Merge pull request #170 from par-tec/ioggstream-162-bis

Editorial suggestions.

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -119,10 +119,9 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Signing of artifacts:
-      risk: Unauthorized manipulation of artifacts might be difficult to spot. For
-        example, this may result in images with malicious code in the Docker registry.
+      risk: &execution-maliciuous Execution or usage of malicious code or data e.g. via executables, libraries or container images.
       measure: Digitally signing artifacts for all steps during the build and especially
-        docker images, helps to ensure their integrity.
+        docker images, helps to ensure their integrity and autenticity.
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -144,7 +143,7 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Signing of code:
-      risk: Unauthorized manipulation of source code might be difficult to spot.
+      risk: *execution-maliciuous
       measure: Digitally signing commits helps to prevent unauthorized manipulation
         of source code.
       difficultyOfImplementation:

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -2,10 +2,10 @@
 Build and Deployment:
   Deployment:
     Blue/Green Deployment:
-      risk: A new artifacts version can have unknown defects.
-      measure: By having multiple production environments, a deployment can be performant
-        on the first environment to spot possible defects before it is deployment
-        in the production environment(s)
+      risk: A new artifact's version can have unknown defects.
+      measure: |-
+        Using a blue/green deployment strategy increases application availability
+        and reduces deployment risk by simplifying the rollback process if a deployment fails.
       difficultyOfImplementation:
         knowledge: 1
         time: 2
@@ -20,21 +20,21 @@ Build and Deployment:
         samm2:
         - TODO
         iso27001-2017:
-        - 17.2.1
-        - 12.1.1
-        - 12.1.2
-        - 12.1.4
+        - 17.2.1  # Availability of information processing facilities
+        - 12.1.1  # Documented operational procedures
+        - 12.1.2  # Change management
+        - 12.1.4  # Separation of development,testing and operational environments
         - 12.5.1
         - 14.2.9
       isImplemented: false
       evidence: ""
       comments: ""
     Defined decommissioning process:
-      risk: Not used applications erode and are not maintained. As an evil actor,
-        I exploit known vulnerabilities in the not maintained applicaitons to perform
-        latteral movement within the organization.
-      measure: By having a clear decommissioning process, applicaitons not used are
-        not running anymore and can therefore not be explointed.
+      risk: >-
+        Unused applications are not maintained and may contain vulnerabilities.
+        Once exploited they can be used to attack other applications or
+        to perform lateral movements within the organization.
+      measure: A clear decommissioning process ensures the removal of unused applications.
       difficultyOfImplementation:
         knowledge: 1
         time: 2
@@ -50,10 +50,13 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Defined deployment process:
-      risk: Deployments without a defined process are error prone thus allowing old
-        or untested artifact to be deployed.
-      measure: A defined deployment process significantly lowers the likelihood of
-        errors during the deployment phase.
+      risk: >-
+        Deployment of insecure or malfunctioning artifacts.
+      measure: >-
+        Defining a deployment process ensures that there are
+        established criteria in terms of functionalities,
+        security, compliance, and performance,
+        and that the artifacts meet them.
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -75,19 +78,23 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Environment depending configuration parameters (secrets):
-      risk: '- Parameters are often used to set credentials, for example by starting
-        containers or applications; these parameters can often be seen by any one
-        listing running processes on the target system.'
-      measure: |
-        Configuration parameters are set for each environment not in the source code.
-        By using encryption, it is harder to read credentials , e.g. from the file system. Also, the usage of a credential management system can help protect credentials.
+      risk: >-
+        Unauthorized access to secrets stored in source code
+        or in artifacts (e.g. container images)
+        through process listing (e.g. ps -ef).
+      measure: >-
+        Set configuration parameters via environment variables 
+        stored using specific platform functionalities
+        or secrets management systems
+        (e.g. Kubernetes secrets or Hashicorp Vault).
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 1
       usefulness: 4
       level: 2
-      implementation: []
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/hasicorp-vault
       references:
         samm2:
         - I-SD-1-B
@@ -101,8 +108,10 @@ Build and Deployment:
       risk: '- Parameters are often used to set credentials, for example by starting
         containers or applications; these parameters can often be seen by any one
         listing running processes on the target system.'
-      measure: By using encryption, it is harder to read credentials , e.g. from the
-        file system. Also, the usage of a credential management system can help protect
+      measure: >-
+        Encryption ensures confidentiality of credentials
+        e.g. from unauthorized access on the file system.
+        Also, the usage of a credential management system can help protect
         credentials.
       difficultyOfImplementation:
         knowledge: 2

