devsecopsmaturitymodel
diff --git a/‎data-new/BuildAndDeployment/Sub-Dimensions.yaml‎
Lines changed: 65 additions & 33 deletions b/‎data-new/BuildAndDeployment/Sub-Dimensions.yaml‎
Lines changed: 65 additions & 33 deletions
diff --git a/‎data-new/CultureAndOrganization/Design.yaml‎
Lines changed: 15 additions & 7 deletions b/‎data-new/CultureAndOrganization/Design.yaml‎
Lines changed: 15 additions & 7 deletions
diff --git a/‎data-new/CultureAndOrganization/EducationAndGuidance.yaml‎
Lines changed: 42 additions & 18 deletions b/‎data-new/CultureAndOrganization/EducationAndGuidance.yaml‎
Lines changed: 42 additions & 18 deletions
diff --git a/‎data-new/CultureAndOrganization/Process.yaml‎
Lines changed: 3 additions & 1 deletion b/‎data-new/CultureAndOrganization/Process.yaml‎
Lines changed: 3 additions & 1 deletion
@@ -5,7 +5,11 @@ _meta:
     A markdown description of this dimension.
 _yaml_references:
   tools:
-    ci-cd: &ci-cd CI/CD tools, eg. Jenkins
+    ci-cd: &ci-cd
+      name: CI/CD tools
+      tags: [ci-cd]
+      description: |-
+        CI/CD tools such as jenkins, gitlab-ci or github-actions
 
 Build:
   Building and testing of artifacts in virtual environments:
@@ -31,8 +35,10 @@ Build:
     usefulness: 2
     level: 2
     implementation:
-    - Container technologies and orchestration like Docker, Kubernetes
-    - *ci-cd
+    - name: Container technologies and orchestration like Docker, Kubernetes
+      tags: []
+    - name: CI/CD tools, eg. Jenkins
+      tags: []
     references:
       samm2:
       - i-secure-build|A|2
@@ -55,7 +61,8 @@ Build:
     level: 1
     implementation:
     - *ci-cd
-    - Container technologies and orchestration like Docker, Kubernetes
+    - name: Container technologies and orchestration like Docker, Kubernetes
+      tags: []
     references:
       samm2:
       - i-secure-build|A|1
@@ -94,8 +101,12 @@ Build:
     usefulness: 4
     level: 3
     implementation:
-    - <a href="https://docs.docker.com/notary/getting_started/">Docker Content Trust</a>
-    - <a href="https://in-toto.github.io/">in-toto</a>
+    - name: Docker Content Trust
+      tags: []
+      url: https://docs.docker.com/notary/getting_started/
+    - name: in-toto
+      tags: []
+      url: https://in-toto.github.io/
     dependsOn:
     - Defined build process
     references:
@@ -119,8 +130,11 @@ Deployment:
     usefulness: 4
     level: 2
     implementation:
-    - A complete database backup might be performed*. For large and complex environments
-    - ' a Point in Time Recovery for databases should be implemented.'
+    - name: A complete database backup might be performed*. For large and complex
+        environments
+      tags: []
+    - name: a Point in Time Recovery for databases should be implemented.
+      tags: []
     dependsOn:
     - Defined deployment process
     references:
@@ -144,8 +158,9 @@ Deployment:
     usefulness: 2
     level: 4
     implementation:
-    - <a href='https://martinfowler.com/bliki/BlueGreenDeployment.html'>Blue/Green
-      Deployments</a>
+    - name: Blue/Green Deployments
+      tags: []
+      url: https://martinfowler.com/bliki/BlueGreenDeployment.html
     dependsOn:
     - Smoke Test
     references:
@@ -171,8 +186,9 @@ Deployment:
     usefulness: 4
     level: 1
     implementation:
-    - Jenkins
-    - ' Docker'
+    - *ci-cd
+    - name: Docker
+      tags: []
     references:
       samm2: i-secure-deployment|A|1
       iso27001-2017:
@@ -238,9 +254,12 @@ Deployment:
     usefulness: 2
     level: 3
     implementation:
-    - Docker
-    - ' Webserver'
-    - ' rolling update'
+    - name: Docker
+      tags: []
+    - name: Webserver
+      tags: []
+    - name: rolling update
+      tags: []
     dependsOn:
     - Defined deployment process
     samm2: i-secure-deployment|A|1
@@ -261,7 +280,8 @@ Deployment:
     usefulness: 4
     level: 3
     implementation:
-    - Docker
+    - name: Docker
+      tags: []
     dependsOn:
     - Defined build process
     samm: OE2-A
@@ -284,7 +304,8 @@ Deployment:
     usefulness: 2
     level: 3
     implementation:
-    - Docker
+    - name: Docker
+      tags: []
     dependsOn:
     - Same artifact for environments
     samm: EG1-B
@@ -300,8 +321,9 @@ Deployment:
     measure: Create image assessment criteria, perform an evaluation of images and
       create a whitelist of artifacts/container images/virtual machine images.
     implementation:
-    - Kubernetes Admission Controller can whitelist registries and/or whitelist a
-      signing key.
