feat: add office hours, vuln management tools, epss

devsecopsmaturitymodel · Oct 15, 2024 · 09b3e8a · 09b3e8a
1 parent c492e8a
commit 09b3e8a
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 13 deletions.
diff --git a/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml b/src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml
@@ -27,9 +27,26 @@ Culture and Organization:
           - 7.2.2
         iso27001-2022:
           - 6.3
-      isImplemented: false
-      evidence: ""
-      comments: ""
+    Office Hours:
+      uuid: 185d5a74-19dc-4422-be07-44ea35226783
+      risk:
+        Developers and Operations are not in contact with the security team and therefore do not ask prior implementation of (known or unknown) threats-
+      measure:
+        As a security team, be open for questions and hints during defined office hours. x x d
+      difficultyOfImplementation:
+        knowledge: 1
+        time: 1
+        resources: 1
+      usefulness: 3
+      level: 3
+      implementation:
+      references:
+        samm2:
+          - G-EG-1-A
+        iso27001-2017:
+          - 7.2.2
+        iso27001-2022:
+          - 6.3
     Security Coaching:
       uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
       risk: Training does not change behaviour. Therefore, even if security practices are understood, it's likely that they are not performed.

diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml
@@ -297,26 +297,33 @@ Test and Verification:
           - 8.8
           - 5.25
       implementation: []
-      isImplemented: false
-      evidence: ""
     Usage of a vulnerability management system:
       uuid: 85ba5623-84be-4219-8892-808837be582d
       risk:
         Maintenance of false positives in each tool enforces a high workload.
         In addition a correlation of the same finding from different tools is not
         possible.
       measure:
-        Aggregation of vulnerabilities in one tool reduce the workload to mark
-        false positives.
+        Aggregation of vulnerabilities in one tool reduce the workload to handle them, e.g. mark as false positives.
       difficultyOfImplementation:
         knowledge: 3
         time: 3
         resources: 2
       usefulness: 2
+      dependsOn:
+        - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
+        - uuid:6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion
+        - uuid:185d5a74-19dc-4422-be07-44ea35226783 # Office Hours
       level: 3
+      description: |-
+        For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended.
+        
+        To implement a security culture including training, office hours and security champions can help integrating 
+        security scanning at scale. Such activities help to understand why a vulnerability is potentially critical and needs handling.
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/SecObserve
       references:
         samm2:
           - I-DM-1-B
@@ -417,4 +424,4 @@ Test and Verification:
       tags:
         - vulnerability-mgmt
         - metrics
-        - vmm-measurements
+        - vmm-measurements
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
@@ -318,6 +318,29 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
+    Exploit likelihood estimation:
+      uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
+      risk: |-
+        Without proper prioritization, organizations may waste time and effort on low-risk vulnerabilities while neglecting critical ones.
+      measure: Estimate the likelihood of exploitation by using data (CISA KEV) from the past or prediction models (EPSS).
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 3
+      dependsOn:
+        - uuid:d918cd44-a972-43e9-a974-eff3f4a5dcfe # SCA for server
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cisa-kev
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/epss
+      references:
+        samm2:
+          - V-ST-2-A
+        iso27001-2017:
+          - 12.6.1
+        iso27001-2022:
+          - 8.8
     Software Composition Analysis (client side):
       uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86
       risk: Client side components might have vulnerabilities.
@@ -331,6 +354,7 @@ Test and Verification:
       dependsOn:
         - Defined build process
         - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
+        - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit

diff --git a/src/assets/YAML/default/implementations.yaml b/src/assets/YAML/default/implementations.yaml
@@ -479,6 +479,13 @@ implementations:
     url: https://github.com/faloker/purify/
     description: |
       The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+  SecObserve:
+    uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
+    name: SecObserve
+    tags: [vulnerability management system]
+    url: https://github.com/MaibornWolff/SecObserve
+    description: |
+      The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
   see-other-actions-e:
     uuid: 44c08670-78dc-47ee-a4c1-2503ca6b6cf8
     name: See other actions, e.g. "Treatment of defects with severity high".
@@ -954,3 +961,17 @@ implementations:
     url: https://jira.atlassian.com/
     description: |-
       Jira is a bug tracking and project management tool developed by Atlassian, used by development teams for tracking issues, planning sprints, and managing software releases. It offers features for creating and managing tasks, assigning them to team members, and monitoring progress through customizable workflows and dashboards.
+  epss:
+    uuid: e39afc58-8195-4600-92c6-11922e3a141b
+    name: Exploit Prediction Scoring System
+    tags: [vulnerability]
+    url: https://www.first.org/epss/
+    description: |-
+      Estimates the likelihood that a software vulnerability will be exploited.
+  cisa-kev:
+    uuid: aa507341-9531-42cd-95cf-d7b51af47086
+    name: Known Exploited Vulnerabilities
+    tags: [vulnerability]
+    url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+    description: |-
+      A catalog of vulnerabilities that have been exploited.
diff --git a/src/assets/YAML/schemas/dsomm-schema-test-and-verification.json b/src/assets/YAML/schemas/dsomm-schema-test-and-verification.json
@@ -154,10 +154,7 @@
                 "usefulness",
                 "level",
                 "implementation",
-                "references",
-                "isImplemented",
-                "evidence",
-                "comments"
+                "references"
               ],
               "additionalProperties": false
             }
@@ -169,4 +166,4 @@
   "required": [
     "Test and Verification"
   ]
-}
+}