devsecopsmaturitymodel
diff --git a/‎src/assets/YAML/default/CultureAndOrganization/Process.yaml‎
Lines changed: 4 additions & 2 deletions b/‎src/assets/YAML/default/CultureAndOrganization/Process.yaml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/assets/YAML/default/Implementation/ApplicationHardening.yaml‎
Lines changed: 8 additions & 8 deletions b/‎src/assets/YAML/default/Implementation/ApplicationHardening.yaml‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml‎
Lines changed: 1 addition & 0 deletions b/‎src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/assets/YAML/default/Implementation/InfrastructureHardening.yaml‎
Lines changed: 25 additions & 48 deletions b/‎src/assets/YAML/default/Implementation/InfrastructureHardening.yaml‎
Lines changed: 25 additions & 48 deletions
diff --git a/‎src/assets/YAML/default/InformationGathering/Logging.yaml‎
Lines changed: 20 additions & 1 deletion b/‎src/assets/YAML/default/InformationGathering/Logging.yaml‎
Lines changed: 20 additions & 1 deletion
@@ -78,7 +78,8 @@ Culture and Organization:
       level: 1
       implementation: []
       references:
-        samm2: []
+        samm2:
+          - O-IM-2-B
         iso27001-2017:
           - 17.1.1
         iso27001-2022:
@@ -110,7 +111,8 @@ Culture and Organization:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
       references:
         samm2:
-          - I-DM-3-B
+          - O-OM-2-A
+          - G-PC-2-B
         iso27001-2022:
           - 5.25
           - 5.12
 
@@ -42,7 +42,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/apimaturity
       references:
         samm2:
-          - D-SR-1-A
+          - D-SR-2-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
@@ -65,7 +65,7 @@ Implementation:
         <a href="{{bad_data}}">Click me</a>
         <script>var x = '{{bad_data}}';</script>
         <script>/** Comment {{bad_data}} */</script>
-        ```                
+        ```
       risk:
         If an attacker manages to slip though your input validation, the attacker may gain control over the user session or execute arbitrary actions.
       measure: |
@@ -107,7 +107,7 @@ Implementation:
         Systems vulnerable to injections may lead to data breaches, loss of data, 
         unauthorized alteration of data, or complete database compromise or downtime.
 
-        This applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. 
+        This applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc.
       measure: |
         * Identify which of the types your application is using. Check that you use:
           * Use _parametrized queries_ (or _prepared statements_)
@@ -120,7 +120,7 @@ Implementation:
         resources: 1
       usefulness: 3
       level: 1
-      implementation: 
+      implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-parameterization-cheats
       references:
         samm2:
@@ -174,7 +174,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/apimaturity
       references:
         samm2:
-          - D-SR-1-A
+          - D-SR-3-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
@@ -204,7 +204,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-masvs
       references:
         samm2:
-          - D-SR-2-A
+          - D-SR-3-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
@@ -319,7 +319,7 @@ Implementation:
           - Referrer-Policy: Control information in the Referrer header
       references:
         samm2:
-          - D-SR-3-A
+          - O-EM-2-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
@@ -383,4 +383,4 @@ Implementation:
           - 13.1.3
         iso27001-2022:
           - Virtual environments are not explicitly covered by ISO 27001 - too specific
-          - 8.22
+          - 8.22
@@ -102,6 +102,7 @@ Implementation:
       references:
         samm2:
           - O-EM-1-A
+          - I-SB-A-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 12.1.1
 
