use 5 levels and adopt levels of activities

add coaching

Author: wurstbrot

README.md

@@ -66,7 +66,6 @@ You can download your current state from the circular headmap and mount it again
 
 This approach also allows teams to perform self assessment with changes tracked in a repository.
 
-
 ## Amazon EC2 Instance
 
 1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -127,7 +127,7 @@ Build and Deployment:
         time: 2
         resources: 2
       usefulness: 4
-      level: 3
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker-content-trust
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/in-toto
@@ -151,7 +151,7 @@ Build and Deployment:
         time: 2
         resources: 2
       usefulness: 3
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits-protection

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -11,7 +11,7 @@ Build and Deployment:
         time: 2
         resources: 1
       usefulness: 2
-      level: 4
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/blue-green-deploymen
       dependsOn:
@@ -223,7 +223,7 @@ Build and Deployment:
         time: 2
         resources: 1
       usefulness: 4
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       dependsOn:
@@ -248,7 +248,7 @@ Build and Deployment:
         time: 1
         resources: 1
       usefulness: 2
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/martin-feature-toggles

src/assets/YAML/default/CultureAndOrganization/Design.yaml

@@ -151,7 +151,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 4
-      level: 4
+      level: 5
       dependsOn:
       - Creation of simple abuse stories
       implementation:

src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml

@@ -24,11 +24,30 @@ Culture and Organization:
       isImplemented: false
       evidence: ""
       comments: ""
+    Security Coaching:
+      risk: Even if security practices are understood, it doesn't mean that they get implemented.
+      measure: By coaching teams, teams are getting a better understanding and adoptiing security practices.
+      difficultyOfImplementation:
+        knowledge: 4
+        time: 2
+        resources: 1
+      usefulness: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sammancoaching
+      level: 3
+      references:
+        samm2:
+          - G-EG-3-B
+        iso27001-2017:
+          - 7.1.1
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Aligning security in teams:
       risk: The concept of Security Champions might suggest that only he/she is responsible
         for security. However, everyone in the project team should be responsible
         for security.
-      measure: By aligning security SME with project teams, a higher security standard
+      measure: By aligning security Subject Matter Experts with project teams, a higher security standard
         can be achieved.
       difficultyOfImplementation:
         knowledge: 4
@@ -80,7 +99,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 3
-      level: 3
+      level: 5
       implementation: []
       references:
         samm2:

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -65,27 +65,5 @@ Culture and Organization:
       isImplemented: false
       evidence: ""
       comments: ""
-    Prevention of unauthorized installation:
-      risk: Unapproved components are used.
-      measure: Components must be whitelisted. Regular scans on the docker infrastructure
-        (e.g. cluster) need to be performed, to verify that only standardized base
-        images are used.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 1
-        resources: 1
-      usefulness: 3
-      level: 3
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/example-all-docker
-      comment: By preventing teams from trying out new components, innovation might
-        be hampered
-      references:
-        samm2: []
-        iso27001-2017:
-        - 12.5.1
-        - 12.6.1
-      isImplemented: false
-      evidence: ""
-      comments: ""
+
 ...

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -10,7 +10,7 @@ Implementation:
         time: 1
         resources: 1
       usefulness: 2
-      level: 4
+      level: 5
       description: ""
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stylecop

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -1,6 +1,29 @@
 ---
 Implementation:
   Infrastructure Hardening:
+    Prevention of unauthorized installation:
+      risk: Unapproved components are used.
+      measure: Components must be whitelisted. Regular scans on the docker infrastructure
+        (e.g. cluster) need to be performed, to verify that only standardized base
+        images are used.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 1
+      usefulness: 3
+      level: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/example-all-docker
+      comment: By preventing teams from trying out new components, innovation might
+        be hampered
+      references:
+        samm2: []
+        iso27001-2017:
+          - 12.5.1
+          - 12.6.1
+      isImplemented: false
+      evidence: ""
+      comments: ""
     2FA:
       risk: One factor authentication is more vulnerable to brute force attacks and
         is considered less secure.

src/assets/YAML/default/InformationGathering/Monitoring.yaml

@@ -190,7 +190,7 @@ Information Gathering:
         time: 3
         resources: 2
       usefulness: 5
-      level: 4
+      level: 5
       dependsOn:
       - Grouping of metrics
       implementation: []

src/assets/YAML/default/implementations.yaml

@@ -705,3 +705,9 @@ implementations:
     url: https://github.com/falcosecurity/falco
     description: |
       Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+  sammancoaching:
+    name: sammancoaching
+    tags: [documentation, coaching, education]
+    url: https://sammancoaching.org/
+    description: |
+      Security coaches work with software development teams to help them adopt better security practices.