Review Build & Deployment, level 1

Author: vbakke

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -28,7 +28,7 @@ Build and Deployment:
       level: 2
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ci-cd-tools
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technology
       references:
         samm2:
           - I-SB-2-A
@@ -42,37 +42,42 @@ Build and Deployment:
     Defined build process:
       uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b
       description: |
-        A *build process* include more than just compiling your source code. 
-        It also includes steps such as managing (third party) dependencies, 
-        environment configuration, running the unit tests, etc. 
-        
-        A *defined build process* has automated these steps to ensure consistency.
+        A *build process* includes more than just compiling your source code. It also covers:
+        - Managing (third party) dependencies
+        - Environment configuration
+        - Running unit and integration tests
+        - Security scanning and compliance checks
+        - Artifact creation and storage
+        - Deployment preparation
 
-        This can be done with a Jenkinsfile, Maven, or similar tools.
+        A *defined build process* automates these steps to ensure consistency, reproducibility, and security. Automation reduces human error and enforces security controls. Use tools such as Jenkins, GitHub Actions, GitLab CI, or Maven to codify the process.
       risk:
-        Performing builds without a defined process is error prone; for example,
-        as a result of incorrect security related configuration.
+        Performing builds without a defined and automated process is error-prone and increases the risk of security misconfigurations, unauthorized changes, and supply chain attacks.
       measure:
-        A well defined build process lowers the possibility of errors during
-        the build process.
+        A well-defined, automated, and auditable build process lowers the possibility of errors and unauthorized changes during the build process. It also enables traceability and rapid response to incidents.
+      level: 1
       difficultyOfImplementation:
         knowledge: 2
         time: 3
         resources: 2
       usefulness: 4
-      level: 1
       assessment: |
-        - Show your build pipeline and an exemplary job (build + test).
-        - Show that every team member has access.
-        - Show that failed jobs are fixed.
+        - Show your build pipeline configuration (e.g., Jenkinsfile, GitHub Actions workflow) and an exemplary job (build + test + security scan).
+        - Demonstrate that every team member has appropriate access (least privilege).
+        - Show that failed jobs are investigated and fixed promptly.
+        - Provide audit logs or evidence of build runs and changes.
+        - Document how security controls are enforced in the build process.
 
         Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ci-cd-tools
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technology
       references:
         samm2:
           - I-SB-1-A
+        nist-csf:
+          - PR.IP-1
+          - PR.DS-1
         iso27001-2017:
           - 12.1.1
           - 14.2.2

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -69,19 +69,21 @@ Build and Deployment:
       comments: ""
     Defined deployment process:
       uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
+      description: |
+        A defined deployment process is a documented and automated set of steps for releasing software into production. It ensures that deployments are consistent, secure, and auditable, reducing the risk of errors and unauthorized changes. This process should include validation, approval, and rollback mechanisms.
       risk: >-
-        Deployment of insecure or malfunctioning artifacts.
+        Deployment based human routines are error prone, and of insecure or malfunctioning artifacts.
       measure: >-
         Defining a deployment process ensures that there are
         established criteria in terms of functionalities,
         security, compliance, and performance,
         and that the artifacts meet them.
+      level: 1
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 1
       usefulness: 4
-      level: 1
       dependsOn:
         - uuid:f6f7737f-25a9-4317-8de2-09bf59f29b5b # Def. Build Process
       implementation:
@@ -96,6 +98,12 @@ Build and Deployment:
         iso27001-2022:
           - 5.37
           - 8.32
+      assessment: |
+        - Deployment process is documented and available to relevant staff
+        - All deployment steps are automated and version-controlled
+        - Approvals and access controls are enforced for production deployments
+        - Rollback procedures are defined and tested
+        - Deployment logs and evidence are retained for audit purposes
       isImplemented: false
       evidence: ""
       comments: ""
@@ -211,19 +219,21 @@ Build and Deployment:
         - sbom
     Inventory of production components:
       uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f
+      description: |
+        An inventory of production components is a complete, up-to-date list of all applications and services running in production. This enables effective vulnerability management, incident response, and compliance. Without it, organizations risk running unmaintained or unauthorized software.
       risk: |-
         An organization is unaware of components like applications in production. Not knowing existing applications in production leads to not assessing it.
       measure: |-
         A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production.
         In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track.
       dependsOn:
         - Defined deployment process
+      level: 1
       difficultyOfImplementation:
         knowledge: 1
         time: 1
         resources: 1
       usefulness: 4
-      level: 1
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/backstage
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
@@ -237,6 +247,12 @@ Build and Deployment:
         iso27001-2022:
           - 5.9
           - 5.12
+      assessment: |
+        - Inventory of all production components exists and is regularly updated
+        - Inventory includes key metadata (e.g., version, owner, deployment date)
+        - Inventory is accessible to security and operations teams
+        - There is a process for adding, updating, and removing components
+        - Inventory reviews are performed and documented
       tags:
         - inventory
     Inventory of production artifacts:

src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml

@@ -4,16 +4,23 @@ Build and Deployment:
   Patch Management:
     A patch policy is defined:
       uuid: 99415139-6b50-441b-89e1-0aa59accd43d
-      risk: Vulnerabilities in running artifacts stay for long and might get exploited.
+      description: |
+        A patch policy defines how and when software components, images, and dependencies are updated. A patch policy ensures that all these artifacts are regularly reviewed and updated, reducing the window of exposure to known threats. The policy should specify the frequency, responsibilities, and documentation requirements for patching.
+      risk: Vulnerabilities in running artifacts may persist for a long time and might be exploited.
       measure:
-        A patch policy for all artifacts (e.g. in images) is defined. How often
+        Define a patch policy for all artifacts (e.g. in images) is defined. How often
         is an image rebuilt?
+      assessment: |
+        - Patch policy is documented and accessible to relevant staff.
+        - The policy defines patch frequency and responsible roles.
+        - Patch actions and exceptions are logged and reviewed.
+        - Evidence of regular patching and policy review is available.
+      level: 1
       difficultyOfImplementation:
         knowledge: 3
         time: 1
         resources: 2
       usefulness: 4
-      level: 1
       implementation: []
       references:
         samm2:
@@ -33,23 +40,27 @@ Build and Deployment:
         - patching
     Automated PRs for patches:
       uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488
-      risk:
-        Components with known (or unknown) vulnerabilities might stay for long and get exploited,
-        even when a patch is available.
-      measure:
-        Fast patching of third party component is needed. The DevOps way is
-        to have an automated pull request for new components. This includes
-
+      description: |
+        Automated PRs for patches ensure that updates for outdated or vulnerable dependencies are created and proposed without manual intervention. Tools continuously monitor for new versions or security advisories and immediately generate pull requests to update affected components in code, container images, or infrastructure. This process ensures that available patches are quickly visible to developers and can be reviewed and merged with minimal delay, reducing the risk window for known vulnerabilities.
+      risk: |
+        Components with known (or unknown) vulnerabilities might persist for a long time and be exploited, even when a patch is available.
+      measure: |
+        Fast patching of third-party components is needed. The DevOps way is to have an automated pull request for new components. This includes:
         * Applications
-        * Virtualized operating system components (e.g. container images)
-        * Operating Systems
-        * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform)
+        * Virtualized operating system components (e.g., container images)
+        * Operating systems
+        * Infrastructure as Code/GitOps (e.g., ArgoCD based on a git repository or Terraform)
+      assessment: |
+        - Automated PR tooling is enabled for all relevant repositories.
+        - PRs are created automatically for outdated or vulnerable dependencies.
+        - PRs are reviewed and merged in a timely manner.
+        - Evidence of automated PRs and patching activity is available.
+      level: 1
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 2
       usefulness: 4
-      level: 1
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependabot
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/jenkins

src/assets/YAML/default/implementations.yaml

@@ -37,7 +37,7 @@ implementations:
     name: API Security Maturity Model for Authorization
     tags: [api]
     url: https://curity.io/resources/learn/the-api-security-maturity-model/
-  container-technologi:
+  container-technology:
     uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11
     name: Container technologies and orchestration like Docker, Kubernetes
     tags: []