@@ -146,7 +146,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/firewalls
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - Virtual environments are not explicitly covered by ISO 27001 - too specific
           - 13.1.3
@@ -172,7 +172,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/remove-direct-access
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 17.2.1
@@ -205,7 +205,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/jenkinsfile
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 12.1.1
@@ -268,37 +268,14 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/falco
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - System hardening is not explicitly covered by ISO 27001 - too specific
         iso27001-2022:
           - ISO 27001:2022 mapping is missing
       isImplemented: false
       evidence: ""
       comments: ""
-    Microservice-architecture:
-      uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a
-      risk: Monolithic applications are hard to test.
-      measure:
-        A microservice-architecture helps to have small components, which are
-        more easy to test.
-      difficultyOfImplementation:
-        knowledge: 4
-        time: 5
-        resources: 5
-      usefulness: 1
-      level: 5
-      implementation: []
-      references:
-        samm2:
-          - O-EM-1-A
-        iso27001-2017:
-          - Not explicitly covered by ISO 27001
-        iso27001-2022:
-          - ISO 27001:2022 mapping is missing
-      isImplemented: false
-      evidence: ""
-      comments: ""
     Production near environments are used by developers:
       uuid: e14de741-94b3-447c-8b07-eea947d82e61
       risk:
@@ -322,7 +299,7 @@ Implementation:
       implementation: []
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - 12.1.4
           - 17.2.1
@@ -339,7 +316,7 @@ Implementation:
         or to modify information unauthorized on systems.
       measure:
         The usage of a (role based) access control helps to restrict system
-        access to authorized users.
+        access to authorized users. And enhancement is to use attribute based access control.
       difficultyOfImplementation:
         knowledge: 2
         time: 3
@@ -354,7 +331,7 @@ Implementation:
         - Defined build process
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - 9.4.1
         iso27001-2022:
@@ -444,7 +421,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/defend-the-core-kubernetes
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
@@ -473,7 +450,7 @@ Implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/chaosmonkey
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-3-A
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 17.1.3
@@ -607,7 +584,7 @@ Implementation:
         - Defined build process
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-2-A
         iso27001-2017:
           - not explicitly covered by ISO 27001 - too specific
         iso27001-2022:
@@ -676,13 +653,15 @@ Implementation:
           - 8.14
       isImplemented: false
       evidence: ""
-      comments: ""  
+      comments: ""
     WAF baseline:
       uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b
       risk:
         Vulnerable input, such as exploits, can infiltrate the application via numerous entry points, posing a significant security threat.
       measure:
         Implementing a web application firewall (WAF) is a critical security control. At a baseline level, the objective is to finely balance the reduction of false positives, maintaining user experience, against a potential increase in the less noticeable false negatives.
+      
+        Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
       description: |
         A baseline WAF configuration provides essential defense against common vulnerabilities, acting as a first line of automated threat detection and response.
         Steps:
@@ -699,27 +678,27 @@ Implementation:
         resources: 3
       usefulness: 3
       level: 3
-      description: |
-        Begin with the WAF in a monitoring state to understand the traffic and threats. Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic.
       dependsOn:
         - Context-aware output encoding
       implementation: []
       references:
         samm2:
-          - D-SR-3-A
+          - O-EM-1-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
         iso27001-2022:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
-      comments: 
+      comments:
     WAF medium:
       uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium
       risk:
         The threat from malicious inputs remains high, with exploits seeking to exploit any vulnerabilities present at the various points of entry to the application.
       measure:
         A WAF deployed with a medium level of protection strengthens the security posture by striking a more advanced balance between the detection of genuine threats and the minimization of false alarms.
+      
+        Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic.
       description: |
         A medium-level WAF configuration builds upon the baseline to offer a more nuanced and responsive defense mechanism against a wider array of threats.
 
@@ -737,28 +716,28 @@ Implementation:
         resources: 4
       usefulness: 3
       level: 4
-      description: |
-        Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic.
       dependsOn:
         - WAF baseline
       implementation: []
       references:
         samm2:
-          - D-SR-3-A
+          - O-EM-2-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
         iso27001-2022:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
-      comments: 
-        
+      comments:
+
     WAF Advanced:
       uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced
       risk:
         The presence of sophisticated threats necessitates a robust defense strategy where application inputs are meticulously scrutinized for security breaches, including advanced persistent threats and zero-day vulnerabilities.
       measure:
         An advanced WAF protection level includes rigorous input validation, rejecting any parameters not explicitly required, and custom rule sets that are dynamically updated in response to emerging threats.
+      
+        The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape.
       description: |
         This advanced configuration goes beyond typical WAF implementations by enforcing strict input format checks and parameter validation to prevent any unauthorized or malformed data from compromising the application.
 
@@ -780,22 +759,20 @@ Implementation:
         resources: 5
       usefulness: 4
       level: 5
-      description: |
-        The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape.
       dependsOn:
         - WAF medium
       implementation: []
       references:
         samm2:
-          - D-SR-3-A
+          - O-EM-2-A
         iso27001-2017:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 13.1.3
         iso27001-2022:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
-      comments: 
-        
+      comments:
+
 
 
 
@@ -150,7 +150,7 @@ Information Gathering:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/bash
       references:
         samm2:
-          - O-IM-1-A
+          - O-OM-1-A
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 12.4.1
@@ -195,3 +195,22 @@ Information Gathering:
       isImplemented: false
       evidence: ""
       comments: ""
+    Analyze logs:
+      uuid: b217c8bb-5d61-4b41-a675-1083993f83b1
+      risk: Not aware of attacks happening.
+      measure: Check logs for keywords.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 3
+      level: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sigmahq
+      references:
+        samm2:
+          - O-IM-1-A
+        iso27001-2017:
+          - ISO 27001:2017 mapping is missing
+        iso27001-2022:
+          - ISO 27001:2022 mapping is missing