feat: add vuln

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -49,7 +49,8 @@ Build and Deployment:
         Unused applications are not maintained and may contain vulnerabilities.
         Once exploited they can be used to attack other applications or
         to perform lateral movements within the organization.
-      measure: A clear decommissioning process ensures the removal of unused applications.
+      measure: |-
+        A clear decommissioning process ensures the removal of unused applications from the `Inventory of production components` and if implemented from `Inventory of production artifacts`.
       difficultyOfImplementation:
         knowledge: 1
         time: 2
@@ -129,8 +130,8 @@ Build and Deployment:
         d3f:
           - ApplicationConfigurationHardening
       isImplemented: false
-      evidence: ""
-      comments: ""
+      tags:
+        - secret
     Handover of confidential parameters:
       uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a
       risk:
@@ -169,19 +170,19 @@ Build and Deployment:
         d3f:
           - ApplicationConfigurationHardening
       isImplemented: false
-      evidence: ""
-      comments: ""
-    Inventory of dependencies:
+      tags:
+        - secret
+    Inventory of production dependencies:
       uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6
       risk:
-        In case a vulnerability of severity high or critical is known by the organization,
-        it needs to be known where an artifacts with that vulnerability is deployed
+        Delayed identification of components and their vulnerabilities in production.
+        In case a vulnerability is known by the organization, it needs to be known where an artifacts with that vulnerability is deployed
         with which dependencies.
       measure:
-        A documented inventory of dependencies used in images and containers
+        A documented inventory of dependencies used in artifacts like container images and containers
         exists.
       dependsOn:
-        - Defined deployment process
+        - uuid:83057028-0b77-4d2e-8135-40969768ae88 # Inventory of production artifacts
         - SBOM of components
       difficultyOfImplementation:
         knowledge: 2
@@ -190,7 +191,9 @@ Build and Deployment:
       usefulness: 3
       level: 3
       implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
           - I-SD-2-A
@@ -200,22 +203,29 @@ Build and Deployment:
         iso27001-2022:
           - 5.9
           - 5.12
-      isImplemented: false
-      evidence: ""
       comments: ""
-    Inventory of production applications:
+      tags:
+        - inventory
+        - sbom
+    Inventory of production components:
       uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f
-      risk:
-        An organization is unaware of applications in production.
-      measure: A documented inventory or applications exists (gathered manually or automatically)
+      risk: |-
+        An organization is unaware of components like applications in production. Not knowing existing applications in production leads to not assessing it.
+      measure: |-
+        A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production.
+        In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track.
       dependsOn:
+        - Defined deployment process
       difficultyOfImplementation:
-        knowledge: 2
-        time: 2
-        resources: 3
-      usefulness: 3
-      level: 3
-      implementation: []
+        knowledge: 1
+        time: 1
+        resources: 1
+      usefulness: 4
+      level: 1
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
           - I-SD-2-A
@@ -225,25 +235,28 @@ Build and Deployment:
         iso27001-2022:
           - 5.9
           - 5.12
-      isImplemented: false
-      evidence: ""
-      comments: ""
+      tags:
+        - inventory
     Inventory of production artifacts:
       uuid: 83057028-0b77-4d2e-8135-40969768ae88
       risk:
         In case a vulnerability of severity high or critical exists, it needs
         to be known where an artifacts (e.g. container image) with that vulnerability
         is deployed.
-      measure: A documented inventory or a possibility to gather the needed information.
+      measure: A documented inventory of artifacts in production like container images exists (gathered manually or automatically).
       dependsOn:
         - Defined deployment process
+        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 3
       usefulness: 3
-      level: 3
-      implementation: []
+      level: 2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
           - I-SD-2-A
@@ -253,9 +266,8 @@ Build and Deployment:
         iso27001-2022:
           - 5.9
           - 5.12
-      isImplemented: false
-      evidence: ""
-      comments: ""
+      tags:
+        - inventory
     Rolling update on deployment:
       uuid: 85d52588-f542-4225-a338-20dc22a5508d
       risk: While a deployment is performed, the application can not be reached.