+    - name: Kubernetes Admission Controller can whitelist registries and/or whitelist
+        a signing key.
+      tags: []
     difficultyOfImplementation:
       knowledge: 1
       time: 1
@@ -385,8 +407,11 @@ Patch Management:
     - 12.6.1
     - 14.2.5
     implementation:
-    - <a href="https://dependabot.com/">dependabot</a>
-    - Jenkins
+    - name: dependabot
+      tags: []
+      url: https://dependabot.com/
+    - name: Jenkins
+      tags: []
   Usage of a maximum lifetime for images:
     risk:
     - Vulnerabilities in images of running containers stay for too long and might
@@ -420,16 +445,19 @@ Patch Management:
     iso27001-2017:
     - 12.6.1
     implementation:
-    - Sample concept:<br/>(1) each container has a set lifetime and is killed / replaced
-      with a new container multiple times a day where you have some form of a graceful
-      replacement to ensure no (short) service outage will occur to the end users.<br/>(2)
-      twice a day a rebuild of images is done. The rebuilds are put into a automated
-      testing pipeline. If the testing has no blocking issues the new images will
-      be released for deployment during the next "restart" of a container. What has
-      to be done, is to ensure the new containers are deployed in some canary deployment
-      manner, this will ensure that if (and only if) something buggy has been introduced
-      which breaks functionality the canary deployment will make sure the "older version"
-      is being used and not the buggy newer one.
+    - name: "Sample concept:  \n(1"
+      tags: []
+      description: "Sample concept:  \n(1) each container has a set lifetime and is\
+        \ killed / replaced with a new container multiple times a day where you have\
+        \ some form of a graceful replacement to ensure no (short) service outage\
+        \ will occur to the end users.  \n(2) twice a day a rebuild of images is done.\
+        \ The rebuilds are put into a automated testing pipeline. If the testing has\
+        \ no blocking issues the new images will be released for deployment during\
+        \ the next \"restart\" of a container. What has to be done, is to ensure the\
+        \ new containers are deployed in some canary deployment manner, this will\
+        \ ensure that if (and only if) something buggy has been introduced which breaks\
+        \ functionality the canary deployment will make sure the \"older version\"\
+        \ is being used and not the buggy newer one."
   Reduction of the attack surface:
     risk:
     - Components, dependencies, files or file access rights might have vulnerabilities,
@@ -447,5 +475,9 @@ Patch Management:
     - hardening is missing in ISO 27001
     - 14.2.1
     implementation:
-    - <a href="https://github.com/GoogleContainerTools/distroless">Distroless</a>
-    - <a href="https://getfedora.org/coreos?stream=stable">Fedora CoreOS</a>
+    - name: Distroless
+      tags: []
+      url: https://github.com/GoogleContainerTools/distroless
+    - name: Fedora CoreOS
+      tags: []
+      url: https://getfedora.org/coreos
@@ -62,7 +62,9 @@ Design:
     usefulness: 3
     level: 1
     implementation:
-    - <a href="https://github.com/Toreon/threat-model-playbook">Threat modeling Playbook</a>
+    - name: Threat modeling Playbook
+      tags: []
+      url: https://github.com/Toreon/threat-model-playbook
     md-description: |2
 
       Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage.
