feat: enhance source control platform requirements

Author: wurstbrot

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -53,15 +53,12 @@ Implementation:
           - 8.25 # Secure development lifecycle
           - 8.27 # Secure system architecture and engineering principles
           - 8.28 # Secure coding
-      isImplemented: false
-      evidence: ""
-      comments: ""
-    Source Control Protection:
+    Require a PR before merging:
       uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2
-      risk: Intentional or accidental alterations in critical branches like master.
+      risk: Intentional or accidental alterations in critical branches like main (or master).
       measure: >-
         Define source code management system policies (e.g. branch protection rules,
-        mandatory code reviews, ...)
+        mandatory code reviews from at least one person, ...)
         to ensure that changes to critical branches are only possible under defined conditions.
         These policies can be implemented at repository level or organization level,
         depending on the source code management system.
@@ -71,6 +68,33 @@ Implementation:
         resources: 2
       usefulness: 4
       level: 2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
+      references:
+        samm2:
+          - O-EM-1-A
+        iso27001-2017:
+          - Peer review - four eyes principle is not explicitly required by ISO 27001
+          - 6.1.2
+          - 14.2.1
+        iso27001-2022:
+          - Peer review - four eyes principle is not explicitly required by ISO 27001
+          - 5.3
+          - 8.25
+    Dismiss stale PR approvals:
+      uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162
+      risk: Intentional or accidental alterations in critical branches like main (or master) through post-approval code additions.
+      measure: >-
+        Implement a policy where any commits made after a pull request has been approved automatically revoke that approval, necessitating a fresh review and re-approval process.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 3
+      dependsOn:
+        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2 # Require a PR before merging
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
@@ -86,9 +110,6 @@ Implementation:
           - Peer review - four eyes principle is not explicitly required by ISO 27001
           - 5.3
           - 8.25
-      isImplemented: false
-      evidence: ""
-      comments: ""
     Versioning:
       uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f
       risk: Deployment of untracked artifacts.
@@ -116,9 +137,6 @@ Implementation:
           - Not explicitly covered by ISO 27001 - too specific
           - 5.37
           - 8.32
-      isImplemented: false
-      evidence: ""
-      comments: ""
     .gitignore:
       uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d
       risk: Unintended leakage of secrets, debug, or workstation specific data
@@ -144,5 +162,60 @@ Implementation:
           - Not explicitly covered by ISO 27001 - too specific
           - 5.37
           - 8.32
-      evidence: ""
-      comments: ""
+    Require status checks to pass:
+      uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee
+      risk: Organizations risk introducing broken builds, quality issues, and security vulnerabilities into their codebase.
+      measure: >-
+        Mandate passing of security related specified status checks, like successful builds or static application security tests, before proceeding.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 3
+      dependsOn:
+        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits-protection
+      references:
+        samm2:
+          - O-EM-1-A
+        iso27001-2017:
+          - 6.1.2
+          - 14.2.1
+        iso27001-2022:
+          - 5.3
+          - 8.25
+    Block force pushes:
+      uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17
+      risk: |-
+        Misuse of force push can lead to loss of work. It may overwrite remote 
+        branches without warning, potentially erasing valuable contributions from team members. This can disrupt collaboration, 
+        cause data loss, and create confusion in the development process.
+        
+        Bypassing the pull request process might remove an important code review step. 
+        This increases the risk of merging low-quality or buggy code into the main branch, potentially introducing bugs in the codebase.
+      measure: >-
+        Mandate blocking of force pushes in the version control platform.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 3
+      dependsOn:
+        - uuid:e7598ac4-b082-4e56-b7df-e2c6b426a5e2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/azuredevops
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-policies
+      references:
+        samm2:
+          - O-EM-1-A
+        iso27001-2017:
+          - 6.1.2
+          - 14.2.1
+        iso27001-2022:
+          - 5.3
+          - 8.25