devsecopsmaturitymodel
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 1 addition & 3 deletions b/‎.github/workflows/main.yml‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎README.md‎
Lines changed: 0 additions & 1 deletion b/‎README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/assets/YAML/default/BuildAndDeployment/Build.yaml‎
Lines changed: 2 additions & 2 deletions b/‎src/assets/YAML/default/BuildAndDeployment/Build.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/assets/YAML/default/BuildAndDeployment/Deployment.yaml‎
Lines changed: 23 additions & 21 deletions b/‎src/assets/YAML/default/BuildAndDeployment/Deployment.yaml‎
Lines changed: 23 additions & 21 deletions
diff --git a/‎src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml‎
Lines changed: 8 additions & 4 deletions b/‎src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎src/assets/YAML/default/CultureAndOrganization/Design.yaml‎
Lines changed: 4 additions & 4 deletions b/‎src/assets/YAML/default/CultureAndOrganization/Design.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml‎
Lines changed: 23 additions & 4 deletions b/‎src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml‎
Lines changed: 23 additions & 4 deletions
diff --git a/‎src/assets/YAML/default/CultureAndOrganization/Process.yaml‎
Lines changed: 1 addition & 26 deletions b/‎src/assets/YAML/default/CultureAndOrganization/Process.yaml‎
Lines changed: 1 addition & 26 deletions
@@ -3,8 +3,6 @@ name: CI
 on:
   push:
     branches: [master]
-  pull_request:
-    branches: [master]
   workflow_dispatch:
   schedule:
     - cron: "0 7 * * *"
@@ -24,7 +22,7 @@ jobs:
         id: version
         run: |
           if [ "${GITHUB_REF##*/}" == "master" ]; then
-            echo "VERSION=3.0.0-${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
+            echo "VERSION=3.1.0-${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
           else
             BRANCH_TO_DOCKER=$(echo ${GITHUB_REF##*/} | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9._-]//g')
             echo "VERSION=${BRANCH_TO_DOCKER}-${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV
 
@@ -66,7 +66,6 @@ You can download your current state from the circular headmap and mount it again
 
 This approach also allows teams to perform self assessment with changes tracked in a repository.
 
-
 ## Amazon EC2 Instance
 
 1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_
 
@@ -137,7 +137,7 @@ Build and Deployment:
         time: 2
         resources: 2
       usefulness: 4
-      level: 3
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker-content-trust
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/in-toto
@@ -163,7 +163,7 @@ Build and Deployment:
         time: 2
         resources: 2
       usefulness: 3
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-commits-protection
 
@@ -11,7 +11,7 @@ Build and Deployment:
         time: 2
         resources: 1
       usefulness: 2
-      level: 4
+      level: 5
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/blue-green-deploymen
       dependsOn:
@@ -254,7 +254,7 @@ Build and Deployment:
         time: 2
         resources: 1
       usefulness: 4
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       dependsOn:
@@ -283,7 +283,7 @@ Build and Deployment:
         time: 1
         resources: 1
       usefulness: 2
-      level: 3
+      level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/martin-feature-toggles
@@ -305,32 +305,34 @@ Build and Deployment:
       isImplemented: false
       evidence: ""
       comments: ""
-    Usage of trusted images:
-      risk: Developers or operations might start random images in the production cluster
-        which have malicious code or known vulnerabilities.
-      measure: Create image assessment criteria, perform an evaluation of images and
-        create a whitelist of artifacts/container images/virtual machine images.
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubernetes-admission
+    Evaluation of the trust of used components:
+      risk:
+        - Application and system components like Open Source libraies or images can have implementation flaws or deployment flaws.
+        - Developers or operations might start random images in the production cluster 
+          which have malicious code or known vulnerabilities.
+      measure:
+        - Each components source is evaluated to be trusted. For example the source, number of developers included, email configuration used by maintainers to prevent maintainer account theft, typo-squatting, ...
+        - Create image assessment criteria, perform an evaluation of images and create a whitelist of artifacts/container images/virtual machine images.
       difficultyOfImplementation:
-        knowledge: 1
-        time: 1
+        knowledge: 3
+        time: 3
         resources: 1
       usefulness: 3
       level: 2
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/kubernetes-admission
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/packj
       references:
         samm2:
-        - I-SD-2-A
+          - O-EM-1-A
         iso27001-2017:
-        - 15.1.1
-        - 15.1.2
-        - 15.1.3
-        - 14.1.3
+         - Not explicitly covered by ISO 27001 - too specific
+         - 14.2.1
+         - 14.2.5
         iso27001-2022:
-        - 5.19
-        - 5.20
-        - 5.21
-        - 8.26
+         - Not explicitly covered by ISO 27001 - too specific
+         - 8.25
+         - 8.27
       isImplemented: false
       evidence: ""
       comments: ""
 