@@ -126,9 +128,12 @@ Design:
     - may be part of risk assessment
     - 8.1.2
     implementation:
-    - <a href='https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories'>Don't
-      Forget EVIL User Stories</a> and <a href='http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf'>Practical
-      Security Stories and Security Tasks for Agile Development Environments</a>
+    - name: "[Don't Forget EVIL U"
+      tags: []
+      url: https://www.owasp.org/index.php/Agile_Software_Development
+      description: "[Don't Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)\
+        \ and [Practical Security Stories and Security Tasks for Agile Development\
+        \ Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)"
   Creation of simple abuse stories:
     risk:
     - User stories mostly don't consider security implications. Security flaws are
@@ -148,9 +153,12 @@ Design:
     - may be part of risk assessment
     - 8.1.2
     implementation:
-    - <a href='https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories'>Don't
-      Forget EVIL User Stories</a> and <a href='http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf'>Practical
-      Security Stories and Security Tasks for Agile Development Environments</a>
+    - name: "[Don't Forget EVIL U"
+      tags: []
+      url: https://www.owasp.org/index.php/Agile_Software_Development
+      description: "[Don't Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)\
+        \ and [Practical Security Stories and Security Tasks for Agile Development\
+        \ Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)"
   Information security targets are communicated:
     risk:
     - Employees don't known their organizations security targets. Therefore security
 
@@ -14,10 +14,15 @@ Education and Guidance:
     level: 1
     samm: EG1-A
     implementation:
-    - In case you do not have the budget to hire an external security expert, an option
-      is to use the <a href="https://github.com/bkimminich/juice-shop">OWASP Juice
-      Shop</a> on a "hacking Friday"
-    - https://cheatsheetseries.owasp.org/
+    - name: OWASP JuiceShop
+      tags: []
+      url: https://github.com/bkimminich/juice-shop
+      description: "In case you do not have the budget to hire an external security\
+        \ expert, an option\nis to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop)\
+        \ on a \"hacking Friday\""
+    - name: https://cheatsheetseries.owasp.org/
+      tags: []
+      url: https://cheatsheetseries.owasp.org/
     iso27001-2017:
     - 7.2.2
   Regular security training for all:
@@ -35,10 +40,15 @@ Education and Guidance:
     iso27001-2017:
     - 7.2.2
     implementation:
-    - In case you do not have the budget to hire an external security expert, an option
-      is to use the <a href="https://github.com/bkimminich/juice-shop">OWASP Juice
-      Shop</a> on a "hacking Friday"
-    - https://cheatsheetseries.owasp.org/
+    - name: OWASP JuiceShop
+      tags: []
+      url: https://github.com/bkimminich/juice-shop
+      description: "In case you do not have the budget to hire an external security\
+        \ expert, an option\nis to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop)\
+        \ on a \"hacking Friday\""
+    - name: https://cheatsheetseries.owasp.org/
+      tags: []
+      url: https://cheatsheetseries.owasp.org/
   Security consulting on request:
     risk:
     - Not asking a security expert when questions regarding security appear might
@@ -90,9 +100,11 @@ Education and Guidance:
     iso27001-2017:
     - 7.2.2
     implementation:
-    - Often, external employees are not invited for internal trainings. This activity focuses
-      on providing security trainings to internal as well as external employees. It
-      is conducted every two weeks for around one hour.
+    - name: Train internal and external resources
+      tags: []
+      description: Often, external employees are not invited for internal trainings.
+        This activity focuses on providing security trainings to internal as well
+        as external employees. It is conducted every two weeks for around one hour.
   Each team has a security champion:
     risk:
     - No one feels directly responsible for security and the security champion does
@@ -111,7 +123,9 @@ Education and Guidance:
     - 7.2.1
     - 7.2.2
     implementation:
-    - OWASP Security Champions Playbook: https://github.com/c0rdis/security-champions-playbook
+    - name: 'OWASP Security Champions Playbook'
+      tags: []
+      url: https://github.com/c0rdis/security-champions-playbook
   Security-Lessoned-Learned:
     risk:
     - After an incident, a similar incident might reoccur.
@@ -181,7 +195,9 @@ Education and Guidance:
     iso27001-2017:
     - 7.2.2
     implementation:
-    - https://builditbreakit.org/
+    - name: https://builditbreakit.org/
+      tags: []
+      url: https://builditbreakit.org/
   Conduction of war games:
     risk:
     - Understanding incident response plans during an incident is hard and ineffective.
@@ -217,10 +233,15 @@ Education and Guidance:
     - interestingly enough A7.2.3 is requiring a process to handle misconduct but
       nothing to promote good behavior.
     implementation:
-    - Enhance motivation can be performed with the distribution of pins as a reward,
-      see <a href='https://github.com/wurstbrot/security-pins'>OWASP Security Pins
-      Project</a>
-    - https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx
+    - name: Motivate people
+      tags: []
+      url: https://github.com/wurstbrot/security-pins
+      description: |-
+        Enhance motivation can be performed with the distribution of pins
+        as a reward, see [OWASP Security Pins Project](https://github.com/wurstbrot/security-pins)
+    - name: OWASP_Top_10_Maturity_Categories_for_Security_Champions
+      tags: []
+      url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx
   Aligning security in teams:
     risk:
     - The concept of Security Champions might suggest that only he/she is responsible
@@ -233,7 +254,10 @@ Education and Guidance:
       time: 5
       resources: 1
     implementation:
-    - Security SME are involved in discussion for requirements analysis, software design and sprint planning to provide guidance and suggestions.
+    - name: Involve Security SME
+      tags: []
+      description: Security SME are involved in discussion for requirements analysis,
+        software design and sprint planning to provide guidance and suggestions.
     usefulness: 5
     level: 4
     samm: EG2-B
 
@@ -67,6 +67,8 @@ Process:
     - 12.5.1
     - 12.6.1
     implementation:
-    - 'Example: All docker images used by teams need to be based on standard images.'
+    - name: 'Example: All docker images used by teams need to be based on standard
+        images.'
+      tags: []
     comment: By preventing teams from trying out new components, innovation might
       be hampered