use 5 levels and adopt levels of activities

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml

@@ -23,7 +23,7 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Automated PRs for patches:
-      risk: Known vulnerabilities components might stay for long and get exploited,
+      risk: Components with known (or unknown) vulnerabilities might stay for long and get exploited,
         even when a patch is available.
       measure: Fast patching of third party component is needed. The DevOps way is
         to have an automated pull request for new components. This includes 

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -60,7 +60,7 @@ Implementation:
         time: 1
         resources: 2
       usefulness: 4
-      level: 1
+      level: 2
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
@@ -100,32 +100,4 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    MFA to SCM:
-      risk: Unauthorized access to source code.
-      measure: >-
-        Enforce Multi-Factor authentication to source code management platforms.
-        These policies can be implemented at repository level or organization level,
-        depending on the source code management system.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 1
-        resources: 2
-      usefulness: 4
-      level: 1
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/yubikey
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/smartcard
-      references:
-        samm2:
-        - O-EM-1-A
-        iso27001-2017:
-        - 5.17    # Authentication information
-        - 6.1.2   # Segregation of duties.
-        - 14.2.1  # Secure development policies.
-        d3f:
-        - Multi-factorAuthentication
-      isImplemented: false
-      evidence: ""
-      comments: ""
 ...

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -1,30 +1,61 @@
 ---
 Implementation:
   Infrastructure Hardening:
-    2FA:
+    MFA for admins:
       risk: One factor authentication is more vulnerable to brute force attacks and
         is considered less secure.
-      measure: Two factor authentication for all privileged accounts on systems and
+      measure: Two ore more factor authentication for all privileged accounts on systems and
         applications
       difficultyOfImplementation:
-        knowledge: 3
-        time: 2
-        resources: 3
+        knowledge: 2
+        time: 1
+        resources: 2
       usefulness: 4
-      level: 2
+      level: 1
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/smartcard
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/yubikey
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sms
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
       references:
         samm2:
-        - TODO
+          - O-EM-1-A
         iso27001-2017:
-        - not explicitly covered by ISO 27001 - too specific
-        - 9.1.1
-        - 9.4.2
-        - 14.2.5
+          - 5.17    # Authentication information
+          - 6.1.2   # Segregation of duties.
+          - 14.2.1  # Secure development policies.
+        d3f:
+          - Multi-factorAuthentication
+      isImplemented: false
+      evidence: ""
+      comments: ""
+    MFA:
+      risk: One factor authentication is more vulnerable to brute force attacks and
+        is considered less secure.
+      measure: Two ore more factor authentication for all accounts on all (important) systems and
+        applications
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 2
+      dependsOn:
+        - MFA for admins
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/smartcard
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/yubikey
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sms
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
+      references:
+        samm2:
+          - O-EM-1-A
+        iso27001-2017:
+          - 5.17    # Authentication information
+          - 6.1.2   # Segregation of duties.
+          - 14.2.1  # Secure development policies.
+        d3f:
+          - Multi-factorAuthentication
       isImplemented: false
       evidence: ""
       comments: ""
@@ -96,7 +127,7 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    Immutable Infrastructure:
+    Immutable infrastructure:
       risk: The availability of IT systems might be disturbed due to components failures
       measure: Redundancies in the IT systems
       difficultyOfImplementation:
@@ -197,7 +228,7 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    Microservice-Architecture:
+    Microservice-architecture:
       risk: Monolithic applications are hard to test.
       measure: A microservice-architecture helps to have small components, which are
         more easy to test.
@@ -290,7 +321,7 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    Baseline Hardening of the Envirnoment:
+    Baseline Hardening of the envirnoment:
       risk: Using default configurations for a cluster environment leads to potential
         risks.
       measure: Harden environments according to best practices. Level 1 and

src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml

@@ -213,7 +213,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Test of client side components with known vulnerabilities:
+    Software Composition Analysis (client side):
       risk: Client side components might have vulnerabilities.
       measure: Tests for known vulnerabilities in components via Software Composition Analysis of the frontend are performed.
       difficultyOfImplementation:
@@ -237,7 +237,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Test of server side components with known vulnerabilities:
+    Software Composition Analysis (server side):
       risk: Server side components might have vulnerabilities.
       measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware)
         are performed.
@@ -274,8 +274,8 @@ Test and Verification:
       usefulness: 1
       level: 4
       dependsOn:
-      - Test of server side components with known vulnerabilities
-      - Test of client side components with known vulnerabilities
+      - Software Composition Analysis (server side)
+      - Software Composition Analysis (client side)
       - Static analysis for all self written components
       implementation: []
       references:

src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml

@@ -18,7 +18,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Check for image lifetime:
+    Test for image lifetime:
       risk: Old container images in production indicate that patch management is not
         performed and therefore vulnerabilities might exists.
       measure: Check the image age of containers in production.
@@ -39,7 +39,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Check for known vulnerabilities:
+    Test for known vulnerabilities:
       risk: Known vulnerabilities in infrastructure components like container images
         might get exploited.
       measure: Check for known vulnerabilities
@@ -49,9 +49,11 @@ Test and Verification:
         resources: 1
       usefulness: 4
       level: 4
+      description: Subscribing to github projects and reading release notes might help. Software Composition Analysis for infrastructe might help, but is often too fine-granular.
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/https-github-com-a
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/registries-like-quay
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
       references:
         samm2:
         - V-ST-2-A
@@ -60,7 +62,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Check for malware:
+    Test for malware:
       risk: Third party might include  malware. Ether due to the maintainer (e.g.
         typo squatting of an image name and using the wrong image) or by an attacker
         on behalf of the maintainer with stolen credentials.
@@ -82,7 +84,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Check for new image version:
+    Test for new image version:
       risk: When a new version of an image is available, it might fix security vulnerabilities.
       measure: Check for new images of containers in production.
       difficultyOfImplementation:
@@ -127,7 +129,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Stored Secrets:
+    Test for stored Secrets:
       risk: Stored secrets in git history, in container images or directly in code
         shouldn't exists because they might be exposed to unauthorized parties.
       measure: Test for secrets in code, container images and history