@@ -27,12 +27,14 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Automated PRs for patches:
-      risk: Known vulnerabilities components might stay for long and get exploited,
+      risk: Components with known (or unknown) vulnerabilities might stay for long and get exploited,
         even when a patch is available.
       measure: Fast patching of third party component is needed. The DevOps way is
-        to have an automated pull request for new components. This includes <ul> <li>Applications</li><li>Virtualized
-        operating system components (e.g. container images)</li> <li>Operating Systems</li><li>Infrastructure
-        as Code/GitOps (e.g. argocd)</li> </ul>
+        to have an automated pull request for new components. This includes 
+        * Applications
+        * Virtualized operating system components (e.g. container images)
+        * Operating Systems
+        * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform)
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -42,6 +44,8 @@ Build and Deployment:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependabot
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/jenkins
+      # - $ref: src/assets/YAML/default/implementations.yaml#/implementations/argocd TODO
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/terraform
       references:
         samm2:
         - O-EM-1-B
 
@@ -10,7 +10,7 @@ Culture and Organization:
         time: 3
         resources: 2
       usefulness: 3
-      level: 3
+      level: 4
       dependsOn:
       - Conduction of simple threat modeling on technical level
       - Creation of threat modeling processes and standards
@@ -166,7 +166,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 4
-      level: 4
+      level: 5
       dependsOn:
       - Creation of simple abuse stories
       implementation:
@@ -265,8 +265,8 @@ Culture and Organization:
         knowledge: 1
         time: 1
         resources: 1
-      usefulness: 4
-      level: 1
+      usefulness: 3
+      level: 2
       implementation: []
       references:
         samm2: []
 
@@ -26,11 +26,30 @@ Culture and Organization:
       isImplemented: false
       evidence: ""
       comments: ""
+    Security Coaching:
+      risk: Even if security practices are understood, it doesn't mean that they get implemented.
+      measure: By coaching teams, teams are getting a better understanding and adoptiing security practices.
+      difficultyOfImplementation:
+        knowledge: 4
+        time: 3
+        resources: 1 # e.g. system resources
+      usefulness: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sammancoaching
+      level: 3
+      references:
+        samm2:
+          - G-EG-3-B
+        iso27001-2017:
+          - 7.1.1
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Aligning security in teams:
       risk: The concept of Security Champions might suggest that only he/she is responsible
         for security. However, everyone in the project team should be responsible
         for security.
-      measure: By aligning security SME with project teams, a higher security standard
+      measure: By aligning security Subject Matter Experts with project teams, a higher security standard
         can be achieved.
       difficultyOfImplementation:
         knowledge: 4
@@ -86,7 +105,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 3
-      level: 3
+      level: 5
       implementation: []
       references:
         samm2:
@@ -336,7 +355,7 @@ Culture and Organization:
         time: 2
         resources: 1
       usefulness: 3
-      level: 1
+      level: 2
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cwe25
       credits: |
@@ -425,7 +444,7 @@ Culture and Organization:
         time: 3
         resources: 1
       usefulness: 3
-      level: 2
+      level: 3
       credits: |
         AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
       implementation:
 
@@ -74,30 +74,5 @@ Culture and Organization:
       isImplemented: false
       evidence: ""
       comments: ""
-    Prevention of unauthorized installation:
-      risk: Unapproved components are used.
-      measure: Components must be whitelisted. Regular scans on the docker infrastructure
-        (e.g. cluster) need to be performed, to verify that only standardized base
-        images are used.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 1
-        resources: 1
-      usefulness: 3
-      level: 3
-      implementation:
-      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/example-all-docker
-      comment: By preventing teams from trying out new components, innovation might
-        be hampered
-      references:
-        samm2: []
-        iso27001-2017:
-        - 12.5.1
-        - 12.6.1
-        iso27001-2022:
-        - 8.19
-        - 8.8
-      isImplemented: false
-      evidence: ""
-      comments: ""
+
 ...