devsecopsmaturitymodel
diff --git a/‎src/assets/YAML/default/BuildAndDeployment/Deployment.yaml‎
Lines changed: 17 additions & 14 deletions b/‎src/assets/YAML/default/BuildAndDeployment/Deployment.yaml‎
Lines changed: 17 additions & 14 deletions
diff --git a/‎src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml‎
Lines changed: 7 additions & 3 deletions b/‎src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎src/assets/YAML/default/CultureAndOrganization/Design.yaml‎
Lines changed: 3 additions & 3 deletions b/‎src/assets/YAML/default/CultureAndOrganization/Design.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml‎
Lines changed: 4 additions & 4 deletions b/‎src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/assets/YAML/default/Implementation/ApplicationHardening.yaml‎
Lines changed: 111 additions & 61 deletions b/‎src/assets/YAML/default/Implementation/ApplicationHardening.yaml‎
Lines changed: 111 additions & 61 deletions
diff --git a/‎src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml‎
Lines changed: 1 addition & 22 deletions b/‎src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml‎
Lines changed: 1 addition & 22 deletions
@@ -266,27 +266,30 @@ Build and Deployment:
       isImplemented: false
       evidence: ""
       comments: ""
-    Usage of trusted images:
-      risk: Developers or operations might start random images in the production cluster
-        which have malicious code or known vulnerabilities.
-      measure: Create image assessment criteria, perform an evaluation of images and
-        create a whitelist of artifacts/container images/virtual machine images.
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubernetes-admission
+    Evaluation of the trust of used components:
+      risk:
+        - Application and system components like Open Source libraies or images can have implementation flaws or deployment flaws.
+        - Developers or operations might start random images in the production cluster 
+          which have malicious code or known vulnerabilities.
+      measure:
+        - Each components source is evaluated to be trusted. For example the source, number of developers included, email configuration used by maintainers to prevent maintainer account theft, typo-squatting, ...
+        - Create image assessment criteria, perform an evaluation of images and create a whitelist of artifacts/container images/virtual machine images.
       difficultyOfImplementation:
-        knowledge: 1
-        time: 1
+        knowledge: 3
+        time: 3
         resources: 1
       usefulness: 3
       level: 2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubernetes-admission
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/packj
       references:
         samm2:
-        - I-SD-2-A
+          - O-EM-1-A
         iso27001-2017:
-        - 15.1.1
-        - 15.1.2
-        - 15.1.3
-        - 14.1.3
+          - not explicitly covered by ISO 27001 - too specific
+          - 14.2.1
+          - 14.2.5
       isImplemented: false
       evidence: ""
       comments: ""
 
@@ -26,9 +26,11 @@ Build and Deployment:
       risk: Known vulnerabilities components might stay for long and get exploited,
         even when a patch is available.
       measure: Fast patching of third party component is needed. The DevOps way is
-        to have an automated pull request for new components. This includes <ul> <li>Applications</li><li>Virtualized
-        operating system components (e.g. container images)</li> <li>Operating Systems</li><li>Infrastructure
-        as Code/GitOps (e.g. argocd)</li> </ul>
+        to have an automated pull request for new components. This includes 
+        * Applications
+        * Virtualized operating system components (e.g. container images)
+        * Operating Systems
+        * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform)
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -38,6 +40,8 @@ Build and Deployment:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependabot
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/jenkins
+      # - $ref: src/assets/YAML/default/implementations.yaml#/implementations/argocd TODO
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/terraform
       references:
         samm2:
         - O-EM-1-B
 
@@ -10,7 +10,7 @@ Culture and Organization:
         time: 3
         resources: 2
       usefulness: 3
-      level: 3
+      level: 4
       dependsOn:
       - Conduction of simple threat modeling on technical level
       - Creation of threat modeling processes and standards
@@ -233,8 +233,8 @@ Culture and Organization:
         knowledge: 1
         time: 1
         resources: 1
-      usefulness: 4
-      level: 1
+      usefulness: 3
+      level: 2
       implementation: []
       references:
         samm2: []
 
@@ -29,8 +29,8 @@ Culture and Organization:
       measure: By coaching teams, teams are getting a better understanding and adoptiing security practices.
       difficultyOfImplementation:
         knowledge: 4
-        time: 2
-        resources: 1
+        time: 3
+        resources: 1 # e.g. system resources
       usefulness: 3
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sammancoaching
@@ -322,7 +322,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 3
-      level: 1
+      level: 2
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cwe25
       credits: |
@@ -401,7 +401,7 @@ Culture and Organization:
         time: 3
         resources: 1
       usefulness: 3
-      level: 2
+      level: 3
       credits: |
         AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
       implementation:
 
