From c492e8a0dddc12b9d630ee7ff0614dcafc213147 Mon Sep 17 00:00:00 2001
From: Timo Pagel
Date: Mon, 23 Sep 2024 11:30:28 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A4=96=20fmt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md | 18 +
 src/assets/YAML/generated/generated.yaml | 446 ++++++++++++-----------
 2 files changed, 243 insertions(+), 221 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c70b82e..6ac4bed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# [1.12.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.11.1...v1.12.0) (2024-09-23)
+
+
+### Bug Fixes
+
+* de-duplicate API design validation ([c6d8242](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/c6d82427ddc272f27afc5d7eee36d91e96face14))
+
+
+### Features
+
+* add dependsOn for new patching activities ([72e26ad](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/72e26ad825e4a8458e39e5e93814ebf3bcb9aa71))
+* add includes ([bfb9a99](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/bfb9a993e85cd6c88f79ca314c3cf34e03c1d7be))
+* add uuid: resolution to name ([a2a55b3](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/a2a55b363e2c50ef7af9eaca814ef9137f61835d))
+* add vuln ([70ffec4](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/70ffec4ddb3ddb2112190b5ca30f97e80eef2d64))
+* add vuln ([58e67b7](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/58e67b76c7f4457aac333900bf2430e487a72f2d))
+* enhance source control platform requirements ([e8c57ff](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/e8c57ffb898839c26927d0fc827623935e48c82a))
+* enhance source control platform requirements ([2049504](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/2049504bfab5d284ecba144814260cad10864e60))
+
 ## [1.11.1](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.11.0...v1.11.1) (2024-07-31)
diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml
index 6fb028b..f50f922 100644
--- a/src/assets/YAML/generated/generated.yaml
+++ b/src/assets/YAML/generated/generated.yaml
@@ -43,7 +43,6 @@ Build and Deployment: - 8.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3 - isImplemented: false comments: "" tags: - none @@ -95,7 +94,6 @@ Build and Deployment: - 8.32 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b - isImplemented: false comments: "" tags: - none @@ -140,7 +138,6 @@ Build and Deployment: - 8.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 - isImplemented: false comments: "" tags: - none @@ -179,7 +176,6 @@ Build and Deployment: - 5.12 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473 - isImplemented: false comments: "" tags: - none @@ -233,7 +229,6 @@ Build and Deployment: - 8.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222 - isImplemented: false comments: "" tags: - none @@ -277,7 +272,6 @@ Build and Deployment: - 8.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665 - isImplemented: false comments: "" tags: - none @@ -324,7 +318,6 @@ Build and Deployment: - 8.29 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97 - isImplemented: false comments: "" tags: - none @@ -360,7 +353,6 @@ Build and Deployment: - 7.14 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2 - isImplemented: false comments: "" tags: - none 
@@ -404,7 +396,6 @@ Build and Deployment: - 8.32 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a - isImplemented: false comments: "" tags: - none @@ -1550,7 +1541,6 @@ Build and Deployment: - ApplicationConfigurationHardening openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b - isImplemented: false tags: - secret teamsImplemented: @@ -1602,7 +1592,6 @@ Build and Deployment: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba - isImplemented: false comments: "" tags: - none @@ -1646,7 +1635,6 @@ Build and Deployment: - ApplicationConfigurationHardening openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a - isImplemented: false tags: - secret teamsImplemented: @@ -1883,7 +1871,6 @@ Build and Deployment: - 8.14 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d - isImplemented: false comments: "" tags: - none @@ -1923,7 +1910,6 @@ Build and Deployment: - 8.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f - isImplemented: false comments: "" tags: - none @@ -1974,7 +1960,6 @@ Build and Deployment: - ApplicationConfigurationHardening openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad - isImplemented: false comments: "" tags: - none @@ -2009,7 +1994,6 @@ Build and Deployment: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/99415139-6b50-441b-89e1-0aa59accd43d - isImplemented: false comments: "" tags: - patching 
@@ -2021,16 +2005,14 @@ Build and Deployment: uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488 risk: Components with known (or unknown) vulnerabilities might stay for long and get exploited, even when a patch is available. - measure: Fast patching of third party component is needed. The DevOps way is - to have an automated pull request for new components. This includes * Applications - * Virtualized operating system components (e.g. container images) * Operating - Systems * Infrastructure as Code/GitOps (e.g. argocd based on a git repository - or terraform) + measure: |- + Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes + * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform) difficultyOfImplementation: knowledge: 2 time: 2 resources: 2 - usefulness: 5 + usefulness: 4 level: 1 implementation: - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 @@ -2063,8 +2045,8 @@ Build and Deployment: - 12.6.1 - 14.2.5 iso27001-2022: - - 8.8 - - 8.27 + - "8.8" + - "8.27" openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/8ae0b92c-10e0-4602-ba22-7524d6aed488 @@ -2198,7 +2180,6 @@ Build and Deployment: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/34869eaf-f2e1-4926-b0bd-28c43402f057 - isImplemented: false comments: "" tags: - patching @@ -2248,7 +2229,6 @@ Build and Deployment: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/16e39c8f-5336-4001-88ed-a552d2447531 - evidence: "" comments: "" tags: - patching 
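Review bot: The rewritten `measure: |-` block scalar in the `-2021,16` hunk collapses the four list items onto a single line (`* Applications * Virtualized operating system components ... * Operating Systems * Infrastructure as Code/GitOps ...`), so a Markdown renderer shows one run-on paragraph instead of a bullet list; each `* ` item should start on its own line inside the block scalar. The same hunk also changes `usefulness: 5` to `usefulness: 4`, which is a rating change rather than formatting and is not mentioned in the commit subject or the changelog hunk above, so it is worth confirming that it was intended. Since this file lives under `generated/`, both fixes presumably belong in the source activity definition rather than here.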
@@ -2292,7 +2272,6 @@ Build and Deployment: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/485a3383-7f2e-4dba-bb84-479377070904 - evidence: "" comments: "" tags: - patching @@ -2346,7 +2325,6 @@ Build and Deployment: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e - isImplemented: false comments: "" tags: - patching @@ -2450,7 +2428,6 @@ Culture and Organization: - 8.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 - isImplemented: false comments: "" tags: - none @@ -2486,7 +2463,6 @@ Culture and Organization: - 8.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426 - isImplemented: false comments: "" tags: - none @@ -2611,7 +2587,6 @@ Culture and Organization: - 8.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e - isImplemented: false comments: "" tags: - none @@ -2658,7 +2633,6 @@ Culture and Organization: - 5.9 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e - isImplemented: false comments: "" tags: - none @@ -2705,7 +2679,6 @@ Culture and Organization: - 5.9 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1 - isImplemented: false comments: "" tags: - none @@ -2759,7 +2732,6 @@ Culture and Organization: - 8.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e - isImplemented: false comments: "" tags: - none 
@@ -2769,9 +2741,9 @@ Culture and Organization: C: false Information security targets are communicated: uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885 - risk: Employees don't known their organizations security targets. Therefore - security is not considered during development and administration as much as - it should be. + risk: Employees don't know their organizations security targets. Therefore security + is not considered during development and administration as much as it should + be. measure: Transparent and timely communication of the security targets by senior management is essential to ensure teams' buy-in and support. difficultyOfImplementation: @@ -2791,7 +2763,6 @@ Culture and Organization: - 5.4 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885 - isImplemented: false comments: "" tags: - none @@ -2836,7 +2807,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298 - isImplemented: false comments: "" tags: - none @@ -2873,7 +2843,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504 - isImplemented: false comments: "" tags: - none @@ -2910,7 +2879,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8 - isImplemented: false comments: "" tags: - none @@ -2950,7 +2918,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2 - isImplemented: false comments: "" tags: - none 
@@ -2983,7 +2950,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c - isImplemented: false comments: "" tags: - none @@ -3020,7 +2986,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694 - isImplemented: false comments: "" tags: - none @@ -3080,7 +3045,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 - isImplemented: false comments: "" tags: - none @@ -3130,7 +3094,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/9768f154-357a-4c06-af6f-d66570677c9b - isImplemented: false comments: "" tags: - none @@ -3173,7 +3136,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7 - isImplemented: false comments: "" tags: - none @@ -3215,7 +3177,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 - isImplemented: false comments: "" tags: - none @@ -3263,7 +3224,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c - isImplemented: false comments: "" tags: - none @@ -3304,7 +3264,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 - isImplemented: false comments: "" tags: - none 
@@ -3355,7 +3314,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57 - isImplemented: false comments: "" tags: - none @@ -3397,7 +3355,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0 - isImplemented: false comments: "" tags: - none @@ -3428,7 +3385,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52 - isImplemented: false comments: "" tags: - none @@ -3486,7 +3442,6 @@ Culture and Organization: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de - isImplemented: false comments: "" tags: - none @@ -3521,7 +3476,6 @@ Culture and Organization: - 8.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1 - isImplemented: false comments: "" tags: - none @@ -3552,7 +3506,6 @@ Culture and Organization: - 8.15 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1 - isImplemented: false comments: "" tags: - none @@ -3785,7 +3738,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application Hardening/b597928e-54d6-48a5-a806-8003dcd56aab - isImplemented: false comments: "" tags: - none @@ -3830,7 +3782,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application Hardening/ffe86caf-2fec-4630-b514-2db83983984d - isImplemented: false comments: "" dependsOn: - App. Hardening Level 2 (75%) 
@@ -3877,7 +3828,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7 - isImplemented: false comments: "" dependsOn: - App. Hardening Level 1 @@ -3924,7 +3874,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a - isImplemented: false comments: "" dependsOn: - App. Hardening Level 2 
@@ -3996,63 +3945,109 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d - evidence: "" - comments: "" tags: - none teamsImplemented: Default: false B: false C: false - API design validation: - uuid: 948a4d51-ceb5-4ebd-bdc7-d74ea25e171c - risk: Creation of insecure or non-compliant API. - measure: | - Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP - and validate the specification using specific tools. - Checks should be integrated in IDEs and CI/CD pipelines. + Block force pushes: + uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + risk: "Misuse of force push can lead to loss of work. It may overwrite remote + \nbranches without warning, potentially erasing valuable contributions from + team members. This can disrupt collaboration, \ncause data loss, and create + confusion in the development process.\n\nBypassing the pull request process + might remove an important code review step. \nThis increases the risk of merging + low-quality or buggy code into the main branch, potentially introducing bugs + in the codebase." + measure: Mandate blocking of force pushes in the version control platform. 
difficultyOfImplementation: knowledge: 2 - time: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dismiss stale PR approvals: + uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162 + risk: Intentional or accidental alterations in critical branches like main (or + master) through post-approval code additions. + measure: Implement a policy where any commits made after a pull request has + been approved automatically revoke that approval, necessitating a fresh review + and re-approval process. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 resources: 2 usefulness: 4 level: 3 + dependsOn: + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 implementation: - - uuid: 261f243e-f89c-4169-b076-b22a03ec00be - name: Spectral + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops tags: - - linting - - api - - documentation - url: https://github.com/stoplightio/spectral - description: | - Spectral is a flexible JSON/YAML linter built with extensibility in mind. - It uses JSON/YAML path rules to describe the problems you want to find. - - uuid: d2c9403d-9da2-4518-b33f-8b74b9c5ca3f - name: API OAS Checker + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches tags: - - linting - - api - - documentation - url: https://github.com/italia/api-oas-checker - description: | - A tool to check OpenAPI specifications using a comprehensive ruleset based - on API best practices. 
+ - source-code-protection + - scm + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules references: samm2: - - V-ST-1-A + - O-EM-1-A iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 - 14.2.1 - - 14.2.5 iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 - 8.25 - - 8.27 - - 8.28 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/948a4d51-ceb5-4ebd-bdc7-d74ea25e171c - isImplemented: false - comments: "" + and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162 tags: - none teamsImplemented: @@ -4093,7 +4088,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474 - isImplemented: false comments: "" tags: - none 
@@ -4101,14 +4095,15 @@ Implementation: Default: false B: false C: false - Source Control Protection: + Require a PR before merging: uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2 - risk: Intentional or accidental alterations in critical branches like master. + risk: Intentional or accidental alterations in critical branches like main (or + master). measure: Define source code management system policies (e.g. branch protection - rules, mandatory code reviews, ...) to ensure that changes to critical branches - are only possible under defined conditions. These policies can be implemented - at repository level or organization level, depending on the source code management - system. + rules, mandatory code reviews from at least one person, ...) to ensure that + changes to critical branches are only possible under defined conditions. These + policies can be implemented at repository level or organization level, depending + on the source code management system. difficultyOfImplementation: knowledge: 2 time: 1 
@@ -4116,6 +4111,53 @@ Implementation: usefulness: 4 level: 2 implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Require status checks to pass: + uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee + risk: Organizations risk introducing broken builds, quality issues, and security + vulnerabilities into their codebase. + measure: Mandate passing of security related specified status checks, like successful + builds or static application security tests, before proceeding. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + implementation: - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a name: Improve code quality with branch policies url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops 
@@ -4138,18 +4180,14 @@ Implementation: samm2: - O-EM-1-A iso27001-2017: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - 6.1.2 - 14.2.1 iso27001-2022: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - 5.3 - 8.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2 - isImplemented: false - comments: "" + and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee tags: - none teamsImplemented: @@ -4186,8 +4224,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f - isImplemented: false - comments: "" tags: - none teamsImplemented: @@ -4219,7 +4255,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873 - isImplemented: false comments: "" tags: - none @@ -4260,7 +4295,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc - isImplemented: false comments: "" tags: - none @@ -4332,7 +4366,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/5992c38c-8597-4035-89db-d15820d81c3a - isImplemented: false comments: "" tags: - none @@ -4373,7 +4406,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d - isImplemented: false comments: "" tags: - none @@ -4446,7 +4478,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33 - isImplemented: false comments: "" tags: - none 
@@ -4482,7 +4513,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833 - isImplemented: false comments: "" tags: - none @@ -4538,7 +4568,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/8b994601-575e-4ea5-b228-accb18c8e514 - isImplemented: false comments: "" tags: - none @@ -4585,7 +4614,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1 - isImplemented: false comments: "" tags: - none @@ -4633,7 +4661,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d - isImplemented: false comments: "" tags: - none @@ -4687,7 +4714,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de - isImplemented: false comments: "" tags: - none @@ -4739,7 +4765,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57 - isImplemented: false comments: "" tags: - none @@ -4769,7 +4794,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a - isImplemented: false comments: "" tags: - none @@ -4808,7 +4832,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/e14de741-94b3-447c-8b07-eea947d82e61 - isImplemented: false comments: "" tags: - none 
@@ -4849,7 +4872,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9 - isImplemented: false comments: "" tags: - none @@ -4888,7 +4910,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/82e499d1-f463-4a4b-be90-68812a874af6 - isImplemented: false comments: "" tags: - none @@ -4922,7 +4943,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe - isImplemented: false comments: "" tags: - none @@ -4953,7 +4973,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/746025a6-dbfb-4087-a000-e46acab64ee1 - isImplemented: false comments: "" tags: - none @@ -4984,7 +5003,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629 - isImplemented: false comments: "" tags: - none @@ -5015,7 +5033,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060 - isImplemented: false comments: "" tags: - none @@ -5047,7 +5064,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93 - isImplemented: false comments: "" tags: - none @@ -5094,7 +5110,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/11b3848e-e931-4146-a35d-35409ada24ee - isImplemented: false comments: "" tags: - none 
@@ -5130,7 +5145,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415 - isImplemented: false comments: "" tags: - none @@ -5169,7 +5183,6 @@ Implementation: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca - isImplemented: false comments: "" tags: - none @@ -5254,7 +5267,7 @@ Implementation: B: false C: false WAF medium: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium risk: The threat from malicious inputs remains high, with exploits seeking to exploit any vulnerabilities present at the various points of entry to the application. @@ -5283,7 +5296,7 @@ Implementation: - 8.22 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium comments: ~ tags: - none @@ -5364,7 +5377,6 @@ Information Gathering: - 8.15 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540 - isImplemented: false comments: "" tags: - none @@ -5399,7 +5411,6 @@ Information Gathering: - 8.15 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5 - isImplemented: false comments: "" tags: - none @@ -5465,7 +5476,6 @@ Information Gathering: risk: |- * No track of security-relevant events makes it harder to analyze an incident. * Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches his goal. - isImplemented: false comments: "" tags: - none 
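Review bot: In the `-5254,7` hunk the `WAF medium` identifier becomes `uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium`, which is no longer a syntactically valid UUID, and the `-5283,7` hunk carries the same suffixed value into the openCRE URL, so any consumer that validates or looks up activities by UUID (including the openCRE mapping) may reject or fail to resolve this entry. If the suffix was added to disambiguate a duplicated uuid with another WAF activity, the clean fix is to assign a fresh, genuine UUID in the source definition and regenerate; this output file is generated, so the root cause is presumably upstream.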
@@ -5520,7 +5530,6 @@ Information Gathering: - 5.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9 - isImplemented: false comments: "" tags: - none @@ -5561,7 +5570,6 @@ Information Gathering: - 8.15 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1 - isImplemented: false comments: "" tags: - none @@ -5594,7 +5602,6 @@ Information Gathering: - 8.8 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf - isImplemented: false comments: "" tags: - none @@ -5626,7 +5633,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1 - isImplemented: false comments: "" tags: - none @@ -5661,7 +5667,6 @@ Information Gathering: - 8.31 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd - isImplemented: false comments: "" tags: - none @@ -5700,7 +5705,6 @@ Information Gathering: - 8.8 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8 - isImplemented: false comments: "" tags: - none @@ -5741,7 +5745,6 @@ Information Gathering: - ISO 27001:2022 mapping is missing openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d - isImplemented: false comments: "" tags: - none @@ -5773,7 +5776,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722 - isImplemented: false comments: "" tags: - none 
@@ -5809,7 +5811,6 @@ Information Gathering: - 8.2 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55 - isImplemented: false comments: "" tags: - none
@@ -5839,7 +5840,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b - isImplemented: false comments: "" tags: - none
@@ -5869,7 +5869,6 @@ Information Gathering: - ISO 27001:2022 mapping is missing openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506 - isImplemented: false comments: "" tags: - none
@@ -5903,7 +5902,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e - isImplemented: false comments: "" tags: - none
@@ -5936,7 +5934,6 @@ Information Gathering: - 5.26 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311 - isImplemented: false comments: "" tags: - none
@@ -5969,7 +5966,6 @@ Information Gathering: - 8.15 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1 - isImplemented: false comments: "" tags: - none
@@ -6002,7 +5998,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664 - isImplemented: false comments: "" tags: - none
@@ -6038,7 +6033,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03 - isImplemented: false comments: "" tags: - none
@@ -6072,7 +6066,6 @@ Information Gathering: - 5.26 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030 - isImplemented: false comments: "" tags: - none
@@ -6103,7 +6096,6 @@ Information Gathering: - 8.6 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734 - isImplemented: false comments: "" tags: - none
@@ -6411,6 +6403,73 @@ Information Gathering: Default: false B: false C: false
+ SLA per criticality:
+ uuid: 123e4567-e89b-12d3-a456-426614174000
+ risk: "Not communicating how many applications are adhering to SLAs based on
+ the criticality of vulnerabilities can lead to delayed remediation of \ncritical
+ security issues, increasing the risk of exploitation and potential damage
+ to the organization."
+ measure: "Measurement and communication of how many of the vulnerabilities handling
+ per severity for components like applications are aligned to SLAs. \nThis
+ is performed for the hole organization and doesn't need to be broken down
+ (yet) on team/product/application. \nAt least quarterly."
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ dependsOn: []
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/123e4567-e89b-12d3-a456-426614174000
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false Test and Verification: Application tests: High coverage of security related module and integration tests:
@@ -6438,7 +6497,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a - isImplemented: false comments: "" tags: - none
@@ -6470,7 +6528,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - isImplemented: false comments: "" tags: - none
@@ -6514,7 +6571,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075 - isImplemented: false tags: - none teamsImplemented:
@@ -6548,7 +6604,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a - isImplemented: false comments: "" tags: - none
@@ -6606,7 +6661,6 @@ Test and Verification: - 5.1 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876 - isImplemented: false comments: "" tags: - none
@@ -6819,7 +6873,6 @@ Test and Verification: - 5.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e - isImplemented: false comments: "" tags: - none
@@ -6856,7 +6909,6 @@ Test and Verification: - 5.1 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39 - isImplemented: false comments: "" tags: - none
@@ -6900,7 +6952,6 @@ Test and Verification: - 5.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0 - isImplemented: false comments: "" tags: - none
@@ -6973,7 +7024,6 @@ Test and Verification: - 5.1 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83 - isImplemented: false comments: "" tags: - none
@@ -7003,7 +7053,6 @@ Test and Verification: - 5.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d - isImplemented: false comments: "" tags: - none
@@ -7106,7 +7155,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385 implementation: [] - isImplemented: false tags: - none teamsImplemented:
@@ -7136,7 +7184,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594 implementation: [] - isImplemented: false tags: - none teamsImplemented:
@@ -7230,7 +7277,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7 - isImplemented: false comments: "" tags: - none
@@ -7269,7 +7315,6 @@ Test and Verification: name: Ajax Spider tags: [] url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ - isImplemented: false comments: "" tags: - none
@@ -7326,7 +7371,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8 - isImplemented: false comments: "" tags: - none
@@ -7369,7 +7413,6 @@ Test and Verification: url: https://github.com/schemathesis/schemathesis description: | Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. - isImplemented: false comments: "" tags: - none
@@ -7408,7 +7451,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for applications/845f06ec-148c-4c67-9755-7041911dcca5 - isImplemented: false comments: "" tags: - none
@@ -9663,7 +9705,6 @@ Test and Verification: sprints, and managing software releases. It offers features for creating and managing tasks, assigning them to team members, and monitoring progress through customizable workflows and dashboards. - isImplemented: false comments: "" tags: - none
@@ -9711,7 +9752,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3 - isImplemented: false comments: "" tags: - none
@@ -9753,7 +9793,6 @@ Test and Verification: - zap description: | Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools. - isImplemented: false assessment: For REST APIs, multiple OAuth2 scopes are used. comments: "" tags:
@@ -9797,7 +9836,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea - isImplemented: false comments: "" tags: - none
@@ -9833,7 +9871,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd - isImplemented: false comments: "" tags: - none
@@ -9880,7 +9917,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 - isImplemented: false comments: "" tags: - none
@@ -9918,7 +9954,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a - isImplemented: false dependsOn: - Evaluation of the trust of used components tags:
@@ -9964,7 +9999,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4 - isImplemented: false comments: "" tags: - none
@@ -10005,7 +10039,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01 - isImplemented: false comments: "" tags: - none
@@ -10058,7 +10091,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/7bb70764-9392-4462-935d-e55b2e148199 - isImplemented: false comments: "" tags: - none
@@ -10094,7 +10126,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f - isImplemented: false comments: "" tags: - none
@@ -10114,8 +10145,8 @@ Test and Verification: knowledge: 2 time: 2 resources: 2 - usefulness: 4 - level: 2
+ usefulness: 3
+ level: 3 implementation: - uuid: 261f243e-f89c-4169-b076-b22a03ec00be name: Spectral
@@ -10150,10 +10181,8 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99 - isImplemented: false dependsOn: - 2a44b708-734f-4463-b0cb-86dc46344b2f - comments: "" tags: - none teamsImplemented:
@@ -10161,7 +10190,7 @@ Test and Verification: B: false C: false Dead code elimination: - uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d risk: Dead code increases the attack surface (use of hard coded credentials and variables, sensitive information) measure: Collection of unused code and then manual removal of unused code.
@@ -10190,7 +10219,7 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d comments: "" tags: - none
@@ -11399,7 +11428,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b - isImplemented: false comments: "" tags: - none
@@ -11462,7 +11490,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86 - isImplemented: false comments: "" tags: - none
@@ -12677,7 +12704,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 - isImplemented: false comments: "" tags: - none
@@ -12741,7 +12767,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84 - isImplemented: false comments: "" tags: - none
@@ -12809,7 +12834,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b - isImplemented: false comments: "" tags: - none
@@ -12872,7 +12896,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4 - isImplemented: false comments: "" tags: - none
@@ -12929,7 +12952,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 - isImplemented: false comments: "" tags: - none
@@ -12938,7 +12960,7 @@ Test and Verification: B: false C: false Test for Patch Deployment Time: - uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities in production artifacts. measure: |
@@ -12970,7 +12992,7 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 comments: "" meta: implementationGuide: Self implementation. This activity is not repeated in
@@ -12983,7 +13005,7 @@ Test and Verification: B: false C: false Test for Time to Patch: - uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities in production artifacts. measure: |-
@@ -13023,7 +13045,7 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f comments: "" meta: implementationGuide: Usage of a version control platform API (e.g. github
@@ -13036,7 +13058,7 @@ Test and Verification: B: false C: false Test libyear: - uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad risk: Vulnerabilities in running artifacts stay for long and might get exploited. measure: Test `libyear`, which provides a good insight how good patch management is.
@@ -13070,7 +13092,7 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711
+ depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad comments: "" meta: implementationGuide: |
@@ -13112,7 +13134,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/297be001-8d94-41ee-ab29-207020d423c0 - isImplemented: false comments: "" tags: - none
@@ -13145,7 +13166,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1 - isImplemented: false comments: "" tags: - none
@@ -13194,7 +13214,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58 - isImplemented: false comments: "" tags: - none
@@ -13249,7 +13268,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad - isImplemented: false comments: "" tags: - none
@@ -13290,7 +13308,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b - isImplemented: false comments: "" tags: - none
@@ -13335,7 +13352,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b - isImplemented: false comments: "" tags: - none
@@ -13380,7 +13396,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d - isImplemented: false comments: "" tags: - none
@@ -13413,7 +13428,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e - isImplemented: false comments: "" tags: - none
@@ -13455,7 +13469,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c - isImplemented: false comments: "" tags: - none
@@ -13508,7 +13521,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261 - isImplemented: false comments: "" tags: - none
@@ -13555,7 +13567,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129 - isImplemented: false comments: "" tags: - none
@@ -13596,7 +13607,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc - isImplemented: false comments: "" tags: - none
@@ -13656,7 +13666,6 @@ Test and Verification: openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e - isImplemented: false tags: - none teamsImplemented:
@@ -13694,7 +13703,6 @@ Test and Verification: - 8.8 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe - isImplemented: false comments: "" tags: - none
@@ -13730,7 +13738,6 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 - isImplemented: false comments: "" tags: - none
@@ -13763,7 +13770,6 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d - isImplemented: false comments: "" tags: - none
@@ -13797,7 +13803,6 @@ Test and Verification: - 8.27 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10 - isImplemented: false comments: "" tags: - none
@@ -13830,7 +13835,6 @@ Test and Verification: - 8.29 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a - isImplemented: false comments: "" tags: - none
@@ -13838,4 +13842,4 @@ Test and Verification: Default: false B: false C: false
-...
\ No newline at end of file
+...