Merge pull request #171 from par-tec/ioggstream-162-quater

More implementations. See #162.

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -101,11 +101,13 @@ Build and Deployment:
         iso27001-2017:
         - 9.4.5
         - 14.2.6
+        d3f:
+        - ApplicationConfigurationHardening
       isImplemented: false
       evidence: ""
       comments: ""
     Handover of confidential parameters:
-      risk: '- Parameters are often used to set credentials, for example by starting
+      risk: 'Parameters are often used to set credentials, for example by starting
         containers or applications; these parameters can often be seen by any one
         listing running processes on the target system.'
       measure: >-
@@ -131,6 +133,8 @@ Build and Deployment:
         - 9.4.3
         - 9.4.1
         - 10.1.2
+        d3f:
+        - ApplicationConfigurationHardening
       isImplemented: false
       evidence: ""
       comments: ""
@@ -235,11 +239,10 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Usage of feature toggles:
-      risk: By using environment dependent configuration, some parameters will not
-        be tested correctly. i.e. <pre>if (host == 'production') {} else {}</pre>
-      measure: Usage of environment independent configuration parameter, called feature
-        toggles, helps to enhance the test coverage. Only what has been tested, goes
-        to production.
+      risk: Using environment variables to enable or disable features can lead to
+        a situation where a feature is accidentally enabled in the production environment.
+      measure: Usage of environment independent configuration parameter, called static feature
+        toggles, mitigates the risk of accidentally enabling insecure features in production.
       difficultyOfImplementation:
         knowledge: 2
         time: 1
@@ -257,6 +260,8 @@ Build and Deployment:
         - 14.2.8
         - 14.2.9
         - 12.1.4
+        d3f: 
+        - ApplicationConfigurationHardening
       isImplemented: false
       evidence: ""
       comments: ""

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -97,9 +97,10 @@ Implementation:
       evidence: ""
       comments: ""
     Versioning:
-      risk: Changes to production systems can not be undone.
-      measure: versioning of artifacts related to production environments. For example
-        Jenkins configuration, docker images, (system provisioning) code.
+      risk: Deployment of untracked artifacts.
+      measure: >-
+        Version artifacts in order to identify deployed features and issues.
+        This includes application and infrastructure code, jenkins configuration, container and virtual machine images.
       difficultyOfImplementation:
         knowledge: 3
         time: 3

src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml

@@ -90,7 +90,8 @@ Test and Verification:
         - V-ST-2-A
         iso27001-2017:
         - not explicitly covered by ISO 27001 - too specific
-      implementation: []
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/schemathesis
       isImplemented: false
       evidence: ""
       comments: ""
@@ -135,7 +136,9 @@ Test and Verification:
         iso27001-2017:
         - 14.2.3
         - 14.2.8
-      implementation: []
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pact-io
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/citrusframework
       isImplemented: false
       evidence: ""
       comments: ""

src/assets/YAML/default/implementations.yaml

@@ -233,22 +233,27 @@ implementations:
   gitops:
     name: GitOps
     tags: []
+    url: https://www.redhat.com/en/topics/devops/what-is-gitops
   ansible:
     name: Ansible
     tags: []
+    url: https://github.com/ansible/ansible
   chef:
     name: Chef
     tags: []
+    url: https://github.com/chef/chef
   puppet:
     name: Puppet
     tags: []
+    url: https://github.com/puppetlabs/puppet
   jenkinsfile:
     name: Jenkinsfile
     tags: []
-    url: 
+    url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/
   seccomp:
     name: seccomp
     tags: []
+    url: https://man7.org/linux/man-pages/man2/seccomp.2.html
   strace:
     name: strace
     tags: []
@@ -266,15 +271,18 @@ implementations:
   smartcard:
     name: Smartcard
     tags: []
+    url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
   yubikey:
     name: YubiKey
     tags: []
+    url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/
   sms:
     name: SMS
     tags: []
   totp:
     name: TOTP
     tags: []
+    url: https://d3fend.mitre.org/technique/d3f:One-timePassword/
   http-basic-authentic:
     name: HTTP-Basic Authentication
     tags: []