src/assets/YAML/default/InformationGathering/Logging.yaml

@@ -30,9 +30,6 @@ Information Gathering:
         iso27001-2022:
           - Not explicitly covered by ISO 27001 - too specific
           - 8.15
-      isImplemented: false
-      evidence: ""
-      comments: ""
     Centralized system logging:
       uuid: 4eced38a-7904-4c45-adb0-50b663065540
       risk:

src/assets/YAML/default/InformationGathering/MeasurementsAndMetrics.yaml

@@ -0,0 +1,60 @@
+# yaml-language-server: $schema=../../schemas/dsomm-schema-information-gathering.json
+---
+Information Gathering:
+  Test KPI:
+    #Number of vulnerabilities - appsec - vuln management ?
+    Number of vulnerabilities/severity:
+      uuid: bc548cba-cb82-4f76-bd4b-325d9d256279
+      risk: |-
+        Failing to convey the number of vulnerabilities by severity might undermine the effectiveness of product teams. This might lead to ignorance of findings.
+      measure: |-
+        Measurement and communication of vulnerabilities per severity for components like applications. At least quarterly.
+      description: |-
+        Communication can be performed in a simple way, e.g. text based during the build process.
+        This activity depends on at least one security testing implementation.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 3
+      level: 2
+      dependsOn: []
+      implementation: []
+      references:
+        samm2:
+          - I-DM-3-B
+        iso27001-2022:
+          - 5.25
+          - 5.12
+          - 5.13
+          - 5.10
+      tags:
+        - vulnerability-mgmt
+        - metrics
+    SLA per criticality:
+      uuid: 123e4567-e89b-12d3-a456-426614174000
+      risk: |-
+        Not communicating how many applications are adhering to SLAs based on the criticality of vulnerabilities can lead to delayed remediation of 
+        critical security issues, increasing the risk of exploitation and potential damage to the organization.
+      measure: |-
+        Measurement and communication of how much vulnerabilities handling per severity for components like applications are aligned to SLAs. 
+        At least quarterly.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 3
+      level: 3
+      dependsOn: []
+      implementation: []
+      references:
+        samm2:
+          - I-DM-3-B
+        iso27001-2022:
+          - 5.25
+          - 5.12
+          - 5.13
+          - 5.10
+      tags:
+        - vulnerability-mgmt
+        - metrics

src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml

@@ -152,7 +152,7 @@ Test and Verification:
           - 8.28 # Secure coding
       isImplemented: false
       dependsOn:
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       comments: ""
     Static analysis for all components/libraries:
       uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054
@@ -167,7 +167,7 @@ Test and Verification:
       dependsOn:
         - Static analysis for important client side components
         - Static analysis for important server side components
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation: []
       references:
         samm2:
@@ -202,7 +202,7 @@ Test and Verification:
       dependsOn:
         - Static analysis for important client side components
         - Static analysis for important server side components
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-2-A
@@ -236,7 +236,7 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
       dependsOn:
         - Defined build process
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-2-A
@@ -269,7 +269,7 @@ Test and Verification:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
       dependsOn:
         - Defined build process
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       references:
         samm2:
           - V-ST-2-A
@@ -323,7 +323,7 @@ Test and Verification:
       level: 3
       dependsOn:
         - Defined build process
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
@@ -353,7 +353,7 @@ Test and Verification:
       level: 2
       dependsOn:
         - Defined build process
-        - Inventory of production applications
+        - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-dependency-che
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack

src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml

@@ -121,7 +121,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Regular tests:
+    Regular automated tests:
       uuid: 598897a2-358e-441f-984c-e12ec4f6110a
       risk:
         After pushing source code to the version control system, any delay in

src/assets/YAML/default/implementations.yaml

@@ -788,7 +788,7 @@ implementations:
     uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
     name: Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM).
     url: https://github.com/DependencyTrack/dependency-track
-    tags: [sca, inventory, OpenSource, "Supply Chain", vulnerability]
+    tags: [sca, inventory, OpenSource, "Supply Chain", vulnerability, inventory]
   juice-shop:
     uuid: c021aa72-c71c-43e4-9573-717b74d6c19d
     name: OWASP Juice Shop
@@ -928,3 +928,17 @@ implementations:
     url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
     description: |
       There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
+  backstage:
+    uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
+    name: Backstage
+    tags: [documentation, inventory]
+    url: https://github.com/backstage/backstage
+    description: |
+      Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure.
+  image-metadata-collector:
+    uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c
+    name: Image Metadata Collector
+    tags: [documentation, inventory, kubernetes]
+    url: https://github.com/SDA-SE/image-metadata-collector/
+    description: |
+      Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API.