Merge pull request #10 from devsecopsmaturitymodel/feat/vuln

Feat: Add includes

README.md

@@ -8,3 +8,13 @@ docker run -ti -v $(pwd)/src/assets/YAML/:/var/www/html/src/assets/YAML wurstbro
 # Afterwards, you can use the generated.yaml in a container
 docker  run -v $(pwd)/src/assets/YAML/generated/generated.yaml:/usr/share/nginx/html/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm
 ```
+
+## Credits
+
+* The dimension _Test and Verification_ is based on Christian Schneiders [Security DevOps Maturity Model (SDOMM)](https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html). _Application tests_ and _Infrastructure tests_ are added by Timo Pagel. Also, the sub-dimension _Static depth_ has been evaluated by security experts at [OWASP Stammtisch Hamburg](https://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative/Hamburg).
+* The sub-dimension <i>Process</i> has been added after a discussion with [Francois Raynaud](https://www.linkedin.com/in/francoisraynaud/) that reactive activities are missing.
+* Enhancement of my basic translation is performed by [Claud Camerino](https://github.com/clazba).
+* Adding ISO 27001:2017 mapping, [Andre Baumeier](https://github.com/AndreBaumeier).
+* [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md) for providing documentation on different DevSecOps practices which are copied&pasted/ (and adopted) (https://github.com/northdpole, https://github.com/ThunderSon)
+* The requirements from [level 0](https://github.com/AppSecure-nrw/security-belts/blob/master/white/) are based on/copied from [AppSecure NRW](https://appsecure.nrw/)
+* The sub dimension _Test KPI_, _Triage_, _Dynamic depth for app/infra_, _Static depth for app/infra_ and some other vulnerability management activities are based/inspired by [Vulnerability Managment Maturity Model - Cheat Sheet V1.6](TODO FRANCESCO LINK)

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -158,7 +158,7 @@ Build and Deployment:
       measure:
         Digitally signing artifacts for all steps during the build and especially
         docker images, helps to ensure their integrity and authenticity.
-      description: |-
+      description: |- 
         To perform a push to a GitHub repository, you must be authenticated. It's important to note that GitHub does not verify if the authenticated user's email address matches the one in the commit.
         To clearly identify the author of a commit for reviewers, commit signing is recommended.
       

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -49,7 +49,8 @@ Build and Deployment:
         Unused applications are not maintained and may contain vulnerabilities.
         Once exploited they can be used to attack other applications or
         to perform lateral movements within the organization.
-      measure: A clear decommissioning process ensures the removal of unused applications.
+      measure: |-
+        A clear decommissioning process ensures the removal of unused applications from the `Inventory of production components` and if implemented from `Inventory of production artifacts`.
       difficultyOfImplementation:
         knowledge: 1
         time: 2
@@ -129,8 +130,8 @@ Build and Deployment:
         d3f:
           - ApplicationConfigurationHardening
       isImplemented: false
-      evidence: ""
-      comments: ""
+      tags:
+        - secret
     Handover of confidential parameters:
       uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a
       risk:
@@ -169,19 +170,19 @@ Build and Deployment:
         d3f:
           - ApplicationConfigurationHardening
       isImplemented: false
-      evidence: ""
-      comments: ""
-    Inventory of dependencies:
+      tags:
+        - secret
+    Inventory of production dependencies:
       uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6
       risk:
-        In case a vulnerability of severity high or critical is known by the organization,
-        it needs to be known where an artifacts with that vulnerability is deployed
+        Delayed identification of components and their vulnerabilities in production.
+        In case a vulnerability is known by the organization, it needs to be known where an artifacts with that vulnerability is deployed
         with which dependencies.
       measure:
-        A documented inventory of dependencies used in images and containers
+        A documented inventory of dependencies used in artifacts like container images and containers
         exists.
       dependsOn:
-        - Defined deployment process
+        - uuid:83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
         - SBOM of components
       difficultyOfImplementation:
         knowledge: 2
@@ -190,7 +191,9 @@ Build and Deployment:
       usefulness: 3
       level: 3
       implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
           - I-SD-2-A
@@ -200,25 +203,60 @@ Build and Deployment:
         iso27001-2022:
           - 5.9
           - 5.12
-      isImplemented: false
-      evidence: ""
       comments: ""
-    Inventory of running artifacts:
+      tags:
+        - inventory
+        - sbom
+    Inventory of production components:
+      uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f
+      risk: |-
+        An organization is unaware of components like applications in production. Not knowing existing applications in production leads to not assessing it.
+      measure: |-
+        A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production.
+        In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track.
+      dependsOn:
+        - Defined deployment process
+      difficultyOfImplementation:
+        knowledge: 1
+        time: 1
+        resources: 1
+      usefulness: 4
+      level: 1
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
+      references:
+        samm2:
+          - I-SD-2-A
+        iso27001-2017:
+          - 8.1
+          - 8.2
+        iso27001-2022:
+          - 5.9
+          - 5.12
+      tags:
+        - inventory
+    Inventory of production artifacts:
       uuid: 83057028-0b77-4d2e-8135-40969768ae88
       risk:
         In case a vulnerability of severity high or critical exists, it needs
         to be known where an artifacts (e.g. container image) with that vulnerability
         is deployed.
-      measure: A documented inventory or a possibility to gather the needed information.
+      measure: A documented inventory of artifacts in production like container images exists (gathered manually or automatically).
       dependsOn:
         - Defined deployment process
+        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 3
       usefulness: 3
-      level: 3
-      implementation: []
+      level: 2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
           - I-SD-2-A
@@ -228,9 +266,8 @@ Build and Deployment:
         iso27001-2022:
           - 5.9
           - 5.12
-      isImplemented: false
-      evidence: ""
-      comments: ""
+      tags:
+        - inventory
     Rolling update on deployment:
       uuid: 85d52588-f542-4225-a338-20dc22a5508d
       risk: While a deployment is performed, the application can not be reached.

src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml

@@ -214,7 +214,7 @@ Build and Deployment:
       comments: ""
       tags:
         - patching
-    Automated merge of automated PRs:
+    Automated merge of automated PRs: &automerge-PR
       uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb
       description: |-
         Automated merges of automated created PRs for outdated dependencies.
@@ -230,6 +230,8 @@ Build and Deployment:
         resources: 1
       usefulness: 3
       level: 2
+      dependsOn:
+        - Automated PRs for patches
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependabot
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
@@ -243,3 +245,21 @@ Build and Deployment:
       comments: ""
       tags:
         - patching
+    Automated deployment of automated PRs:
+      uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d
+      <<: *automerge-PR
+      risk:
+        Even if automated dependencies PRs are merged, they might not be deployed. This results in vulnerabilities in running artifacts stay for too long and might get exploited.
+      measure: |
+        After merging of an automated dependency PR, automated deployment is needed,
+      difficultyOfImplementation:
+        knowledge: 3
+        time: 3
+        resources: 1
+      usefulness: 3
+      level: 3
+      dependsOn:
+        - Automated merge of automated PRs
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/terraform
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/argocd

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -80,6 +80,40 @@ Culture and Organization:
           - 17.1.1
         iso27001-2022:
           - 5.29
-      isImplemented: false
-      evidence: ""
-      comments: ""
+    Determining the protection requirement:
+      uuid: 123e4567-e89b-12d3-a456-426614174000
+      risk: |-
+        Not defining the protection requirement of applications can lead to wrong prioritization, delayed remediation of 
+        critical security issues, increasing the risk of exploitation and potential damage to the organization.
+      measure: |-
+        Defining the protection requirement. 
+        The protection requirements for an application should consider:
+        - Processed data criticality
+        - Application accessibility (internal vs. external)
+        - Regulatory compliance
+        - Other relevant factors
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 1
+      usefulness: 3
+      level: 2
+      dependsOn:
+        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # inventory of production components
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/business-friendly-vulnerability-metrics
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
+      references:
+        samm2:
+          - I-DM-3-B
+        iso27001-2022:
+          - 5.25
+          - 5.12
+          - 5.13
+          - 5.10
+      tags:
+        - vulnerability-mgmt
+        - metrics
+        - vmm-measurements