@@ -1,78 +1,68 @@
 ---
 Implementation:
   Application Hardening:
-    App. Hardening Level 2:
-      risk: Using an insecure application might lead to a compromised application.
-        This might lead to total data theft or data modification.
-      measure: |
-        Following frameworks like the
-          <ul>
-            <li>OWASP Application Security Verification Standard Level 2</li>
-            <li>OWASP Mobile Application Security Verification Standard Level 2</li>
-          </ul>
-      difficultyOfImplementation:
-        knowledge: 4
-        time: 4
-        resources: 2
-      usefulness: 4
-      level: 2
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-asvs
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
-      references:
-        samm2:
-        - D-SR-2-A
-        iso27001-2017:
-        - hardening is not explicitly covered by ISO 27001 - too specific
-        - 13.1.3
-      isImplemented: false
-      evidence: ""
-      comments: ""
-    App. Hardening Level 3:
+    App. Hardening Level 1 (50%):
       risk: Using an insecure application might lead to a compromised application.
         This might lead to total data theft or data modification.
       measure: |
         Following frameworks like the
-          <ul>
-            <li>OWASP Application Security Verification Standard Level 3</li>
-            <li>OWASP Mobile Application Security Verification Standard Maturity Requirements</li>
-          </ul>
-          and gain around 75% coverage of both.
+        * OWASP Application Security Verification Standard Level 1
+        * OWASP Mobile Application Security Verification Standard
+        
+        in all applications provides a good baseline. Implement 50% of the recommendations.
       difficultyOfImplementation:
-        knowledge: 4
-        time: 4
-        resources: 2
-      usefulness: 4
-      level: 3
+        knowledge: 2
+        time: 2
+        resources: 1
+      usefulness: 3
+      level: 1
+      description: |
+        To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.
+
+        [...]
+
+        ### Planning aka Requirements Gathering & Analysis
+        The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
+
+        ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png)
+
+        Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
+
+        These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
+
+        In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
+
+        Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md)
       implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-asvs
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-asvs
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/apimaturity
       references:
         samm2:
-        - D-SR-3-A
+          - D-SR-1-A
         iso27001-2017:
-        - hardening is not explicitly covered by ISO 27001 - too specific
-        - 13.1.3
+          - hardening is not explicitly covered by ISO 27001 - too specific
+          - 13.1.3
       isImplemented: false
       evidence: ""
       comments: ""
-    Application Hardening Level 1:
+    App. Hardening Level 1:
       risk: Using an insecure application might lead to a compromised application.
         This might lead to total data theft or data modification.
       measure: |
         Following frameworks like the
-          <ul>
-            <li>OWASP Application Security Verification Standard Level 1</li>
-            <li>OWASP Mobile Application Security Verification Standard Level 1</li>
-          </ul>
-
-        in all applications provides a good baseline.
+        * OWASP Application Security Verification Standard Level 1
+        * OWASP Mobile Application Security Verification Standard
+        
+        in all applications provides a good baseline. Implement 95%-100% of the recommendations.
       difficultyOfImplementation:
-        knowledge: 4
-        time: 4
-        resources: 2
+        knowledge: 2
+        time: 2
+        resources: 1
       usefulness: 4
-      level: 1
+      level: 2
+      dependsOn:
+        - App. Hardening Level 1 (50%)
       description: |
         To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.
 
@@ -103,22 +93,80 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    Full Coverage of App. Hardening Level 3:
+
+    App. Hardening Level 2 (75%):
       risk: Using an insecure application might lead to a compromised application.
         This might lead to total data theft or data modification.
       measure: |
         Following frameworks like the
-          <ul>
-            <li>OWASP Application Security Verification Standard Level 3</li>
-            <li>OWASP Mobile Application Security Verification Standard Maturity Requirements</li>
-          </ul>
-          and gain around 95% coverage of both.
+        * OWASP Application Security Verification Standard Level 2
+        * OWASP Mobile Application Security Verification Standard Level 2
+        
+        Implement 75% of the recommendations.
+      difficultyOfImplementation:
+        knowledge: 3
+        time: 3
+        resources: 1
+      usefulness: 3
+      level: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-asvs
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
+      references:
+        samm2:
+          - D-SR-2-A
+        iso27001-2017:
+          - hardening is not explicitly covered by ISO 27001 - too specific
+          - 13.1.3
+      isImplemented: false
+      evidence: ""
+      comments: ""
+      dependsOn:
+        - App. Hardening Level 1
+    App. Hardening Level 2:
+      risk: Using an insecure application might lead to a compromised application.
+        This might lead to total data theft or data modification.
+      measure: |
+        Following frameworks like the
+        * OWASP Application Security Verification Standard Level 2
+        * OWASP Mobile Application Security Verification Standard Level 2
+        
+        Implement 95%-100% of the recommendations.
+      difficultyOfImplementation:
+        knowledge: 3
+        time: 3
+        resources: 1
+      usefulness: 3
+      level: 4
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-asvs
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
+      references:
+        samm2:
+          - D-SR-2-A
+        iso27001-2017:
+          - hardening is not explicitly covered by ISO 27001 - too specific
+          - 13.1.3
+      isImplemented: false
+      evidence: ""
+      comments: ""
+      dependsOn:
+        - App. Hardening Level 2 (75%)
+    App. Hardening Level 3:
+      risk: Using an insecure application might lead to a compromised application.
+        This might lead to total data theft or data modification.
+      measure: |
+        Following frameworks like the
+        * OWASP Application Security Verification Standard Level 3
+        * OWASP Mobile Application Security Verification Standard
+        
+        Implement 95%-100% of the recommendations.
       difficultyOfImplementation:
         knowledge: 4
         time: 4
         resources: 2
       usefulness: 4
-      level: 4
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-asvs
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
@@ -131,4 +179,6 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
+      dependsOn:
+        - App. Hardening Level 2
 ...
@@ -22,27 +22,6 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    Pre-Commit checks and validations:
-      risk: Using an insecure application might lead to a compromised application.
-        This might lead to total data theft or data modification.
-      measure: |
-        Implement pre-commit checks to prevent secrets & other security issues being commit to source code.
-      difficultyOfImplementation:
-        knowledge: 4
-        time: 4
-        resources: 2
-      usefulness: 4
-      level: 2
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pre-commit-microsoft
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pre-commit-synopsis
-      references:
-        samm2:
-        - V-ST-1-A
-        iso27001-2017: []
-      isImplemented: false
-      evidence: ""
-      comments: ""
     API design validation:
       risk: Creation of insecure or non-compliant API.
       measure: |
@@ -54,7 +33,7 @@ Implementation:
         time: 2
         resources: 2
       usefulness: 4
-      level: 2
+      level: 3
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stoplight-spectral
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/api-oas-checker