Merge pull request #215 from wurstbrot/level5

use 5 levels and adopt levels of activities

Author: wurstbrot

README.md

@@ -66,7 +66,6 @@ You can download your current state from the circular headmap and mount it again
 
 This approach also allows teams to perform self assessment with changes tracked in a repository.
 
-
 ## Amazon EC2 Instance
 
 1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -127,7 +127,7 @@ Build and Deployment:
         time: 2
         resources: 2
       usefulness: 4
-      level: 3
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker-content-trust
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/in-toto
@@ -151,7 +151,7 @@ Build and Deployment:
         time: 2
         resources: 2
       usefulness: 3
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits-protection

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -11,7 +11,7 @@ Build and Deployment:
         time: 2
         resources: 1
       usefulness: 2
-      level: 4
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/blue-green-deploymen
       dependsOn:
@@ -223,7 +223,7 @@ Build and Deployment:
         time: 2
         resources: 1
       usefulness: 4
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       dependsOn:
@@ -248,7 +248,7 @@ Build and Deployment:
         time: 1
         resources: 1
       usefulness: 2
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/martin-feature-toggles
@@ -266,27 +266,30 @@ Build and Deployment:
       isImplemented: false
       evidence: ""
       comments: ""
-    Usage of trusted images:
-      risk: Developers or operations might start random images in the production cluster
-        which have malicious code or known vulnerabilities.
-      measure: Create image assessment criteria, perform an evaluation of images and
-        create a whitelist of artifacts/container images/virtual machine images.
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubernetes-admission
+    Evaluation of the trust of used components:
+      risk:
+        - Application and system components like Open Source libraies or images can have implementation flaws or deployment flaws.
+        - Developers or operations might start random images in the production cluster 
+          which have malicious code or known vulnerabilities.
+      measure:
+        - Each components source is evaluated to be trusted. For example the source, number of developers included, email configuration used by maintainers to prevent maintainer account theft, typo-squatting, ...
+        - Create image assessment criteria, perform an evaluation of images and create a whitelist of artifacts/container images/virtual machine images.
       difficultyOfImplementation:
-        knowledge: 1
-        time: 1
+        knowledge: 3
+        time: 3
         resources: 1
       usefulness: 3
       level: 2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubernetes-admission
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/packj
       references:
         samm2:
-        - I-SD-2-A
+          - O-EM-1-A
         iso27001-2017:
-        - 15.1.1
-        - 15.1.2
-        - 15.1.3
-        - 14.1.3
+          - not explicitly covered by ISO 27001 - too specific
+          - 14.2.1
+          - 14.2.5
       isImplemented: false
       evidence: ""
       comments: ""

src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml

@@ -23,12 +23,14 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Automated PRs for patches:
-      risk: Known vulnerabilities components might stay for long and get exploited,
+      risk: Components with known (or unknown) vulnerabilities might stay for long and get exploited,
         even when a patch is available.
       measure: Fast patching of third party component is needed. The DevOps way is
-        to have an automated pull request for new components. This includes <ul> <li>Applications</li><li>Virtualized
-        operating system components (e.g. container images)</li> <li>Operating Systems</li><li>Infrastructure
-        as Code/GitOps (e.g. argocd)</li> </ul>
+        to have an automated pull request for new components. This includes 
+        * Applications
+        * Virtualized operating system components (e.g. container images)
+        * Operating Systems
+        * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform)
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -38,6 +40,8 @@ Build and Deployment:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependabot
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/jenkins
+      # - $ref: src/assets/YAML/default/implementations.yaml#/implementations/argocd TODO
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/terraform
       references:
         samm2:
         - O-EM-1-B

src/assets/YAML/default/CultureAndOrganization/Design.yaml

@@ -10,7 +10,7 @@ Culture and Organization:
         time: 3
         resources: 2
       usefulness: 3
-      level: 3
+      level: 4
       dependsOn:
       - Conduction of simple threat modeling on technical level
       - Creation of threat modeling processes and standards
@@ -151,7 +151,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 4
-      level: 4
+      level: 5
       dependsOn:
       - Creation of simple abuse stories
       implementation:
@@ -233,8 +233,8 @@ Culture and Organization:
         knowledge: 1
         time: 1
         resources: 1
-      usefulness: 4
-      level: 1
+      usefulness: 3
+      level: 2
       implementation: []
       references:
         samm2: []

src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml

@@ -24,11 +24,30 @@ Culture and Organization:
       isImplemented: false
       evidence: ""
       comments: ""
+    Security Coaching:
+      risk: Even if security practices are understood, it doesn't mean that they get implemented.
+      measure: By coaching teams, teams are getting a better understanding and adoptiing security practices.
+      difficultyOfImplementation:
+        knowledge: 4
+        time: 3
+        resources: 1 # e.g. system resources
+      usefulness: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sammancoaching
+      level: 3
+      references:
+        samm2:
+          - G-EG-3-B
+        iso27001-2017:
+          - 7.1.1
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Aligning security in teams:
       risk: The concept of Security Champions might suggest that only he/she is responsible
         for security. However, everyone in the project team should be responsible
         for security.
-      measure: By aligning security SME with project teams, a higher security standard
+      measure: By aligning security Subject Matter Experts with project teams, a higher security standard
         can be achieved.
       difficultyOfImplementation:
         knowledge: 4
@@ -80,7 +99,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 3
-      level: 3
+      level: 5
       implementation: []
       references:
         samm2:
@@ -303,7 +322,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 3
-      level: 1
+      level: 2
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cwe25
       credits: |
@@ -382,7 +401,7 @@ Culture and Organization:
         time: 3
         resources: 1
       usefulness: 3
-      level: 2
+      level: 3
       credits: |
         AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
       implementation:

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -65,27 +65,5 @@ Culture and Organization:
       isImplemented: false
       evidence: ""
       comments: ""
-    Prevention of unauthorized installation:
-      risk: Unapproved components are used.
-      measure: Components must be whitelisted. Regular scans on the docker infrastructure
-        (e.g. cluster) need to be performed, to verify that only standardized base
-        images are used.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 1
-        resources: 1
-      usefulness: 3
-      level: 3
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/example-all-docker
-      comment: By preventing teams from trying out new components, innovation might
-        be hampered
-      references:
-        samm2: []
-        iso27001-2017:
-        - 12.5.1
-        - 12.6.1
-      isImplemented: false
-      evidence: ""
-      comments: ""
+
 ...