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -2,9 +2,9 @@
 Implementation:
   Development and Source Control:
     Local development linting & style checks performed:
-      risk: Creating and developing code that contains code smells and quality issues.
-      measure: "Integration of quality and linting plugins with interactive development
-        environment (IDEs). \n"
+      risk: Insecure or unmaintenable code base.
+      measure: >-
+        Integrate static code analysis tools in IDEs.
       difficultyOfImplementation:
         knowledge: 1
         time: 1
@@ -26,7 +26,7 @@ Implementation:
       risk: Using an insecure application might lead to a compromised application.
         This might lead to total data theft or data modification.
       measure: |
-        Implement pre-commit validations to prevent secrets & other security issues being commit to source code.
+        Implement pre-commit checks to prevent secrets & other security issues being commit to source code.
       difficultyOfImplementation:
         knowledge: 4
         time: 4
@@ -43,10 +43,39 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
+    API design validation:
+      risk: Creation of insecure or non-compliant API.
+      measure: |
+        Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP
+        and validate the specification using specific tools.
+        Checks should be integrated in IDEs and CI/CD pipelines.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 2
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stoplight-spectral
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/api-oas-checker
+      references:
+        samm2:
+        - V-ST-1-A
+        iso27001-2017:
+        - 8.25  # Secure development lifecycle
+        - 8.27  # Secure system architecture and engineering principles
+        - 8.28  # Secure coding
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Source Control Protection:
-      risk: Unapproved code in important branches like master.
-      measure: Enabled protections on the source code management system preventing
-        committed directly to an important branch.
+      risk: Intentional or accidental alterations in critical branches like master.
+      measure: >-
+        Define source code management system policies (e.g. branch protection rules,
+        mandatory code reviews, ...)
+        to ensure that changes to critical branches are only possible under defined conditions.
+        These policies can be implemented at repository level or organization level,
+        depending on the source code management system.
       difficultyOfImplementation:
         knowledge: 2
         time: 1
@@ -91,4 +120,32 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
+    MFA to SCM:
+      risk: Unauthorized access to source code.
+      measure: >-
+        Enforce Multi-Factor authentication to source code management platforms.
+        These policies can be implemented at repository level or organization level,
+        depending on the source code management system.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 1
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/yubikey
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/smartcard
+      references:
+        samm2:
+        - O-EM-1-A
+        iso27001-2017:
+        - 5.17    # Authentication information
+        - 6.1.2   # Segregation of duties.
+        - 14.2.1  # Secure development policies.
+        d3f:
+        - Multi-factorAuthentication
+      isImplemented: false
+      evidence: ""
+      comments: ""
 ...

src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml

@@ -2,7 +2,7 @@
 Test and Verification:
   Dynamic depth for applications:
     Coverage analysis:
-      risk: Parts of the service are not still covered.
+      risk: Parts of the service are not still covered by tests.
       measure: Check that there are no missing paths in the application with coverage-tools.
       difficultyOfImplementation:
         knowledge: 4
@@ -12,6 +12,7 @@ Test and Verification:
       level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-code-pulse
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/coveragepy
       references:
         samm2:
         - V-ST-2-A
@@ -58,6 +59,8 @@ Test and Verification:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/curl
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/openapi
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-zap
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/schemathesis
       dependsOn:
       - Usage of different roles
       references:
@@ -185,6 +188,7 @@ Test and Verification:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/zest
       isImplemented: false
+      assessment: "For REST APIs, multiple OAuth2 scopes are used."
       evidence: ""
       comments: ""
     Usage of multiple scanners:

src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml

@@ -1,7 +1,7 @@
 ---
 Test and Verification:
   Static depth for applications:
-    Exclusion of source code duplicates:
+    Exclusion of source code duplicates: &Exclusion-of-source-code-duplicates
       risk: Duplicates in source code might influence the stability of the application.
       measure: Automatic Detection and manual removal of duplicates in source code.
       difficultyOfImplementation:
@@ -24,6 +24,11 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
+    Dead code elimination:
+      <<: *Exclusion-of-source-code-duplicates
+      risk: Dead code increases the attack surface (use of hard coded credentials and
+        variables, sensitive information)
+      measure: Collection of unused code and then manual removal of unused code.
     Local development security checks performed:
       risk: Creating and developing code contains code smells and quality issues.
       measure: |
@@ -38,6 +43,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/fortify-vscode-extension
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/checkmarx-vscode-extension
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pre-commit
       references:
         samm2:
         - V-ST-1-A
@@ -47,6 +53,31 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
+    API design validation:
+      risk: Creation of insecure or non-compliant API.
+      measure: |
+        Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP
+        and validate the specification using specific tools.
+        Checks should be integrated in IDEs and CI/CD pipelines.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 2
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stoplight-spectral
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/api-oas-checker
+      references:
+        samm2:
+        - V-ST-1-A
+        iso27001-2017:
+        - 8.25  # Secure development lifecycle
+        - 8.27  # Secure system architecture and engineering principles
+        - 8.28  # Secure coding
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Static analysis for all components/libraries:
       risk: Used components like libraries and legacy applications might have vulnerabilities
       measure: Usage of a static analysis for all used components.
@@ -155,9 +186,9 @@ Test and Verification:
       evidence: ""
       comments: ""
     Stylistic analysis:
-      risk: False source code indenting might lead to vulnerabilities.
+      risk: Unclear or obfuscated code might have unexpected behavior.
       measure: Analysis of compliance to style guides of the source code ensures that
-        source code indenting rules are met.
+        source code formatting rules are met (e.g. indentation, loops, ...).
       difficultyOfImplementation:
         knowledge: 1
         time: 1
@@ -168,6 +199,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pmd
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stylecop
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sonarqube
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-super-linter
       references:
         samm2:
         - V-ST-2-A
@@ -193,6 +225,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-dependabot
       references:
         samm2:
         - V-ST-2-A
@@ -218,6 +251,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-dependabot
       references:
         samm2:
         - V-ST-2-A