Merge pull request #44 from devsecopsmaturitymodel/feat/samm-aram

feat: update SAMM mapping based on @aramhovsepyan feedback

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -31,7 +31,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
       references:
         samm2:
-          - I-SB-2-A
+          - I-SB-A-2
         iso27001-2017:
           - 14.2.6
         iso27001-2022:
@@ -72,7 +72,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/container-technologi
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-A-1
         iso27001-2017:
           - 12.1.1
           - 14.2.2
@@ -105,14 +105,16 @@ Build and Deployment:
         resources: 2
       usefulness: 3
       level: 2
+      tags:
+        - inventory
       implementation:
          - $ref: src/assets/YAML/default/implementations.yaml#/implementations/signing-of-containers
          - $ref: src/assets/YAML/default/implementations.yaml#/implementations/immutable-images
       dependsOn:
         - Defined build process
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-B-1
         iso27001-2017:
           - 14.2.6
         iso27001-2022:
@@ -145,7 +147,8 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-B-1
+          - D-TA-A-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -183,7 +186,7 @@ Build and Deployment:
         - Pinning of artifacts
       references:
         samm2:
-          - I-SB-1-A
+          - I-SB-A-1
         iso27001-2017:
           - 14.2.6
         iso27001-2022:
@@ -210,7 +213,7 @@ Build and Deployment:
         - Defined build process
       references:
         samm2:
-          - I-SB-2-A
+          - I-SB-A-2
         iso27001-2017:
           - 14.2.6
         iso27001-2022:

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -20,7 +20,7 @@ Build and Deployment:
         - Smoke Test
       references:
         samm2:
-          - I-SD-2-A
+          - I-SD-A-3
         iso27001-2017:
           - 17.2.1 # Availability of information processing facilities
           - 12.1.1 # Documented operational procedures
@@ -59,7 +59,7 @@ Build and Deployment:
       level: 2
       references:
         samm2:
-          - O-OM-2-B
+          - O-OM-B-2
         iso27001-2017:
           - 11.2.7
         iso27001-2022:
@@ -89,7 +89,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/docker
       references:
         samm2:
-          - I-SD-1-A
+          - I-SD-A-1
         iso27001-2017:
           - 12.1.1
           - 14.2.2
@@ -120,7 +120,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/hashicorp-vault
       references:
         samm2:
-          - I-SD-1-B
+          - I-SD-B-1
         iso27001-2017:
           - 9.4.5
           - 14.2.6
@@ -154,7 +154,7 @@ Build and Deployment:
         - Environment depending configuration parameters (secrets)
       references:
         samm2:
-          - I-SD-2-B
+          - I-SD-B-2
         iso27001-2017:
           - 14.1.3
           - 13.1.3
@@ -196,9 +196,9 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
-          - I-SB-3-B
-          - I-SB-2-B
-          - I-SB-1-B
+          - I-SB-B-3
+          - I-SB-B-2
+          - I-SB-B-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -230,7 +230,8 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
-          - I-SB-1-B
+          - I-SB-B-1
+          - D-TA-B-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -261,7 +262,8 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/image-metadata-collector
       references:
         samm2:
-          - I-SB-1-B
+          - I-SB-B-1
+          - D-TA-B-1
         iso27001-2017:
           - 8.1
           - 8.2
@@ -288,7 +290,8 @@ Build and Deployment:
         - Defined deployment process
       references:
         samm2:
-          - I-SD-1-A
+          - I-SD-A-2
+          - I-SD-A-3
         iso27001-2017:
           - 12.5.1
           - 14.2.2
@@ -320,7 +323,8 @@ Build and Deployment:
         - Defined build process
       references:
         samm2:
-          - I-SD-2-A
+          - I-SD-A-2
+          - I-SD-A-3
         iso27001-2017:
           - 14.3.1
           - 14.2.8
@@ -353,7 +357,7 @@ Build and Deployment:
         - Same artifact for environments
       references:
         samm2:
-          - I-SD-2-A
+          - I-SD-A-2
         iso27001-2017:
           - 14.3.1
           - 14.2.8
@@ -387,7 +391,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/packj
       references:
         samm2:
-          - O-EM-1-A
+          - O-EM-A-1
         iso27001-2017:
           - Not explicitly covered by ISO 27001 - too specific
           - 14.2.1

src/assets/YAML/default/BuildAndDeployment/PatchManagement.yaml

@@ -17,7 +17,7 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-1
         iso27001-2017:
           - 12.6.1
           - 12.5.1
@@ -58,7 +58,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-1
         iso27001-2017:
           - 12.6.1
           - 14.2.5
@@ -93,7 +93,7 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-2
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
@@ -129,7 +129,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/distroless-usage
       references:
         samm2:
-          - I-SB-2
+          - I-SB-B-2
         iso27001-2017:
           - hardening is missing in ISO 27001
           - 14.2.1
@@ -169,7 +169,7 @@ Build and Deployment:
       implementation: []
       references:
         samm2:
-          - O-EM-1-B
+          - O-EM-B-1
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
@@ -204,7 +204,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sample-concept-1
       references:
         samm2:
-          - O-EM-2-B
+          - O-EM-B-2
         iso27001-2017:
           - 12.6.1
         iso27001-2022:
@@ -237,7 +237,7 @@ Build and Deployment:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/renovate
       references:
         samm2:
-          - O-EM-2-B
+          - O-EM-B-2
         iso27001-2017:
           - 12.6.1
         iso27001-2022:

src/assets/YAML/default/CultureAndOrganization/Design.yaml

@@ -40,7 +40,7 @@ Culture and Organization:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/threat-matrix-for-storage
       references:
         samm2:
-          - D-TA-2-B
+          - D-TA-B-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001
           - May be part of risk assessment
@@ -71,7 +71,8 @@ Culture and Organization:
       implementation: []
       references:
         samm2:
-          - D-TA-2-B
+          - D-TA-B-1
+          - D-TA-A-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001
           - May be part of risk assessment
@@ -151,7 +152,7 @@ Culture and Organization:
         Source: OWASP Project Integration Project
       references:
         samm2:
-          - D-TA-2-B
+          - D-TA-B-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001
           - May be part of risk assessment
@@ -184,7 +185,8 @@ Culture and Organization:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/don-t-forget-evil-user-stories
       references:
         samm2:
-          - D-TA-2-B
+          - D-TA-B-2
+          - V-RT-B-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001
           - May be part of project management
@@ -219,7 +221,7 @@ Culture and Organization:
         - Creation of threat modeling processes and standards
       references:
         samm2:
-          - D-TA-2-B
+          - D-TA-B-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001
           - May be part of project management
@@ -256,7 +258,8 @@ Culture and Organization:
         - Conduction of simple threat modeling on technical level
       references:
         samm2:
-          - D-TA-3-B
+          - D-TA-B-3
+          - D-TA-B-2
         iso27001-2017:
           - Not explicitly covered by ISO 27001
           - May be part of risk assessment
@@ -288,7 +291,7 @@ Culture and Organization:
       implementation: []
       references:
         samm2:
-          - G-PS-2
+          - G-SM-A-2
         iso27001-2017:
           - 5.1.1
           - 7.2.1