---
Build and Deployment:
Build:
Building and testing of artifacts in virtual environments:
uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3
description: |-
While building and testing artifacts, third-party systems, application frameworks
and third-party libraries are used. These might be malicious as a result of
vulnerable libraries or because they were altered during the delivery phase.
risk: |-
While building and testing artifacts, third-party systems, application frameworks
and third-party libraries are used. These might be malicious as a result of
vulnerable libraries or because they were altered during the delivery phase.
measure: Each step within the build and testing phase is performed in a separate
virtual environment, which is destroyed afterwards.
meta:
implementationGuide: Depending on your environment, using virtual machines
or container technology is a good approach. After the build, the filesystem
should not be reused in other builds.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 2
level: 2
implementation:
- uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
name: CI/CD tools
tags:
- ci-cd
url: https://martinfowler.com/articles/continuousIntegration.html
description: CI/CD tools such as Jenkins, GitLab CI or GitHub Actions
- uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11
name: Container technologies and orchestration like Docker, Kubernetes
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/
references:
samm2:
- I-SB-2-A
iso27001-2017:
- 14.2.6
iso27001-2022:
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Defined build process:
uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b
description: |-
A *build process* includes more than just compiling your source code.
It also includes steps such as managing (third-party) dependencies,
environment configuration, running the unit tests, etc.

A *defined build process* has automated these steps to ensure consistency.

This can be done with a Jenkinsfile, Maven, or similar tools.
risk: Performing builds without a defined process is error-prone; for example,
it may result in incorrect security-related configuration.
measure: A well-defined build process reduces the likelihood of errors during
the build.
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 2
usefulness: 4
level: 1
assessment: |
- Show your build pipeline and an exemplary job (build + test).
- Show that every team member has access.
- Show that failed jobs are fixed.
Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
implementation:
- uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
name: CI/CD tools
tags:
- ci-cd
url: https://martinfowler.com/articles/continuousIntegration.html
description: CI/CD tools such as Jenkins, GitLab CI or GitHub Actions
- uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11
name: Container technologies and orchestration like Docker, Kubernetes
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/
references:
samm2:
- I-SB-1-A
iso27001-2017:
- 12.1.1
- 14.2.2
iso27001-2022:
- 5.37
- 8.32
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Pinning of artifacts:
uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477
risk: Unauthorized manipulation of artifacts might be difficult to spot. For
example, this may result in using images with malicious code. Also, intended
major upstream changes that are picked up automatically by an image might break
its functionality.
measure: Pinning of artifacts ensures that changes are performed only when intended.
comment: The usage of pinning requires a good patching process. Therefore,
choose this activity wisely.
meta:
implementationGuide: Pinning artifacts in a Dockerfile refers to the practice
of using specific, immutable versions of base images and dependencies in
your build process. Instead of using the `latest` tag for your base image,
select a specific version or digest. For example, replace `FROM node:latest`
with `FROM node@sha256:abcdef12...`.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 2
implementation:
- uuid: 9368abfb-cf37-477a-9091-a804d2de9148
name: Signing of containers
tags:
- signing
- container
- build
url: https://www.aquasec.com/cloud-native-academy/supply-chain-security/container-image-signing/
description: Container technology automatically creates a content hash (digest)
for each image, which can be used for pinning.
- uuid: 638b3691-c9a5-45fa-9ba8-e40aeea32766
name: Immutable images
tags:
- deployment
- container
- build
url: https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification
description: Immutable images are another option, e.g. by using a registry
that does not allow overwriting of images.
dependsOn:
- Defined build process
references:
samm2:
- I-SB-1-A
iso27001-2017:
- 14.2.6
iso27001-2022:
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
SBOM of components:
uuid: 2858ac12-0179-40d9-9acf-1b839c030473
description: |-
SBOM (Software Bill of Materials) is a document that lists all components, libraries,
and dependencies used in a software application or container image. Creating an SBOM
during the build process can help ensure transparency, security, and license compliance
for your application.
risk: In case a vulnerability of severity high or critical exists, it needs
to be known where an artifact with that vulnerability is deployed and with which
dependencies.
measure: Creation of an SBOM of components (e.g. application and container image
content) during build.
dependsOn:
- Defined build process
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 3
usefulness: 3
level: 2
implementation: []
references:
samm2: []
iso27001-2017:
- 8.1
- 8.2
iso27001-2022:
- 5.9
- 5.12
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Signing of artifacts:
uuid: 5786959d-0c6f-46a6-8e1c-a32ff1a50222
risk: Execution or usage of malicious code or data e.g. via executables, libraries
or container images.
measure: Digitally signing artifacts at every step of the build, and especially
Docker images, helps to ensure their integrity and authenticity.
description: |-
To perform a push to a GitHub repository, you must be authenticated.
It's important to note that GitHub does not verify whether the authenticated user's
email address matches the one in the commit.
To clearly identify the author of a commit for reviewers, commit signing is recommended.

GitHub Actions such as [semantic-release-action](https://github.com/cycjimmy/semantic-release-action)
do not automatically sign commits and may encounter issues as a result.

To address this, you can refer to a working configuration example in the [workflow
folder](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/.github/workflows/main.yml)
of DSOMM, which demonstrates how to use semantic-release-action in conjunction
with [planetscale/ghcommit-action](https://github.com/planetscale/ghcommit-action).
For added security, consider using [Fine-grained personal access tokens](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/)
provided by your organization for a specific repository. Store the Personal
Access Token (PAT) as a secret in your project.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
level: 5
implementation:
- uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6
name: Docker Content Trust
tags: []
url: https://docs.docker.com/engine/security/trust/
- uuid: 6e9d8c14-ba3b-4698-afc3-365b4ab6fb1f
name: in-toto
tags: []
url: https://in-toto.github.io/
dependsOn:
- Defined build process
- Pinning of artifacts
references:
samm2:
- I-SB-1-A
iso27001-2017:
- 14.2.6
iso27001-2022:
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Signing of code:
uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665
risk: Execution or usage of malicious code or data e.g. via executables, libraries
or container images.
measure: Digitally signing commits helps to prevent unauthorized manipulation
of source code.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
implementation:
- uuid: d6d755d3-b9f1-4942-a084-e62b266541df
name: Signing of commits
tags:
- signing
url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
description: Signing of commits in git
- uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4
name: Enforcement of commit signing
tags:
- signing
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
description: Usage of branch protection rules
dependsOn:
- Defined build process
references:
samm2:
- I-SB-2-A
iso27001-2017:
- 14.2.6
iso27001-2022:
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Deployment:
Blue/Green Deployment:
uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97
risk: A new artifact's version can have unknown defects.
measure: |-
Using a blue/green deployment strategy increases application availability
and reduces deployment risk by simplifying the rollback process if a deployment fails.
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 1
usefulness: 2
level: 5
implementation:
- uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2
name: Blue/Green Deployments
tags: []
url: https://martinfowler.com/bliki/BlueGreenDeployment.html
dependsOn:
- Smoke Test
references:
samm2:
- TODO
iso27001-2017:
- 17.2.1
- 12.1.1
- 12.1.2
- 12.1.4
- 12.5.1
- 14.2.9
iso27001-2022:
- 8.14
- 5.37
- 8.31
- 8.32
- 8.19
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Defined decommissioning process:
uuid: da4ff665-dcb9-4e93-9d20-48cdedc50fc2
description: |-
The decommissioning process in the context of Docker and Kubernetes involves
retiring Docker containers, images, and Kubernetes resources that are no longer
needed or have been replaced. This process must be carefully executed to avoid
impacting other services and applications.
risk: Unused applications are not maintained and may contain vulnerabilities.
Once exploited, they can be used to attack other applications or to perform
lateral movement within the organization.
measure: A clear decommissioning process ensures the removal of unused applications
from the `Inventory of production components` and, if implemented, from the `Inventory
of production artifacts`.
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 1
usefulness: 2
level: 2
references:
samm2:
- O-OM-2-B
iso27001-2017:
- 11.2.7
iso27001-2022:
- 7.14
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Defined deployment process:
uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
risk: Deployment of insecure or malfunctioning artifacts.
measure: Defining a deployment process ensures that there are established criteria
in terms of functionalities, security, compliance, and performance, and that
the artifacts meet them.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 1
dependsOn:
- Defined build process
implementation:
- uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
name: CI/CD tools
tags:
- ci-cd
url: https://martinfowler.com/articles/continuousIntegration.html
description: CI/CD tools such as Jenkins, GitLab CI or GitHub Actions
- uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
name: Docker
url: https://github.com/moby/moby
tags: []
references:
samm2:
- I-SD-1-A
iso27001-2017:
- 12.1.1
- 14.2.2
iso27001-2022:
- 5.37
- 8.32
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Environment depending configuration parameters (secrets):
uuid: df428c9d-efa0-4226-9f47-a15bb53f822b
risk: Unauthorized access to secrets stored in source code or in artifacts (e.g.
container images), or exposed through process listing (e.g. ps -ef).
measure: Set configuration parameters via environment variables stored using
platform-specific functionality or secrets management systems (e.g. Kubernetes
Secrets or HashiCorp Vault).
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 2
implementation:
- uuid: e3a2ffc8-313f-437e-9663-b24591568209
name: HashiCorp Vault
tags:
- authentication
- authorization
- secrets
- infrastructure
url: https://github.com/hashicorp/vault
description: |
A tool for secrets management, encryption as a service, and privileged access management.
references:
samm2:
- I-SD-1-B
iso27001-2017:
- 9.4.5
- 14.2.6
iso27001-2022:
- 8.4
- 8.31
d3f:
- ApplicationConfigurationHardening
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b
tags:
- secret
teamsImplemented:
Default: false
B: false
C: false
Evaluation of the trust of used components:
uuid: 0de465a6-55a7-4343-af79-948bb5ff10ba
risk: Application and system components like open source libraries or images
can have implementation flaws or deployment flaws. Developers or operators
might start arbitrary images in the production cluster which contain malicious code
or known vulnerabilities.
measure: Each component's source is evaluated for trustworthiness; for example,
the origin, the number of developers involved, the email configuration used by
maintainers (to prevent maintainer account theft), typo-squatting, etc. Create image
assessment criteria, evaluate images and create a whitelist of artifacts/container
images/virtual machine images.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: 2a76300f-6b1f-4a51-b925-134c36b723af
name: Kubernetes Admission Controller can whitelist registries and/or whitelist
a signing key.
tags: []
url: https://medium.com/slalom-technology/build-a-kubernetes-dynamic-admission-controller-for-container-registry-whitelisting-b46fe020e22d
- uuid: 5d8b27ac-286e-47a5-b23f-769eb6d74e4a
name: packj
tags:
- OpenSource
- Supply Chain
- vulnerability
url: https://github.com/ossillate-inc/packj
description: |
Packj is a tool to detect software supply chain attacks. It can detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages from popular open-source package registries, such as NPM, RubyGems, and PyPI.
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Handover of confidential parameters:
uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a
risk: Parameters are often used to set credentials, for example when starting
containers or applications; these parameters can often be seen by anyone
listing running processes on the target system.
measure: Encryption ensures confidentiality of credentials e.g. from unauthorized
access on the file system. Also, the usage of a credential management system
can help protect credentials.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 3
implementation: ""
dependsOn:
- Environment depending configuration parameters (secrets)
references:
samm2:
- I-SD-2-B
iso27001-2017:
- 14.1.3
- 13.1.3
- 9.4.3
- 9.4.1
- 10.1.2
iso27001-2022:
- 8.33
- 8.22
- 5.17
- 8.3
- 8.24
d3f:
- ApplicationConfigurationHardening
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a
tags:
- secret
teamsImplemented:
Default: false
B: false
C: false
Inventory of production artifacts:
uuid: 83057028-0b77-4d2e-8135-40969768ae88
risk: In case a vulnerability of severity high or critical exists, it needs
to be known where an artifact (e.g. container image) with that vulnerability
is deployed.
measure: A documented inventory of artifacts in production like container images
exists (gathered manually or automatically).
dependsOn:
- Defined deployment process
- Inventory of production components
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 3
usefulness: 3
level: 2
implementation:
- uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
name: Backstage
tags:
- documentation
- inventory
url: https://github.com/backstage/backstage
description: |
Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- inventory
- uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
name: Image Metadata Collector
tags:
- documentation
- inventory
- kubernetes
url: https://github.com/SDA-SE/image-metadata-collector/
description: |
Collects namespaces, including responsible team and contact info, through annotations/labels from Kubernetes clusters. Results are available as JSON and can be uploaded to S3, GitHub and an API.
references:
samm2:
- I-SD-2-A
iso27001-2017:
- 8.1
- 8.2
iso27001-2022:
- 5.9
- 5.12
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/83057028-0b77-4d2e-8135-40969768ae88
tags:
- inventory
teamsImplemented:
Default: false
B: false
C: false
Inventory of production components:
uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f
risk: An organization is unaware of components like applications in production.
Not knowing which applications exist in production leads to them not being assessed.
measure: |-
A documented inventory of components in production exists (gathered manually or automatically). For example, a manually created document listing the applications in production.
In a Kubernetes cluster, namespaces can be gathered and documented automatically, e.g. as JSON in an S3 bucket or git repository, or in Dependency-Track.
dependsOn:
- Defined deployment process
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 4
level: 1
implementation:
- uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
name: Backstage
tags:
- documentation
- inventory
url: https://github.com/backstage/backstage
description: |
Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- inventory
- uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
name: Image Metadata Collector
tags:
- documentation
- inventory
- kubernetes
url: https://github.com/SDA-SE/image-metadata-collector/
description: |
Collects namespaces, including responsible team and contact info, through annotations/labels from Kubernetes clusters. Results are available as JSON and can be uploaded to S3, GitHub and an API.
references:
samm2:
- I-SD-2-A
iso27001-2017:
- 8.1
- 8.2
iso27001-2022:
- 5.9
- 5.12
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f
tags:
- inventory
teamsImplemented:
Default: false
B: false
C: false
Inventory of production dependencies:
uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6
risk: Delayed identification of components and their vulnerabilities in production.
In case a vulnerability is known to the organization, it needs to be known
where an artifact with that vulnerability is deployed and with which dependencies.
measure: A documented inventory of dependencies used in artifacts like container
images and containers exists.
dependsOn:
- Inventory of production artifacts
- SBOM of components
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 3
usefulness: 3
level: 3
implementation:
- uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
name: Backstage
tags:
- documentation
- inventory
url: https://github.com/backstage/backstage
description: |
Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- inventory
- uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
name: Image Metadata Collector
tags:
- documentation
- inventory
- kubernetes
url: https://github.com/SDA-SE/image-metadata-collector/
description: |
Collects namespaces, including responsible team and contact info, through annotations/labels from Kubernetes clusters. Results are available as JSON and can be uploaded to S3, GitHub and an API.
references:
samm2:
- I-SD-2-A
iso27001-2017:
- 8.1
- 8.2
iso27001-2022:
- 5.9
- 5.12
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/13e9757e-58e2-4277-bc0f-eadc674891e6
comments: ""
tags:
- inventory
- sbom
teamsImplemented:
Default: false
B: false
C: false
Rolling update on deployment:
uuid: 85d52588-f542-4225-a338-20dc22a5508d
risk: While a deployment is performed, the application cannot be reached.
measure: A deployment without downtime is performed.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 2
level: 3
implementation:
- uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
name: Docker
url: https://github.com/moby/moby
tags: []
- uuid: a71ce8f8-fd4a-4240-8b46-64a6cdb5dfdb
name: Webserver
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:WebServer/
- uuid: ee2eb94b-7204-40d8-97da-43c7b1296e2e
name: rolling update
tags: []
dependsOn:
- Defined deployment process
references:
samm2:
- I-SD-1-A
iso27001-2017:
- 12.5.1
- 14.2.2
- 17.2.1
iso27001-2022:
- 8.19
- 8.32
- 8.14
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Same artifact for environments:
uuid: a854b48d-83bd-4f8d-8621-a0bdd470837f
risk: Building separate artifacts for different environments means that an untested
artifact might reach the production environment.
measure: Building an artifact once and deploying it to different environments
means that only tested artifacts are allowed to reach the production environment.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 4
implementation:
- uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
name: Docker
url: https://github.com/moby/moby
tags: []
dependsOn:
- Defined build process
references:
samm2:
- I-SD-2-A
iso27001-2017:
- 14.3.1
- 14.2.8
- 12.1.4
iso27001-2022:
- 8.33
- 8.29
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of feature toggles:
uuid: a511799b-045e-4b96-9843-7d63d8c1e2ad
risk: Using environment variables to enable or disable features can lead to
a situation where a feature is accidentally enabled in the production environment.
measure: Usage of environment-independent configuration parameters, called static
feature toggles, mitigates the risk of accidentally enabling insecure features
in production.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 2
level: 4
implementation:
- uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
name: Docker
url: https://github.com/moby/moby
tags: []
- uuid: 83be6c60-6633-4c32-98de-7ae065c143c9
name: Feature Toggles
tags:
- development
- architecture
url: https://martinfowler.com/articles/feature-toggles.html
description: |
Feature Toggles are a powerful technique, allowing teams to modify system behavior without changing code. (Pete Hodgson)
dependsOn:
- Same artifact for environments
references:
samm2: []
iso27001-2017:
- 14.3.1
- 14.2.8
- 14.2.9
- 12.1.4
iso27001-2022:
- 8.33
- 8.29
- 8.31
d3f:
- ApplicationConfigurationHardening
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Patch Management:
A patch policy is defined:
uuid: 99415139-6b50-441b-89e1-0aa59accd43d
risk: Vulnerabilities in running artifacts remain for a long time and might get exploited.
measure: A patch policy for all artifacts (e.g. in images) is defined. How often
is an image rebuilt?
difficultyOfImplementation:
knowledge: 3
time: 1
resources: 2
usefulness: 4
level: 1
implementation: []
references:
samm2:
- O-EM-1-B
iso27001-2017:
- 12.6.1
- 12.5.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.19
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/99415139-6b50-441b-89e1-0aa59accd43d
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Automated PRs for patches:
uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488
risk: Components with known (or unknown) vulnerabilities might remain for a long
time and get exploited, even when a patch is available.
measure: |-
Fast patching of third-party components is needed. The DevOps way is to have an automated pull request for new component versions. This includes:
* Applications
* Virtualized operating system components (e.g. container images)
* Operating systems
* Infrastructure as Code/GitOps (e.g. Argo CD based on a git repository, or Terraform)
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
level: 1
implementation:
- uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
name: dependabot
tags:
- auto-pr
- patching
url: https://dependabot.com/
- uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971
name: Jenkins
tags: []
url: https://www.jenkins.io/
- uuid: 0d63f907-37fe-4375-88a5-a5e252732618
name: terraform
tags:
- IaC
url: https://www.terraform.io/
description: |
Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service.
- uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
name: renovate
tags:
- auto-pr
- patching
url: https://github.com/renovatebot/renovate
references:
samm2:
- O-EM-1-B
iso27001-2017:
- 12.6.1
- 14.2.5
iso27001-2022:
- "8.8"
- "8.27"
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/8ae0b92c-10e0-4602-ba22-7524d6aed488
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Automated deployment of automated PRs:
uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d
description: Automated merging of automatically created PRs for outdated dependencies.
risk: Even if automated dependency PRs are merged, they might not be deployed.
This results in vulnerabilities in running artifacts remaining for too long, where
they might get exploited.
measure: |
After merging an automated dependency PR, automated deployment is needed.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 3
level: 3
dependsOn:
- Automated merge of automated PRs
implementation:
- uuid: 0d63f907-37fe-4375-88a5-a5e252732618
name: terraform
tags:
- IaC
url: https://www.terraform.io/
description: |
Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service.
- uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f
name: argoCD
tags:
- deployment
url: https://argo-cd.readthedocs.io/en/stable/
references:
samm2:
- O-EM-2-B
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/08f27c26-2c6a-47fe-9458-5e88f188085d
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Automated merge of automated PRs:
uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb
description: Automated merging of automatically created PRs for outdated dependencies.
risk: Vulnerabilities in running artifacts remain for too long and might get exploited.
measure: |
A good practice is to merge trusted dependencies (e.g. Spring Boot) after a grace period such as one week.
Often, patches, fixes and minor updates are merged automatically. Be aware that automated merging requires high
automated test coverage. Enforce the merging of pull requests after the grace period.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 3
level: 2
dependsOn:
- Automated PRs for patches
implementation:
- uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
name: dependabot
tags:
- auto-pr
- patching
url: https://dependabot.com/
- uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
name: renovate
tags:
- auto-pr
- patching
url: https://github.com/renovatebot/renovate
references:
samm2:
- O-EM-2-B
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/f2594f8f-1cd6-45f9-af29-eaf3315698eb
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Nightly build of images (base images):
uuid: 34869eaf-f2e1-4926-b0bd-28c43402f057
description: |-
A base image is a pre-built image that serves as a starting point for building
new images or containers. These base images usually include an operating system,
necessary dependencies, libraries, and other components that are required to run
a specific application or service. Nightly builds of custom base images refer to
an automated process that occurs daily or on a scheduled basis, usually during
nighttime or off-peak hours, to create updated versions of custom base images.
risk: Vulnerabilities in running containers remain for too long and might get
exploited.
measure: Custom base images are built at least nightly. If the packages in the
base image (e.g. CentOS) have changed, the build server triggers the build of
dependent images.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 2
usefulness: 3
level: 2
implementation: []
references:
samm2:
- O-EM-1-B
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
Management/34869eaf-f2e1-4926-b0bd-28c43402f057
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Reduction of the attack surface:
uuid: 16e39c8f-5336-4001-88ed-a552d2447531
description: |-
Distroless images are minimal, stripped-down base images that contain only the
essential components required to run your application. They do not include package
managers, shells, or any other tools that are commonly found in standard Linux
distributions. Using distroless images can help reduce the attack surface and
overall size of your container images.
risk: Components, dependencies, files or file access rights might have vulnerabilities,
but they are not needed.
measure: Removal of unneeded components, dependencies, files or file access
rights. For container images the usage of distroless images is recommended.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 2
usefulness: 3
level: 2
implementation:
- uuid: ef647044-b675-47d3-9720-3ebc144ef37b
name: Distroless
tags: []
url: https://github.com/GoogleContainerTools/distroless
- uuid: be757cb3-63d6-4a63-9c4e-e10b746fd47a
name: Fedora CoreOS
tags: []
url: https://getfedora.org/coreos
- uuid: a92c4f8f-a918-406a-b1e5-70acfc0477bd
name: Distroless or Alpine
tags: []
url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22
references:
samm2:
- I-SB-2
iso27001-2017:
- hardening is missing in ISO 27001
- 14.2.1
iso27001-2022:
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
Management/16e39c8f-5336-4001-88ed-a552d2447531
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Usage of a maximum lifetime for images:
uuid: 485a3383-7f2e-4dba-bb84-479377070904
description: |-
The maximum lifetime for a Docker container refers to the duration a container
should be allowed to run before it is considered outdated, stale, or insecure.
There is not a fixed, universally applicable maximum lifetime for a Docker
container, as it varies depending on the specific use case, application
requirements, and security needs. As a best practice, it is essential to define
a reasonable maximum lifetime for containers to ensure that you consistently
deploy the most recent, patched, and secure versions of both your custom base
images and third-party images.
risk: Vulnerabilities in images of running containers stay for too long and
might get exploited. Long-running containers have potential memory leaks.
A compromised container might get killed by restarting the container (e.g.
in case the attacker has not reached the persistence layer).
measure: A short maximum lifetime for images is defined, e.g. 30 days. The project
images, based on the nightly built images, are deployed at least once within
the defined lifetime. Third party images are deployed at least once within
the defined lifetime.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 2
usefulness: 3
level: 2
implementation: []
references:
samm2:
- O-EM-1-B
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
Management/485a3383-7f2e-4dba-bb84-479377070904
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Usage of a short maximum lifetime for images:
uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e
description: |-
The maximum lifetime for a Docker container refers to the duration a container
should be allowed to run before it is considered outdated, stale, or insecure.
There is not a fixed, universally applicable maximum lifetime for a Docker
container, as it varies depending on the specific use case, application
requirements, and security needs. As a best practice, it is essential to define
a reasonable maximum lifetime for containers to ensure that you consistently
deploy the most recent, patched, and secure versions of both your custom base
images and third-party images.
risk: Vulnerabilities in running containers stay for too long and might get
exploited.
measure: |
A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 2
usefulness: 3
level: 4
implementation:
- uuid: 1a463242-b480-46f6-a912-b51ec1c1558d
name: "Sample concept: \n(1"
tags: []
description: "Sample concept: \n(1) each container has a set lifetime and
is killed / replaced with a new container multiple times a day, where you
have some form of graceful replacement to ensure no (short) service outage
will occur for the end users. \n(2) twice a day a rebuild of images is done.
The rebuilds are put into an automated testing pipeline. If the testing has
no blocking issues, the new images are released for deployment during
the next \"restart\" of a container. What has to be done is to ensure the
new containers are deployed in a canary deployment manner; this will
ensure that if (and only if) something buggy has been introduced which breaks
functionality, the canary deployment will make sure the \"older version\"
is being used and not the buggy newer one."
references:
samm2:
- O-EM-2-B
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch
Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e
comments: ""
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Culture and Organization:
Design:
Conduction of advanced threat modeling:
uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9
risk: Inadequate identification of business and technical risks.
measure: Threat modeling is performed by reviewing user stories and producing
security-driven data flow diagrams.
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 2
usefulness: 3
level: 4
dependsOn:
- Conduction of simple threat modeling on technical level
- Creation of threat modeling processes and standards
description: |
**Example High Maturity Scenario:**
Based on a detailed threat model defined and updated through code, the team decides the following:
* Local encrypted caches need to expire and be auto-purged.
* Communication channels are encrypted and authenticated.
* All secrets are persisted in a shared secrets store.
* Frontend is designed with permissions model integration.
* Permissions matrix is defined.
* Input is escaped and output is encoded appropriately using well established libraries.
Source: OWASP Project Integration Project
implementation:
- uuid: c0533602-11b7-4838-93cc-a40556398163
name: Whiteboard
tags:
- defender
- threat-modeling
- collaboration
- whiteboard
url: https://en.wikipedia.org/wiki/Whiteboard
- uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1
name: Miro (or any other collaborative board)
tags:
- defender
- threat-modeling
- collaboration
- whiteboard
url: https://miro.com/
- uuid: 088794c4-3424-40d4-9084-4151587fc84d
name: Draw.io
tags:
- defender
- threat-modeling
- whiteboard
url: https://github.com/jgraph/drawio-desktop
- uuid: fd0f282b-a065-4464-beed-770c604a5f52
name: Threat Modeling Playbook
tags:
- owasp
- defender
- threat-modeling
- whiteboard
url: https://github.com/Toreon/threat-model-playbook
- uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52
name: OWASP SAMM
tags:
- threat-modeling
- owasp
- defender
url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c
name: Threagile
tags:
- threat-modeling
url: https://github.com/Threagile/threagile
- uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617
name: Threat Matrix for Storage
url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/
tags:
- documentation
- storage
- cluster
- kubernetes
references:
samm2:
- D-TA-2-B
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 8.2.1
- 14.2.1
iso27001-2022:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 5.12
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Conduction of simple threat modeling on business level:
uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426
risk: Business related threats are discovered too late in the development and
deployment process.
measure: Threat modeling of business functionality is performed during the product
backlog creation to facilitate early detection of security defects.
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 1
usefulness: 3
level: 3
implementation: []
references:
samm2:
- D-TA-2-B
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 8.2.1
- 14.2.1
iso27001-2022:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 5.12
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Conduction of simple threat modeling on technical level:
uuid: 47419324-e263-415b-815d-e7161b6b905e
risk: Technical threats are discovered too late in the development and
deployment process.
measure: Threat modeling of technical features is performed during the product
sprint planning.
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 1
usefulness: 3
level: 1
implementation:
- uuid: c0533602-11b7-4838-93cc-a40556398163
name: Whiteboard
tags:
- defender
- threat-modeling
- collaboration
- whiteboard
url: https://en.wikipedia.org/wiki/Whiteboard
- uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1
name: Miro (or any other collaborative board)
tags:
- defender
- threat-modeling
- collaboration
- whiteboard
url: https://miro.com/
- uuid: 088794c4-3424-40d4-9084-4151587fc84d
name: Draw.io
tags:
- defender
- threat-modeling
- whiteboard
url: https://github.com/jgraph/drawio-desktop
- uuid: fd0f282b-a065-4464-beed-770c604a5f52
name: Threat Modeling Playbook
tags:
- owasp
- defender
- threat-modeling
- whiteboard
url: https://github.com/Toreon/threat-model-playbook
- uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52
name: OWASP SAMM
tags:
- threat-modeling
- owasp
- defender
url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617
name: Threat Matrix for Storage
url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/
tags:
- documentation
- storage
- cluster
- kubernetes
description: |
# OWASP SAMM Description
Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.
Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.
At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use.
Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage.
Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/
# OWASP Project Integration Description
There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/).
OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
There are a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another.
> Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._

Last, if the organization maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging its questionnaire function.

This practice has the side effect that it trains non-security specialists to think like attackers.
The outcomes of this stage should help lay the foundation of secure design and considerations.
**Example Low Maturity Scenario:**
Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext.
Frontend serves data over GraphQL as a thin layer between caching system and end user.
GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes.
Source: OWASP Project Integration Project
references:
samm2:
- D-TA-2-B
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 8.2.1
- 14.2.1
iso27001-2022:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 5.12
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Creation of advanced abuse stories:
uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e
risk: Simple user stories are not going deep enough. Relevant security considerations
are performed. Security flaws are discovered too late in the development and
deployment process.
measure: Advanced abuse stories are created as part of threat modeling activities.
difficultyOfImplementation:
knowledge: 4
time: 2
resources: 1
usefulness: 4
level: 5
dependsOn:
- Creation of simple abuse stories
implementation:
- uuid: bb5b8988-021b-452a-a914-bd36887b6860
name: Don't Forget EVIL User stories
tags: []
url: https://www.owasp.org/index.php/Agile_Software_Development
description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
and [Practical Security Stories and Security Tasks for Agile Development
Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)'
references:
samm2:
- D-TA-2-B
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of project management
- 6.1.5
- May be part of risk assessment
- 8.1.2
iso27001-2022:
- Not explicitly covered by ISO 27001
- May be part of project management
- 5.8
- May be part of risk assessment
- 5.9
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Creation of simple abuse stories:
uuid: bacf85b6-5bc0-405d-b5ba-a5d971467cc1
risk: User stories mostly don't consider security implications. Security flaws
are discovered too late in the development and deployment process.
measure: Abuse stories are created during the creation of user stories.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 3
implementation:
- uuid: bb5b8988-021b-452a-a914-bd36887b6860
name: Don't Forget EVIL User stories
tags: []
url: https://www.owasp.org/index.php/Agile_Software_Development
description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
and [Practical Security Stories and Security Tasks for Agile Development
Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)'
dependsOn:
- Conduction of simple threat modeling on technical level
- Creation of threat modeling processes and standards
references:
samm2:
- D-TA-2-B
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of project management
- 6.1.5
- May be part of risk assessment
- 8.1.2
iso27001-2022:
- Not explicitly covered by ISO 27001
- May be part of project management
- 5.8
- May be part of risk assessment
- 5.9
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Creation of threat modeling processes and standards:
uuid: dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e
risk: Inadequate identification of business and technical risks.
measure: Creation of threat modeling processes and standards throughout the organization
helps to enhance the security culture and provides more structure to the threat
modeling exercises.
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 2
usefulness: 3
level: 3
description: ""
implementation:
- uuid: fd0f282b-a065-4464-beed-770c604a5f52
name: Threat Modeling Playbook
tags:
- owasp
- defender
- threat-modeling
- whiteboard
url: https://github.com/Toreon/threat-model-playbook
- uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52
name: OWASP SAMM
tags:
- threat-modeling
- owasp
- defender
url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
dependsOn:
- Conduction of simple threat modeling on technical level
references:
samm2:
- D-TA-3-B
iso27001-2017:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 8.2.1
- 14.2.1
iso27001-2022:
- Not explicitly covered by ISO 27001
- May be part of risk assessment
- 5.12
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Information security targets are communicated:
uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885
risk: Employees don't know their organization's security targets. Therefore security
is not considered during development and administration as much as it should
be.
measure: Transparent and timely communication of the security targets by senior
management is essential to ensure teams' buy-in and support.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 3
level: 2
implementation: []
references:
samm2: []
iso27001-2017:
- 5.1.1
- 7.2.1
iso27001-2022:
- 5.1
- 5.4
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Education and Guidance:
Ad-Hoc Security trainings for software developers:
uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298
risk: Understanding security is hard and personnel need to be trained on it.
Otherwise, flaws like an SQL Injection might be introduced into the software
which might get exploited.
measure: Provide security awareness training for all personnel involved in software
development on an ad-hoc basis.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 3
level: 1
implementation:
- uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
name: OWASP Juice Shop
tags:
- training
url: https://github.com/bkimminich/juice-shop
description: In case you do not have the budget to hire an external security
expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
name: OWASP Cheatsheet Series
tags:
- secure coding
url: https://cheatsheetseries.owasp.org/
references:
samm2:
- G-EG-1-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Aligning security in teams:
uuid: f994a55d-71bb-45a4-a887-0a213d72c504
risk: The concept of Security Champions might suggest that only he/she is responsible
for security. However, everyone in the project team should be responsible
for security.
measure: By aligning security Subject Matter Experts with project teams, a higher
security standard can be achieved.
difficultyOfImplementation:
knowledge: 4
time: 4
resources: 1
usefulness: 5
implementation:
- uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3
name: Involve Security SME
tags: []
description: Security SMEs are involved in discussions on requirements analysis,
software design and sprint planning to provide guidance and suggestions.
level: 4
references:
samm2:
- G-EG-3-B
iso27001-2017:
- 7.1.1
iso27001-2022:
- 6.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Conduction of build-it, break-it, fix-it contests:
uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8
risk: Understanding security is hard, even for security champions, and security
training often focuses on breaking a component instead of building a secure
component.
measure: The build-it, break-it, fix-it contest allows people in security-related
roles, such as security champions, to train the build, break and fix parts
of a secure application. This improves the learning of how to build secure components.
difficultyOfImplementation:
knowledge: 5
time: 3
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f
name: Build it Break it Fix it Contest
tags: []
url: https://builditbreakit.org/
references:
samm2:
- G-EG-2-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Conduction of collaborative security checks with developers and system administrators:
uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2
risk: Security checks by external companies do not increase the understanding
of an application/system for internal employees.
measure: Periodic security reviews of source code (SCA), in which security
SMEs, developers and operations are involved, are effective at increasing the
robustness of software and the security knowledge of the teams involved.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 1
usefulness: 3
level: 5
implementation: []
references:
samm2:
- G-EG-2-A
iso27001-2017:
- Mutual review of source code is not explicitly required in ISO 27001 may
be
- 7.2.2
- 12.6.1
- 12.7.1
iso27001-2022:
- Mutual review of source code is not explicitly required in ISO 27001 may
be
- 6.3
- 8.8
- 8.34
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Conduction of collaborative team security checks:
uuid: 35446784-7610-40d9-af9e-d43f3173bf8c
risk: Development teams have limited insight into security practices.
measure: Mutual security testing of other teams' projects enhances
security awareness and knowledge.
difficultyOfImplementation:
resources: 2
knowledge: 4
time: 4
usefulness: 2
level: 4
implementation: []
references:
samm2:
- G-EG-1-A
- G-EG-2-A
iso27001-2017:
- Mutual security testing is not explicitly required in ISO 27001 may be
- 7.2.2
iso27001-2022:
- Mutual security testing is not explicitly required in ISO 27001 may be
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Conduction of war games:
uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694
risk: Understanding incident response plans during an incident is hard and ineffective.
measure: War-game-like activities help train for incidents. Security SMEs create
attack scenarios in a testing environment, enabling the trainees to learn how
to react in case of an incident.
difficultyOfImplementation:
knowledge: 4
time: 5
resources: 4
usefulness: 3
level: 4
implementation: []
references:
samm2:
- G-EG-2-A
iso27001-2017:
- War games are not explicitly required in ISO 27001 may be
- 7.2.2
- 16.1
- 16.1.5
iso27001-2022:
- War games are not explicitly required in ISO 27001 may be
- 6.3
- 5.24
- 5.26
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Each team has a security champion:
uuid: 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
risk: No one feels directly responsible for security and the security champion
does not have enough time to allocate to each team.
measure: Each team defines an individual to be responsible for security. These
individuals are often referred to as 'security champions'.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 1
usefulness: 4
level: 2
description: |
Implement a program where each software development team has a member considered a "Security Champion" who is the liaison between Information Security and developers. Depending on the size and structure of the team the "Security Champion" may be a software developer, tester, or a product manager. The "Security Champion" has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. "Security Champions" have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support "Security Champions" for cultural reasons.
The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, "Security Champions" assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
[Source: OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/)
implementation:
- uuid: c191a515-3c10-4903-a889-70c8021f2ea1
name: OWASP Security Champions Playbook
tags:
- security champions
url: https://github.com/c0rdis/security-champions-playbook
references:
samm2:
- G-EG-1-B
- G-EG-2-B
iso27001-2017:
- Security champions are missing in ISO 27001 most likely
- 7.2.1
- 7.2.2
iso27001-2022:
- Security champions are missing in ISO 27001 most likely
- 5.4
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Office Hours:
uuid: 185d5a74-19dc-4422-be07-44ea35226783
risk: Developers and Operations are not in contact with the security team and
therefore do not ask, prior to implementation, about (known or unknown) threats.
measure: As a security team, be open for questions and hints during defined
office hours.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 3
level: 3
implementation: ~
references:
samm2:
- G-EG-1-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/185d5a74-19dc-4422-be07-44ea35226783
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Regular security training for all:
uuid: 9768f154-357a-4c06-af6f-d66570677c9b
risk: Understanding security is hard.
measure: Provide security awareness training for all internal personnel involved
in software development on a regular basis, e.g. twice a year for 1-3 days.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 2
usefulness: 4
level: 2
description: |
Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.
Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.
Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.
[Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/)
implementation:
- uuid: 81476121-67dd-4ba9-a67b-e78a23050c28
name: OWASP JuiceShop
tags: []
url: https://github.com/bkimminich/juice-shop
description: |-
In case you do not have the budget to hire an external security expert, an option
is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday"
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
name: OWASP Cheatsheet Series
tags:
- secure coding
url: https://cheatsheetseries.owasp.org/
references:
samm2:
- G-EG-1-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/9768f154-357a-4c06-af6f-d66570677c9b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Regular security training for externals:
uuid: 31833d56-35af-4ef3-9300-f23d27646ce7
risk: Understanding security is hard.
measure: Provide security awareness training for all personnel including externals
involved in software development on a regular basis.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 3
usefulness: 4
level: 4
implementation:
- uuid: 81476121-67dd-4ba9-a67b-e78a23050c28
name: OWASP JuiceShop
tags: []
url: https://github.com/bkimminich/juice-shop
description: |-
In case you do not have the budget to hire an external security expert, an option
is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday"
- uuid: 99080ac7-60cd-46af-93a1-a53a33597cba
name: https://cheatsheetseries.owasp.org/
tags:
- training
- secure coding
url: https://cheatsheetseries.owasp.org/
references:
samm2:
- G-EG-3-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Regular security training of security champions:
uuid: f88d1b17-3d7d-4c3d-8139-ad44fc4942d4
risk: Understanding security is hard, even for security champions.
measure: Regular security training of security champions.
assessment: |
- Process Documentation: TODO
- Training Content: TODO
difficultyOfImplementation:
knowledge: 4
time: 2
resources: 2
usefulness: 5
level: 2
implementation:
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
name: OWASP Cheatsheet Series
tags:
- secure coding
url: https://cheatsheetseries.owasp.org/
dependsOn:
- Each team has a security champion
references:
samm2:
- D-TA-2-B
- G-EG-1-A
iso27001-2017:
- Security champions are missing in ISO 27001
- 7.2.2
iso27001-2022:
- Security champions are missing in ISO 27001
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Reward of good communication:
uuid: 91b6f75b-9f4a-4d77-95a2-af7ad3222c7c
risk: Employees are not getting excited about security.
measure: Good communication and transparency encourage cross-organizational
support. Gamification of security is also known to help; examples include
T-shirts, mugs, cups, gift cards and 'High-Fives'.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: 8e1b4a8a-c53b-4b1e-90f6-c60b7e225098
name: Motivate people
tags:
- security champions
- gamification
- nudging
url: https://github.com/wurstbrot/security-pins
description: |-
Motivation can be enhanced by distributing pins
as a reward, see [OWASP Security Pins Project](https://github.com/wurstbrot/security-pins)
- uuid: 22b63bdb-2003-4ac0-969d-b1e5268c2510
name: OWASP Top 10 Maturity Categories for Security Champions
tags:
- security champions
url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx
references:
samm2:
- G-EG-1-B
iso27001-2017:
- not required by ISO 27001
- interestingly enough, A7.2.3 requires a process to handle misconduct
but nothing to promote good behavior.
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Security Coaching:
uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
risk: Training does not change behaviour. Therefore, even if security practices
are understood, it's likely that they are not performed.
measure: By coaching teams on security topics, using for example the Samman coaching
method, teams internalize security practices as new habits in their development
process.
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 1
usefulness: 3
implementation:
- uuid: 9223be73-00da-400e-a910-3871734cff2f
name: sammancoaching
tags:
- documentation
- coaching
- education
url: https://sammancoaching.org/
description: |
Security coaches work with software development teams to help them adopt better security practices.
level: 3
references:
samm2:
- G-EG-3-B
iso27001-2017:
- 7.1.1
iso27001-2022:
- 6.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Security code review:
uuid: 7121b0c7-6ace-4d6b-95d0-94535dbccb57
risk: Understanding security is hard.
measure: |
The following areas of code tend to have a high risk of containing security vulnerabilities:
- Crypto implementations / usage
- Parsers, unparsers
- System configuration
- Authentication, authorization
- Session management
- Request throttling
- :unicorn: (self-developed code, only used in that one software)
description: |
### Benefits
- New vulnerabilities may be found before reaching production.
- Old vulnerabilities are found and fixed.
assessment: |
- Present the performed reviews (including participants, findings, consequences) and assess whether it is reasonable.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: c77f7ecd-76de-4611-bd6d-5b249f910c39
name: CWE Top 25 Most Dangerous Software Weaknesses
tags:
- documentation
- threat
url: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
credits: |
AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
references:
samm2:
- V-ST-1-B
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Security consulting on request:
uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0
risk: Not asking a security expert when questions regarding security appear
might lead to flaws.
measure: Security consulting to teams is given on request. The security consultants
can be internal or external.
difficultyOfImplementation:
knowledge: 3
time: 1
resources: 1
usefulness: 3
level: 1
implementation:
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
name: OWASP Cheatsheet Series
tags:
- secure coding
url: https://cheatsheetseries.owasp.org/
references:
samm2:
- G-EG-1-A
iso27001-2017:
- Security consulting is missing in ISO 27001; possibly covered by
- 6.1.1
- 6.1.4
- 6.1.5
iso27001-2022:
- Security consulting is missing in ISO 27001; possibly covered by
- 5.2
- 5.6
- 5.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Security-Lessoned-Learned:
uuid: 58c46807-fee9-448b-b6dd-8050c464ab52
risk: After an incident, a similar incident might reoccur.
measure: Running a 'lessons learned' session after an incident helps drive continuous
improvement. Regular meetings with security champions are a good place to
share and discuss lessons learned.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 3
level: 3
implementation: []
references:
samm2:
- O-IM-3-B
iso27001-2017:
- 16.1.6
iso27001-2022:
- 5.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple mob hacking:
uuid: 535f301a-e8e8-4eda-ad77-a08b035c92de
risk: Understanding security is hard.
measure: |
Participate with your whole team in a simple mob hacking session organized by the Security Champion Guild.
In the session the guild presents a vulnerable application and together you look at possible exploits.
Just like in mob programming there is one driver and several navigators.
description: |
### Guidelines for your simple mob hacking session
- All exploits happen via the user interface.
- No need for security/hacking tools.
- No need for deep technical or security knowledge.
- Use an insecure training app, e.g., [DVWA](https://dvwa.co.uk/) or [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/).
- Encourage active participation, e.g., use small groups.
- Allow enough time for everyone to run at least one exploit.
### Benefits
- The team gets an idea of what exploits can look like and how easily applications can be attacked.
- The team understands that functionally correct software can be highly insecure and easy to exploit.
difficultyOfImplementation:
knowledge: 5
time: 3
resources: 1
usefulness: 3
level: 3
credits: |
AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
implementation:
- uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
name: OWASP Juice Shop
tags:
- training
url: https://github.com/bkimminich/juice-shop
description: In case you do not have the budget to hire an external security
expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529
name: Damn Vulnerable Web Application
tags:
- training
description: Simple Application with intended vulnerabilities. HTML based.
references:
samm2:
- G-EG-1-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Process:
Approval by reviewing any new version:
uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1
risk: An individual might forget to implement security measures to protect source
code or infrastructure components.
measure: On each new version (e.g. Pull Request) of source code or infrastructure
components a security peer review of the changes is performed (two eyes principle)
and approval given by the reviewer.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 3
implementation: []
references:
samm2: []
iso27001-2017:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 6.1.2
- 14.2.1
iso27001-2022:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 5.3
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Definition of a change management process:
uuid: b4193d32-3948-47e2-a326-3748c48019a1
risk: The impact of a change is not controlled because these are not recorded
or documented.
measure: Each change of a system is automatically recorded and adequately logged.
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 1
usefulness: 3
level: 3
implementation: []
references:
samm2: []
iso27001-2017:
- 14.2.2
- 12.1.2
- 12.4.1
iso27001-2022:
- 8.32
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Definition of simple BCDR practices for critical components:
uuid: c72da779-86cc-45b1-a339-190ce5093171
description: _Business Continuity and Disaster Recovery_ (BCDR) is a plan and
a process that helps a business return to normal operations after a disaster
occurs.
risk: If the disaster recovery actions are not clear, you risk slow reaction
and remediation delays. This applies to cyber attacks as well as natural emergencies,
such as a power outage.
measure: By understanding and documenting a business continuity and disaster
recovery (BCDR) plan, the overall availability of systems and applications
is increased. Success factors like responsibilities, Service Level Agreements,
Recovery Point Objectives, Recovery Time Objectives or Failover must be fully
documented and understood by the people involved in the recovery.
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 2
usefulness: 4
level: 1
implementation: []
references:
samm2: []
iso27001-2017:
- 17.1.1
iso27001-2022:
- 5.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/c72da779-86cc-45b1-a339-190ce5093171
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Determining the protection requirement:
uuid: 72737130-472c-4984-80f8-9ab2f1c2ed5d
risk: |
Not defining the protection requirement of applications can lead to wrong prioritization and delayed remediation of critical security issues, increasing the risk of exploitation and potential damage to the organization.
measure: |
Defining the protection requirement.
The protection requirements for an application should consider:
- Processed data criticality
- Application accessibility (internal vs. external)
- Regulatory compliance
- Other relevant factors
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 2
dependsOn:
- Inventory of production components
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify is to be an easy-to-use and efficient tool that simplifies the workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
tags:
- documentation
- vulnerability
- vulnerability management system
- uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
name: DefectDojo Client
tags:
- Defectdojo
- statistics
url: https://github.com/SDA-SE/defectdojo-client
description: |
This project contains the DefectDojo upload client and statistics client. It is, for example, used within the ClusterImageScanner.
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/72737130-472c-4984-80f8-9ab2f1c2ed5d
tags:
- vulnerability-mgmt
- metrics
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
Implementation:
Application Hardening:
App. Hardening Level 1:
uuid: cf819225-30cb-4702-8e32-60225eedc33d
risk: Using an insecure application might lead to a compromised application.
This might lead to total data theft or data modification.
measure: |
Following frameworks like the
* OWASP Application Security Verification Standard Level 1
* OWASP Mobile Application Security Verification Standard
in all applications provides a good baseline. Implement 95%-100% of the recommendations.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 2
dependsOn:
- App. Hardening Level 1 (50%)
description: |
To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely.
[...]
### Planning aka Requirements Gathering & Analysis
The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.

Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md)
implementation:
- uuid: 88767cde-1610-402e-98ec-bc3575377183
name: OWASP ASVS
tags: []
url: https://owasp.org/www-project-application-security-verification-standard/
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
url: https://github.com/OWASP/owasp-masvs
- uuid: 596cb528-8981-4723-bcc3-22c261f26114
name: API Security Maturity Model for Authorization
tags:
- api
url: https://curity.io/resources/learn/the-api-security-maturity-model/
references:
samm2:
- D-SR-1-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/cf819225-30cb-4702-8e32-60225eedc33d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
App. Hardening Level 1 (50%):
uuid: b597928e-54d6-48a5-a806-8003dcd56aab
risk: Using an insecure application might lead to a compromised application.
This might lead to total data theft or data modification.
measure: |
Following frameworks like the
* OWASP Application Security Verification Standard Level 1
* OWASP Mobile Application Security Verification Standard
in all applications provides a good baseline. Implement 50% of the recommendations.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 1
description: |
To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.
[...]
### Planning aka Requirements Gathering & Analysis
The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.

Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md)
implementation:
- uuid: 88767cde-1610-402e-98ec-bc3575377183
name: OWASP ASVS
tags: []
url: https://owasp.org/www-project-application-security-verification-standard/
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
url: https://github.com/OWASP/owasp-masvs
- uuid: 596cb528-8981-4723-bcc3-22c261f26114
name: API Security Maturity Model for Authorization
tags:
- api
url: https://curity.io/resources/learn/the-api-security-maturity-model/
references:
samm2:
- D-SR-1-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/b597928e-54d6-48a5-a806-8003dcd56aab
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
App. Hardening Level 2:
uuid: ffe86caf-2fec-4630-b514-2db83983984d
risk: Using an insecure application might lead to a compromised application.
This might lead to total data theft or data modification.
measure: |
Following frameworks like the
* OWASP Application Security Verification Standard Level 2
* OWASP Mobile Application Security Verification Standard Level 2
Implement 95%-100% of the recommendations.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 3
level: 4
implementation:
- uuid: 88767cde-1610-402e-98ec-bc3575377183
name: OWASP ASVS
tags: []
url: https://owasp.org/www-project-application-security-verification-standard/
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
url: https://github.com/OWASP/owasp-masvs
references:
samm2:
- D-SR-2-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/ffe86caf-2fec-4630-b514-2db83983984d
comments: ""
dependsOn:
- App. Hardening Level 2 (75%)
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
App. Hardening Level 2 (75%):
uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7
risk: Using an insecure application might lead to a compromised application.
This might lead to total data theft or data modification.
measure: |
Following frameworks like the
* OWASP Application Security Verification Standard Level 2
* OWASP Mobile Application Security Verification Standard Level 2
Implement 75% of the recommendations.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: 88767cde-1610-402e-98ec-bc3575377183
name: OWASP ASVS
tags: []
url: https://owasp.org/www-project-application-security-verification-standard/
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
url: https://github.com/OWASP/owasp-masvs
references:
samm2:
- D-SR-2-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7
comments: ""
dependsOn:
- App. Hardening Level 1
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
App. Hardening Level 3:
uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a
risk: Using an insecure application might lead to a compromised application.
This might lead to total data theft or data modification.
measure: |
Following frameworks like the
* OWASP Application Security Verification Standard Level 3
* OWASP Mobile Application Security Verification Standard
Implement 95%-100% of the recommendations.
difficultyOfImplementation:
knowledge: 4
time: 4
resources: 2
usefulness: 4
level: 5
implementation:
- uuid: 88767cde-1610-402e-98ec-bc3575377183
name: OWASP ASVS
tags: []
url: https://owasp.org/www-project-application-security-verification-standard/
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
url: https://github.com/OWASP/owasp-masvs
references:
samm2:
- D-SR-3-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a
dependsOn:
- App. Hardening Level 2
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Containers are running as non-root:
uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f
risk: |-
There are various reasons to run a container as non-root. Examples are listed below:
## Container Escape Vectors
- Root privileges significantly increase the chance of breaking container isolation
- Root access can be leveraged to exploit kernel vulnerabilities
- Compromised root containers provide attackers with maximum privileges inside the container
- Greater potential for escaping container boundaries to the host system
## Host System Vulnerabilities
Root containers can potentially:
- Mount sensitive host filesystems
- Access critical device files
- Modify host network settings
- Interact with host system processes
- Override security controls
## Resource Management Issues
Root privileges may allow containers to:
- Bypass resource quotas and limits
- Modify control group (cgroup) settings
- Interfere with other containers' resources
- Circumvent memory and CPU restrictions
## Security Boundary Weakening
- Violates the principle of least privilege
- Provides unnecessary elevated permissions
- Expands the potential attack surface
- Increases the impact of a successful compromise
measure: Containers are running as non-root. This can be enforced in the image
itself or via runtime parameters (e.g. `podman run --user [...]`).
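The measure says the non-root requirement can be enforced in the image itself or at runtime. The Python below is an added example, not part of DSOMM or any DSOMM tool: it parses a Dockerfile, tracks the `USER` in effect at the end of the final build stage (earlier stages do not carry over, but a stage built `FROM` an earlier named stage inherits its user) and flags images that would start as root, so a CI job can reject them before they reach a registry. The sample Dockerfiles are constructed, and the code assumes, as labelled, that an image whose final stage sets no `USER` runs as its base image's default user, which for most public base images is root.

```python
"""Added example (not part of DSOMM): flag Dockerfiles whose final stage runs as root."""
import re
from typing import Dict, List, Optional, Tuple

# FROM [--platform=...] <image> [AS <alias>]
_FROM_RE = re.compile(r"^(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def parse_instructions(dockerfile: str) -> List[Tuple[str, str]]:
    """Split Dockerfile text into (INSTRUCTION, arguments) pairs.

    Backslash line continuations are joined and comment/blank lines dropped,
    so a RUN spread over several lines is still seen as one instruction.
    """
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    pairs: List[Tuple[str, str]] = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def final_stage_user(dockerfile: str) -> Optional[str]:
    """Return the USER in effect when the final build stage ends.

    Each FROM starts a new stage. A stage built FROM an earlier named stage
    inherits that stage's user; any other base image is treated as unknown
    (None). USER lines in earlier stages do not carry over to the final image.
    """
    stage_users: Dict[str, Optional[str]] = {}
    current_alias: Optional[str] = None
    user: Optional[str] = None
    for instr, args in parse_instructions(dockerfile):
        if instr == "FROM":
            if current_alias is not None:
                stage_users[current_alias] = user
            match = _FROM_RE.match(args)
            base = match.group(1) if match else ""
            current_alias = match.group(2) if match else None
            user = stage_users.get(base)  # None unless base is an earlier stage
        elif instr == "USER":
            user = args
    return user


def runs_as_root(dockerfile: str) -> bool:
    """True if the image would start as root.

    Assumption (labelled): a final stage without USER runs as the base image's
    default user, which for most public base images is root. A USER given as a
    build variable (e.g. ${APP_USER}) cannot be resolved here and is not flagged.
    """
    user = final_stage_user(dockerfile)
    if user is None:
        return True
    name = user.split(":", 1)[0].strip()  # "uid:gid" or "name:group"
    return name in ("root", "0")


def audit(dockerfiles: Dict[str, str]) -> List[str]:
    """One finding per Dockerfile whose final stage would run as root."""
    return [f"{name}: final stage runs as root (USER={final_stage_user(text)!r})"
            for name, text in dockerfiles.items() if runs_as_root(text)]


# Constructed sample Dockerfiles for the demonstration (not from any real project).
DOCKERFILE_ROOT = """
FROM python:3.12-slim
COPY app/ /app/
CMD ["python", "/app/main.py"]
"""

DOCKERFILE_NONROOT = """
FROM python:3.12-slim
RUN groupadd --gid 10001 app && \\
    useradd --uid 10001 --gid 10001 --no-create-home app
COPY --chown=app:app app/ /app/
USER 10001:10001
CMD ["python", "/app/main.py"]
"""

DOCKERFILE_MULTISTAGE = """
FROM golang:1.22 AS build
USER nobody
WORKDIR /src
COPY . .
RUN go build -o /out/server .

# final stage: the USER from the build stage does not carry over
FROM debian:bookworm-slim
COPY --from=build /out/server /server
CMD ["/server"]
"""

if __name__ == "__main__":
    for finding in audit({"root": DOCKERFILE_ROOT, "nonroot": DOCKERFILE_NONROOT,
                          "multistage": DOCKERFILE_MULTISTAGE}):
        print(finding)
```

The multi-stage sample is the case that trips up a quick `grep USER`: the build stage does drop privileges, but the shipped final stage never does. Numeric UIDs (`USER 10001:10001`) are preferred over names because Kubernetes `runAsNonRoot` can verify them without resolving `/etc/passwd` inside the image.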
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 2
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Context-aware output encoding:
uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7
description: |
**Input validation** stops malicious data from entering your system.
**Output encoding** neutralizes malicious data before rendering it to the user or the next system.

Input validation and output encoding work together. Apply both.

**Context-aware output encoding** encodes data differently, depending on its context. In the sample below the `{{bad_data}}` must be encoded differently, depending on its context, to render safe HTML.

```html
{{bad_data}}
Click me
```
risk: If an attacker manages to slip through your input validation, the attacker
may gain control over the user session or execute arbitrary actions.
measure: |
* Use modern secure frameworks such as React/Angular/Vue/Svelte. The default method here renders data in a safe way.
* Use established and well-maintained encoding libraries such as OWASP's Java Encoder and Microsoft's AntiXSS.
* Implement content security policies (CSP) to restrict the types of content that can be loaded and executed.
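To make "encoded differently, depending on its context" concrete, the Python below is an added example, not part of DSOMM or of the OWASP Java Encoder: it takes one untrusted value and renders it into four contexts (HTML element body, quoted HTML attribute, URL query parameter inside an attribute, and a JavaScript string literal inside `<script>`), each with the encoder that context needs. The `href` case shows a nested context, which has to be URL-encoded first and attribute-encoded second. The function names and the sample value `BAD_DATA` are constructed for this example.

```python
"""Added example (not part of DSOMM): encode one untrusted value for four output contexts."""
import html
import json
from urllib.parse import quote


def encode_html_body(value: str) -> str:
    """Element content, e.g. <p>{{bad_data}}</p>: escape &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted attribute value, e.g. <input value="{{bad_data}}">.

    Same escaping as the body, but it is only safe because the template always
    wraps the attribute in double quotes; an unquoted attribute would need more.
    """
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string literal inside <script>, e.g. var d = {{bad_data}};

    JSON encoding handles quotes, backslashes and control characters. HTML
    metacharacters are additionally written as \\uXXXX escapes so the literal can
    neither close the enclosing <script> nor inject markup; the JS engine decodes
    them back to the original characters at runtime.
    """
    encoded = json.dumps(value)
    for char, escape in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(char, escape)
    return encoded


def encode_url_param(value: str) -> str:
    """Query-string value, e.g. /search?q={{bad_data}}: percent-encode everything."""
    return quote(value, safe="")


def render(bad_data: str) -> str:
    """Render the same untrusted value into four contexts, each with its own encoder.

    The href is a nested context (URL inside an HTML attribute): encode for the
    inner context first, then for the outer one.
    """
    return "\n".join([
        f"<p>{encode_html_body(bad_data)}</p>",
        f'<input type="text" value="{encode_html_attr(bad_data)}">',
        f'<a href="/search?q={encode_html_attr(encode_url_param(bad_data))}">Click me</a>',
        f"<script>var data = {encode_js_string(bad_data)};</script>",
    ])


# Constructed sample: a value that would break out of each context if inserted raw.
BAD_DATA = "\"><script>alert('x')</script>"

if __name__ == "__main__":
    print(render(BAD_DATA))
```

The point of the four functions is not the escaping tables themselves but that the template author must know which context a placeholder sits in; a single "escape HTML" pass applied to the JavaScript or URL slots would leave them exploitable, which is exactly what CWE-838 (linked below) describes.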
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 1
usefulness: 3
level: 1
implementation:
- uuid: 2d61e48f-bade-4332-a383-adc50c29673a
name: OWASP DOM based XSS Prevention CheatSheet
url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
tags: []
- uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc
name: CWE-838 Inappropriate Encoding for Output Context
tags:
- documentation
- cwe
url: https://cwe.mitre.org/data/definitions/838.html
references:
samm2:
- D-SR-1-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/e1f37abb-d848-4a3a-b3df-65e91a89dcb7
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Parametrization:
uuid: 00e91a8a-3972-4692-8679-674ab8547486
description: |
By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to execute other, unintended SQL commands as well.
This is called *SQL injection*, but the principle applies to NoSQL and anywhere your code builds commands that will be executed.
Pay attention to these two lines of code. They seem similar, but behave very differently.
* `sql.execute("SELECT * FROM table WHERE ID = " + id);`
* `sql.execute("SELECT * FROM table WHERE ID = ?", id);`
The second line is parameterized: the statement text and the value are passed separately, so the content of `id` can never change the structure of the statement. The same principle applies to other types of commands, such as command line execution.
risk: |
Systems vulnerable to injections may lead to data breaches, loss of data,
unauthorized alteration of data, or complete database compromise or downtime.

This applies to SQL, NoSQL, LDAP, XPath, email headers, OS commands, etc.
measure: |
* Identify which of these command types your application is using. Check that you:
* Use _parametrized queries_ (or _prepared statements_)
* For database queries, you may also:
* Use _stored procedures_
* Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization
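The two `sql.execute` lines in the description, run against real data: the Python below is an added example, not DSOMM code, using the standard library `sqlite3` module and an in-memory database with three constructed rows. `lookup_unsafe` concatenates the input into the statement exactly like the first line; `lookup_safe` binds it with `?` like the second. Feeding both the same value shows why they "behave very differently": the concatenated version returns every row, the parameterized one compares the whole string against the `id` column and matches nothing. The table, rows and function names are constructed for this example.

```python
"""Added example (not part of DSOMM): string-built vs parameterized SQL, side by side."""
import sqlite3
from typing import List, Tuple


def make_sample_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """Mirrors the first line in the text: the input becomes part of the statement.

    A value such as "1 OR 1=1" is parsed as SQL and changes what the query means.
    """
    query = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """Mirrors the second line: the statement is fixed and the value is bound separately.

    Whatever the string contains, the database only ever compares it against the
    id column; it is never parsed as SQL. (Checking that user_id is actually an
    integer is input validation, a separate step that belongs in front of this.)
    """
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    for value in ("2", "1 OR 1=1"):
        print(f"{value!r}: unsafe -> {lookup_unsafe(db, value)}  safe -> {lookup_safe(db, value)}")
```

Both functions receive the identical string; only the second one keeps the "what to run" and "what data to use" channels apart, which is the whole content of the measure above.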
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 1
usefulness: 3
level: 1
implementation:
- uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4
name: OWASP Parameterization CheatSheet
url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
tags: []
references:
samm2:
- D-SR-1-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
Hardening/00e91a8a-3972-4692-8679-674ab8547486
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Secure headers:
uuid: 29318d60-18ce-4526-80ea-f5928e49f639
risk: |
Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.:
- Cross-Site Scripting (XSS) due to missing Content Security Policy
- Clickjacking attacks due to missing X-Frame-Options
- Information disclosure through Server header exposure
- SSL/TLS downgrade attacks due to missing HSTS
- Cross-site scripting and injection due to missing security headers
measure: |
Implement and enforce security headers across all applications and services.
Implementation Methods:
1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level
2. Web Application: Implement in the application middleware
3. Service Mesh: Configure at the ingress controller level
4. Standard Docker Image: Use secure base images with preset headers
Remove or Secure:
- Server header: Hide server version information
- X-Powered-By: Remove technology stack information
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 4
level: 3
implementation:
- uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
name: OWASP Secure Headers Project
tags:
- header
- documentation
url: https://owasp.org/www-project-secure-headers/
description: |
The OWASP Secure Headers Project (also called OSHP) describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.
meta:
implementationGuide: |
Essential headers:
- Content-Security-Policy: Define trusted sources for content
- Strict-Transport-Security: Enforce HTTPS connections
- X-Frame-Options: Prevent clickjacking attacks
- X-Content-Type-Options: Prevent MIME-type sniffing
- X-XSS-Protection: Enable browser's XSS filtering
- Referrer-Policy: Control information in the Referrer header
references:
samm2:
- D-SR-3-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/cre/620-421
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Development and Source Control:
.gitignore:
uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d
risk: Unintended leakage of secrets, debug, or workstation specific data
measure: .gitignore files help prevent accidental commits of secrets, debug,
or workstation specific data
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 5
level: 4
dependsOn: []
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.1
- 12.1.2
- 14.2.2
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.37
- 8.32
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Block force pushes:
uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17
risk: "Misuse of force push can lead to loss of work. It may overwrite remote
branches without warning, potentially erasing valuable contributions from
team members. This can disrupt collaboration, cause data loss, and create
confusion in the development process.\n\nBypassing the pull request process
might remove an important code review step. This increases the risk of merging
low-quality or buggy code into the main branch, potentially introducing bugs
in the codebase."
measure: Mandate blocking of force pushes in the version control platform.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 3
level: 3
dependsOn:
- Require a PR before merging
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
tags:
- source-code-protection
- scm
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 6.1.2
- 14.2.1
iso27001-2022:
- 5.3
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Dismiss stale PR approvals:
uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162
risk: Intentional or accidental alterations in critical branches like main (or
master) through post-approval code additions.
measure: Implement a policy where any commits made after a pull request has
been approved automatically revoke that approval, necessitating a fresh review
and re-approval process.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 4
level: 3
dependsOn:
- Require a PR before merging
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
tags:
- source-code-protection
- scm
- uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4
name: Enforcement of commit signing
tags:
- signing
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
description: Usage of branch protection rules
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 6.1.2
- 14.2.1
iso27001-2022:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 5.3
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Local development linting & style checks performed:
uuid: 517b0957-4981-4ac0-b4c7-0d8d1934c474
risk: Insecure or unmaintainable code base.
measure: Integrate static code analysis tools in IDEs.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 2
level: 5
description: ""
implementation:
- uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe
name: How to enforce a consistent coding style in your projects
url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm
tags:
- ide
- linting
- uuid: aa5ded61-5380-4da6-9474-afc36a397682
name: In-Depth Linting of Your TypeScript While Coding
url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
tags:
- ide
- linting
references:
samm2:
- V-ST-1-A
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Require a PR before merging:
uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2
risk: Intentional or accidental alterations in critical branches like main (or
master).
measure: Define source code management system policies (e.g. branch protection
rules, mandatory code reviews from at least one person, ...) to ensure that
changes to critical branches are only possible under defined conditions. These
policies can be implemented at repository level or organization level, depending
on the source code management system.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 4
level: 2
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
tags:
- source-code-protection
- scm
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 6.1.2
- 14.2.1
iso27001-2022:
- Peer review - four eyes principle is not explicitly required by ISO 27001
- 5.3
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Require status checks to pass:
uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee
risk: Organizations risk introducing broken builds, quality issues, and security
vulnerabilities into their codebase.
measure: Mandate passing of security related specified status checks, like successful
builds or static application security tests, before proceeding.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 4
level: 3
dependsOn:
- Require a PR before merging
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
tags:
- source-code-protection
- scm
- uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4
name: Enforcement of commit signing
tags:
- signing
url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
description: Usage of branch protection rules
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 6.1.2
- 14.2.1
iso27001-2022:
- 5.3
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Versioning:
uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f
risk: Deployment of untracked artifacts.
measure: Version artifacts in order to identify deployed features and issues.
This includes application and infrastructure code, Jenkins configuration,
container and virtual machine images.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 5
level: 1
dependsOn:
- Defined deployment process
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.1
- 12.1.2
- 14.2.2
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.37
- 8.32
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development
and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Infrastructure Hardening:
Applications are running in virtualized environments:
uuid: 3a94d55e-fd82-4996-9eb3-20d23ff2a873
risk: Through a vulnerability in one service on a server, the attacker gains
access to other services running on the same server.
measure: Applications are running in dedicated and isolated virtualized environments.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 5
usefulness: 3
level: 2
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Backup:
uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc
risk: If errors are experienced during the deployment process you want to deploy
an old release. However, due to changes in the database this is often unfeasible.
measure: Automated periodic backups are performed. Backing up before a deployment
can facilitate the deployment whilst also testing the backup restore processes.
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 1
usefulness: 4
level: 2
implementation:
- uuid: ba7348e5-1abf-4c7d-8fbc-49f99460930b
name: A complete backup of persisted data might be performed*.
tags: []
- uuid: 9af7624e-0729-4eeb-b257-ebaf65f70355
name: A Point in Time Recovery for databases should be implemented.
tags: []
dependsOn:
- Defined deployment process
references:
samm2:
- TODO
iso27001-2017:
- 12.3
- 14.2.6
iso27001-2022:
- 8.13
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Baseline Hardening of the environment:
uuid: 5992c38c-8597-4035-89db-d15820d81c3a
risk: Using default configurations for a cluster environment leads to potential
risks.
measure: Harden environments according to best practices. Level 1 and partially
level 2 from hardening practices like 'CIS Kubernetes Bench for Security'
should be considered.
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 2
usefulness: 4
level: 2
implementation:
- uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff
name: CIS Kubernetes Bench for Security
tags: []
url: https://www.cisecurity.org/cis-benchmarks/
- uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f
name: CIS Docker Bench for Security
tags: []
url: https://www.cisecurity.org/cis-benchmarks/
- uuid: f4d7c796-8574-4a88-ab00-98d245a115ef
name: For example for Cont
tags: []
description: 'For example for Containers: Deny running containers as root,
deny using advanced privileges, deny mounting of the whole filesystem, ...'
url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/
- uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b
name: Attack Matrix Cloud
tags:
- mitre
url: https://attack.mitre.org/matrices/enterprise/cloud/
description: Attack matrix for cloud
- uuid: 59881520-4c69-4922-a44e-99044a77de2b
name: Attack Matrix Containers
tags:
- mitre
url: https://attack.mitre.org/matrices/enterprise/cloud/
description: Attack matrix for containers
- uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935
name: Attack Matrix Kubernetes
tags:
- mitre
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
description: Attack matrix for kubernetes
- uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af
name: Defend the core kubernetes security at every layer
url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/
tags:
- documentation
- cluster
- kubernetes
references:
samm2:
- O-EM-1-A
iso27001-2017:
- system hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/5992c38c-8597-4035-89db-d15820d81c3a
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Filter outgoing traffic:
uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d
risk: A compromised infrastructure component might try to send out stolen data.
measure: Having a whitelist and explicitly allowing egress traffic provides
the ability to stop unauthorized data leakage.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 2
level: 3
dependsOn: []
implementation:
- uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867
name: Open Policy Agent
tags: []
url: https://www.openpolicyagent.org/
- uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7
name: firewalls
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Hardening of the Environment:
uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33
risk: Using default configurations for a cluster environment leads to potential
risks.
measure: Harden environments according to best practices. Level 2 and partially
level 3 from hardening practices like 'CIS Kubernetes Bench for Security'
should be considered.
difficultyOfImplementation:
knowledge: 4
time: 4
resources: 2
usefulness: 3
level: 4
implementation:
- uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff
name: CIS Kubernetes Bench for Security
tags: []
url: https://www.cisecurity.org/cis-benchmarks/
- uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f
name: CIS Docker Bench for Security
tags: []
url: https://www.cisecurity.org/cis-benchmarks/
- uuid: f4d7c796-8574-4a88-ab00-98d245a115ef
name: For example for Cont
tags: []
description: 'For example for Containers: Deny running containers as root,
deny using advanced privileges, deny mounting of the whole filesystem, ...'
url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/
- uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b
name: Attack Matrix Cloud
tags:
- mitre
url: https://attack.mitre.org/matrices/enterprise/cloud/
description: Attack matrix for cloud
- uuid: 59881520-4c69-4922-a44e-99044a77de2b
name: Attack Matrix Containers
tags:
- mitre
url: https://attack.mitre.org/matrices/enterprise/cloud/
description: Attack matrix for containers
- uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935
name: Attack Matrix Kubernetes
tags:
- mitre
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
description: Attack matrix for kubernetes
- uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af
name: Defend the core kubernetes security at every layer
url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/
tags:
- documentation
- cluster
- kubernetes
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Immutable infrastructure:
uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833
risk: The availability of IT systems might be disturbed due to component failures
measure: Redundancies in the IT systems
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 3
dependsOn:
- Infrastructure as Code
implementation:
- uuid: b206481f-9c66-45e2-843c-37c5730580cd
name: Remove direct access to infrastructure
tags: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 17.2.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.14
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Infrastructure as Code:
uuid: 8b994601-575e-4ea5-b228-accb18c8e514
risk: No tracking of changes in systems might lead to errors in the configuration.
In addition, it might lead to unauthorized changes. An example is Jenkins.
measure: Systems are set up by code. A full environment can be provisioned. In
addition, software like Jenkins 2 can be set up and configured in code too.
The code should be stored in a version control system.
difficultyOfImplementation:
knowledge: 3
time: 5
resources: 4
usefulness: 4
level: 3
implementation:
- uuid: b0931397-2402-44f1-814b-63292ab4a339
name: GitOps
tags: []
url: https://www.redhat.com/en/topics/devops/what-is-gitops
- uuid: 73747d35-2185-4f22-94a0-723288fa283c
name: Ansible
tags: []
url: https://github.com/ansible/ansible
- uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce
name: Chef
tags: []
url: https://github.com/chef/chef
- uuid: eb7f76a8-87e5-4394-af4c-c09487c85982
name: Puppet
tags: []
url: https://github.com/puppetlabs/puppet
- uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458
name: Jenkinsfile
tags: []
url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.1
- 12.1.2
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.37
- 8.32
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/8b994601-575e-4ea5-b228-accb18c8e514
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Isolated networks for virtual environments:
uuid: 4ce24abd-8ba6-494c-828d-4d193e28e4a1
risk: Virtual environments in default settings are able to access other virtual
environments on the network stack. By using virtual machines, it is often
possible to connect to other virtual machines. By using Docker, one bridge
is used by default so that all containers on one host can communicate with
each other.
measure: The communication between virtual environments is controlled and regulated.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 5
level: 2
dependsOn: []
implementation:
- uuid: 9429d52c-203d-49ae-814f-1401210887cd
name: istio
tags: []
url: https://istio.io/
- uuid: fc0eda30-2bf7-466f-948e-e17584db9f30
name: bridges
tags: []
- uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7
name: firewalls
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Limitation of system events:
uuid: e5386abf-9154-4752-a1a8-c3a8900f732d
risk: System events (system calls) can lead to privilege escalation.
measure: System calls are limited.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 5
level: 3
dependsOn:
- Audit of system events
implementation:
- uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd
name: seccomp
tags: []
url: https://man7.org/linux/man-pages/man2/seccomp.2.html
- uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff
name: strace
tags: []
url: https://man7.org/linux/man-pages/man1/strace.1.html
- uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012
name: Falco
tags:
- falco
- systemcall
- monitoring
url: https://github.com/falcosecurity/falco
description: |
Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
references:
samm2:
- O-EM-1-A
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
MFA:
uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de
risk: One-factor authentication is more vulnerable to brute force attacks and
is considered less secure.
measure: Two or more factor authentication for all accounts on all (important)
systems and applications
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
level: 2
dependsOn:
- MFA for admins
implementation:
- uuid: e76a395a-8d6a-4e25-a175-6cf25409b755
name: Smartcard
tags: []
url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
- uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8
name: YubiKey
tags: []
url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
- uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8
name: SMS
tags: []
- uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d
name: TOTP
tags: []
url: https://d3fend.mitre.org/technique/d3f:One-timePassword/
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 9.2.4
- 6.1.2
- 14.2.1
iso27001-2022:
- 5.17
- 5.3
- 8.25
d3f:
- Multi-factorAuthentication
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
MFA for admins:
uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57
risk: One-factor authentication is more vulnerable to brute force attacks and
is considered less secure.
measure: Two or more factor authentication for all privileged accounts on systems
and applications
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 4
level: 1
implementation:
- uuid: e76a395a-8d6a-4e25-a175-6cf25409b755
name: Smartcard
tags: []
url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
- uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8
name: YubiKey
tags: []
url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
- uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8
name: SMS
tags: []
- uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d
name: TOTP
tags: []
url: https://d3fend.mitre.org/technique/d3f:One-timePassword/
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 9.2.4
- 6.1.2
- 14.2.1
iso27001-2022:
- 5.17
- 5.3
- 8.25
d3f:
- Multi-factorAuthentication
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Microservice-architecture:
uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a
risk: Monolithic applications are hard to test.
measure: A microservice-architecture helps to have small components, which are
easier to test.
difficultyOfImplementation:
knowledge: 4
time: 5
resources: 5
usefulness: 1
level: 5
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Production near environments are used by developers:
uuid: e14de741-94b3-447c-8b07-eea947d82e61
risk: In case an error occurs in production, the developer needs to be able
to create a production near environment on a local development environment.
measure: Usage of infrastructure as code helps to create a production near environment.
The developer needs to be trained in order to set up a local development environment.
In addition, it should be possible to create production like test data. Often
personally identifiable information is anonymized in order to comply with data
protection laws.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 4
level: 4
dependsOn:
- Defined deployment process
- Infrastructure as Code
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 12.1.4
- 17.2.1
iso27001-2022:
- 8.31
- 8.14
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/e14de741-94b3-447c-8b07-eea947d82e61
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Role based authentication and authorization:
uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9
risk: Anyone is able to gain unauthorized access to information on systems
or to modify information on systems without authorization.
measure: The usage of a (role based) access control helps to restrict system
access to authorized users.
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: 04edc63e-d389-48dd-b365-552aaf4ea004
name: Directory Service
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/
- uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e
name: Plugins
tags: []
dependsOn:
- Defined deployment process
- Defined build process
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 9.4.1
iso27001-2022:
- 8.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple access control for systems:
uuid: 82e499d1-f463-4a4b-be90-68812a874af6
risk: Attackers are gaining access to internal systems and application interfaces
measure: All internal systems are using simple authentication
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 5
level: 1
dependsOn:
- Defined deployment process
implementation:
- uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9
name: HTTP-Basic Authentication
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/
- uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e
name: VPN
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/
references:
samm2:
- O-EM-1-A
iso27001-2017:
- 9.4.1
iso27001-2022:
- 8.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/82e499d1-f463-4a4b-be90-68812a874af6
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of a chaos monkey:
uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe
risk: Due to manual changes on a system, the systems are not replaceable anymore. In
case of a crash it might happen that a planned redundant system is unavailable.
In addition, it is hard to replay manual changes.
measure: A randomized periodic shutdown of systems makes sure that nobody
performs manual changes to a system.
difficultyOfImplementation:
knowledge: 3
time: 5
resources: 5
usefulness: 3
level: 4
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 17.1.3
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of an security account:
uuid: 746025a6-dbfb-4087-a000-e46acab64ee1
risk: Having security auditing in the same account as infrastructure and applications
at the cloud provider might allow evil administrators (or threat actors taking
over an account of an administrator) to alter evidence like audit logs.
measure: Usage of a separate account dedicated for security activities.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 3
usefulness: 4
level: 2
implementation: ""
references:
samm2:
- I-SD-2-B
iso27001-2017:
- 10.1
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/746025a6-dbfb-4087-a000-e46acab64ee1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of edge encryption at transit:
uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629
risk: Evil actors might be able to perform a man in the middle attack and sniff
confidential information (e.g. authentication factors like passwords).
measure: |-
By using encryption at the edge of traffic in transit, it is impossible
or at least harder for parties outside of the organization to sniff credentials or information.
Using standard secure protocols like HTTPS is recommended.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 1
implementation: ""
references:
samm2:
- I-SD-2-B
iso27001-2017:
- 10.1
iso27001-2022:
- 8.24
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure
Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of encryption at rest:
uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060
risk: Evil actors might be able to access data and read information, e.g. from
physical hard disks.
measure: By using encryption at rest, it is impossible or at least harder
to read information.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 2
implementation: ""
references:
samm2:
- I-SD-2-B
iso27001-2017:
- 10.1
iso27001-2022:
- 8.24
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of internal encryption at transit:
uuid: ecb0184c-6bc9-45da-bbbb-a983797ffc93
risk: Evil actors within the organization might be able to perform a
man-in-the-middle attack on traffic in transit and sniff confidential information
(e.g. authentication factors like passwords).
measure: By using encryption internally, e.g. inside of a cluster, it is impossible
or at least harder to sniff credentials.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 3
usefulness: 4
level: 3
implementation: ""
references:
samm2:
- I-SD-2-B
iso27001-2017:
- 10.1
iso27001-2022:
- 8.24
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of security by default for components:
uuid: 11b3848e-e931-4146-a35d-35409ada24ee
risk: Components (images, libraries, applications) are not hardened.
measure: Hardening of components is important, especially for images on which
other teams base their work. Hardening should be performed on the operating system
and on the services inside (e.g. Nginx or a Java application).
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: d7fb1f5a-05e3-49f7-ae67-00bfb8f8410c
name: 'For applications: Check default encoding'
tags: []
- uuid: 7e744f11-976e-46b6-88d4-f39b2965dfaf
name: managing secrets
tags: []
url: https://d3fend.mitre.org/technique/d3f:CredentialHardening/
- uuid: 520517ef-2911-4efc-8e1b-dcc9389aca45
name: crypto
tags: []
- uuid: ba6bd46c-2069-4f4d-b26c-7334a7553339
name: authentication
tags: []
url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/
dependsOn:
- Defined build process
references:
samm2:
- O-EM-1-A
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/11b3848e-e931-4146-a35d-35409ada24ee
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of test and production environments:
uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415
risk: Security tests are not run regularly because test environments are
missing.
measure: A test environment and a production-like environment are used.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 5
usefulness: 4
level: 2
dependsOn:
- Defined deployment process
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.4
- 17.2.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.31
- 8.14
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Virtual environments are limited:
uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca
risk: Denial of service (internally by an attacker or unintentionally by a bug)
on one service affects other services.
measure: All virtual environments use resource limits on hard disk, memory
and CPU.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 3
usefulness: 3
level: 2
dependsOn:
- Applications are running in virtualized environments
implementation: []
references:
samm2:
- O-EM-1-A
iso27001-2017:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 12.1.3
- 13.1.3
- 17.2.1
iso27001-2022:
- Virtual environments are not explicitly covered by ISO 27001 - too specific
- 8.6
- 8.22
- 8.14
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
WAF Advanced:
uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced
risk: The presence of sophisticated threats necessitates a robust defense strategy
where application inputs are meticulously scrutinized for security breaches,
including advanced persistent threats and zero-day vulnerabilities.
measure: An advanced WAF protection level includes rigorous input validation,
rejecting any parameters not explicitly required, and custom rule sets that
are dynamically updated in response to emerging threats.
description: |
The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape.
difficultyOfImplementation:
knowledge: 5
time: 5
resources: 5
usefulness: 4
level: 5
dependsOn:
- WAF medium
implementation: []
references:
samm2:
- D-SR-3-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced
comments: ~
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
WAF baseline:
uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b
risk: Malicious input, such as exploits, can enter the application via
numerous entry points, posing a significant security threat.
measure: Implementing a web application firewall (WAF) is a critical security
control. At a baseline level, the objective is to finely balance the reduction
of false positives, maintaining user experience, against a potential increase
in the less noticeable false negatives.
description: |
Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 3
usefulness: 3
level: 3
dependsOn:
- Context-aware output encoding
implementation: []
references:
samm2:
- D-SR-3-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b
comments: ~
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
WAF medium:
uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium
risk: The threat from malicious inputs remains high, with exploits targeting
any vulnerabilities present at the various points of entry to the
application.
measure: A WAF deployed with a medium level of protection strengthens the security
posture by striking a more advanced balance between the detection of genuine
threats and the minimization of false alarms.
description: |
Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic.
difficultyOfImplementation:
knowledge: 4
time: 5
resources: 4
usefulness: 3
level: 4
dependsOn:
- WAF baseline
implementation: []
references:
samm2:
- D-SR-3-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium
comments: ~
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Information Gathering:
Logging:
Centralized application logging:
uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04
risk: Locally stored logs can be manipulated by attackers with system
access or might be corrupted after an incident. In addition, it is hard to
correlate logs. This allows attacks to be performed silently.
measure: A centralized logging system is used and application logs (including
application exceptions) are shipped to it.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 5
level: 3
dependsOn:
- Alerting
implementation: []
references:
samm2:
- O-IM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/fe875e17-ae4a-45f8-a359-244aa4fcbc04
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Centralized system logging:
uuid: 4eced38a-7904-4c45-adb0-50b663065540
risk: Locally stored system logs can be manipulated by attackers
or might be corrupted after an incident. In addition, it is hard to
aggregate logs.
measure: By using centralized logging, logs are protected against unauthorized
modification.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 2
level: 1
implementation:
- uuid: 79f88310-d63e-471d-8e63-8c77f2281b66
name: rsyslog
url: https://www.rsyslog.com/
tags:
- tool
- logging
- uuid: 7a8fad2e-d642-4972-8501-74591b23feab
name: logstash
url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
tags:
- tool
- logging
references:
samm2:
- O-IM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Correlation of security events:
uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5
risk: Detection of security-related events whose indicators are spread across different
systems/tools/metrics is not possible.
measure: Events are correlated on one system. For example, the correlation and
visualization of failed login attempts combined with successful login attempts.
difficultyOfImplementation:
knowledge: 4
time: 4
resources: 4
usefulness: 3
level: 5
dependsOn:
- Visualized logging
- Alerting
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Logging of security events:
uuid: ccfdd0a8-991e-4269-ad77-c0a54ca655cb
description: |
Implement logging of security relevant events. The following events tend to be security relevant:
- successful/failed login/logout
- creation, change, and deletion of users
- errors during input validation and output creation
- exceptions and errors with security in their name
- transactions of value (e.g., financial transactions, costly operations)
- :unicorn: (special things of your application)
measure: Security-relevant events like login/logout or creation, change, deletion
of users should be logged.
assessment: |
- Show which events are logged.
- Show a test for one event logging.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 4
level: 2
credits: |
[AppSecure-nrw](https://github.com/AppSecure-nrw/security-belts/blob/master/orange/logging-of-security-events.md)
implementation:
- uuid: 7a8fad2e-d642-4972-8501-74591b23feab
name: logstash
url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
tags:
- tool
- logging
- uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45
name: fluentd
tags:
- tool
url: https://www.fluentd.org/
- uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531
name: bash
tags:
- tool
url: https://www.gnu.org/software/bash/
- uuid: 5a5c7d99-41e8-454a-86ae-a638c9787d8c
name: OWASP Logging CheatSheet
url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
tags:
- logging
- documentation
references:
samm2:
- O-IM-1-A
iso27001-2017:
- 12.4.1
iso27001-2022:
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccfdd0a8-991e-4269-ad77-c0a54ca655cb
risk: |-
* No record of security-relevant events makes it harder to analyze an incident.
* Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches their goal.
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
PII logging concept:
uuid: 613a73dc-4f60-49db-a6ce-4fb7bf8519f9
risk: Personally identifiable information (PII) is logged and the privacy law
(e.g. General Data Protection Regulation) is not followed.
measure: A concept for how to log PII is documented and applied.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 1
level: 5
implementation:
- uuid: 79f88310-d63e-471d-8e63-8c77f2281b66
name: rsyslog
url: https://www.rsyslog.com/
tags:
- tool
- logging
- uuid: 7a8fad2e-d642-4972-8501-74591b23feab
name: logstash
url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
tags:
- tool
- logging
- uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45
name: fluentd
tags:
- tool
url: https://www.fluentd.org/
- uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531
name: bash
tags:
- tool
url: https://www.gnu.org/software/bash/
references:
samm2:
- O-IM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
- 18.1.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.15
- 5.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Visualized logging:
uuid: 7c735089-6a83-419f-8b27-c1e676cedea1
risk: System and application logs are not visualized properly, which leads
to no or very limited log assessment. Especially developers might have
difficulty reading application logs with basic tools like the Linux tool
'cat'.
measure: Logs are visualized in an easy-to-use real-time monitoring system.
The GUI gives the ability to search for specific attributes in the logs.
difficultyOfImplementation:
knowledge: 1
time: 3
resources: 3
usefulness: 4
level: 2
dependsOn:
- Centralized system logging
- Centralized application logging
implementation:
- uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3
name: ELK-Stack
tags: []
url: https://www.elastic.co/elk-stack
references:
samm2:
- O-IM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.4.1
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Monitoring:
Advanced app. metrics:
uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf
risk: People are not looking into test results. Vulnerabilities are not recognized,
even though they are detected by tools.
measure: All defects from the dimension Test and Verification are instrumented.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 2
usefulness: 4
level: 4
dependsOn:
- Simple application metrics
- Visualized metrics
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Advanced availability and stability metrics:
uuid: ed715b38-c34b-40cd-83fd-ce807f306fc1
risk: Trends and advanced attacks are not detected.
measure: Advanced metrics are gathered in relation to availability and stability.
For example, unplanned downtimes per year.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 2
usefulness: 4
level: 3
dependsOn:
- Simple application metrics
- Visualized metrics
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- 12.1.3
iso27001-2022:
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Alerting:
uuid: 8a442d8e-0eb1-4793-a513-571aef982edd
risk: Incidents are discovered after they happened.
measure: |
Thresholds for metrics are set. In case a threshold is reached, alarms are sent out, which should get attention due to their criticality.
difficultyOfImplementation:
knowledge: 2
time: 5
resources: 5
usefulness: 5
level: 2
dependsOn:
- Visualized metrics
implementation: []
references:
samm2:
- I-DM-A 3
iso27001-2017:
- 16.1.2
- 16.1.4
- 12.1.4
iso27001-2022:
- 6.8
- 5.25
- 8.31
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Audit of system events:
uuid: 1cd5e4b8-be36-4726-adc7-d8f843f47ac8
risk: Trends and attacks in system events (system calls) are not detected.
measure: Gathering of system calls.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
level: 3
dependsOn:
- Visualized metrics
implementation:
- uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012
name: Falco
tags:
- falco
- systemcall
- monitoring
url: https://github.com/falcosecurity/falco
description: |
Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
references:
samm2:
- O-IM-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Coverage and control metrics:
uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d
risk: The effectiveness of configuration, patch and vulnerability management
is unknown.
measure: Usage of coverage and control metrics to show the effectiveness of
the security program. Coverage is the degree to which a specific
security control for a specific target group is applied across all resources.
The control degree shows the actual application of security standards
and security guidelines. Examples are gathering information on anti-virus,
anti-rootkits, patch management, server configuration and vulnerability management.
difficultyOfImplementation:
knowledge: 3
time: 5
resources: 2
usefulness: 4
level: 4
dependsOn:
- Visualized metrics
implementation:
- uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d
name: https://ht.transpare
tags: []
url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD
description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf
references:
samm2:
- O-IM-2-A
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Deactivation of unused metrics:
uuid: 7f36b9ba-bc05-4fd6-9a2a-73344c249722
risk: Many resources are consumed while gathering unused metrics.
measure: Deactivation of unused metrics helps to free resources.
difficultyOfImplementation:
knowledge: 2
time: 5
resources: 5
usefulness: 5
level: 3
dependsOn:
- Visualized metrics
implementation: []
references:
samm2:
- O-IM-1-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.3
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Defense metrics:
uuid: e808028c-351c-42f1-bcd9-fba738d1fc55
risk: IDS/IPS systems like packet- or application-firewalls detect and prevent
attacks. It is not known how many attacks have been detected and blocked.
measure: |
Gathering defense metrics like TCP/UDP source addresses makes it possible to infer the geographic location of the request.
Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be sent out for every violation. For ingress traffic, alerting might not even be considered.
difficultyOfImplementation:
knowledge: 3
time: 5
resources: 2
usefulness: 4
level: 4
dependsOn:
- Visualized metrics
- Filter outgoing traffic
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- 12.4.1
- 13.1.1
iso27001-2022:
- 8.15
- 8.2
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Grouping of metrics:
uuid: 42170a71-d4c8-47af-bd71-bf36875fd05b
risk: The analysis of metrics takes a long time.
measure: Meaningful grouping of metrics helps to speed up analysis.
difficultyOfImplementation:
knowledge: 2
time: 4
resources: 2
usefulness: 2
level: 3
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 12.1.3
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Metrics are combined with tests:
uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506
risk: Changes might cause high load due to programming errors.
measure: Metrics gathered during tests help to identify programming errors.
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 2
usefulness: 5
level: 5
dependsOn:
- Grouping of metrics
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- not explicitly covered by ISO 27001
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Monitoring of costs:
uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e
risk: Not monitoring costs might lead to unexpectedly high resource consumption
and a high invoice.
measure: Implement cost budgets. Set an alert threshold and send out
alerts when it is reached. In the best case, a second threshold with a hard limit
is set so that the cost cannot go higher.
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 2
usefulness: 3
level: 2
dependsOn:
- Simple application metrics
- Simple system metrics
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- 12.1.3
iso27001-2022:
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Screens with metric visualization:
uuid: 8746647c-638c-473f-8e17-82c068e4c311
risk: Security-related information is discovered too late during an incident.
measure: An internally accessible screen with security-related dashboards
helps to visualize incidents.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 5
level: 4
dependsOn:
- Grouping of metrics
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.26
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple application metrics:
uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1
risk: Attacks on an application are not recognized.
measure: |-
Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include:
- Authentication attempts (successful/failed logins)
- Transaction volumes and patterns (e.g. orders, payments)
- API call rates and response times
- User session metrics
- Resource utilization
Example: An e-commerce application normally processes 100 orders per hour. A sudden spike to 1000 orders per hour could indicate either:
- A legitimate event (unannounced marketing campaign, viral social media post)
- A security incident (automated bulk purchase bots, credential stuffing attack)
By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 5
level: 1
implementation:
- uuid: ddf221df-3517-42e4-b23d-c1d9a162744c
name: Prometheus
tags: []
url: https://prometheus.io/
references:
samm2:
- O-IM-1-A
iso27001-2017:
- 12.4.1
iso27001-2022:
- 8.15
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple budget metrics:
uuid: f08a3219-6941-43ec-8762-4aff739f4664
risk: Not getting notified about reaching the end of the budget (e.g. due to
a denial of service) creates unexpected costs.
measure: Cloud providers often provide insight into budgets. A threshold and
alerting for the budget are set.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 5
level: 1
implementation:
- uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
name: collected
tags: []
references:
samm2:
- O-IM-1-A
iso27001-2017:
- 12.1.3
iso27001-2022:
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple system metrics:
uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03
risk: Without simple metrics, analysis of incidents is hard. In case an application
uses a lot of CPU from time to time, it is hard for a developer to find out
the source with Linux commands.
measure: Gathering of system metrics helps to identify incidents and especially
bottlenecks in CPU usage, memory usage and hard disk usage.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 5
assessment: |
Are system metrics gathered?
level: 1
implementation:
- uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
name: collected
tags: []
references:
samm2:
- O-IM-1-A
iso27001-2017:
- 12.1.3
iso27001-2022:
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Targeted alerting:
uuid: d6f06ae8-401a-4f44-85df-1079247fa030
risk: People become bored with (and ignore) incident alarm messages, as they are not
responsible for reacting.
measure: By defining target groups for incidents, people only get
alarms for incidents they are in charge of.
difficultyOfImplementation:
knowledge: 2
time: 5
resources: 5
usefulness: 5
level: 3
dependsOn:
- Alerting
implementation: []
references:
samm2:
- I-DM-A 3
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.26
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Visualized metrics:
uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734
risk: Metrics that are not visualized lead to restricted usage of metrics.
measure: Metrics are visualized in real time in a user-friendly way.
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 2
usefulness: 3
level: 2
dependsOn:
- Simple application metrics
- Simple system metrics
implementation: []
references:
samm2:
- O-IM-2-A
iso27001-2017:
- 12.1.3
iso27001-2022:
- 8.6
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test KPI:
Fix rate per repo/product:
uuid: cf0d600e-114d-4887-9059-d81c53805f0d
risk: Not communicating how many applications are adhering to SLAs based on
the criticality of vulnerabilities can lead to delayed remediation of critical
security issues, increasing the risk of exploitation and potential damage
to the organization.
measure: Measurement and communication of the number of vulnerabilities handled
per severity level for components such as applications, ensuring alignment
with SLAs. The rate should be broken down by team, product, application,
repository, and/or service. This analysis should be conducted at least quarterly.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify is to be an easy-to-use and efficient tool to simplify the workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
tags:
- documentation
- vulnerability
- vulnerability management system
- uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
name: DefectDojo Client
tags:
- Defectdojo
- statistics
url: https://github.com/SDA-SE/defectdojo-client
description: |
This project contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test KPI/cf0d600e-114d-4887-9059-d81c53805f0d
tags:
- vulnerability-mgmt
- metrics
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
Generation of response statistics:
uuid: c922981b-65ed-40f3-a947-96fee9a0125f
risk: No or delayed reaction to findings leads to potential exploitation of
the findings.
measure: Creation of response statistics (e.g. Mean Time to Resolution) for
findings. This is also referred to as _Mean Time to Resolve_.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
dependsOn:
- Usage of a vulnerability management system
level: 3
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
tags:
- documentation
- vulnerability
- vulnerability management system
- uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
name: DefectDojo Client
tags:
- Defectdojo
- statistics
url: https://github.com/SDA-SE/defectdojo-client
description: |
This project contains the DefectDojo upload client and the statistics client. It is used, for example, within the ClusterImageScanner.
references:
samm2:
- I-DM-2-B
iso27001-2017:
- 16.1.4
- 8.2.3
iso27001-2022:
- 5.25
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
KPI/c922981b-65ed-40f3-a947-96fee9a0125f
tags:
- vulnerability-mgmt
- metrics
- vmm-measurements
comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client)
generates statistics from OWASP DefectDojo and places the results in a [Github
repository](https://github.com/pagel-pro/cluster-image-scanner-all-results).
teamsImplemented:
Default: false
B: false
C: false
Number of vulnerabilities/severity:
uuid: bc548cba-cb82-4f76-bd4b-325d9d256279
risk: Failing to convey the number of vulnerabilities by severity might undermine
the effectiveness of product teams. This might lead to findings being ignored.
measure: Measurement and communication of the number of vulnerabilities per severity
for components like applications. At least quarterly.
description: |-
Communication can be performed in a simple way, e.g. text based during the build process.
This activity depends on at least one security testing implementation.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 2
dependsOn: []
implementation: []
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
KPI/bc548cba-cb82-4f76-bd4b-325d9d256279
tags:
- vulnerability-mgmt
- metrics
- vmm-measurement
teamsImplemented:
Default: false
B: false
C: false
Number of vulnerabilities/severity/layer:
uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad
risk: Failing to convey the number of vulnerabilities by severity and layer
(app/infra) might undermine the effectiveness of product teams. This might
lead to findings being ignored.
measure: Measurement and communication of the number of vulnerabilities per severity
for components like applications, split by layer (e.g. app/infra). At
least quarterly.
description: |-
Communication can be performed in a simple way, e.g. text based during the build process.
This activity depends on at least one security testing implementation.
Layers to consider (SCA):
- Cloud provider (if insights are possible)
- Runtimes, e.g. Kubernetes nodes
- Base images and container images
- Application
Layers to consider SAST/DAST:
- Cloud provider
- Runtime, e.g. Kubernetes
- Base images and container images
- Application
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 2
dependsOn: []
implementation: []
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
KPI/0ec92899-a5cb-4649-984b-2fb1d6c784ad
tags:
- vulnerability-mgmt
- metrics
- vmm-measurement
teamsImplemented:
Default: false
B: false
C: false
Patching mean time to resolution via PR:
uuid: 86d490b9-d798-4a5b-a011-ab9688014c46
risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
it is challenging to identify delays in the patching process. Unaddressed
vulnerabilities can be exploited by attackers, leading to potential security
breaches and data loss.
measure: |-
Measurement and communication of patching Mean Time to Resolution (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
This includes checking that a properly configured automated pull request (PR) tool (e.g., Dependabot or Renovate) exists in a repository, and measuring the time from opening an automated PR to merging it.
Average time to patch is visualized per component/project/team.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 2
usefulness: 3
level: 2
dependsOn:
- Automated PRs for patches
implementation: []
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
KPI/86d490b9-d798-4a5b-a011-ab9688014c46
tags:
- patching
- metrics
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
Patching mean time to resolution via production:
uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
it is challenging to identify delays in the patching process. Unaddressed
vulnerabilities can be exploited by attackers, leading to potential security
breaches and data loss.
measure: |-
Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
Average time to patch is visualized per component/project/team.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 2
usefulness: 3
level: 4
dependsOn:
- Patching mean time to resolution via PR
- Automated PRs for patches
implementation: []
references:
samm2:
- I-DM-3-B
iso27001-2017:
- 16.1.4
iso27001-2022:
- 5.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
KPI/77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
tags:
- patching
- metrics
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
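The two patching metrics above, the time from an automated PR being opened until it is merged and the time until the patched build is running in production, together with the check that a PR tool is configured at all, worked through as an added example in Python. This is not code from DSOMM, Dependabot or Renovate: the PR records, the repository file listings, the bot author names, the configuration file paths, the reporting date and the 7-day SLA are constructed assumptions, and a real script would fetch the records from the VCS and the deployment system instead.

```python
"""Patching MTTR from automated dependency PRs: days from PR opened to merged
(the PR metric) and from PR opened to the merged change reaching production
(the production metric), per repository, with SLA breaches, plus a check that
an automated PR tool is configured in each repository. Added example; all
input data below is constructed."""
from datetime import datetime, timezone
from statistics import mean

# Constructed PR records, in the shape a script could collect from a VCS API.
SAMPLE_PRS = [
    {"repo": "shop/api", "author": "dependabot[bot]", "opened": "2024-03-01T08:00:00Z",
     "merged": "2024-03-02T10:00:00Z", "deployed": "2024-03-02T16:00:00Z"},
    {"repo": "shop/api", "author": "renovate[bot]", "opened": "2024-03-05T09:00:00Z",
     "merged": "2024-03-19T09:00:00Z", "deployed": "2024-03-20T09:00:00Z"},
    {"repo": "shop/web", "author": "dependabot[bot]", "opened": "2024-03-03T12:00:00Z",
     "merged": None, "deployed": None},            # still open
    {"repo": "shop/web", "author": "alice", "opened": "2024-03-04T12:00:00Z",
     "merged": "2024-03-04T13:00:00Z", "deployed": "2024-03-04T14:00:00Z"},  # human PR, not a patch PR
]
# Constructed top-level file listings per repository.
SAMPLE_REPO_FILES = {
    "shop/api": [".github/workflows/ci.yml", ".github/dependabot.yml"],
    "shop/web": ["package.json", "renovate.json"],
    "shop/legacy": ["pom.xml"],
}
BOT_AUTHORS = {"dependabot[bot]", "renovate[bot]"}
# Assumed default config paths of Dependabot and Renovate; extend to match your setup.
PR_TOOL_CONFIGS = {".github/dependabot.yml", ".github/dependabot.yaml",
                   "renovate.json", "renovate.json5", ".renovaterc", ".renovaterc.json"}
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)   # reporting date (constructed)
SLA_DAYS = 7                                         # constructed SLA for merging a patch PR


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _days(start, end):
    return (end - start).total_seconds() / 86400


def has_pr_tool(files):
    """True if a Dependabot or Renovate configuration exists in the repository."""
    return any(f in PR_TOOL_CONFIGS for f in files)


def patch_mttr(prs, now=NOW, sla_days=SLA_DAYS):
    """Per repository: mean days opened->merged, mean days opened->deployed and the
    number of PRs that missed the SLA (merged late, or still open past the SLA)."""
    per_repo = {}
    for pr in prs:
        if pr["author"] not in BOT_AUTHORS:          # only automated patch PRs count
            continue
        s = per_repo.setdefault(pr["repo"], {"pr": [], "prod": [], "breaches": 0, "open": 0})
        opened = _ts(pr["opened"])
        if pr["merged"]:
            d = _days(opened, _ts(pr["merged"]))
            s["pr"].append(d)
            s["breaches"] += d > sla_days
        else:
            s["open"] += 1
            s["breaches"] += _days(opened, now) > sla_days
        if pr["deployed"]:
            s["prod"].append(_days(opened, _ts(pr["deployed"])))
    return {
        repo: {
            "pr_mttr_days": round(mean(s["pr"]), 2) if s["pr"] else None,
            "prod_mttr_days": round(mean(s["prod"]), 2) if s["prod"] else None,
            "sla_breaches": s["breaches"],
            "open_prs": s["open"],
        }
        for repo, s in per_repo.items()
    }


def report(prs=SAMPLE_PRS, repo_files=SAMPLE_REPO_FILES, now=NOW):
    """Both measurements per repository: is a PR tool configured, and the MTTR figures."""
    mttr = patch_mttr(prs, now)
    return {repo: {"pr_tool_configured": has_pr_tool(files), **mttr.get(repo, {})}
            for repo, files in repo_files.items()}


if __name__ == "__main__":
    for repo, row in report().items():
        print(repo, row)
```

A repository without any bot PR but with a PR tool configured simply has no MTTR yet; a repository without the tool shows up with `pr_tool_configured: False`, which is the first thing to fix before the time-based metric means anything. Still-open PRs are excluded from the mean but counted as SLA breaches once they are older than the SLA, so a stalled PR cannot hide behind a good average.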
SLA per criticality:
uuid: 51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
risk: Not communicating how many applications adhere to the SLAs based on
the criticality of vulnerabilities can lead to delayed remediation of critical
security issues, increasing the risk of exploitation and potential damage
to the organization.
measure: Measurement and communication of how many vulnerabilities per severity
for components like applications are handled within the agreed SLAs. This is
performed for the whole organization and doesn't need to be broken down (yet)
per team/product/application. At least quarterly.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
dependsOn: []
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
tags:
- documentation
- vulnerability
- vulnerability management system
- uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
name: DefectDojo Client
tags:
- Defectdojo
- statistics
url: https://github.com/SDA-SE/defectdojo-client
description: |
This project contains the DefectDojo upload client and the statistics client. It is used, for example, within the ClusterImageScanner.
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
KPI/51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
tags:
- vulnerability-mgmt
- metrics
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
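The KPIs of the activities above (Generation of response statistics, Number of vulnerabilities/severity, Number of vulnerabilities/severity/layer and SLA per criticality) computed from one findings export, as an added example in Python. It is not code from DefectDojo, the DefectDojo client or DSOMM: the findings, the layer names, the organisation-wide SLA days per severity and the reporting date are constructed assumptions, chosen so that an open finding already past its SLA and a triaged false positive are both present.

```python
"""Vulnerability KPIs from a findings export: open findings per severity and
layer, mean time to resolution (MTTR) per severity and SLA adherence per
severity, plus a plain-text report that can be printed during the build.
Added example; the findings and SLA values below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed findings, using a few of the fields a vulnerability management
# system such as DefectDojo exports per finding. Not real data.
FINDINGS = [
    {"id": 1, "component": "shop/api", "layer": "application",
     "severity": "Critical", "created": "2024-01-02", "mitigated": "2024-01-04", "false_p": False},
    {"id": 2, "component": "shop/api", "layer": "container image",
     "severity": "High", "created": "2024-01-03", "mitigated": "2024-01-20", "false_p": False},
    {"id": 3, "component": "shop/api", "layer": "application",
     "severity": "High", "created": "2023-12-20", "mitigated": None, "false_p": False},
    {"id": 4, "component": "shop/web", "layer": "application",
     "severity": "Medium", "created": "2024-01-05", "mitigated": "2024-01-30", "false_p": False},
    {"id": 5, "component": "shop/web", "layer": "runtime",
     "severity": "Low", "created": "2024-01-06", "mitigated": None, "false_p": False},
    {"id": 6, "component": "shop/web", "layer": "application",
     "severity": "High", "created": "2024-01-07", "mitigated": "2024-01-08", "false_p": True},
]
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}  # constructed org-wide SLA
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)                   # reporting date (constructed)


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _age_days(finding, now):
    """Days from creation to mitigation, or to `now` if the finding is still open."""
    end = _day(finding["mitigated"]) if finding["mitigated"] else now
    return (end - _day(finding["created"])).days


def active(findings):
    """Triaged false positives do not count in any KPI."""
    return [f for f in findings if not f["false_p"]]


def open_by_severity_and_layer(findings):
    """component -> severity -> layer -> number of open findings."""
    out = defaultdict(lambda: defaultdict(Counter))
    for f in active(findings):
        if f["mitigated"] is None:
            out[f["component"]][f["severity"]][f["layer"]] += 1
    return {c: {s: dict(layers) for s, layers in sev.items()} for c, sev in out.items()}


def mttr_by_severity(findings):
    """Mean days from creation to mitigation, over resolved findings only."""
    days = defaultdict(list)
    for f in active(findings):
        if f["mitigated"]:
            days[f["severity"]].append(_age_days(f, None))
    return {s: round(mean(v), 1) for s, v in days.items()}


def sla_adherence(findings, now=NOW, sla=SLA_DAYS):
    """Share of findings per severity handled within the SLA. An open finding
    already older than its SLA counts as a breach; an open finding still inside
    its SLA is not counted yet, so it neither inflates nor hides the ratio."""
    within, total = Counter(), Counter()
    for f in active(findings):
        age, limit = _age_days(f, now), sla[f["severity"]]
        if f["mitigated"] is None and age <= limit:
            continue
        total[f["severity"]] += 1
        if age <= limit:
            within[f["severity"]] += 1
    return {s: round(within[s] / total[s], 2) for s in total}


def text_report(findings, now=NOW):
    """The simple, text-based communication the activities allow for."""
    lines = ["Open findings per component/severity/layer:"]
    for comp, sev in sorted(open_by_severity_and_layer(findings).items()):
        for s, layers in sev.items():
            for layer, n in layers.items():
                lines.append(f"  {comp:10} {s:8} {layer:16} {n}")
    lines.append("MTTR (days) per severity: " + str(mttr_by_severity(findings)))
    lines.append("SLA adherence per severity: " + str(sla_adherence(findings, now)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(text_report(FINDINGS))
```

Two details matter more than the arithmetic: triaged false positives are removed before anything is counted, otherwise a noisy scanner makes the team look slow, and an open finding is only counted against the SLA once it is actually overdue, otherwise fresh findings drag the adherence ratio down on the day they appear.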
Test and Verification:
Application tests:
High coverage of security related module and integration tests:
uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a
risk: Vulnerabilities are rising due to code changes in a complex microservice
environment, also in less important components.
measure: Implementation of security related tests via unit tests and integration
tests, including tests of libraries in case they are not tested already.
difficultyOfImplementation:
knowledge: 5
time: 5
resources: 3
usefulness: 3
level: 5
implementation: []
references:
samm2:
- V-ST-3-B
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Security integration tests for important components:
uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
risk: Vulnerabilities are rising due to code changes in a complex microservice
environment.
measure: Implementation of essential security related integration tests. For
example for authentication and authorization.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 2
usefulness: 2
level: 3
references:
samm2:
- V-ST-3-B
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Security unit tests for important components:
uuid: eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
risk: Vulnerabilities are rising due to code changes.
measure: Usage of unit tests to test important security related features like
authentication and authorization.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 2
usefulness: 3
level: 2
comments: |
Module tests are integrated during development; they highlight vulnerabilities in the sub-routines, functions, modules, libraries etc. that are checked.
A sample implementation of unit tests are explained in the video [Shift-Left-Security with the Security Test Pyramid - Andreas Falk](https://www.youtube.com/watch?v=TzFZy3f7d8E) starting with minute 9.
implementation:
- uuid: cc2eec82-f3a7-4ae5-9ccb-3d75352b2e4d
name: JUnit
tags:
- unittest
url: https://junit.org/junit5/
- uuid: fd56720a-ad4b-487c-b4c3-897a688672c4
name: Karma
tags: []
url: https://karma-runner.github.io
references:
samm2:
- V-ST-3-B
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
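What a security unit test for "important security related features like authentication and authorization" looks like in practice, as an added example in Python (the page lists JUnit and Karma; the same cases translate directly). This is not code from any project named on the page: the HMAC-based session token format, the order/owner authorization rules and the test cases are assumptions for this illustration. The point of each test is a security property (expiry, tampering, wrong key, deny by default, no access to another user's object), not the happy path.

```python
"""Security unit tests for an authentication helper (session tokens) and an
authorization helper (deny by default, owner-only access). Added example; the
token format, the rules and the secret are constructed for the illustration."""
import base64
import hashlib
import hmac

SECRET = b"unit-test-only-secret"  # constructed; a real service loads the key from a secret store


def issue_token(user, role, expires_at, secret=SECRET):
    """token = base64(user|role|expiry|HMAC-SHA256(user|role|expiry))."""
    payload = f"{user}|{role}|{int(expires_at)}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()


def verify_token(token, now, secret=SECRET):
    """Return (user, role) for a valid token, None for malformed, tampered or expired ones."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        payload, mac = raw.rsplit("|", 1)
        user, role, exp = payload.split("|")
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time, checked before anything else
        return None
    if exp <= now:
        return None
    return user, role


def authorize(principal, action, resource):
    """Deny by default: admins may do anything, owners may read/update their own orders."""
    user, role = principal
    if role == "admin":
        return True
    if resource["type"] == "order" and resource["owner"] == user:
        return action in ("read", "update")
    return False


# --- tests: each one pins a security property, not just a happy path ---------
def test_valid_token_is_accepted():
    assert verify_token(issue_token("alice", "user", 2000), now=1000) == ("alice", "user")

def test_expired_token_is_rejected():
    assert verify_token(issue_token("alice", "user", 2000), now=2000) is None

def test_tampered_role_is_rejected():
    raw = base64.urlsafe_b64decode(issue_token("alice", "user", 2000)).decode()
    forged = base64.urlsafe_b64encode(raw.replace("|user|", "|admin|", 1).encode()).decode()
    assert verify_token(forged, now=1000) is None

def test_token_from_other_key_is_rejected():
    assert verify_token(issue_token("alice", "user", 2000, secret=b"other"), now=1000) is None

def test_garbage_is_rejected():
    assert verify_token("not-a-token", now=1000) is None
    assert verify_token("", now=1000) is None

def test_deny_by_default_for_unknown_resource():
    assert authorize(("bob", "user"), "read", {"type": "invoice", "owner": "bob"}) is False

def test_owner_cannot_delete_own_order():
    assert authorize(("bob", "user"), "delete", {"type": "order", "owner": "bob"}) is False

def test_user_cannot_read_other_users_order():   # the classic IDOR check
    assert authorize(("bob", "user"), "read", {"type": "order", "owner": "alice"}) is False

def test_owner_can_read_own_order_and_admin_anything():
    assert authorize(("bob", "user"), "read", {"type": "order", "owner": "bob"}) is True
    assert authorize(("root", "admin"), "delete", {"type": "order", "owner": "alice"}) is True


def run_all():
    """Run every test_* function in this module; returns how many passed (raises on failure)."""
    tests = [fn for name, fn in sorted(globals().items()) if name.startswith("test_")]
    for fn in tests:
        fn()
    return len(tests)


if __name__ == "__main__":
    print(f"{run_all()} security unit tests passed")
```

The file also runs under pytest as-is, because the tests are plain `test_*` functions. A test like `test_user_cannot_read_other_users_order` is exactly the kind of check that keeps a later refactoring of `authorize` from silently turning into an IDOR.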
Smoke Test:
uuid: 73aaae0b-5d68-4953-9fa4-fd25bf665f2a
risk: During a deployment an error might happen which leads to non-availability
of the system, a part of the system or a feature.
measure: Integration tests are performed against the production environment
after each deployment.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 2
level: 4
implementation: []
dependsOn:
- Defined deployment process
references:
samm2:
- V-ST-3-B
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Consolidation:
Advanced visualization of defects:
uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876
risk: Correlation of the vulnerabilities of different tools to get an overview
of the overall security level per component/project/team is not given.
measure: Findings are visualized per component/project/team.
difficultyOfImplementation:
knowledge: 2
time: 4
resources: 1
usefulness: 2
level: 4
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
tags:
- documentation
- vulnerability
- vulnerability management system
references:
samm2:
- I-DM-3-B
iso27001-2017:
- 16.1.4
- 8.2.1
- 8.2.2
- 8.2.3
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Fix based on accessibility:
uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed
risk: Overwhelming volume of security findings from automated testing tools.
This might lead to findings being ignored.
measure: Implement a simple risk-based prioritization framework for vulnerability
remediation based on the accessibility of the applications.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 3
meta:
implementationGuide: |-
Develop a scoring system for asset accessibility, considering factors like:
- Whether the asset is internet-facing (highly recommended)
- The number of network hops required to reach the asset (recommended)
- Authentication requirements for access (recommended)
dependsOn:
- Treatment of defects with severity high or higher
- Inventory of production components
implementation: ~
references:
samm2:
- I-DM-3-B
iso27001-2017:
- 16.1.4
- 8.2.1
- 8.2.2
- 8.2.3
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/0c10a7f7-f78f-49f2-943d-19fdef248fed
tags:
- vuln-action
- defect-management
teamsImplemented:
Default: false
B: false
C: false
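The accessibility scoring from the implementation guide above, turned into a remediation queue, as an added example in Python. It is not DSOMM's or any tool's code: the asset inventory, the open findings, the weights for internet exposure, network hops and authentication, and the escalation rule are constructed assumptions, and the inventory is what the "Inventory of production components" activity this one depends on would have to supply.

```python
"""Remediation order from asset accessibility and finding severity.
Added example; the inventory, the findings and all weights are constructed."""

# Constructed production inventory. Not real systems.
ASSETS = {
    "shop/web":   {"internet_facing": True,  "hops": 0, "auth": "none"},
    "shop/api":   {"internet_facing": True,  "hops": 1, "auth": "user"},
    "shop/admin": {"internet_facing": False, "hops": 2, "auth": "admin"},
    "shop/batch": {"internet_facing": False, "hops": 3, "auth": "none"},
}
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
WEIGHT_NAME = {v: k for k, v in SEVERITY_WEIGHT.items()}

# Constructed open findings.
FINDINGS = [
    {"id": "F1", "component": "shop/batch", "severity": "Critical"},
    {"id": "F2", "component": "shop/web",   "severity": "Medium"},
    {"id": "F3", "component": "shop/api",   "severity": "High"},
    {"id": "F4", "component": "shop/admin", "severity": "Critical"},
    {"id": "F5", "component": "shop/web",   "severity": "Low"},
]


def accessibility_score(asset):
    """0..10: internet exposure weighs most, then network distance, then the
    authentication an attacker needs before reaching the asset."""
    score = 5 if asset["internet_facing"] else 0
    score += max(0, 3 - asset["hops"])                 # 3 for directly reachable, 0 for 3+ hops
    score += {"none": 2, "user": 1, "admin": 0}[asset["auth"]]
    return score


def effective_severity(finding, assets):
    """Severity stays the primary factor; a finding on an asset reachable from the
    internet without authentication (score >= 9) is escalated by one step."""
    sev = SEVERITY_WEIGHT[finding["severity"]]
    if accessibility_score(assets[finding["component"]]) >= 9 and sev < 4:
        sev += 1
    return WEIGHT_NAME[sev]


def priority(finding, assets):
    """Numeric priority: effective severity first, accessibility as tie-breaker."""
    acc = accessibility_score(assets[finding["component"]])
    return SEVERITY_WEIGHT[effective_severity(finding, assets)] * 10 + acc


def remediation_queue(findings=FINDINGS, assets=ASSETS):
    """Findings ordered for remediation, highest priority first."""
    return sorted(findings, key=lambda f: priority(f, assets), reverse=True)


if __name__ == "__main__":
    for f in remediation_queue():
        print(priority(f, ASSETS), f["id"], f["component"], f["severity"],
              "->", effective_severity(f, ASSETS))
```

The design keeps severity as the first sort key and uses accessibility only to escalate the most exposed assets by one step and to break ties, so an internal Critical finding is never pushed below an internet-facing Low one; a pure product of the two scores would do exactly that.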
Integration in development process:
uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d
risk: "Not integrating vulnerability handling into the development process may
result in product teams ignoring findings. \n\nSecurity joke: We will gain
100% false negatives."
measure: Integration of findings into the development process. E.g. adding findings
to the backlog of products teams.
description: |-
Validating Findings by Security Engineers Pros:
- Ensures accuracy and relevance of findings before they reach product teams
- Reduces false positives, saving development teams time and effort
- Might provide a layer of expertise in assessing the severity and impact of vulnerabilities
Validating Findings by Security Engineers Cons:
- Requires a sufficient number of skilled security engineers, which might be challenging for some organizations
- May slow down the process if security engineers are overloaded with validation tasks
- For Software Composition Analysis findings (known vulnerabilities), I, as a security engineer, struggle to analyse whether a finding is a false positive or a true positive due to a lack of insight into the application
Pushing Findings Directly to Product Teams Pros:
- Accelerates the process by immediately notifying product teams of potential vulnerabilities
- Empowers product teams to take swift action in addressing security issues
Pushing Findings Directly to Product Teams Cons:
- Increases the workload on product teams, potentially leading to frustration
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
dependsOn: []
implementation:
- uuid: 889444eb-de68-4367-bada-a66f8cb9733a
name: Jira
tags:
- documentation
- issue
- proprietary
url: https://jira.atlassian.com/
description: Jira is a bug tracking and project management tool developed
by Atlassian, used by development teams for tracking issues, planning sprints,
and managing software releases. It offers features for creating and managing
tasks, assigning them to team members, and monitoring progress through customizable
workflows and dashboards.
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
name: DefectDojo Client
tags:
- Defectdojo
- statistics
url: https://github.com/SDA-SE/defectdojo-client
description: |
This project contains the DefectDojo upload client and the statistics client. It is used, for example, within the ClusterImageScanner.
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/aaffa73f-59f6-4267-b0ab-732f3d13e90d
tags:
- vulnerability-mgmt
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
Integration of vulnerability issues into the development process:
uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e
risk: Reading the console output of the build server to search for vulnerabilities
can be difficult. Also, checking a vulnerability management system might
not be a daily task for a developer.
measure: Vulnerabilities are tracked in the team's issue system (e.g. Jira).
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 2
level: 3
implementation:
- uuid: aaad322e-806e-4c51-b78d-6551f7dc376a
name: SAST
tags: []
description: 'With SAST (Static Application Security Testing), findings can easily
be attributed to server-side or client-side teams. In a microservice architecture,
individual microservices can usually be mapped to teams.'
url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/
- uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609
name: DAST
tags: []
description: 'With DAST (Dynamic Application Security Testing), vulnerabilities
are classified and can be assigned to server-side or client-side teams.'
url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/
references:
samm2:
- I-DM-2-B
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.4
- 16.1.5
- 16.1.6
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.25
- 5.26
- 5.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Reproducible defect tickets:
uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39
risk: Vulnerability descriptions are hard to understand for staff from operations
and development.
measure: Vulnerabilities include the test procedure to give the staff from operations
and development the ability to reproduce vulnerabilities. This enhances the
understanding of vulnerabilities and therefore the fix has a higher quality.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 2
usefulness: 2
level: 4
implementation: []
references:
samm2:
- I-DM-2-B
iso27001-2017:
- 16.1.4
- 8.2.1
- 8.2.2
- 8.2.3
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple false positive treatment:
uuid: c1acc8af-312e-4503-a817-a26220c993a0
risk: As false positives occur during each test, all vulnerabilities might be
ignored, especially if tests are automated and run daily.
measure: |-
Findings from security tests must be triaged and outcomes persisted/documented to:
- Prevent re-analysis of known issues in subsequent test runs
- Track accepted risks vs false positives
- Enable consistent decision-making across teams
At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings.
Samples for false positive handling:
- [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html)
- [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/)
- [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status)
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 4
level: 1
implementation:
- uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c
name: OWASP Defect Dojo
tags: []
url: https://github.com/DefectDojo/django-DefectDojo
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
references:
samm2:
- I-DM-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 16.1.6
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 5.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple visualization of defects:
uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83
risk: The security level of a component is not visible. Therefore, the motivation
to enhance the security is not given.
measure: Vulnerabilities are visualized in a simple way.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207
name: OWASP Dependency Check
tags:
- OpenSource
- Supply Chain
- vulnerability
url: https://owasp.org/www-project-dependency-check/
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track
description: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81
name: LogParser Jenkins Plugins
tags: []
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
references:
samm2:
- I-DM-1-B
iso27001-2017:
- 16.1.4
- 8.2.1
- 8.2.2
- 8.2.3
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Treatment of all defects:
uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d
risk: Vulnerabilities with severity low are not visible.
measure: All vulnerabilities are added to the quality gate.
difficultyOfImplementation:
knowledge: 3
time: 4
resources: 1
usefulness: 2
level: 5
implementation: []
references:
samm2:
- I-DM-2-B
iso27001-2017:
- 16.1.4
- 12.6.1
iso27001-2022:
- 8.8
- 5.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d
tags:
- vuln-action
- defect-management
comments: ""
teamsImplemented:
Default: false
B: false
C: false
Treatment of defects per protection requirement:
uuid: 2b7cc923-bdaf-43e3-8fb4-a995b7783969
risk: Not defining the protection requirement of applications can lead to wrong
prioritization and delayed remediation of critical security issues, increasing
the risk of exploitation and potential damage to the organization.
measure: Define the protection requirement of components like applications and
align the corresponding handling of vulnerabilities per severity to SLAs. This
is performed for the whole organization and doesn't need to be broken down (yet)
per team/product/application. At least quarterly.
description: |-
The protection requirements for an application should consider:
- Data criticality
- Application accessibility (internal vs. external)
- Regulatory compliance
- Other relevant factors
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
dependsOn: []
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
tags:
- documentation
- vulnerability
- vulnerability management system
- uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
name: DefectDojo Client
tags:
- Defectdojo
- statistics
url: https://github.com/SDA-SE/defectdojo-client
description: |
This project contains the DefectDojo upload client and the statistics client. It is used, for example, within the ClusterImageScanner.
references:
samm2:
- I-DM-3-B
iso27001-2022:
- 5.25
- 5.12
- 5.13
- 5.1
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/2b7cc923-bdaf-43e3-8fb4-a995b7783969
tags:
- vulnerability-mgmt
- metrics
- vmm-measurements
teamsImplemented:
Default: false
B: false
C: false
Treatment of defects with severity high or higher:
uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385
risk: Vulnerabilities with severity high or higher are not visible.
measure: Vulnerabilities with severity high or higher are added to the quality
gate.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 1
comments: False positive analysis, especially for static analysis, is time consuming.
references:
samm2:
- I-DM-2-B
iso27001-2017:
- 16.1.4
- 12.6.1
iso27001-2022:
- 8.8
- 5.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385
implementation: []
tags:
- vuln-action
- defect-management
teamsImplemented:
Default: false
B: false
C: false
Treatment of defects with severity middle:
uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594
risk: Vulnerabilities with severity middle are not visible.
measure: Vulnerabilities with severity middle are added to the quality gate.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 3
comments: False positive analysis, especially for static analysis, is time consuming.
references:
samm2:
- I-DM-2-B
iso27001-2017:
- 16.1.4
- 12.6.1
iso27001-2022:
- 8.8
- 5.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594
implementation: []
tags:
- vuln-action
- defect-management
teamsImplemented:
Default: false
B: false
C: false
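A quality gate that implements the "Treatment of defects" activities (high or higher, middle, all) on top of the persisted, triaged-versus-untriaged decisions that "Simple false positive treatment" asks for, as an added example in Python. This is not the suppression format of Dependency-Check, Kubescape, DefectDojo or any other tool named on the page: the normalised scan results, the triage file layout, the fingerprinting rule and the expiry handling are constructed assumptions. The Log4Shell entry (CVE-2021-44228) is real and is deliberately reported by two tools so the gate has to count it once; the Low finding uses the placeholder identifier EXAMPLE-LOW-1.

```python
"""Quality gate over normalised scanner findings with persisted triage decisions.
Added example; the findings, the triage file and the rule identifiers other than
CVE-2021-44228 are constructed."""
import hashlib
import json
import sys
from datetime import date

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
TODAY = date(2024, 3, 1)   # fixed reporting date for the constructed run

# Constructed, already-normalised output of three scanners.
SCAN_RESULTS = [
    {"tool": "dependency-check", "rule": "CVE-2021-44228", "component": "log4j-core:2.14.1",
     "location": "pom.xml", "severity": "Critical"},
    {"tool": "trivy", "rule": "CVE-2021-44228", "component": "log4j-core:2.14.1",
     "location": "app.jar", "severity": "Critical"},
    {"tool": "sast", "rule": "sql-injection", "component": "shop/api",
     "location": "OrderDao.java:42", "severity": "High"},
    {"tool": "sast", "rule": "xxe", "component": "shop/api",
     "location": "Parser.java:17", "severity": "Medium"},
    {"tool": "trivy", "rule": "EXAMPLE-LOW-1", "component": "libexample:1.0",  # placeholder id
     "location": "base-image", "severity": "Low"},
]


def fingerprint(finding):
    """Stable, tool-independent key so a re-run (or a second tool) maps to the
    same triage decision. Location is left out on purpose: SCA tools report the
    same vulnerable component from different files."""
    raw = f'{finding["rule"]}|{finding["component"]}'
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


# Constructed triage file (what would be persisted in the repository or the
# vulnerability management system): fingerprint -> decision. `until` None means
# permanent; a date means the decision expires and the finding resurfaces.
TRIAGE = {
    fingerprint({"rule": "xxe", "component": "shop/api"}): {
        "status": "false_positive", "reason": "external entities disabled in parser factory",
        "until": None},
    fingerprint({"rule": "EXAMPLE-LOW-1", "component": "libexample:1.0"}): {
        "status": "accepted_risk", "reason": "code path not reachable", "until": "2024-01-31"},
}


def is_suppressed(decision, today):
    if decision is None:
        return False
    return decision["until"] is None or date.fromisoformat(decision["until"]) >= today


def evaluate(findings, triage, min_severity, today):
    """Split findings into those that block the build and those suppressed by
    triage. Blocking findings are deduplicated by fingerprint; a finding below
    the threshold is neither blocking nor suppressed (it is only reported)."""
    blocking, suppressed, seen = [], [], set()
    for f in findings:
        fp = fingerprint(f)
        if is_suppressed(triage.get(fp), today):
            suppressed.append({**f, "triage": triage[fp]["status"]})
            continue
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[min_severity] or fp in seen:
            continue
        seen.add(fp)
        blocking.append(f)
    return blocking, suppressed


def gate_passes(findings, triage, min_severity, today):
    return not evaluate(findings, triage, min_severity, today)[0]


if __name__ == "__main__":
    # Usage: python gate.py High   -> exit 1 if any untriaged High-or-higher finding exists.
    threshold = sys.argv[1] if len(sys.argv) > 1 else "High"
    blocking, suppressed = evaluate(SCAN_RESULTS, TRIAGE, threshold, date.today())
    print(json.dumps({"blocking": blocking, "suppressed": suppressed}, indent=2))
    sys.exit(1 if blocking else 0)
```

Raising the maturity level is then only a change of the threshold argument (`High` for level 1, `Medium` for level 3, `Low` for "Treatment of all defects"), while the triage file is the single place where false positives and accepted risks live across runs and tools. Giving an accepted risk an expiry date is the check that keeps "accepted" from quietly becoming "forgotten": the expired EXAMPLE-LOW-1 acceptance is back in the blocking list as soon as the gate runs at the Low threshold.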
Usage of a vulnerability management system:
uuid: 85ba5623-84be-4219-8892-808837be582d
risk: Maintaining false positives in each tool separately causes a high workload.
In addition, correlating the same finding reported by different tools is not
possible.
measure: Aggregation of vulnerabilities in one tool reduces the workload to handle
them, e.g. to mark them as false positives.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 2
usefulness: 2
dependsOn:
- Exploit likelihood estimation
- Each team has a security champion
- Office Hours
level: 3
description: "For known vulnerabilities, a process to estimate the exploitability
of a vulnerability is recommended.\n\nBuilding a security culture, including training,
office hours and security champions, can help integrating security scanning at scale.
Such activities help to understand why a vulnerability is potentially critical
and needs handling."
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
tags:
- vulnerability management system
- owasp
url: https://github.com/DefectDojo/django-DefectDojo
description: |
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
- uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
name: Purify
tags:
- vulnerability management system
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
references:
samm2:
- I-DM-1-B
iso27001-2017:
- 12.6.1
- 16.1.3
- 16.1.4
- 16.1.5
- 16.1.6
iso27001-2022:
- 8.8
- 6.8
- 5.25
- 5.26
- 5.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/85ba5623-84be-4219-8892-808837be582d
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Dynamic depth for applications:
Coverage analysis:
uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7
risk: Parts of the service are still not covered by tests.
measure: Check that there are no missing paths in the application with coverage-tools.
difficultyOfImplementation:
knowledge: 4
time: 5
resources: 3
usefulness: 4
level: 5
implementation:
- uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366
name: OWASP Code Pulse
tags: []
url: https://www.owasp.org/index.php/OWASP_Code_Pulse
- uuid: f011de6e-ab7c-4ec7-af55-03427271ab32
name: Coverage.py
tags:
- testing
- coverage
url: https://github.com/nedbat/coveragepy
description: |
Code coverage measurement for Python
references:
samm2:
- V-ST-2-A
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
- part of periodic review, PDCA
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Coverage of client side dynamic components:
uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e
risk: Parts of the service are not covered during the scan, because JavaScript
is not executed. Therefore, the coverage of client-side dynamic components
is limited, leading to potential security risks and undetected vulnerabilities.
measure: Usage of a spider which executes dynamic content like JavaScript, e.g.
via Selenium.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 4
level: 2
dependsOn:
- Usage of different roles
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/9711f871-f79d-4573-8d4f-d2c98fd0d18e
implementation:
- uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb
name: Ajax Spider
tags: []
url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Coverage of hidden endpoints:
uuid: 6a9cb303-0f98-48a8-bdcd-56d41c0012b8
risk: Hidden endpoints of the service are not tracked.
measure: Hidden endpoints are detected and included in the vulnerability
scan.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 1
usefulness: 5
level: 3
implementation:
- uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b
name: cURL
tags: []
url: https://curl.se/
- uuid: 7ce77258-bf65-4e7a-9627-daf765ee1d77
name: OpenAPI Specifications
tags: []
url: https://spec.openapis.org/
- uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801
name: OWASP Zap
tags:
- vulnerability
- scanner
url: https://github.com/zaproxy/zaproxy
description: |
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ...
- uuid: c9bbecf2-567b-4422-b29a-67b16385f32b
name: Schemathesis
tags:
- testing
- api
- documentation
url: https://github.com/schemathesis/schemathesis
description: |
Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema.
dependsOn:
- Usage of different roles
references:
samm2:
- V-ST-2-A
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Coverage of more input vectors:
uuid: 5e0ff85b-ec89-4ef0-96b1-5695fa0025dc
risk: Parts of the service are not covered. For example, specially formatted
or encoded parameters are not detected as parameters (e.g. parameters
in REST-like URLs, parameters in JSON format or base64-encoded parameters).
measure: Special parameters and special encodings are defined, so that they get
fuzzed by the vulnerability scanners in use.
difficultyOfImplementation:
knowledge: 5
time: 5
resources: 1
usefulness: 4
level: 3
dependsOn:
- Usage of different roles
references:
samm2:
- V-ST-2-A
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/5e0ff85b-ec89-4ef0-96b1-5695fa0025dc
implementation:
- uuid: c9bbecf2-567b-4422-b29a-67b16385f32b
name: Schemathesis
tags:
- testing
- api
- documentation
url: https://github.com/schemathesis/schemathesis
description: |
Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema.
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Coverage of sequential operations:
uuid: 845f06ec-148c-4c67-9755-7041911dcca5
risk: Sequential operations like workflows (e.g. login -> put products in the
basket
measure: Sequential operations are defined and checked by the vulnerability
scanner in the defined order.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 5
level: 3
implementation:
- uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b
name: cURL
tags: []
url: https://curl.se/
dependsOn:
- Usage of different roles
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 14.2.8
- 14.2.3
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/845f06ec-148c-4c67-9755-7041911dcca5
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Coverage of service to service communication:
uuid: 22aab0ef-76ce-4b8c-979c-3699784330db
risk: Service to service communication is not covered.
measure: Service to service communication is dumped and checked.
difficultyOfImplementation:
knowledge: 4
time: 5
resources: 2
usefulness: 3
level: 5
dependsOn:
- Simple Scan
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/22aab0ef-76ce-4b8c-979c-3699784330db
implementation:
- uuid: 000b55f9-e6fd-4649-8290-27876a0409e2
name: Citrus Fresh Integration Testing
tags:
- framework
- testing
url: https://citrusframework.org/
description: Integration Test framework with focus on messaging applications
and Microservices.
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Simple Scan:
uuid: 07796811-37f9-467c-9ff2-48f346e77ff3
risk: Deficient security tests are performed. Simple vulnerabilities are not
detected and missing security configurations (e.g. security headers) go unnoticed.
Fast feedback is not given.
measure: A simple scan is performed to get a security baseline. In case the
test is done in under 10 minutes, it should be part of the build and deployment
process.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 1
level: 2
dependsOn:
- Defined build process
implementation:
- uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801
name: OWASP Zap
tags:
- vulnerability
- scanner
url: https://github.com/zaproxy/zaproxy
description: |
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ...
- uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63
name: Arachni
url: https://github.com/Arachni/arachni
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of different roles:
uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750
risk: Parts of the service are not covered during the scan, because a login
is not performed.
measure: Integration of authentication with all roles used in the service.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 2
level: 2
dependsOn:
- Simple Scan
references:
samm2:
- V-ST-2-A
iso27001-2017:
- not explicitly covered by ISO 27001 - too specific
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/65a2d7d9-5441-46bf-a4e3-f76919857750
implementation:
- uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3
name: Zest
url: https://www.zaproxy.org/docs/desktop/addons/zest/
tags:
- zap
description: |
Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools.
assessment: For REST APIs, multiple OAuth2 scopes are used.
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Usage of multiple scanners:
uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea
risk: Each vulnerability scanner has different capabilities. By using just
one scanner, some vulnerabilities might not be found.
measure: Using multiple spiders and scanners improves the coverage and the
number of vulnerabilities found.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 5
usefulness: 1
level: 4
dependsOn:
- Usage of different roles
implementation:
- uuid: f220b299-0917-4750-96c5-d81cd402b4df
name: OWASP secureCodeBox
tags:
- vulnerability
- scanner-orchestration
url: https://github.com/secureCodeBox/secureCodeBox
description: |
secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Dynamic depth for infrastructure:
Load tests:
uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd
risk: As it is unknown how many requests the systems and applications can serve,
an unexpected load disrupts availability.
measure: Load tests against the production system or a production-like system
are performed.
difficultyOfImplementation:
knowledge: 3
time: 2
resources: 5
usefulness: 3
level: 4
implementation: []
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 12.1.3
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.6
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for exposed services:
uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8
risk: Standard network segmentation and firewalling have not been performed,
leading to cluster management ports that are open to the world.
measure: With the help of tools, the network configuration is tested for unintentionally
exposed cluster(s). To identify clusters, all subdomains might need to
be enumerated with a tool like OWASP Amass, so that port scans can be performed
based on the result.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 2
dependsOn:
- Isolated networks for virtual environments
usefulness: 2
level: 2
implementation:
- uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882
name: nmap
tags: []
url: https://nmap.org/
- uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a
name: OWASP Amass
tags: []
url: https://github.com/OWASP/Amass
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 13.1.3
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.22
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for unauthorized installation:
uuid: dccf1949-b9a8-4ce8-b992-6a4a7f3a623a
risk: Unapproved components are used.
measure: Components must be whitelisted. Regular scans of the docker infrastructure
(e.g. cluster) need to be performed to verify that only standardized base
images are used.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: 349cf64c-abea-40bb-bd07-9c98ce648fa4
name: 'Example: All docker images used by teams need to be based on standard
images.'
tags: []
comments: By preventing teams from trying out new components, innovation might
be hampered.
references:
samm2: []
iso27001-2017:
- 12.5.1
- 12.6.1
iso27001-2022:
- 8.19
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a
dependsOn:
- Evaluation of the trust of used components
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for unused Resources:
uuid: 6532c1fe-9d23-4228-8722-558ddabca7d4
risk: Unused resources, especially secrets, might still be valid but expose
information. As an attacker, I compromise a system, gather credentials and
try to use them.
measure: Tests for unused resources are performed to identify them.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 2
level: 5
implementation:
- uuid: 8fea20ad-e332-4aa8-b1f1-aa9deb635dc1
name: K8sPurger
tags:
- vulnerability
- scanner
- dast
- infrastructure
url: https://github.com/yogeshkk/K8sPurger
description: |
Hunt Unused Resources In Kubernetes.
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 13.1.3
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.22
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test network segmentation:
uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01
risk: Wrong or no network segmentation of pods makes it easier for an attacker
to access a database and extract or modify data.
measure: Cluster-internal tests need to be performed. Fine-grained network
segmentation (also between pods in the same namespace) is integrated.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: fffa6fb9-1fae-4852-88dc-c7086961330c
name: netassert
tags: []
url: https://github.com/controlplaneio/netassert
dependsOn:
- Isolated networks for virtual environments
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 13.1.3
- 14.2.3
- 14.2.8
iso27001-2022:
- 8.22
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test of the configuration of cloud environments:
uuid: 7bb70764-9392-4462-935d-e55b2e148199
risk: Standard hardening practices for cloud environments are not performed,
leading to vulnerabilities.
measure: With the help of tools, the configuration of virtual environments is
tested.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 2
implementation:
- uuid: 893d9f37-2142-4490-996c-e43b55064d3d
name: kubescape
url: https://github.com/armosec/kubescape
tags:
- kubernetes
- vulnerability
- misconfiguration
description: _Testing if Kubernetes is deployed securely as defined in Kubernetes
Hardening Guidance by NSA and CISA_
- uuid: 2af7204c-a25c-4625-9775-889978386407
name: kube-hunter
tags: []
url: https://github.com/aquasecurity/kube-hunter
- uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f
name: openVAS
tags: []
url: https://www.openvas.org/
references:
samm2: []
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
iso27001-2022:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 8.8
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/7bb70764-9392-4462-935d-e55b2e148199
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Weak password test:
uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f
risk: Weak passwords in components like applications or systems, especially for
privileged accounts, lead to a takeover of that account.
measure: Automatic brute force attacks are performed. Especially testing
standard accounts like 'admin' and employee user IDs is recommended.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 1
level: 3
implementation:
- uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce
name: HTC Hydra
tags:
- password
url: https://www.htc-cs.com/en/products/htc-hydra/
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 9.4.3
iso27001-2022:
- 5.17
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic
depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Static depth for applications:
API design validation:
uuid: 017d9e26-42b5-49a4-b945-9f59b308fb99
risk: Creation of insecure or non-compliant APIs.
measure: |
Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP
and validate the specification using specific tools.
Checks should be integrated in IDEs and CI/CD pipelines.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
implementation:
- uuid: 261f243e-f89c-4169-b076-b22a03ec00be
name: Spectral
tags:
- linting
- api
- documentation
url: https://github.com/stoplightio/spectral
description: |
Spectral is a flexible JSON/YAML linter built with extensibility in mind.
It uses JSON/YAML path rules to describe the problems you want to find.
- uuid: d2c9403d-9da2-4518-b33f-8b74b9c5ca3f
name: API OAS Checker
tags:
- linting
- api
- documentation
url: https://github.com/italia/api-oas-checker
description: |
A tool to check OpenAPI specifications using a comprehensive ruleset based
on API best practices.
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 14.2.1
- 14.2.5
iso27001-2022:
- 8.25
- 8.27
- 8.28
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99
dependsOn:
- Inventory of production components
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Dead code elimination:
uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d
risk: Dead code increases the attack surface (use of hard-coded credentials
and variables, sensitive information).
measure: Unused code is collected and then manually removed.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 1
level: 5
implementation:
- uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
name: PMD
tags: []
dependsOn:
- Defined build process
references:
samm2:
- V-ST-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Exclusion of source code duplicates:
uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711
risk: Duplicates in source code might influence the stability of the application.
measure: Automatic detection and manual removal of duplicates in source code.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 1
level: 5
implementation:
- uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
name: PMD
tags: []
dependsOn:
- Defined build process
references:
samm2:
- V-ST-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Exploit likelihood estimation:
uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
risk: Without proper prioritization, organizations may waste time and effort
on low-risk vulnerabilities while neglecting critical ones.
measure: Estimate the likelihood of exploitation by using data (CISA KEV) from
the past or prediction models (EPSS).
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
level: 3
dependsOn:
- Software Composition Analysis (server side)
implementation:
- uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
- uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will be
exploited.
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Local development security checks performed:
uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b
risk: Code being created and developed contains code smells and quality issues.
measure: |
Integration of quality and linting plugins with integrated development environments (IDEs).
Implement pre-commit checks to prevent secrets and other security issues from being committed to source code.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 4
level: 3
implementation:
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
tags:
- ide
- sast
- uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82
name: DevSecOps control Pre-commit
url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop
tags:
- pre-commit
- uuid: 8da8d115-0f4e-40f0-a3ce-484a49e845fb
name: Building your DevSecOps pipeline 5 essential activities
url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/
tags:
- pre-commit
references:
samm2:
- V-ST-1-A
iso27001-2017:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
iso27001-2022:
- Hardening is not explicitly covered by ISO 27001 - too specific
- 8.22
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Software Composition Analysis (client side):
uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86
risk: Client side components might have vulnerabilities.
measure: Tests for known vulnerabilities in components via Software Composition
Analysis of the frontend are performed.
difficultyOfImplementation:
knowledge: 1
time: 2
resources: 1
usefulness: 2
level: 3
dependsOn:
- Defined build process
- Inventory of production components
- Exploit likelihood estimation
implementation:
- uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7
name: retire.js
tags: []
url: https://github.com/RetireJS/retire.js/
- uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3
name: npm audit
tags: []
url: https://docs.npmjs.com/cli/audit
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- inventory
- uuid: 5c0e817b-204e-4301-a315-2f7cc180c240
name: Dependabot
tags:
- dependency
- dependency-management
- scm
url: https://github.com/dependabot/dependabot-core
description: |
Dependabot creates pull requests to keep your dependencies secure and up-to-date.
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Software Composition Analysis (server side):
uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe
description: Use a tool like trivy and concentrate on application-related vulnerabilities.
At this stage, ignore vulnerabilities in container base images used in the
service.
risk: Server side components might have vulnerabilities.
measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware)
are performed.
difficultyOfImplementation:
knowledge: 1
time: 3
resources: 1
usefulness: 5
level: 2
dependsOn:
- Defined build process
- Inventory of production components
implementation:
- uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207
name: OWASP Dependency Check
tags:
- OpenSource
- Supply Chain
- vulnerability
url: https://owasp.org/www-project-dependency-check/
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- inventory
- uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7
name: retire.js
tags: []
url: https://github.com/RetireJS/retire.js/
- uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3
name: npm audit
tags: []
url: https://docs.npmjs.com/cli/audit
- uuid: 5c0e817b-204e-4301-a315-2f7cc180c240
name: Dependabot
tags:
- dependency
- dependency-management
- scm
url: https://github.com/dependabot/dependabot-core
description: |
Dependabot creates pull requests to keep your dependencies secure and up-to-date.
- uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
name: https://github.com/aquasecurity/trivy
tags: []
url: https://github.com/aquasecurity/trivy
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/d918cd44-a972-43e9-a974-eff3f4a5dcfe
tags:
- vmm-testing
teamsImplemented:
Default: false
B: false
C: false
Static analysis for all components/libraries:
uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
risk: Used components like libraries and legacy applications might have vulnerabilities.
measure: Usage of a static analysis for all used components.
difficultyOfImplementation:
knowledge: 2
time: 4
resources: 2
usefulness: 3
level: 5
dependsOn:
- Static analysis for important client side components
- Static analysis for important server side components
- Inventory of production components
implementation: []
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Static analysis for all self written components:
uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84
risk: Parts in the source code of the frontend or middleware have vulnerabilities.
measure: Usage of static analysis tools for all parts of the middleware and
frontend. Static analysis uses for example string matching algorithms and/or
dataflow analysis.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 4
implementation:
- uuid: 6a0948a7-4781-4858-9766-f4303971b28b
name: eslint
tags: []
url: https://eslint.org/
- uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078
name: FindSecurityBugs
tags: []
- uuid: cccc2882-62ab-4175-afa1-58471017e8ed
name: jsprime
tags: []
url: https://github.com/dpnishant/jsprime
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
tags:
- ide
- sast
dependsOn:
- Static analysis for important client side components
- Static analysis for important server side components
- Inventory of production components
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Static analysis for important client side components:
uuid: e237176b-bec5-447d-a926-e37d6dd60e4b
risk: Important parts in the source code of the frontend have vulnerabilities.
measure: Static analysis tools are used for important parts of the frontend.
Static analysis uses for example string matching algorithms and/or
dataflow analysis.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: 6a0948a7-4781-4858-9766-f4303971b28b
name: eslint
tags: []
url: https://eslint.org/
- uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078
name: FindSecurityBugs
tags: []
- uuid: cccc2882-62ab-4175-afa1-58471017e8ed
name: jsprime
tags: []
url: https://github.com/dpnishant/jsprime
- uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75
name: bdd-mobile-security-automation-framework
tags: []
url: https://github.com/ing-bank/bdd-mobile-security-automation-framework
description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)'
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
tags:
- ide
- sast
dependsOn:
- Defined build process
- Inventory of production components
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Static analysis for important server side components:
uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4
risk: Important parts in the source code of the middleware have vulnerabilities.
measure: Static analysis tools are used for important parts of the middleware.
Static analysis uses for example string matching algorithms and/or
dataflow analysis.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 3
implementation:
- uuid: 6a0948a7-4781-4858-9766-f4303971b28b
name: eslint
tags: []
url: https://eslint.org/
- uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078
name: FindSecurityBugs
tags: []
- uuid: cccc2882-62ab-4175-afa1-58471017e8ed
name: jsprime
tags: []
url: https://github.com/dpnishant/jsprime
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
tags:
- ide
- sast
dependsOn:
- Defined build process
- Inventory of production components
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Stylistic analysis:
uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34
risk: Unclear or obfuscated code might have unexpected behavior.
measure: Analysis of the source code's compliance with style guides ensures that
source code formatting rules are met (e.g. indentation, loops, ...).
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 1
level: 5
implementation:
- uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
name: PMD
tags: []
- uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe
name: How to enforce a consistent coding style in your projects
url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm
tags:
- ide
- linting
- uuid: aa5ded61-5380-4da6-9474-afc36a397682
name: In-Depth Linting of Your TypeScript While Coding
url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
tags:
- ide
- linting
- uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f
name: Super-Linter
tags:
- linting
- scm
url: https://github.com/github/super-linter
description: |
Lint code bases to catch common errors and enforce code style
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
- 14.2.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for Patch Deployment Time:
uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2
risk: Automatic PRs for dependencies are overlooked, resulting in known vulnerabilities
in production artifacts.
measure: |
Test of the Patch Deployment Time.
This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 3
level: 3
implementation:
- uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb
name: PMD
tags: []
dependsOn:
- Automated PRs for patches
- Defined build process
references:
samm2:
- V-ST-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2
comments: ""
meta:
implementationGuide: Self implementation. This activity is not repeated in
the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure
as well.
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Test for Time to Patch:
uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f
risk: Automatic PRs for dependencies are overlooked, resulting in known vulnerabilities
in production artifacts.
measure: |-
Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs)
This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
name: dependabot
tags:
- auto-pr
- patching
url: https://dependabot.com/
- uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
name: renovate
tags:
- auto-pr
- patching
url: https://github.com/renovatebot/renovate
dependsOn:
- Automated PRs for patches
references:
samm2:
- V-ST-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f
comments: ""
meta:
implementationGuide: A version control platform API (e.g. the GitHub
API) can be used to fetch the information. Consider that `Measure libyears`
might be an alternative to this activity.
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Test libyear:
uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad
risk: Vulnerabilities in running artifacts stay for long and might get exploited.
measure: Test `libyear`, which gives a good insight into how well patch management
is performed.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 3
level: 2
implementation:
- uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33
name: libyear
tags:
- patching
- build
url: https://libyear.com/
description: A simple measure of software dependency freshness. It is a single
number telling you how up-to-date your dependencies are.
dependsOn:
- Defined build process
references:
samm2:
- V-ST-2-A
iso27001-2017:
- Not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
iso27001-2022:
- Not explicitly covered by ISO 27001 - too specific
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad
comments: ""
meta:
implementationGuide: |
`libyear` can be integrated into the build process to flag, or better break, the build when the defined threshold (e.g. 30 years) is reached.
An alternative approach is to determine `libyear` based on deployed artifacts (which requires more implementation effort).
tags:
- patching
teamsImplemented:
Default: false
B: false
C: false
Usage of multiple analyzers:
uuid: 297be001-8d94-41ee-ab29-207020d423c0
risk: Each vulnerability analyzer has different capabilities. By using just
one analyzer, some vulnerabilities might not be found.
measure: Usage of multiple static tools to find more vulnerabilities.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 5
usefulness: 1
level: 4
dependsOn:
- Software Composition Analysis (server side)
- Software Composition Analysis (client side)
- Static analysis for all self written components
implementation: []
references:
samm2:
- V-ST-3-A
iso27001-2017:
- 12.6.1
- 14.2.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/297be001-8d94-41ee-ab29-207020d423c0
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Static depth for infrastructure:
Analyze logs:
uuid: b217c8bb-5d61-4b41-a675-1083993f83b1
risk: Not aware of attacks happening.
measure: Check logs for keywords.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
implementation:
- uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2
name: SigmaHQ
tags: []
url: https://github.com/SigmaHQ/sigma
references:
samm2: []
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Correlate known vulnerabilities in infrastructure with new image versions:
uuid: 7de0ae33-6538-45cd-8222-a1475647ba58
risk: TODO.
measure: TODO
difficultyOfImplementation:
knowledge: 2
time: 5
resources: 4
usefulness: 1
level: 4
dependsOn:
- Usage of a maximum lifetime for images
implementation:
- uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc
name: Anchore.io
tags: []
url: https://anchore.com/
- uuid: f10f5423-4dff-4bb7-99c8-9ce214645071
name: Clair
tags: []
url: https://github.com/quay/clair
- uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531
name: OpenSCAP
tags: []
url: https://www.open-scap.org/
- uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5
name: Vuls
tags: []
url: https://github.com/future-architect/vuls
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 12.6.1
- 14.2.1
iso27001-2022:
- 8.8
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Software Composition Analysis:
uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad
risk: Known vulnerabilities in infrastructure components like container images
might get exploited.
measure: Check for known vulnerabilities
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 4
level: 4
description: Subscribing to GitHub projects and reading release notes might
help. Software Composition Analysis for infrastructure might help, but is
often too fine-grained.
implementation:
- uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
name: https://github.com/aquasecurity/trivy
tags: []
url: https://github.com/aquasecurity/trivy
- uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57
name: Registries like quay
tags: []
description: Registries like quay and dockerhub provide (commercial) offerings,
which are often not suitable for distroless images
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track is an intelligent Component Analysis platform that
allows organizations to identify and reduce risk in the software supply
chain. Dependency-Track takes a unique and highly beneficial approach by
leveraging the capabilities of Software Bill of Materials (SBOM).
url: https://github.com/DependencyTrack/dependency-track
tags:
- sca
- inventory
- OpenSource
- Supply Chain
- vulnerability
- inventory
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test cluster deployment resources:
uuid: 621fb6a5-5c0a-4408-826a-068868bb031b
risk: The deployment configuration (e.g. kubernetes deployment resources) might
contain unsecured configurations.
measure: Test the deployment configuration for virtualized environments for
unsecured configurations.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 3
level: 2
implementation:
- uuid: 1e58f8d2-61e2-45bb-a17c-51516d0cc9ba
name: kubesec
tags: []
url: https://kubesec.io
references:
samm2:
- V-ST-1-A
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
iso27001-2022:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 8.8
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for image lifetime:
uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b
risk: Old container images in production indicate that patch management is not
performed and therefore vulnerabilities might exist.
measure: Check the image age of containers in production.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 2
level: 2
implementation:
- url: https://github.com/SDA-SE/clusterscanner
uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
name: ClusterScanner
tags:
- docker
- image
- container
- vulnerability
- misconfiguration
- security-tools
- scanning
description: Discover vulnerabilities and container image misconfiguration
in production environments.
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 12.6.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for malware:
uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d
risk: Third parties might include malware, either due to the maintainer (e.g.
typosquatting of an image name and using the wrong image) or by an attacker
acting on behalf of the maintainer with stolen credentials.
measure: Check for malware in components (e.g. container images, VM baseline
images, libraries).
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 3
level: 3
implementation:
- url: https://github.com/SDA-SE/clusterscanner
uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
name: ClusterScanner
tags:
- docker
- image
- container
- vulnerability
- misconfiguration
- security-tools
- scanning
description: Discover vulnerabilities and container image misconfiguration
in production environments.
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.2.1
iso27001-2022:
- 8.7
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for new image version:
uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e
risk: When a new version of an image is available, it might fix security vulnerabilities.
measure: Check for new images of containers in production.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 1
usefulness: 2
level: 3
implementation: []
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
- 14.2.5
- 12.2.1
iso27001-2022:
- 8.8
- 8.7
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test for stored secrets:
uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c
risk: Stored secrets in git history, in container images or directly in code
shouldn't exist because they might be exposed to unauthorized parties.
measure: Test for secrets in code, container images and history
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 2
level: 1
implementation:
- uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6
name: truffleHog
tags: []
url: https://github.com/dxa4481/truffleHog
- uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835
name: go-pillage-registries
tags: []
url: https://github.com/nccgroup/go-pillage-registries
references:
samm2:
- V-ST-1-A
iso27001-2017:
- vcs usage is not explicitly covered by ISO 27001 - too specific
- 9.4.3
- 10.1.2
iso27001-2022:
- vcs usage is not explicitly covered by ISO 27001 - too specific
- 5.17
- 8.24
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test of infrastructure components for known vulnerabilities:
uuid: 13367d8f-e37f-4197-a610-9ffca4fde261
risk: Infrastructure components might have vulnerabilities.
measure: Test for known vulnerabilities in infrastructure components. Often,
the only way to respond to known vulnerabilities in operating system packages
is to accept the risk and wait for a patch. As the patch needs to be applied
fast when it is available, this activity depends on 'Usage of a maximum lifetime
for images'.
difficultyOfImplementation:
knowledge: 2
time: 5
resources: 2
usefulness: 1
level: 4
dependsOn:
- Usage of a maximum lifetime for images
implementation:
- uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc
name: Anchore.io
tags: []
url: https://anchore.com/
- uuid: f10f5423-4dff-4bb7-99c8-9ce214645071
name: Clair
tags: []
url: https://github.com/quay/clair
- uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531
name: OpenSCAP
tags: []
url: https://www.open-scap.org/
- uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5
name: Vuls
tags: []
url: https://github.com/future-architect/vuls
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 12.6.1
- 14.2.1
iso27001-2022:
- 8.8
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test of virtualized environments:
uuid: 58825d22-1ce6-4748-af81-0ec9956e4129
risk: Virtualized environments (e.g. via container images) might contain
insecure configurations.
measure: Test virtualized environments for unsecured configurations.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 3
level: 2
implementation:
- uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5
name: Dive to inspect a container images
tags: []
url: https://github.com/wagoodman/dive
- url: https://github.com/SDA-SE/clusterscanner
uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
name: ClusterScanner
tags:
- docker
- image
- container
- vulnerability
- misconfiguration
- security-tools
- scanning
description: Discover vulnerabilities and container image misconfiguration
in production environments.
references:
samm2:
- V-ST-1-A
iso27001-2017:
- ISO 27001:2017 mapping is missing
iso27001-2022:
- ISO 27001:2022 mapping is missing
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test the cloud configuration:
uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc
risk: Standard hardening practices for cloud environments are not performed
leading to vulnerabilities.
measure: With the help of tools, the configuration of virtual environments is
tested.
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
level: 2
implementation:
- uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055
name: kube-bench
tags: []
url: https://github.com/aquasecurity/kube-bench
references:
samm2:
- V-ST-1-A
iso27001-2017:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
iso27001-2022:
- System hardening is not explicitly covered by ISO 27001 - too specific
- 8.8
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test the definition of virtualized environments:
uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e
risk: The definition of virtualized environments (e.g. via Dockerfile)
might contain insecure configurations.
measure: Test the definition of virtualized environments for unsecured configurations.
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 2
usefulness: 3
level: 2
meta:
implementationGuide: For container (images), test that the images follow
best practices like distroless or non-root.
implementation:
- uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005
name: Dockerfile with hadolint
tags: []
url: https://github.com/hadolint/hadolint
- uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b
name: Deployment with kube-score
tags: []
url: https://github.com/zegl/kube-score
- uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30
name: dockerfilelint
tags:
- sast
- docker
- dockerfile
url: https://github.com/replicatedhq/dockerfilelint
description: dockerfilelint is a node module that analyzes a Dockerfile,
looks for common traps and mistakes, and helps enforce best practices.
references:
samm2:
- V-ST-1-A
iso27001-2017:
- System hardening, virtual environments are not explicitly covered by ISO
27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
- 14.2.1
iso27001-2022:
- System hardening, virtual environments are not explicitly covered by ISO
27001 - too specific
- 8.8
- 8.32
- 8.29
- 8.25
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Test-Intensity:
Creation and application of a testing concept:
uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe
risk: Scans might use a too low or too high test intensity.
measure: A testing concept considering the amount of time per scan/intensity
is created and applied. A dynamic analysis needs more time than a static analysis.
Depending on the test intensity, the dynamic scan might be performed on every
commit, every night, every week or once a month.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 2
level: 4
implementation: []
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 14.2.2
- 14.2.3
- 14.2.1
- 14.2.5
- 12.6.1
iso27001-2022:
- 8.25
- 8.32
- 8.27
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Deactivating of unneeded tests:
uuid: 1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5
risk: As tools cover a wide range of different vulnerability tests, they might
not match the used components. Therefore, they need more time and resources
than necessary, and the feedback loop takes too much time.
measure: Unneeded tests are deactivated. For example, in case the service is
using a MongoDB database and no MySQL database, the dynamic scan doesn't need
to test for SQL injection.
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 1
usefulness: 1
level: 3
implementation: []
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
- 14.2.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Default settings for intensity:
uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d
risk: Time pressure and ignorance might lead to wrong choices for the test
intensity.
measure: The intensity of the used tools is not modified to save time.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 1
level: 1
implementation: []
references:
samm2:
- V-ST-1-A
iso27001-2017:
- 12.6.1
- 14.2.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
High test intensity:
uuid: 2ebfc421-8c76-415c-a3b0-fa518915bd10
risk: A too low intensity or a too high confidence threshold might lead to vulnerabilities
not being visible.
measure: A deep scan with high test intensity and a low confidence threshold
is performed.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 5
usefulness: 3
level: 3
implementation: []
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
- 14.2.1
- 14.2.5
iso27001-2022:
- 8.8
- 8.25
- 8.27
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Regular automated tests:
uuid: 598897a2-358e-441f-984c-e12ec4f6110a
risk: After pushing source code to the version control system, any delay in
receiving feedback on defects makes them harder for the developer to remediate.
measure: On each push and/or at given intervals automatic security tests are
performed.
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 2
level: 2
implementation: []
references:
samm2:
- I-SB-3-A
iso27001-2017:
- 14.2.3
- 14.2.8
- 14.2.9
iso27001-2022:
- 8.32
- 8.29
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a
comments: ""
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
...