to be applied
- fast when it is available, this activity depends on 'Usage of a maximum life
- for images'.
- difficultyOfImplementation:
- knowledge: 2
- time: 5
- resources: 2
- usefulness: 1
- level: 4
- dependsOn:
- - Usage of a maximum lifetime for images
- implementation:
- - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc
- name: Anchore.io
- tags: []
- url: https://anchore.com/
- - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071
- name: Clair
- tags: []
- url: https://github.com/quay/clair
- - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531
- name: OpenSCAP
- tags: []
- url: https://www.open-scap.org/
- - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5
- name: Vuls
- tags: []
- url: https://github.com/future-architect/vuls
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- iso27001-2022:
- - 8.8
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test of virtualized environments:
- uuid: 58825d22-1ce6-4748-af81-0ec9956e4129
- risk: Virtualized environments (e.g. via Container Images) might contains
- unsecure configurations.
- measure: Test virtualized environments for unsecured configurations.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 3
- level: 2
- implementation:
- - uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5
- name: Dive to inspect a container images
- tags: []
- url: https://github.com/wagoodman/dive
- - url: https://github.com/SDA-SE/clusterscanner
- uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
- name: ClusterScanner
- tags:
- - docker
- - image
- - container
- - vulnerability
- - misconfiguration
- - security-tools
- - scanning
- description: Discover vulnerabilities and container image misconfiguration
- in production environments.
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - ISO 27001:2017 mapping is missing
- iso27001-2022:
- - ISO 27001:2022 mapping is missing
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test the cloud configuration:
- uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc
- risk: Standard hardening practices for cloud environments are not performed
- leading to vulnerabilities.
- measure: With the help of tools, the configuration of virtual environments are
- tested.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 1
- usefulness: 4
- level: 2
- implementation:
- - uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055
- name: kube-bench
- tags: []
- url: https://github.com/aquasecurity/kube-bench
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- - 12.6.1
- - 14.2.3
- - 14.2.8
- iso27001-2022:
- - System hardening is not explicitly covered by ISO 27001 - too specific
- - 8.8
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test the definition of virtualized environments:
- uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e
- risk: The definition of virtualized environments (e.g. via Dockerfile)
- might contain unsecure configurations.
- measure: Test the definition of virtualized environments for unsecured configurations.
- difficultyOfImplementation:
- knowledge: 2
- time: 1
- resources: 2
- usefulness: 3
- level: 2
- meta:
- implementationGuide: For containier (images), test that the images are following
- best practices like distroless or non-root.
- implementation:
- - uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005
- name: Dockerfile with hadolint
- tags: []
- url: https://github.com/hadolint/hadolint
- - uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b
- name: Deployment with kube-score
- tags: []
- url: https://github.com/zegl/kube-score
- - uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30
- name: dockerfilelint
- tags:
- - sast
- - docker
- - dockerfile
- url: https://github.com/replicatedhq/dockerfilelint
- description: dockerfilelint is an node module that analyzes a Dockerfile and
- looks for common traps, mistakes and helps enforce best practices.
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - System hardening, virtual environments are not explicitly covered by ISO
- 27001 - too specific
- - 12.6.1
- - 14.2.3
- - 14.2.8
- - 14.2.1
- iso27001-2022:
- - System hardening, virtual environments are not explicitly covered by ISO
- 27001 - too specific
- - 8.8
- - 8.32
- - 8.29
- - 8.25
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
- depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Test-Intensity:
- Creation and application of a testing concept:
- uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe
- risk: Scans might use a too small or too high test intensity.
- measure: A testing concept considering the amount of time per scan/intensity
- is created and applied. A dynamic analysis needs more time than a static analysis.
- The dynamic scan, depending on the test intensity might be performed on every
- commit, every night, every week or once in a month.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 3
- usefulness: 2
- level: 4
- implementation: []
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 14.2.2
- - 14.2.3
- - 14.2.1
- - 14.2.5
- - 12.6.1
- iso27001-2022:
- - 8.25
- - 8.32
- - 8.27
- - 8.8
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Deactivating of unneeded tests:
- uuid: 1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5
- risk: As tools cover a wide range of different vulnerability tests, they might
- not match the used components. Therefore, they need more time and resources
- as they need and the feedback loops takes too much time.
- measure: Unneeded tests are deactivated. For example in case the service is
- using a Mongo database and no mysql database, the dynamic scan doesn't need
- to test for sql injections.
- difficultyOfImplementation:
- knowledge: 2
- time: 3
- resources: 1
- usefulness: 1
- level: 3
- implementation: []
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Default settings for intensity:
- uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d
- risk: Time pressure and ignorance might lead to false predictions for the test
- intensity.
- measure: The intensity of the used tools are not modified to save time.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 1
- level: 1
- implementation: []
- references:
- samm2:
- - V-ST-1-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- High test intensity:
- uuid: 2ebfc421-8c76-415c-a3b0-fa518915bd10
- risk: A too small intensity or a too high confidence might lead to not visible
- vulnerabilities.
- measure: A deep scan with high test intensity and a low confidence threshold
- is performed.
- difficultyOfImplementation:
- knowledge: 3
- time: 3
- resources: 5
- usefulness: 3
- level: 3
- implementation: []
- references:
- samm2:
- - V-ST-2-A
- iso27001-2017:
- - 12.6.1
- - 14.2.1
- - 14.2.5
- iso27001-2022:
- - 8.8
- - 8.25
- - 8.27
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
- Regular automated tests:
- uuid: 598897a2-358e-441f-984c-e12ec4f6110a
- risk: After pushing source code to the version control system, any delay in
- receiving feedback on defects makes them harder for the developer to remediate.
- measure: On each push and/or at given intervals automatic security tests are
- performed.
- difficultyOfImplementation:
- knowledge: 1
- time: 1
- resources: 1
- usefulness: 2
- level: 2
- implementation: []
- references:
- samm2:
- - I-SB-3-A
- - V-ST-3-A
- iso27001-2017:
- - 14.2.3
- - 14.2.8
- - 14.2.9
- iso27001-2022:
- - 8.32
- - 8.29
- openCRE:
- - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a
- comments: ""
- tags:
- - none
- teamsImplemented:
- Default: false
- B: false
- C: false
-...